
Prospecting the Security Landscape with Spring Boot, Zuul, and Stormpath - KCSUG 2017

Video: https://youtu.be/acnbD_zf7fo

Spring Boot has greatly simplified how applications are developed with Spring. Its auto-configuration and many starters have fostered a Spring renaissance that makes developing Spring apps fun again!

Stormpath's Spring Boot starter is one of the most sophisticated in the land! It works with and without Spring Security, providing standard authentication flows as well as sophisticated, standards-compliant authorization flows (e.g. OAuth2 and OpenID Connect). Stormpath can also be added to a Zuul gateway to secure your microservices infrastructure. Stormpath has also recently released Juiser, which allows you to auto-create an authenticated user object from an X-Forwarded-User header.

Stormpath Evangelists, Micah Silverman and Matt Raible, demonstrate the wonders of Spring Boot and Stormpath's unique starter that provides an incredible amount of functionality.

Matt Raible

March 01, 2017

Transcript

  1. PROSPECTING THE SECURITY LANDSCAPE
    WITH SPRING BOOT, ZUUL, AND STORMPATH
    MICAH SILVERMAN / @AFITNERD
    MATT RAIBLE / @MRAIBLE

  2. Stormpath User Management

  3. About You
    Have you implemented your own authentication?

    How long have you been using Spring?

    Have you heard of Stormpath?

    Have you heard of or tried Stormpath?

  4. Spring Boot
    Automatically configures Spring whenever possible

    Provides production-ready features such as metrics, health checks and
    externalized configuration

    Absolutely no code generation and no requirement for XML
    configuration

    Embeds Tomcat, Jetty or Undertow directly

  5. Spring Boot 1.5
    Apache Kafka Support

    Cloud Foundry actuator extensions

    Spring Data Ingalls

    LDAP support

    Loggers endpoint

    Spring Security 4.2 Support

  6. SPRING INITIALIZR @ start.spring.io

  7. Stormpath’s REST API

  8. Stormpath’s Java SDK

  9. API vs Implementation

  10. Stormpath Java SDK Stack

  11. Authentication Mechanisms Supported
    Username and Password

    Basic Authentication

    OAuth 2.0

    Client API

    OpenID Connect (Q2 2017)

    Multi-Factor Authentication

  12. Signature Computation Pseudo-code
    encodedSecret =
        "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="
    computeHMACSHA256(
        header + "." + payload,
        base64DecodeToByteArray(encodedSecret)
    )

  13. JWT Secret Anti-Patterns

  14. Short but not Sweet
    .signWith(
        SignatureAlgorithm.HS256,
        "secret".getBytes("UTF-8")
    )

  15. You’re Doing it Wrong
    String b64EncodedSecret =
        "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
    .signWith(
        SignatureAlgorithm.HS256,
        b64EncodedSecret.getBytes("UTF-8")
    )

  16. Supersize that Secret!
    String b64EncodedSecret =
        "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
    .signWith(
        SignatureAlgorithm.HS512,
        TextCodec.BASE64.decode(b64EncodedSecret)
    )
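The signature computation from slide 12 and the three key constructions from slides 14 to 16, as an added Python example that is not from the deck or from jjwt. It assumes the minimum HMAC key sizes of RFC 7518 section 3.2 (at least the hash output length) and a constructed claims set, and it shows two things the slides only hint at: tokens signed with the slide 15 key (the UTF-8 bytes of the base64 text) do not verify against the decoded secret a correctly configured peer would use, and the 32-byte decoded secret meets the HS256 minimum but not the HS512 one.

```python
import base64
import hashlib
import hmac
import json

# Minimum HMAC key size per RFC 7518 section 3.2: at least the hash output length.
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# The base64-encoded secret shown on slides 15 and 16 (decodes to 32 raw bytes).
B64_SECRET = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWT requires for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Slide 12 in code: HMAC over header + "." + payload, keyed with the raw key bytes."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), HASHES[alg]).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, alg: str = "HS256") -> bool:
    """Recompute the signature with the alg the verifier expects (never the one in the
    token header) and compare in constant time."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), HASHES[alg]).digest()
    return hmac.compare_digest(b64url(expected), sig)


def key_meets_minimum(key: bytes, alg: str) -> bool:
    """The check a practitioner wants before calling signWith: is the key long enough?"""
    return len(key) >= MIN_KEY_BYTES[alg]


def slide_keys() -> dict:
    """The three (alg, key) pairs exactly as slides 14, 15 and 16 construct them."""
    return {
        "slide14_short": ("HS256", "secret".encode("utf-8")),        # 6 bytes
        "slide15_b64_text": ("HS256", B64_SECRET.encode("utf-8")),   # 44 ASCII bytes, not the secret
        "slide16_decoded": ("HS512", base64.b64decode(B64_SECRET)),  # 32 raw bytes
    }


if __name__ == "__main__":
    for name, (alg, key) in slide_keys().items():
        print(f"{name}: {alg} key of {len(key)} bytes, meets minimum: {key_meets_minimum(key, alg)}")
```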

  17. Thanks!
    Micah Silverman & Matt Raible

    @afitnerd @mraible
    Stormpath Java SDK · Java JWT · Juiser

    Stormpath + Spring + Zuul + Juiser Example

    Spring Boot MFA Example
    Stormpath Microservices Screencast

    JWT Inspector