
JHipster Security - JHipster Code 2020

Matt Raible
September 14, 2020

An overview of the security features that JHipster provides, from authentication options to HTTPS to securing methods and routes.

Agenda:

- Spring Security Overview
- Authentication Options
- HTTPS
- Security Headers
- Dependency / Container Scanning
- Security-related JHipster issues

JHipster is secure by default!

📺 https://youtu.be/Ze0rt6JxTfE

Transcript

  1. JHipster Security
     Matt Raible | @mraible
     September 14, 2020 #jhipstercode
     Photo by Léonard Cotte https://unsplash.com/photos/c1Jp-fo53U8
  2. Who is Matt Raible?
     - Father, Husband, Skier, Mountain Biker, Whitewater Rafter, Bus Lover
     - Web Developer and Java Champion
     - Okta Developer Advocate
     - Blogger on raibledesigns.com and developer.okta.com/blog
     - @mraible
  3. Spring Security
     https://blog.ippon.tech/improving-the-access-control-of-a-jhipster-application/
     - JHipster ships with two roles: ROLE_USER (for CRUD) and ROLE_ADMIN
     - SecurityConfiguration for URL protection
     - @PreAuthorize for method-level rules
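The two layers the slide names, URL protection in `SecurityConfiguration` and `@PreAuthorize` on individual methods, fit together as in the added example below. It is written for this page, not copied from JHipster's generated code or the deck; the URL patterns are modeled on a JHipster app but the `UserManagementService` class and its methods are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

// Layer 1: URL-level rules. Every /api/** endpoint needs a logged-in user (ROLE_USER is
// enough for ordinary CRUD); the Actuator endpoints under /management/** need ROLE_ADMIN.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on beans
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            // public endpoints are listed explicitly ...
            .antMatchers("/api/authenticate", "/api/register").permitAll()
            // ... everything else under /api requires authentication
            .antMatchers("/api/**").authenticated()
            // health is public so load balancers can probe it, the rest is admin-only
            .antMatchers("/management/health").permitAll()
            .antMatchers("/management/**").hasAuthority("ROLE_ADMIN");
    }
}

// Layer 2: method-level rules (hypothetical service, not part of JHipster). The URL rule
// above only says "someone logged in may call /api/users"; the annotation narrows a single
// method further. A ROLE_USER caller gets an AccessDeniedException before the body runs.
@Service
class UserManagementService {

    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public void deleteUser(String login) {
        // deletion logic would go here
    }

    // Owner-or-admin rule: the SpEL expression can read method parameters (#login)
    // and the current principal (authentication.name).
    @PreAuthorize("hasAuthority('ROLE_ADMIN') or #login == authentication.name")
    public void changePassword(String login, String newPassword) {
        // password update logic would go here
    }
}
```

The `#login` reference relies on parameter names being available at runtime (compile with `-parameters` or debug info, which Spring Boot's build plugins do by default); if they are not, the expression evaluates to `null` and the owner branch silently never matches, so it is worth a test that exercises the non-admin path.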
  4. Authentication Options
     - JSON Web Tokens (JWT)
     - Session-based
     - OAuth 2.0 and OpenID Connect
     - JHipster UAA (User Authentication and Authorization)
  5. What is OAuth?
     - An open standard for authorization; anyone can implement it
     - Provides "secure delegated access" to client applications
     - Works over HTTPS and authorizes devices, APIs, servers and applications ... with access tokens rather than credentials
  6. OAuth 2.0
     - Enables apps to obtain limited access (scopes) to a user's data without giving away a user's password
     - Decouples authentication from authorization
     - Supports multiple use cases addressing different client capabilities and deployment models: server-to-server apps, browser-based apps, mobile/native apps, consoles/TVs
     - Web-scale delegated authorization framework for REST/APIs
     - Protecting APIs since October 2012
  7. OAuth Simplified
     1. App requests authorization from User
     2. User authorizes App and delivers proof
     3. App presents proof of authorization to server to get a Token
     4. Token is restricted to only access what the User authorized for the specific App
  8. JSON Web Token (JWT)
     base64url(Header) + "." + base64url(Claims) + "." + base64url(Signature)

     eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd-AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8

     Header:
     { "alg": "RS256", "kid": "123456789" }

     Claims:
     { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "karl@example.com", "email_verified": true }

     Signature: the third segment, verified with the key the header's "kid" points to
  9. OpenID Connect
     Participants: Client (Relying Party); OAuth 2.0 Authorization Server & OpenID Connect Provider (OP) with Authorization Endpoint, Token Endpoint, /.well-known/openid-configuration, JWKS Endpoint and UserInfo Endpoint; OAuth 2.0 Resource Server
     1. Discover OpenID Provider Metadata
     2. Perform OAuth flow to obtain an ID token and/or access token
     3. Get JSON Web Key Set (JWKS) for signature keys
     4. Validate ID token (JSON Web Token)
     5. Get additional user attributes with access token from UserInfo endpoint
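Steps 1, 3 and 4 of this slide, together with the token layout of slide 8, are what a resource server has to get right: discover the provider metadata, fetch the JWKS, check the signature against the key named by `kid`, then check `exp`, `iss` and `aud`. The added example below does that with Spring Security's OAuth2 resource-server support (the library JHipster's OAuth2 apps build on); it is written for this page, not taken from the deck or from JHipster's generated code, and `issuerUri` and `clientId` are assumed to come from the application's configuration.

```java
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

public class JwtDecoderFactory {

    /** Rejects tokens whose "aud" claim (slide 8) does not name this client. */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;

        AudienceValidator(String audience) {
            this.audience = audience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            if (jwt.getAudience().contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "The required audience is missing", null));
        }
    }

    /**
     * issuerUri: the OP's issuer, e.g. https://example.okta.com (the "iss" claim on slide 8).
     * clientId: the value expected in "aud". Both are assumed to be read from configuration.
     */
    public static JwtDecoder jwtDecoder(String issuerUri, String clientId) {
        // Step 1: GET {issuerUri}/.well-known/openid-configuration and read jwks_uri from it.
        // Step 3: the decoder fetches the JWKS from that URI (cached) and selects the key
        //         whose "kid" matches the token header, so key rotation needs no redeploy.
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuerUri);

        // Step 4: the default validator checks exp/nbf (with clock skew) and that "iss" equals
        //         issuerUri; the RS256 signature itself is checked by the decoder before
        //         validators run. We add the audience check on top.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> withAudience =
            new DelegatingOAuth2TokenValidator<>(withIssuer, new AudienceValidator(clientId));
        decoder.setJwtValidator(withAudience);

        // decoder.decode(token) now returns a Jwt only when signature, exp, iss and aud all pass;
        // otherwise it throws JwtException (BadJwtException / JwtValidationException).
        return decoder;
    }
}
```

Expose the returned decoder as a `@Bean` and the resource-server filter uses it for every bearer token. The audience check is the one most often left out: without it a valid token minted for a different application at the same issuer is accepted.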
  10. Authorization Code Flow (Web): Authenticate via User Agent
      Participants: User; Web App (Client); Resource Server (RS) /UserInfo; Authorization Server (AS)
      1. User starts flow by visiting Web App Client with User Agent
      2. Client sends authentication request with openid scope via browser redirect to Authorize Endpoint on Authorization Server
      3. User authenticates and consents to Client to access user's identity
      4. Authorization Code Grant and optionally ID Token for Web App is returned to Client via browser redirect
  11. Authorization Code Flow (Web): Exchange Grant for Tokens
      Participants: User; Web App (Client); Resource Server (RS) /UserInfo; Authorization Server (AS)
      1. Client authenticates & exchanges Authorization Code Grant with token endpoint on Authorization Server for an ID Token, Access Token and optionally Refresh Token
      2. Client optionally fetches additional claims with Access Token from UserInfo endpoint
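The two slides above are one procedure seen from the web app: a front-channel redirect that carries only a short-lived code, then a back-channel exchange in which the client proves its own identity. The added example below builds those two messages with the JDK alone and shows the one check the diagrams do not draw, that the `state` coming back in step 4 matches the one the session sent in step 2. It is written for this page, not taken from the deck, Spring Security or JHipster; the endpoint URLs, client id, client secret and redirect URI are placeholders.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

public class AuthorizationCodeClient {
    // Placeholders; a real app reads these from the provider's metadata and its own config.
    static final String AUTHORIZE_ENDPOINT = "https://as.example.com/oauth2/v1/authorize";
    static final String TOKEN_ENDPOINT = "https://as.example.com/oauth2/v1/token";
    static final String CLIENT_ID = "my-client-id";
    static final String CLIENT_SECRET = "my-client-secret"; // confidential client: never sent to the browser
    static final String REDIRECT_URI = "https://app.example.com/login/oauth2/code/oidc";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Unguessable value stored in the user's session before the redirect (slide 10, step 2). */
    public static String newState() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    /** Slide 10, step 2: the authentication request the browser is redirected to. */
    public static URI authorizeUrl(String state) {
        String query = String.join("&",
            "response_type=code",                       // ask for a code, never a token, in the front channel
            "scope=" + encode("openid profile email"),  // "openid" turns the OAuth flow into OIDC (ID token)
            "client_id=" + encode(CLIENT_ID),
            "redirect_uri=" + encode(REDIRECT_URI),
            "state=" + encode(state));
        return URI.create(AUTHORIZE_ENDPOINT + "?" + query);
    }

    /**
     * Slide 10, step 4: the AS redirects back to REDIRECT_URI with ?code=...&state=...
     * The state must equal the one saved in this session, otherwise the code was not
     * requested by this user and must not be exchanged.
     */
    public static String codeFromCallback(Map<String, String> callbackParams, String expectedState) {
        String state = callbackParams.get("state");
        if (state == null || !MessageDigest.isEqual(
                state.getBytes(StandardCharsets.UTF_8), expectedState.getBytes(StandardCharsets.UTF_8))) {
            throw new IllegalStateException("state mismatch: callback was not started by this session");
        }
        if (callbackParams.containsKey("error")) {
            throw new IllegalStateException("authorization failed: " + callbackParams.get("error"));
        }
        String code = callbackParams.get("code");
        if (code == null) {
            throw new IllegalStateException("callback carries no authorization code");
        }
        return code;
    }

    /** Slide 11, step 1: back-channel exchange; the client authenticates with HTTP Basic. */
    public static HttpRequest tokenRequest(String code) {
        String basic = Base64.getEncoder().encodeToString(
            (encode(CLIENT_ID) + ":" + encode(CLIENT_SECRET)).getBytes(StandardCharsets.UTF_8));
        String body = String.join("&",
            "grant_type=authorization_code",
            "code=" + encode(code),
            "redirect_uri=" + encode(REDIRECT_URI)); // must equal the one used in step 2
        return HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
            .header("Authorization", "Basic " + basic)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
    }
}
```

Sending `tokenRequest(code)` with `java.net.http.HttpClient` returns a JSON body containing `access_token`, `id_token` and, if granted, `refresh_token`; the ID token is then validated as on slide 9 before anything in it is trusted. Because the code travels through the browser but the secret never does, an intercepted code alone is not enough to obtain tokens from a confidential client's registration.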
  12. JHipster OIDC Demo https://youtu.be/GlJWUqy1SJM
      - ⏩ Convert to PWA
      - Keycloak + Registration
      - Save User Snapshot
      - ⛅ Okta + Registration
      - Deploy to Heroku
      - Okta Customization
  13. Force HTTPS in Production

      import org.springframework.context.annotation.Configuration;
      import org.springframework.security.config.annotation.web.builders.HttpSecurity;
      import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

      @Configuration
      public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

          @Override
          protected void configure(HttpSecurity http) throws Exception {
              // Behind a TLS-terminating proxy (Heroku, a load balancer) the app only sees plain HTTP;
              // the proxy signals the original scheme in X-Forwarded-Proto. When that header is
              // present, insist on HTTPS: an http:// request is redirected to https://.
              http.requiresChannel()
                  .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
                  .requiresSecure();
          }
      }
  14. Security Headers

      @Override
      public void configure(HttpSecurity http) throws Exception {
          http
              ... // other configuration elided on the slide
              .and()
                  .headers()
                  // The slide cut off the end of this directive list; script-src and font-src are
                  // completed here with 'self' (assumed), the other directives are as shown.
                  .contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 'self' storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:")
              .and()
                  // Only the origin is sent as Referer to other sites, nothing on downgrade to HTTP
                  .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
              .and()
                  // Browser features the app does not need are switched off; some entries between
                  // microphone and speaker were cut off on the slide and are omitted here.
                  .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; speaker 'none'; fullscreen 'self'; payment 'none'")
              .and()
                  // X-Frame-Options: DENY, the app cannot be embedded in a frame (clickjacking)
                  .frameOptions()
                  .deny()
              ... // other configuration elided on the slide
      }

      https://securityheaders.com
  15. Dependency / Container Scanning
      - JHipster projects use ...
      - Generated app scanning with ...
      https://github.com/jhipster/generator-jhipster/issues/12441
  16. The JHipster Mini-Book
      - Written with Asciidoctor
      - Quick and to the point, 162 pages
      - Developed a Real World App: www.21-points.com
      - Free Download from infoq.com/minibooks/jhipster-mini-book