Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Prospecting the Security Landscape with Spring Boot, Zuul, and Stormpath - KCSUG 2017

Matt Raible
PRO
March 01, 2017
Technology
1
450

Prospecting the Security Landscape with Spring Boot, Zuul, and Stormpath - KCSUG 2017

Video: https://youtu.be/acnbD_zf7fo

Spring Boot has greatly simplified how to develop applications with Spring. Its auto-configuration and many starters has fostered a Spring renaissance that makes developing Spring apps fun again!

Stormpath's Spring Boot starter is one of the most sophisticated in the land! It works with and without Spring Security, providing standard authentication flows as well as sophisticated standards compliant authorization flows (e.g. OAuth2 and OpenID Connect). Stormpath also supports adding to a Zuul gateway to secure your microservices infrastructure. Stormpath has also recently released Juiser, which allows you to auto-create an authenticated user object from an X-Forwarded-User header.

Stormpath Evangelists, Micah Silverman and Matt Raible, demonstrate the wonders of Spring Boot and Stormpath's unique starter that provides an incredible amount of functionality.

Matt Raible
PRO

March 01, 2017
Tweet

More Decks by Matt Raible

See All by Matt Raible
Micro Frontends for Java Microservices - Utah JUG 2024
mraible
PRO
1
110
Micro Frontends for Java Microservices - Devnexus 2024
mraible
PRO
0
520
Comparing Native Java REST API Frameworks - jChampions Conference 2024
mraible
PRO
0
670
Comparing Native Java REST API Frameworks - Atlanta JUG 2024
mraible
PRO
1
250
Micro Frontends for Java Microservices - SF JUG 2023
mraible
PRO
1
330
Choosing the Right Java REST Framework - NY Java SIG 2023
mraible
PRO
0
410
OAuth for Java Developers - Garden State JUG 2023
mraible
PRO
0
180
Comparing Native Java REST API Frameworks - Philadelphia JUG 2023
mraible
PRO
2
770
Securing Spring Boot Microservices with OAuth and OpenID Connect - Devoxx Belgium 2023
mraible
PRO
0
100

Other Decks in Technology

See All in Technology
R3のコードから見る実践LINQ実装最適化・コンカレントプログラミング実例
neuecc
3
3.6k
自らを知り外と繋がる、日経のエンジニア採用とDevRel活動/devreljp92
nishiuma
2
190
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
1
730
M5stackで使用できるpHセンサの開発
shinrinakamura
1
290
BPStudyの200回を中心にIT業界を振り返る。そしてこれから
haru860
3
460
パスワードを保存しますか?
hanacchi
0
210
Android Target SDK 35 (Android 15) 対応の概要
akkie76
0
200
今さら聞けないDocker入門 〜 Dockerfileのベストプラクティス編
devops_vtj
22
6.6k
Cloud Service Mesh に触れ合う
phaya72
1
310
Dungeons and Dragons and Rails
joelq
0
150
コードファーストの考え方。 Amplify Gen2から学ぶAWS次世代のWeb開発体験
yoshiitaka
2
540
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
37k

Featured

See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
25
2k
Raft: Consensus for Rubyists
vanstee
133
6.3k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Six Lessons from altMBA
skipperchong
22
3k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
126
32k
What the flash - Photography Introduction
edds
64
11k
Product Roadmaps are Hard
iamctodd
45
9.8k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Happy Clients
brianwarren
92
6.4k
Building an army of robots
kneath
300
41k
Building Flexible Design Systems
yeseniaperezcruz
320
37k
GitHub's CSS Performance
jonrohan
1025
450k

Transcript

  1. PROSPECTING THE SECURITY LANDSCAPE WITH SPRING BOOT, ZUUL, AND STORMPATH

    MICAH SILVERMAN / @AFITNERD MATT RAIBLE / @MRAIBLE
  2. None

  3. Stormpath User Management

  4. About You Have you implemented your own authentication? How long

    have you been using Spring? Have you heard of Stormpath? Have you heard of or tried Stormpath?

  5. Spring Boot Automatically configures Spring whenever possible Provides production-ready features

    such as metrics, health checks and externalized configuration Absolutely no code generation and no requirement for XML configuration Embeds Tomcat, Jetty or Undertow directly

  6. Spring Boot 1.5 Apache Kafka Support Cloud Foundry actuator extensions

    Spring Data Ingalls LDAP support Loggers endpoint Spring Security 4.2 Support

  7. SPRING INITIALIZR @ start.spring.io

  8. None

  9. Stormpath’s REST API

  10. Stormpath’s Java SDK

  11. API vs Implementation

  12. Stormpath Java SDK Stack

  13. Learn More

  14. Authentication Mechanisms Supported Username and Password Basic Authentication OAuth 2.0

    Client API Open ID Connect (Q2 2017) Multi-Factor Authentication
  15. None

  16. Signature Computation Pseudo-code encodeSecret = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w=" computeHMACSHA256( header + "."

    + payload, base64DecodeToByteArray(encodedSecret) )

  17. JWT Secret Anti-Patterns

  18. Short but not Sweet .signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") )

  19. You’re Doing it Wrong String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="; .signWith( SignatureAlgorithm.HS256,

    b64EncodedSecret.getBytes("UTF-8") )

  20. Supersize that Secret! String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="; .signWith( SignatureAlgorithm.HS512, TextCodec.BASE64.decode(b64EncodedSecret)

    )

  21. Thanks! Micah Silverman & Matt Raible
 @afitnerd @mraible Stormpath Java

    SDK · Java JWT · Juiser Stormpath + Spring + Zuul + Juiser Example Spring Boot MFA Example Stormpath Microservices Screencast JWT Inspector