Slide 1

Slide 1 text

JHipster Security
Matt Raible | @mraible
September 14, 2020 | #jhipstercode
Photo by Léonard Cotte https://unsplash.com/photos/c1Jp-fo53U8

Slide 2

Slide 2 text

Who is Matt Raible?
- Father, Husband, Skier, Mountain Biker, Whitewater Rafter
- Bus Lover
- Web Developer and Java Champion
- Okta Developer Advocate
- Blogger on raibledesigns.com and developer.okta.com/blog
@mraible

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

developer.okta.com

Slide 7

Slide 7 text

Agenda
- Spring Security Overview
- Authentication Options
- HTTPS
- Security Headers
- Dependency / Container Scanning
- Security-related JHipster issues

Slide 8

Slide 8 text

Spring Security
https://www.jhipster.tech/security/
JHipster ships with four users:
- system (for audit logs)
- anonymous
- user
- admin

Slide 9

Slide 9 text

Spring Security
https://blog.ippon.tech/improving-the-access-control-of-a-jhipster-application/
JHipster ships with two roles:
- ROLE_USER for CRUD
- ROLE_ADMIN
SecurityConfiguration for URL protection
@PreAuthorize for method-level rules

Slide 10

Slide 10 text

Authentication Options
- JSON Web Tokens (JWT)
- Session-based
- OAuth 2.0 and OpenID Connect
- JHipster UAA (User Authentication and Authorization)

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

OIDC Login Forms

Slide 13

Slide 13 text

What is OAuth?
- An open standard for authorization; anyone can implement it
- Provides “secure delegated access” to client applications
- Works over HTTPS and authorizes:
  - Devices
  - APIs
  - Servers
  - Applications
  … with access tokens rather than credentials

Slide 14

Slide 14 text

OAuth 2.0
- Enables apps to obtain limited access (scopes) to a user’s data without giving away a user’s password
- Decouples authentication from authorization
- Supports multiple use cases addressing different client capabilities and deployment models:
  - Server-to-server apps
  - Browser-based apps
  - Mobile/Native apps
  - Consoles/TVs
- Web-scale delegated authorization framework for REST/APIs
- Protecting APIs since October 2012

Slide 15

Slide 15 text

Hotel Key Cards, but for Apps

Slide 16

Slide 16 text

Hotel Key Cards, but for Apps
(diagram labels: OAuth Authorization Server, Access Token, Resource (API))

Slide 17

Slide 17 text

OAuth Simplified
1. App requests authorization from User
2. User authorizes App and delivers proof
3. App presents proof of authorization to server to get a Token
4. Token is restricted to only access what the User authorized for the specific App

Slide 18

Slide 18 text

JSON Web Token (JWT)

base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature)

eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd-AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8

Header:
{
  "alg": "RS256",
  "kid": "123456789"
}

Claims:
{
  "iss": "https://example.okta.com",
  "sub": "00ugrenMeqvYla4HW0g3",
  "aud": "w255HEWiSU4AuNxEjeij",
  "iat": 1446305282,
  "exp": 1446308882,
  "amr": [ "pwd" ],
  "auth_time": 1446305282,
  "email": "karl@example.com",
  "email_verified": true
}

Signature: third segment of the token above, computed over base64url(Header) + “.” + base64url(Claims)

Slide 19

Slide 19 text

OpenID Connect
Actors: Client (Relying Party); OAuth 2.0 Authorization Server & OpenID Connect Provider (OP) exposing the Authorization Endpoint, Token Endpoint, /.well-known/openid-configuration, JWKS Endpoint and UserInfo Endpoint; OAuth 2.0 Resource Server
1. Discover OpenID Provider Metadata
2. Perform OAuth flow to obtain an ID token and/or access token
3. Get JSON Web Key Set (JWKS) for signature keys
4. Validate ID token (JSON Web Token)
5. Get additional user attributes with access token from UserInfo endpoint
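To make steps 3 and 4 concrete, here is an added example (not code from the slides or from JHipster) that splits the JWT shown on the token slide, restricts the accepted alg, and applies the issuer, audience and time checks a relying party runs once the signature has been verified with the JWKS key; the token constant is the slide's own token joined across its line wraps, and the issuer and client id used in the checks are read from its claims.

```python
import base64
import json

# Constructed input: the token from the JWT slide, joined across its line wraps.
SAMPLE_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIs"
    "ImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIs"
    "ImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20i"
    "LCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0."
    "XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd-AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-"
    "L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8"
)
# Algorithms this relying party accepts: pin what the provider advertises, never "none",
# and do not let the token itself pick between RSA and HMAC verification.
ALLOWED_ALGS = {"RS256"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token: str):
    """Return (header, claims, signature) as untrusted data; nothing here proves authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.claims.signature")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    return header, json.loads(b64url_decode(parts[1])), b64url_decode(parts[2])


def check_claims(claims: dict, issuer: str, client_id: str, now: int, skew: int = 60) -> list:
    """Checks applied only after the signature verified against the key from the JWKS endpoint."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        problems.append("aud mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + skew:
        problems.append("expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + skew:
        problems.append("iat in the future")
    return problems
```

The `now` parameter is passed in rather than read from the clock so the slide's 2015 token can be checked deterministically; in a real relying party use the current time.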

Slide 20

Slide 20 text

Authorization Code Flow (Web): Authenticate via User Agent
Participants: User, Web App (Client), Authorization Server (AS), Resource Server (RS) /UserInfo
1. User starts flow by visiting Web App Client with User Agent
2. Client sends authentication request with openid scope via browser redirect to Authorize Endpoint on Authorization Server
3. User authenticates and consents to Client to access user’s identity
4. Authorization Code Grant and optionally ID Token for Web App is returned to Client via browser redirect

Slide 21

Slide 21 text

Authorization Code Flow (Web): Exchange Grant for Tokens
Participants: User, Web App (Client), Authorization Server (AS), Resource Server (RS) /UserInfo
1. Client authenticates & exchanges Authorization Code Grant with token endpoint on Authorization Server for an ID Token, Access Token and optionally Refresh Token (1a request, 1b response)
2. Client optionally fetches additional claims with Access Token from UserInfo endpoint

Slide 22

Slide 22 text

JHipster OIDC Demo
https://youtu.be/GlJWUqy1SJM
- ⏩ Convert to PWA
- Keycloak + Registration
- Save User Snapshot
- ⛅ Okta + Registration
- Deploy to Heroku
- Okta Customization

Slide 23

Slide 23 text

Additional Resources
- OAuth Specification: oauth.net
- OAuth 2.0 Servers: oauth.com

Slide 24

Slide 24 text

HTTPS aka TLS
https://howhttps.works

Slide 25

Slide 25 text

JHipster TLS Support
https://www.jhipster.tech/tls/

    ./mvnw -Pdev,tls
    ./gradlew -Ptls
    npm run start-tls

Slide 26

Slide 26 text

Force HTTPS in Production

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Behind a proxy or load balancer that terminates TLS, the original
            // scheme arrives in X-Forwarded-Proto; redirect those requests to HTTPS.
            http.requiresChannel()
                .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
                .requiresSecure();
        }
    }

Slide 27

Slide 27 text

Security Headers

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            ...
            .and()
                .headers()
                .contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 'self' ... storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src ...")
            .and()
                .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            .and()
                .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; ... 'none'; speaker 'none'; fullscreen 'self'; payment 'none'")
            .and()
                .frameOptions()
                .deny()
            ...
    }

(The policy strings are cropped on the slide; "..." marks the cropped parts.)

https://securityheaders.com
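The CSP string above is the part of this configuration most likely to be weakened over time, so here is an added example (not from the slides or from JHipster) that parses a Content-Security-Policy value and reports the sources that undermine script-injection and framing protection; both policy constants are constructed for the example, the first modelled on the cropped policy on the slide and the second a tightened version.

```python
from typing import Dict, List

# Constructed samples: the first is modelled on the (cropped) policy shown on the
# slide, the second is a tightened version; neither is the exact generated string.
SLIDE_STYLE_CSP = (
    "default-src 'self'; frame-src 'self' data:; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' storage.googleapis.com; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:"
)
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' https://storage.googleapis.com; "
    "style-src 'self'; img-src 'self' data:; font-src 'self'; "
    "object-src 'none'; frame-ancestors 'none'; base-uri 'self'"
)


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            # Browsers honour the first occurrence of a directive and ignore repeats.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    # Fetch directives such as script-src fall back to default-src when absent.
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(header_value: str) -> List[str]:
    """Return findings that weaken script-injection or framing protection; [] is clean."""
    policy = parse_csp(header_value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives are unrestricted")
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            if weak in sources:
                findings.append("%s allows %s" % (directive, weak))
        findings += ["%s allows plaintext origin %s" % (directive, s)
                     for s in sources if s.startswith("http:")]
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can run script")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: framing control rests on X-Frame-Options alone")
    return findings
```

Run `audit_csp` against the header your deployed app actually sends (e.g. copied from the browser's network panel), since proxies and CDNs sometimes rewrite it.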

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Dependency / Container Scanning
JHipster projects use … (tool shown as a logo on the slide)
Generated app scanning with … (tool shown as a logo on the slide)
https://github.com/jhipster/generator-jhipster/issues/12441

Slide 30

Slide 30 text

JHipster Security Issues http://bit.ly/jhc-2020-security

Slide 31

Slide 31 text

developer.okta.com/blog @oktadev

Slide 32

Slide 32 text

The JHipster Mini-Book
- Written with Asciidoctor
- Quick and to the point, 162 pages
- Developed a Real World App: www.21-points.com
- Free Download from infoq.com/minibooks/jhipster-mini-book

Slide 33

Slide 33 text

The JHipster Mini-Book is open source!
github.com/mraible/jhipster-book
Writing a book with code is awesome! ❤

Slide 34

Slide 34 text

Questions? Keep in touch!
- raibledesigns.com
- @mraible
- Presentations: speakerdeck.com/mraible
- Code: github.com/oktadeveloper

Slide 35

Slide 35 text

developer.okta.com