JHipster Security - JHipster Code 2020

72a2082c6a4dd79ad68befb3db911616?s=47 Matt Raible
September 14, 2020

JHipster Security - JHipster Code 2020

An overview of the security features that JHipster provides, from authentication options to HTTPS to securing methods and routes.

Agenda:

- Spring Security Overview
- Authentication Options
- HTTPS
- Security Headers
- Dependency / Container Scanning
- Security-related JHipster issues

JHipster is secure by default!

📺 https://youtu.be/Ze0rt6JxTfE

72a2082c6a4dd79ad68befb3db911616?s=128

Matt Raible

September 14, 2020
Tweet

Transcript

  1. Matt Raible | @mraible JHipster Security September 14, 2020 #jhipstercode

    Photo by Léonard Cotte https://unsplash.com/photos/c1Jp-fo53U8
  2. @mraible Who is Matt Raible? Father, Husband, Skier, Mountain Biker,

    Whitewater Rafter Bus Lover Web Developer and Java Champion Okta Developer Advocate Blogger on raibledesigns.com and developer.okta.com/blog @mraible
  3. None
  4. None
  5. None
  6. developer.okta.com

  7. Agenda Spring Security Overview Authentication Options HTTPS Security Headers Dependency

    / Container Scanning Security-related JHipster issues
  8. Spring Security https://www.jhipster.tech/security/ JHipster ships with four users: - system

    for audit logs - anonymous - user - admin
  9. Spring Security https://blog.ippon.tech/improving-the-access-control-of-a-jhipster-application/ JHipster ships with two roles: - ROLE_USER

    for CRUD - ROLE_ADMIN SecurityConfiguration for URL protection @PreAuthorize for method-level rules
  10. Authentication Options JSON Web Tokens (JWT) Session-based OAuth 2.0 and

    OpenID Connect JHipster UAA (User Authentication and Authorization)
  11. None
  12. OIDC Login Forms

  13. An open standard for authorization; anyone can implement it Provides

    “secure delegated access” to client applications Works over HTTPS and authorizes: Devices APIs Servers Applications … with access tokens rather than credentials What is OAuth?
  14. OAuth 2.0 Enables apps to obtain limited access (scopes) to

    a user’s data without giving away a user’s password Decouples authentication from authorization Supports multiple use cases addressing different client capabilities and deployment models Server-to-server apps Browser-based apps Mobile/Native apps Consoles/TVs Web-scale delegated authorization framework for REST/APIs Protecting APIs Since October 2012
  15. Hotel Key Cards, but for Apps

  16. Hotel Key Cards, but for Apps OAuth Authorization Server Resource

    (API) Access Token
  17. OAuth Simplified App requests authorization from User 1 User authorizes

    App and delivers proof 2 App presents proof of authorization to server to get a Token 3 Token is restricted to only access what the User authorized for the specific App 4
  18. JSON Web Token (JWT) base64url(Header) + “.” + base64url(Claims) +

    “.” + base64url(Signature) eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2 V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuT WVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0 QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHA iOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF 90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZ XhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1 ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd- AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H- L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyi Z9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhE Qsgm8 { "alg": "RS256” "kid": "123456789" } { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "karl@example.com", "email_verified": true } Header Claims Signature Header Claims
  19. Validate ID Token Token Endpoint Authorization Endpoint /.well-known/ openid-configuration JWKS

    Endpoint UserInfo Endpoint OAuth 2.0 Authorization Server & OpenID Connect Provider (OP) OAuth 2.0 Resource Server Client (Relying Party) 1 3 2 5 4 1 Discover OpenID Provider Metadata 2 Perform OAuth flow to obtain a ID token and/or access token 3 Get JSON Web Key Set (JWKS) for signature keys 4 Validate ID token (JSON Web Token) 5 Get additional user attributes with access token from UserInfo endpoint OpenID Connect
  20. Authorization Code Flow (Web) Authenticate via User Agent 1 User

    starts flow by visiting Web App Client with User Agent 2 Client sends authentication request with openid scope via browser redirect to Authorize Endpoint on Authorization Server 3 User authenticates and consents to Client to access user’s identity 4 Authorization Code Grant and optionally ID Token for Web App is returned to Client via browser redirect 4 2 3 1 User Web App (Client) Resource Server (RS) /UserInfo Authorization Server (AS)
  21. Authorization Code Flow (Web) Exchange Grant for Tokens 1b 1a

    User Web App (Client) Resource Server (RS) /UserInfo Authorization Server (AS) 2 2 Client optionally fetches additional claims with Access Token from UserInfo endpoint Client authenticates & exchanges Authorization Code Grant with token endpoint on Authorization Server for an ID Token, Access Token and optionally Refresh Token 1
  22. ⏩ Convert to PWA Keycloak + Registration Save User Snapshot

    ⛅ Okta + Registration Deploy to Heroku Okta Customization JHipster OIDC Demo https://youtu.be/GlJWUqy1SJM
  23. OAuth Specification oauth.net OAuth 2.0 Servers oauth.com Additional Resources

  24. HTTPS aka TLS https://howhttps.works

  25. JHipster TLS Support https://www.jhipster.tech/tls/ ./mvnw -Pdev,tls ./gradlew -Ptls npm run

    start-tls
  26. Force HTTPS in Production @Configuration public class WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter

    { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }
  27. Security Headers @Override public void configure(HttpSecurity http) throws Exception {

    http ... .and() .headers() .contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 's storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src .and() .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROS .and() .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'non 'none'; speaker 'none'; fullscreen 'self'; payment 'none'") .and() .frameOptions() .deny() ... } https://securityheaders.com
  28. None
  29. JHipster projects use Generated app scanning with Dependency / Container

    Scanning https://github.com/jhipster/generator-jhipster/issues/12441
  30. JHipster Security Issues http://bit.ly/jhc-2020-security

  31. developer.okta.com/blog @oktadev

  32. Written with Asciidoctor Quick and to the point, 162 pages

    Developed a Real World App: www.21-points.com Free Download from infoq.com/minibooks/jhipster-mini-book The JHipster Mini-Book
  33. The JHipster Mini-Book is open source! github.com/mraible/jhipster-book Writing a book

    with code is awesome! ❤
  34. Questions? Keep in touch! raibledesigns.com @mraible Presentations speakerdeck.com/mraible Code github.com/oktadeveloper

  35. developer.okta.com