
Prospecting the Security Landscape with Spring Boot, Zuul, and Stormpath - KCSUG 2017

Video: https://youtu.be/acnbD_zf7fo

Spring Boot has greatly simplified how to develop applications with Spring. Its auto-configuration and many starters have fostered a Spring renaissance that makes developing Spring apps fun again!

Stormpath's Spring Boot starter is one of the most sophisticated in the land! It works with and without Spring Security, providing standard authentication flows as well as standards-compliant authorization flows (e.g. OAuth 2.0 and OpenID Connect). Stormpath can also be added to a Zuul gateway to secure your microservices infrastructure. Stormpath has also recently released Juiser, which auto-creates an authenticated user object from an X-Forwarded-User header.

Stormpath Evangelists, Micah Silverman and Matt Raible, demonstrate the wonders of Spring Boot and Stormpath's unique starter that provides an incredible amount of functionality.

Matt Raible

March 01, 2017


Transcript

  1. PROSPECTING THE SECURITY LANDSCAPE
    WITH SPRING BOOT, ZUUL, AND STORMPATH
    MICAH SILVERMAN / @AFITNERD
    MATT RAIBLE / @MRAIBLE



  3. Stormpath User Management


  4. About You
    Have you implemented your own authentication?

    How long have you been using Spring?

    Have you heard of Stormpath?

    Have you heard of or tried Stormpath?


  5. Spring Boot
    Automatically configures Spring whenever possible

    Provides production-ready features such as metrics, health checks and
    externalized configuration

    Absolutely no code generation and no requirement for XML
    configuration

    Embeds Tomcat, Jetty or Undertow directly


  6. Spring Boot 1.5
    Apache Kafka Support

    Cloud Foundry actuator extensions

    Spring Data Ingalls

    LDAP support

    Loggers endpoint

    Spring Security 4.2 Support


  7. SPRING INITIALIZR @ start.spring.io



  9. Stormpath’s REST API


  10. Stormpath’s Java SDK


  11. API vs Implementation


  12. Stormpath Java SDK Stack


  13. Learn More


  14. Authentication Mechanisms Supported
    Username and Password

    Basic Authentication

    OAuth 2.0

    Client API

    OpenID Connect (Q2 2017)

    Multi-Factor Authentication



  16. Signature Computation Pseudo-code
    encodedSecret =
    "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="   // base64 of 32 random bytes (256 bits)
    signature = computeHMACSHA256(
    base64url(header) + "." + base64url(payload),   // the JWS signing input
    base64DecodeToByteArray(encodedSecret)          // the raw key bytes, not the base64 text
    )


  17. JWT Secret Anti-Patterns


  18. Short but not Sweet
    .signWith(
    SignatureAlgorithm.HS256,
    "secret".getBytes("UTF-8")   // 6 bytes (48 bits) of key: guessable, far below the 256 bits HS256 needs
    )


  19. You’re Doing it Wrong
    String b64EncodedSecret =
    "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
    .signWith(
    SignatureAlgorithm.HS256,
    b64EncodedSecret.getBytes("UTF-8")   // the 44 ASCII bytes of the base64 text, not the 32 bytes it encodes
    )


  20. Supersize that Secret!
    String b64EncodedSecret =
    "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
    .signWith(
    SignatureAlgorithm.HS512,
    TextCodec.BASE64.decode(b64EncodedSecret)   // decodes to 32 raw bytes: enough for HS256, but HS512 needs 64
    )

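The signature computation on slide 16 and the three `signWith()` key variants on slides 18 to 20, as an added example that is not part of the deck and not JJWT code: a standard-library Python implementation of the HS256/HS512 JWS steps, with the three key derivations side by side so the effect of each can be checked. The base64 secret is the slides' own; the `jane` claims are constructed for the demo; the minimum key sizes come from RFC 7518 section 3.2, which requires an HMAC key at least as long as the hash output. That last rule is the caveat on the "Supersize that Secret!" slide: switching to HS512 while keeping the 32-byte secret leaves the key below the 64 bytes HS512 requires, and JJWT 0.10 and later refuse such a key with a WeakKeyException.

```python
# Added example (not from the deck, not JJWT): HMAC JWS signing and the three
# key-handling variants from the anti-pattern slides, standard library only.
import base64
import hashlib
import hmac
import json
import secrets

# The base64-encoded secret from the slides; it encodes 32 raw bytes (256 bits).
B64_ENCODED_SECRET = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="

HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# RFC 7518 section 3.2: the HMAC key MUST be at least the size of the hash output.
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def signing_input(header: dict, payload: dict) -> str:
    """The slide's 'header + "." + payload': each part is base64url-encoded JSON."""
    def enc(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return enc(header) + "." + enc(payload)


def jws_sign(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC(key, input))."""
    header = {"alg": alg, "typ": "JWT"}
    data = signing_input(header, payload)
    mac = hmac.new(key, data.encode("ascii"), HASHES[alg]).digest()
    return data + "." + b64url(mac)


def jws_verify(token: str, key: bytes, expected_alg: str) -> bool:
    """Recompute the MAC with the caller's key and compare in constant time.

    The caller states which algorithm it expects; the token's own 'alg' header
    is only checked for agreement and never used to pick the hash function.
    """
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return False
    header = json.loads(base64.urlsafe_b64decode(h64 + "=" * (-len(h64) % 4)))
    if header.get("alg") != expected_alg:
        return False
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), HASHES[expected_alg]).digest()
    return hmac.compare_digest(b64url(expected), s64)


# The three ways the slides hand a key to signWith(), reduced to the raw key bytes.

def key_short_but_not_sweet() -> bytes:
    """Slide 18: "secret".getBytes("UTF-8") -> 6 bytes, about 48 bits of key."""
    return "secret".encode("utf-8")


def key_doing_it_wrong() -> bytes:
    """Slide 19: b64EncodedSecret.getBytes("UTF-8").

    The key becomes the 44 ASCII bytes of the base64 text, not the 32 bytes it
    encodes. Any other party that decodes the shared secret (the issuer, another
    service behind the gateway) derives a different key, so tokens fail to verify.
    """
    return B64_ENCODED_SECRET.encode("utf-8")


def key_decoded() -> bytes:
    """Slide 20: TextCodec.BASE64.decode(b64EncodedSecret) -> the intended 32 bytes."""
    return base64.b64decode(B64_ENCODED_SECRET)


def key_is_strong_enough(key: bytes, alg: str) -> bool:
    """True when the key meets the RFC 7518 minimum for the algorithm."""
    return len(key) >= MIN_KEY_BYTES[alg]


def generate_key(alg: str) -> bytes:
    """A fresh random key of the minimum size for alg; store it base64-encoded."""
    return secrets.token_bytes(MIN_KEY_BYTES[alg])


if __name__ == "__main__":
    claims = {"sub": "jane", "scope": "read"}  # constructed demo claims
    good = key_decoded()
    token = jws_sign(claims, good, "HS256")
    print(token)
    print("verifies with decoded key:   ", jws_verify(token, good, "HS256"))
    print("verifies with getBytes() key:", jws_verify(token, key_doing_it_wrong(), "HS256"))
    for name, key in (('"secret"', key_short_but_not_sweet()), ("decoded", good)):
        for alg in ("HS256", "HS512"):
            print(f"{name:>9} {len(key):3d} bytes ok for {alg}: {key_is_strong_enough(key, alg)}")
    print("HS512 key should be", len(generate_key("HS512")), "bytes")
```

`jws_verify` takes the expected algorithm from the caller rather than from the token so that a forged header cannot downgrade the check; the same goes for the key, which is decoded once from its stored base64 form and never derived from the text of that form.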

  21. Thanks!
    Micah Silverman & Matt Raible

    @afitnerd @mraible
    Stormpath Java SDK · Java JWT · Juiser

    Stormpath + Spring + Zuul + Juiser Example

    Spring Boot MFA Example

    Stormpath Microservices Screencast

    JWT Inspector
