Prospecting the Security Landscape with Spring Boot, Zuul, and Stormpath - KCSUG 2017

Video: https://youtu.be/acnbD_zf7fo

Spring Boot has greatly simplified how to develop applications with Spring. Its auto-configuration and many starters have fostered a Spring renaissance that makes developing Spring apps fun again!

Stormpath's Spring Boot starter is one of the most sophisticated in the land! It works with and without Spring Security, providing standard authentication flows as well as standards-compliant authorization flows (e.g. OAuth 2.0 and OpenID Connect). Stormpath can also be added to a Zuul gateway to secure a microservices infrastructure, and Stormpath has recently released Juiser, which auto-creates an authenticated user object from an X-Forwarded-User header.

Stormpath Evangelists, Micah Silverman and Matt Raible, demonstrate the wonders of Spring Boot and Stormpath's unique starter that provides an incredible amount of functionality.


Matt Raible

March 01, 2017

Transcript

  1. PROSPECTING THE SECURITY LANDSCAPE WITH SPRING BOOT, ZUUL, AND STORMPATH

    MICAH SILVERMAN / @AFITNERD, MATT RAIBLE / @MRAIBLE
  3. Stormpath User Management

  4. About You

    Have you implemented your own authentication? How long have you been using Spring? Have you heard of Stormpath? Have you heard of or tried Stormpath?
  5. Spring Boot

    Automatically configures Spring whenever possible. Provides production-ready features such as metrics, health checks and externalized configuration. Absolutely no code generation and no requirement for XML configuration. Embeds Tomcat, Jetty or Undertow directly.
  6. Spring Boot 1.5

    Apache Kafka support, Cloud Foundry actuator extensions, Spring Data Ingalls, LDAP support, Loggers endpoint, Spring Security 4.2 support.
  7. SPRING INITIALIZR @ start.spring.io

  9. Stormpath’s REST API

  10. Stormpath’s Java SDK

  11. API vs Implementation

  12. Stormpath Java SDK Stack

  13. Learn More

  14. Authentication Mechanisms Supported

    Username and Password, Basic Authentication, OAuth 2.0, Client API, OpenID Connect (Q2 2017), Multi-Factor Authentication.
  16. Signature Computation Pseudo-code

    encodedSecret = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="
    computeHMACSHA256(header + "." + payload, base64DecodeToByteArray(encodedSecret))
  17. JWT Secret Anti-Patterns

  18. Short but not Sweet

    .signWith(SignatureAlgorithm.HS256, "secret".getBytes("UTF-8"))

  19. You’re Doing it Wrong

    String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
    .signWith(SignatureAlgorithm.HS256, b64EncodedSecret.getBytes("UTF-8"))

  20. Supersize that Secret!

    String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
    .signWith(SignatureAlgorithm.HS512, TextCodec.BASE64.decode(b64EncodedSecret))
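The signature computation on slide 16 and the three secret-handling variants on slides 18 to 20, worked through as an added Python example. This is not code from the talk, from the Stormpath SDK or from JJWT; it uses only the standard library and the slides' own sample secret, and the function names (sign_jwt, verify_jwt, key_strength, audit_slide_keys) are mine. It signs and verifies a compact JWS exactly as the pseudo-code describes, then measures each way of passing the secret against the RFC 7518 floor for HMAC keys (the key must be at least as long as the hash output: 256 bits for HS256, 512 bits for HS512):

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output.
MIN_KEY_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# The sample secret from the slides: base64 text of 32 random bytes.
B64_SECRET = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="


def b64url(data: bytes) -> str:
    """Base64url without padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """The slide's pseudo-code made concrete: HMAC over header + "." + payload
    (both already base64url-encoded) keyed with the raw key bytes."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, HASHES[alg]).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_jwt(token: str, key: bytes, allowed_algs=("HS256", "HS384", "HS512")) -> bool:
    """Recompute the MAC and compare in constant time. The alg is read from the
    header but restricted to the HMAC family we expect, so "none" and asymmetric
    algorithms are refused instead of silently honoured."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        alg = json.loads(b64url_decode(header_b64))["alg"]
        given = b64url_decode(sig_b64)
    except (ValueError, KeyError, TypeError):
        return False
    if alg not in allowed_algs or alg not in HASHES:
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, HASHES[alg]).digest()
    return hmac.compare_digest(expected, given)


def key_strength(key: bytes, alg: str) -> tuple:
    """(key length in bits, whether it meets the RFC 7518 minimum for alg).
    A length check only: it cannot tell whether the bytes are the right secret."""
    bits = len(key) * 8
    return bits, bits >= MIN_KEY_BITS[alg]


def slide_keys() -> dict:
    """The three ways the slides pass the secret to signWith(...)."""
    return {
        # slide 18: "secret".getBytes("UTF-8") is 6 bytes, 48 bits
        "short": "secret".encode("utf-8"),
        # slide 19: the base64 *text* as bytes; 44 bytes, but not the secret that
        # was generated, so a verifier holding the real 32-byte secret rejects it
        "text": B64_SECRET.encode("utf-8"),
        # slide 20: the decoded secret, 32 bytes = 256 bits
        "decoded": base64.b64decode(B64_SECRET),
    }


def audit_slide_keys(alg: str = "HS256") -> dict:
    """Key length and RFC 7518 verdict for each variant under the given alg."""
    return {name: key_strength(key, alg) for name, key in slide_keys().items()}


if __name__ == "__main__":
    keys = slide_keys()
    for alg in ("HS256", "HS512"):
        print(alg, audit_slide_keys(alg))
    token = sign_jwt({"sub": "jane@example.com"}, keys["decoded"])  # constructed claims
    print("verify with decoded key:", verify_jwt(token, keys["decoded"]))
    print("verify with base64 text:", verify_jwt(token, keys["text"]))
```

Two things the audit makes visible. Slide 19's variant passes a pure length check (352 bits), which is why the example also shows the interoperability failure: a token signed with the base64 text cannot be verified by anyone holding the decoded secret. And the slides' 32-byte secret satisfies HS256 but falls short of the 512-bit floor for HS512, so slide 20's "supersize" needs a 64-byte secret as well as the bigger algorithm; JJWT 0.10 and later refuse such undersized keys with a WeakKeyException.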
  21. Thanks! Micah Silverman & Matt Raible

    @afitnerd @mraible

    Stormpath Java SDK · Java JWT · Juiser · Stormpath + Spring + Zuul + Juiser Example · Spring Boot MFA Example · Stormpath Microservices Screencast · JWT Inspector