Upgrade to Pro — share decks privately, control downloads, hide ads and more …

10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019

Matt Raible
PRO
November 13, 2019
Programming
1
1.7k

10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019

Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.

This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!

You’ll learn how to add these features to a real application, using the Java language you know and love.

* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/

Matt Raible
PRO

November 13, 2019
Tweet

More Decks by Matt Raible

See All by Matt Raible
Micro Frontends for Java Microservices - Utah JUG 2024
mraible
PRO
0
85
Micro Frontends for Java Microservices - Devnexus 2024
mraible
PRO
0
490
Comparing Native Java REST API Frameworks - jChampions Conference 2024
mraible
PRO
0
640
Comparing Native Java REST API Frameworks - Atlanta JUG 2024
mraible
PRO
1
240
Micro Frontends for Java Microservices - SF JUG 2023
mraible
PRO
1
320
Choosing the Right Java REST Framework - NY Java SIG 2023
mraible
PRO
0
410
OAuth for Java Developers - Garden State JUG 2023
mraible
PRO
0
180
Comparing Native Java REST API Frameworks - Philadelphia JUG 2023
mraible
PRO
2
740
Securing Spring Boot Microservices with OAuth and OpenID Connect - Devoxx Belgium 2023
mraible
PRO
0
95

Other Decks in Programming

See All in Programming
VSCodeでのDatabricks開発もお勧めしたい/I would also recommend Databricks development with VSCode.
kazumain
0
250
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
Snowflakeで眠ったデータを起こそう!
estie
0
110
코틀린으로 멀티플랫폼 만들기
pangmoo
0
150
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
230
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
730
Rubyでたのしむクリエイティブコーディング/Enjoy Creative coding with Ruby
chobishiba
1
180
From Spring Boot 2 to Spring Boot 3 with Java 22 and Jakarta EE
ivargrimstad
0
1.1k
コーンフレークから始める モデリング会話入門
ogurotakayuki
0
360
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
900

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
355
18k
Automating Front-end Workflow
addyosmani
1356
200k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
In The Pink: A Labor of Love
frogandcode
138
21k
Facilitating Awesome Meetings
lara
42
5.6k
Visualization
eitanlees
136
14k
Embracing the Ebb and Flow
colly
80
4.1k
RailsConf 2023
tenderlove
4
540
Designing for humans not robots
tammielis
248
25k
BBQ
matthewcrist
80
8.8k

Transcript

  1. None
  2. None
  3. None

  4. 5 certbot mkcert

  5. None

  6. @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }

  7. @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }
  8. None
  9. None
  10. None
  11. None
  12. None

  13. 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk');

    // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); };

  14. 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk');

    // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }

  15. 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk');

    // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }

  16. 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk');

    // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
  17. None
  18. None
  19. None
  20. None
  21. None

  22. 23

  23. npm i -g npm-check-updates ncu

  24. mvn versions:display-dependency-updates

  25. gradle dependencyUpdates \ -Drevision=release

  26. None

  27. @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }
  28. None
  29. None

  30. Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options:

    nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block

  31. @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https://trustedscripts.example.com; " + "object-src https://trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }
  32. None
  33. None
  34. None
  35. None
  36. None

  37. spring: security: oauth2: client: registration: okta: client-id: {clientId} client-secret: {clientSecret}

    provider: okta: issuer-uri: https://{yourOktaDomain}/oauth2/default

  38. @Grab('spring-boot-starter-oauth2-client') @RestController class Application { @GetMapping('/') String home(java.security.Principal user) {

    'Hello ' + user.name } }

  39. okta: oauth2: issuer: https://{yourOktaDomain}/oauth2/default client-id: {yourClientId} client-secret: {yourClientSecret} <dependency> <groupId>com.okta.spring</groupId>

    <artifactId>okta-spring-boot-starter</artifactId> <version>1.3.0</version> </dependency>
  40. None
  41. None
  42. None

  43. hash("TSD") =3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 unhash("3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3") = ???

  44. hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD")

    = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3

  45. hash("TSD0") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD1") = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2 hash("TSD2") = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef hash("TSD3")

    = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288

  46. hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("123") != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3

  47. @Bean public PasswordEncoder passwordEncoder() { return new SCryptPasswordEncoder(); }

  48. @Autowired private PasswordEncoder passwordEncoder; public String hashPassword(String password) { return

    passwordEncoder.encode(password); }
  49. None
  50. None
  51. None
  52. None

  53. <dependencies> <dependency> <groupId>org.springframework.vault</groupId> <artifactId>spring-vault-core</artifactId> <version>2.2.0.RELEASE</version> </dependency> </dependencies>

  54. @Value("${password}") char[] password;

  55. Printing String password -> password Printing char[] password -> [C@6e8cf4c6

  56. None
  57. None
  58. None
  59. None

  60. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

  61. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

  62. None
  63. None
  64. None

  65. 68