SlideShare una empresa de Scribd logo

Building layers of defense for your application

VMware Tanzu
VMware Tanzu

This document discusses building layers of defense for applications using the Spring Security framework. It begins with an introduction to authentication and authorization. It then discusses the layers of defense for a web application and provides an overview of Spring Security, how it works, and how to integrate it. The document outlines common security threats and how Spring Security protects against them. It also covers topics like basic authentication, JWT, OAuth, OpenID Connect, and content security policy. Code examples are provided to demonstrate concepts like CSRF protection, HTTP verb tampering prevention, and session fixation.

Software
1 de 68
Descargar para leer sin conexión
Building Layers of Defense for Your Application Using Spring Security Framework Neha Sardana
About Me ● Software Developer ● Fellow JUG Leader at Garden State Java User Group, NJ and New York Java SIG, NY ● Building Spring based applications for almost 10 years ● Love to travel, practice yoga and watch cricket ● Github : nsardana-bny ● linkedin.com/in/nehasardana9786/ ● Twitter: @nehasardana09, Medium: @neha-nsit 2
Agenda ● Authentication and Authorization ● Layers of defense for a web app ● Spring Security - The 5Ws ● Common Security Threats ● Protection against threats ● Basic Authentication ● JWT, OAuth and OpenID Connect ● Code! ● Principles of Application Security 3
Pre-requisites ● Java ● Spring Framework ● Maven 4
What is Security? 5
Authentication ● Authentication is about validating your credentials like User Name/User ID and password to verify your identity. ● The system determines whether you are what you say you are using your credentials. 6
Authorization ● Authorization is the process to determine whether the authenticated user has access to particular resources. ● It verifies your rights to grant you access to resources such as information, databases, files, etc. ● Authorization usually comes after authentication which confirms your privileges to perform. 7
Layers of defense for a web app 8 ● Network Firewall ● Login Page ● Security Questions ● Authentication or Multi-factor Authentication ● Hashing and/or Salting ● Authorization Don’t give very specific error message to the user!!! EVER!
Introducing Spring Security Framework 9
10
What is Spring Security? ● Spring Security is a powerful and highly customizable authentication and access-control framework for Java based applications. ● It is the de-facto standard for securing Spring-based applications. ● Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements 11
Why Use Spring Security? ● Easy Integration with Spring Boot ● Supported by large Open Source Community ● Authentication/Authorization (Out of the box) ● Application layer framework (not tied to a particular web server) ● Loosely Coupled ● Filter Entry point/Servlet ● Multiple authentication models ● Protects from Common Security Threats! 12
Why use Spring Security? ● Due to increased adoption of frameworks like Spring Security, many of the previously common exploits such as: Cross Site Request Forgery and Clickjacking and many others are no longer on OWASP (Open Web Application Security Project) top 10. 13
How Spring Security integrates 14
15
How to use Spring Security in your application 16
17 Add below code to your pom.xml in Spring Boot Project
How Spring Security Works 18
19
● To enable Spring Security, you have to register Spring Security Filter, also known as, DelegatingFilterProxy, with your servlet container. ● DelegatingFilterProxy will forward all requests to other Spring Security Filters to perform Authentication or Authorization checks. ● Two important things to kick start your security framework: Dispatcher Servlet & Delegating Proxy Filter. 20 How Spring Security Works
21
Filter Interface 22
Filter Interface ● Init() - Called by the web container to indicate to a filter that it is being placed into service. ● destroy() - Called by the web container to indicate to a filter that it is being taken out of service. ● doFilter() - The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. ● The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain. 23
