Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Spring Security for N00bz: A quick introduction for the terminally insecure

Spring Security for N00bz: A quick introduction for the terminally insecure

No one wants to be the next Equifax (or Target or Yahoo or TGX or or or) and feature prominently in headlines of the latest terrible security breach. Often referred to as a Career Limiting Move (CLM), it can also make you and your organization a target for lawsuits, legal charges, and recognition of the most negative kind. But security is *hard*, right? Where does one even begin???

One _fully open-source_ solution for application security is widely used and respected: Spring Security. Built with Java & Spring, it provides a proven app security platform that integrates with numerous languages and components to provide end-to-end security for your critical applications. Using the JavaScript framework du jour for front end development? Reactive systems? LDAP? OAuth2? OpenID Connect? *It's in there.*

Defense is a multi-faceted topic, but your application's security is central to it all. Come to this session for a thought-provoking introduction to _defense in depth_ and a live-coding "lock it down" exploration of how to secure your apps now and maintain their security over time using 100% open source software.


Mark Heckler

October 25, 2019


  1. Spring Security 4 N00bz A quick introduction for the terminally

    insecure Mark Heckler Professional Problem Solver, Spring Developer & Advocate www.thehecklers.com mark@thehecklers.com mheckler@pivotal.io @mkheck
  2. @mkheck www.thehecklers.com Who am I? • Author • Architect &

    Developer • Java Champion, Rockstar • Professional Problem Solver • Spring Developer & Advocate • Creador y curador de
  3. @mkheck www.thehecklers.com New book! But you can’t buy it yet…

    DISCLAIMER: artist’s rendition only, not the real cover
  4. @mkheck www.thehecklers.com Takeaways Contextual understanding of outside-in security profile System

    vs. application security Authentication & Authorization: who’s who in the zoo OpenID Connect & OAuth2: what they do & what’s the value SHOW ME THE CODE
  5. @mkheck www.thehecklers.com Outside->In security, sort of… Cloud deployments have shuffled

    and/or inverted some of these… Obviated others General principles apply, if refocused for this century
  6. @mkheck www.thehecklers.com A few thoughts on system security Password/access hygiene

    2FA/MFA Sane authorizations Logging/auditing (with caveats) Wire encryption Store secrets securely Encrypted data at rest Another time, another talk…
  7. @mkheck www.thehecklers.com Application security

  8. @mkheck www.thehecklers.com Spring Security 3000 meter view Filter Filter Filter

    Filter Filter HttpFirewall SecurityFilterChain Request headers Of course, there is more…
  9. @mkheck www.thehecklers.com Spring Security request filtering (simplified) DelegatingFilterProxy SecurityFilterChain Filter

    1 Filter 2 Filter 3 Filter n … FilterChainProxy … SecurityFilterChain n User Servlet
  10. @mkheck www.thehecklers.com Let’s code!

  11. @mkheck www.thehecklers.com

  12. @mkheck www.thehecklers.com Resources https://github.com/mkheck/spring-security-4-n00bz https://github.com/jgrandja/oauth2-protocol-patterns https://spring.io/projects/spring-security Thanks for coming, stay

    in touch (& secure)!