Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to Supercharge AppSec with Spring Security, OpenID Connect, & OAuth2

Mark Heckler
February 26, 2020

How to Supercharge AppSec with Spring Security, OpenID Connect, & OAuth2

One fully open-source solution is widely used and respected to secure distributed systems & assets: Spring Security. Built with Java & Spring, it provides a proven app security platform that integrates with numerous languages and components to provide end-to-end security for your critical systems.

Defense is a multi-faceted topic, and your systems' security is central to it all. In this session, you'll see how you can leverage Spring Security to implement OpenID Connect & OAuth2 with ease, adding powerful & extensible mechanisms for authentication & authorization to secure your distributed systems.

This session is a live-coding "lock it down" exploration of how to secure your apps & assets now and maintain their security over time using 100% open source software.

Mark Heckler

February 26, 2020
Tweet

More Decks by Mark Heckler

Other Decks in Programming

Transcript

  1. How to Supercharge AppSec with Spring Security, OpenID Connect, &

    OAuth2 Mark Heckler Professional Problem Solver, Spring Developer & Advocate www.thehecklers.com [email protected] [email protected] @mkheck
  2. @mkheck www.thehecklers.com Who am I? • Author • Architect &

    Developer • Java Champion, Rockstar • Professional Problem Solver • Spring Developer & Advocate • Creador y curador de
  3. @mkheck www.thehecklers.com New book! But you can’t buy it yet…

    DISCLAIMER: artist’s rendition only, not the real cover
  4. @mkheck www.thehecklers.com New book! But you can’t buy it yet…

    DISCLAIMER: artist’s rendition only, not the real cover
  5. @mkheck www.thehecklers.com Takeaways Foundational security concepts review using Spring Security

    OSS Authentication & Authorization: who’s who in the zoo OpenID Connect & OAuth2: what they do & what’s the value The roles The grants SHOW ME THE CODE
  6. @mkheck www.thehecklers.com Takeaways Foundational security concepts review using Spring Security

    OSS Authentication & Authorization: who’s who in the zoo OpenID Connect & OAuth2: what they do & what’s the value The roles The grants SHOW ME THE CODE
  7. @mkheck www.thehecklers.com Takeaways Foundational security concepts review using Spring Security

    OSS Authentication & Authorization: who’s who in the zoo OpenID Connect & OAuth2: what they do & what’s the value The roles The grants SHOW ME THE CODE
  8. @mkheck www.thehecklers.com 3000 meter view Filter Filter Filter Filter Filter

    HttpFirewall SecurityFilterChain Request headers Of course, there is more…
  9. @mkheck www.thehecklers.com Spring Security request filtering (simplified) DelegatingFilterProxy SecurityFilterChain Filter

    1 Filter 2 Filter 3 Filter n … FilterChainProxy … SecurityFilterChain n User Servlet
  10. @mkheck www.thehecklers.com About those headers… HTTP/1.1 200 Cache-Control: no-cache, no-store,

    max-age=0, must-revalidate Content-Length: 20 Content-Type: text/plain;charset=UTF-8 Date: Wed, 26 Feb 2020 20:13:58 GMT Expires: 0 Pragma: no-cache Set-Cookie: JSESSIONID=EB199990E5ABA3EA0E1A0B4430EF8E5C; Path=/; HttpOnly X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection: 1; mode=block
  11. @mkheck www.thehecklers.com Authentication vs. Authorization Who are you? What can

    you (legitimately) access? (Authentication) (Authorization)
  12. @mkheck www.thehecklers.com Authentication vs. Authorization Who are you? What can

    you (legitimately) access? (Authentication) (Authorization) OIDC OAuth2
  13. @mkheck www.thehecklers.com Why OpenID Connect & OAuth2? In traditional authentication,

    the client requests an access-restricted resource on the server by authenticating with the server using the resource owner’s credentials To provide third-party applications (3PAs) access, the resource owner shares credentials with the 3P. This creates several problems: 3PAs store the resource owner’s credentials for future use, typically a password in clear-text Servers must support password authentication, despite the security weaknesses inherent in passwords 3PAs gain overly broad access to the resource owner’s protected resources, removing any ability to restrict duration or access to a limited subset of resources Resource owners cannot revoke access to an individual 3P without revoking access to all third parties, and must do so by changing the 3P’s password Compromise of any 3PA results in compromise of the end-user’s password and all data protected by that password From IETF rfc6749, The OAuth2 Authorization Framework
  14. @mkheck www.thehecklers.com User Agent Authorization code grant Client Resource Owner

    Authorization Server Email/UID ********************* Resource Server Redirect URI: mysite.com/callback return to mysite.com/callback with authorization code Exchange authorization code for ID token & access token Provide access token with resource request and receive requested resources Client ID: abc123 User authenticates Response type: code