FilterChainProxy & Security Filter Chain ● DelegatingFilterProxy delegates the request to FilterChainProxy (FCP) which in turn delegates to another object SecurityFilterChain (SFC). ● SFC is a wrapper around collection of Spring Filters that performs actual security tasks. ● When a request comes, FCP iterates through SFC in order to find the one which matches with the request url. ● After the above step, the appropriate Filter is invoked to perform security tasks. ● The Order of SFC matters a lot! ● There are options to have multiple SFC in one application to have multiple types of authentication for different types of URLs. 24
SecurityFilterChain Interface 25
SecurityFilterChain Interface ● matches() - returns boolean to checks if the request matches the filter chain ● getFilters() - returns a list of security filters for the matched request 26
27
Authentication Flow 28
Authentication Flow ● Authentication Filter creates an “Authentication Request” and passes it to the Authentication Manager ● Authentication Manager delegates to the Authentication Provider ● Authentication Provider uses UserDetailsService to load the UserDetails and returns an “Authenticated Principal” ● Authentication Filter sets the Authentication in the SecurityContext 29
30 AuthenticationFilter Authentication Principal AuthenticationManager Authentication Providers Authentication Principal Security Context UserDetailsService generates authenticates delegates get UserDetails SecurityContextHolder adds
Authentication Object ● Principal - identifies the user. When authenticating with a username/password this is often an instance of UserDetails. ● Credentials - Often a password. In many cases this will be cleared after the user is authenticated to ensure it is not leaked. ● Authorities - the GrantedAuthorities are high level permissions the user is granted. A few examples are roles or scopes. 31
32 Authentication Object
Authorization Flow 33
Authorization Flow ● FilterSecurityInterceptor obtains the “Security Metadata” by matching the current request ● FilterSecurityInterceptor gets the current Authentication ● The Authentication, Security Metadata and Request is passed to the AccessDecisionManager ● AccessDecisionManager delegates it to the AccessDecisionVoter(s) for decisioning 34
What happens when there is Exception? ● When “Access Denied” for current Authentication, ExceptionTranslationFilter delegates to the AccessDeniedHandler and returns a Http 403 status code ● When current Authentication is “Anonymous”, ExceptionTranslationFilter delegates to the AuthenticationEntryPoint to start the Authentication Process 35
Filter Chain Ordering 1. ChannelProcessingFilter 2. WebAsyncManagerIntegrationFilter 3. SecurityContextPersistenceFilter 4. HeaderWriterFilter 5. CorsFilter 6. CsrfFilter 7. LogoutFilter 8. OAuth2AuthorizationRequestRedirectFilter 9. Saml2WebSsoAuthenticationRequestFilter 10. X509AuthenticationFilter 11. AbstractPreAuthenticatedProcessingFilter 12. CasAuthenticationFilter 13. OAuth2LoginAuthenticationFilter 14. Saml2WebSsoAuthenticationFilter 15. UsernamePasswordAuthenticationFilter 16. OpenIDAuthenticationFilter 17. DefaultLoginPageGeneratingFilter 36
Filter Chain Ordering (Contd.) 18. DefaultLogoutPageGeneratingFilter 19. ConcurrentSessionFilter 20. DigestAuthenticationFilter 21. BearerTokenAuthenticationFilter 22. BasicAuthenticationFilter 23. RequestCacheAwareFilter 24. SecurityContextHolderAwareRequestFilter 25. JaasApiIntegrationFilter 26. RememberMeAuthenticationFilter 27. AnonymousAuthenticationFilter 28. OAuth2AuthorizationCodeGrantFilter 29. SessionManagementFilter 30. ExceptionTranslationFilter 31. FilterSecurityInterceptor 32. SwitchUserFilter 37
Common Security Threats ● Injection ● Broken Authentication ● Sensitive Data Exposure ● XML External Entities ● Broken Access Control ● Security Misconfiguration ● Cross-Site Scripting ● Insecure Deserialization ● Using Components with Known Vulnerabilities ● Insufficient logging and monitoring 38
How Spring Security protects against Threats 39
Spring Security Headers 40
Spring Security Headers ● Disables Browser Cache ○ If your application provides its own cache control headers Spring Security will back out of the way ● Disables Content Sniffing ○ Content Sniffing- when the browser is trying to guess the content type of a request ● Disables Frame (prevents Clickjacking) ○ By default Spring Security disables rendering pages within an iframe ● HTTP Strict Transport Security (HSTS) ○ Instructs Browser to treat this domain and subdomains as an HSTS host for a year by default 41
Spring Security Headers ● Reflective XSS ○ Prevents Browser from rendering a page if it suspects a reflective XSS attack 42
CSRF Protection ● Cross-Site Request Forgery is an attack that forces a user to execute unwanted actions in an application they’re currently logged into. ● If the user is a normal user, a successful attack can involve state-changing requests like transferring funds or changing their email address. ● If the user has elevated permissions, a CSRF attack can compromise the entire application. ● Spring Security uses Synchronizer Token Pattern where along with creating the session cookie on authentication, it also creates a csrf token which a malicious site can not access or use. ● On the backend side, CSRF Filter expects this token along with state changing requests to allow the request to pass through. 43
Example of CSRF for SPA 44
HTTP Verb Tampering ● HTTP Verb Tampering is an attack that exploits vulnerabilities in HTTP verb (also known as HTTP method) authentication and access control mechanisms. ● Many authentication mechanisms only limit access to the most common HTTP methods, thus allowing unauthorized access to restricted resources by other HTTP methods. 45
Example of HTTP Verb Tampering 46
Enable Content Security Policy to Prevent XSS Attacks ● Content Security Policy (CSP) is an added layer of security that helps mitigate XSS (cross-site scripting) and data injection attacks. ● To enable it, you need to configure your app to return a Content-Security-Policy header. ● You can also use a <meta http-equiv="Content-Security-Policy"> tag in your HTML page. 47
Example for Content Security Policy prevention 48
Session Fixation ● Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). ● Spring Security protects against this automatically by creating a new session or otherwise changing the session ID when a user logs in. 49
HTTPS in Production and NOT HTTP! 50
Basic Authentication 51
Basic Authentication ● Credentials are transmitted through header ● Header name: Authentication ● Header value: Basic + Base64(username:password) ● Eg: Authorization: Basic YMDDdnskdslkdlklsklddlk 52
Common Challenges with Basic Authentication ● Base64 is easy to decode! ● Managing password hash with application data is a bottleneck. ● Sharing username and password for integrating with third party vendor can cause a lot of problems. ● In case of a distributed application, while scaling up, you have to scale up the identity and authentication mechanism as well. ● If starting from a monolith application and going further down into Microservices, you will require Authentication and Authorization for each of the service which creating a problem later. 53
Introducing OAuth2, OIDC and JWT 54
55
Goal of OAuth2 ● This was driven mainly because the applications realised that user password sharing with multiple unknown apps was a big security threat. ● To allow applications to access data from third party apps without the users sharing their password. ● Problems while implementing single sign on because of the need to share passwords between applications 56
OAuth2 ● OAuth 2.0 is the industry-standard protocol for authorization. ● OAuth 1.0 was published in Dec 2007. ● It uses scopes to define permissions about what actions an authorized user can perform. ● However, OAuth 2.0 is not an authentication protocol and provides no information about the authenticated user. ● https://auth0.com/ 57
OpenID Connect ● OpenID Connect (OIDC) is an OAuth 2.0 extension that provides user information. ● It adds an ID token in addition to an access token, as well as a /userinfo endpoint that you can get additional information from. ● It also adds an endpoint discovery feature and dynamic client registration. 58
59 JSON Web Token (JWT) ● Light weight ○ JSON Map Information ● Verifiable ○ Digitally signed and Base64 URL encoded ● Protocol Agnostic ○ Can be used standalone ● Expiration Time
60 Field Description iat Indicates the token was "issued at" jit JSON Token ID iss Issuer of the token exp Expiry time sub Subject aud Audience JSON Structure ● Header ● Payload ● Signature
61
62
63
Code: https://github.com/nsardana-bny/spring-security- oauth2-okta-sample 64
Final Thoughts 65
Core Principles of Application Security ● Minimize attack surface area ● Establish secure defaults ● The principle of least privilege ● The principle of defense in depth ● Fail securely ● Don’t trust services ● Separation of duties ● Avoid security by obscurity ● Keep security simple ● Fix security issues correctly 66
References Medium Blog - Spring Security Code Walkthrough Spring Design Principles Top Courses on Spring Security OWASP Top 10 Spring Security Reference OAuth 2.1 Picture Credits: https://tinyurl.com/fp5pfux7 (Pluralsight.com) 67
Thank you! Twitter: @nehasardana09 68

Recomendados

Rest API
Rest APIRest API
Rest APIRohana K Amarakoon
 
Express node js
Express node jsExpress node js
Express node jsYashprit Singh
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerVMware Tanzu
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST APIAniruddh Bhilvare
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 

Recomendados

Rest API
Rest APIRest API
Rest APIRohana K Amarakoon
 
Express node js
Express node jsExpress node js
Express node jsYashprit Singh
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerVMware Tanzu
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST APIAniruddh Bhilvare
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
Microservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring CloudMicroservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring CloudEberhard Wolff
 
Express js
Express jsExpress js
Express jsManav Prasad
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
REST API
REST APIREST API
REST APITofazzal Ahmed
 
Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementFahad Golra
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
DVGA writeup
DVGA writeupDVGA writeup
DVGA writeupYu Iwama
 
Spring Security
Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
 
RESTful services
RESTful servicesRESTful services
RESTful servicesgouthamrv
 
Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
.Net Core
.Net Core.Net Core
.Net CoreSoftware Infrastructure
 
Spring Boot
Spring BootSpring Boot
Spring BootJiayun Zhou
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUDPrem Sanil
 
Introducing Saga Pattern in Microservices with Spring Statemachine
Introducing Saga Pattern in Microservices with Spring StatemachineIntroducing Saga Pattern in Microservices with Spring Statemachine
Introducing Saga Pattern in Microservices with Spring StatemachineVMware Tanzu
 
Introduction to Microservices Patterns
Introduction to Microservices PatternsIntroduction to Microservices Patterns
Introduction to Microservices PatternsDimosthenis Botsaris
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
Introduction to Spring Cloud
Introduction to Spring Cloud Introduction to Spring Cloud
Introduction to Spring Cloud VMware Tanzu
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web APIBrad Genereaux
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure webBen Abdallah Helmi
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7Ben Abdallah Helmi
 

Más contenido relacionado

La actualidad más candente

Microservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring CloudMicroservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring CloudEberhard Wolff
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementFahad Golra
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
DVGA writeup
DVGA writeupDVGA writeup
DVGA writeupYu Iwama
 
RESTful services
RESTful servicesRESTful services
RESTful servicesgouthamrv
 
Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUDPrem Sanil
 
Introducing Saga Pattern in Microservices with Spring Statemachine
Introducing Saga Pattern in Microservices with Spring StatemachineIntroducing Saga Pattern in Microservices with Spring Statemachine
Introducing Saga Pattern in Microservices with Spring StatemachineVMware Tanzu
 
Introduction to Microservices Patterns
Introduction to Microservices PatternsIntroduction to Microservices Patterns
Introduction to Microservices PatternsDimosthenis Botsaris
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
Introduction to Spring Cloud
Introduction to Spring Cloud Introduction to Spring Cloud
Introduction to Spring Cloud VMware Tanzu
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web APIBrad Genereaux
 

La actualidad más candente (20)

Microservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring CloudMicroservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring Cloud
 
Express js
Express jsExpress js
Express js
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
REST API
REST APIREST API
REST API
 
Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session Management
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
DVGA writeup
DVGA writeupDVGA writeup
DVGA writeup
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
RESTful services
RESTful servicesRESTful services
RESTful services
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
.Net Core
.Net Core.Net Core
.Net Core
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUD
 
Introducing Saga Pattern in Microservices with Spring Statemachine
Introducing Saga Pattern in Microservices with Spring StatemachineIntroducing Saga Pattern in Microservices with Spring Statemachine
Introducing Saga Pattern in Microservices with Spring Statemachine
 
Introduction to Microservices Patterns
Introduction to Microservices PatternsIntroduction to Microservices Patterns
Introduction to Microservices Patterns
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Introduction to Spring Cloud
Introduction to Spring Cloud Introduction to Spring Cloud
Introduction to Spring Cloud
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
 

Similar a Building layers of defense for your application

Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerShivamSharma909
 
Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring SecurityKnoldus Inc.
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?smalltown
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slidesBassam Al-Khatib
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
 
Client /server security overview
Client /server security overviewClient /server security overview
Client /server security overviewMohamed Sayed
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 

Similar a Building layers of defense for your application (20)

SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring Security
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity Management
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Hyderabad MuleSoft Meetup
Hyderabad MuleSoft MeetupHyderabad MuleSoft Meetup
Hyderabad MuleSoft Meetup
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Security testing
Security testingSecurity testing
Security testing
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Security testing
Security testingSecurity testing
Security testing
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slides
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
 
Client /server security overview
Client /server security overviewClient /server security overview
Client /server security overview
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 

Más de VMware Tanzu

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItVMware Tanzu
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023VMware Tanzu
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleVMware Tanzu
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023VMware Tanzu
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductVMware Tanzu
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready AppsVMware Tanzu
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And BeyondVMware Tanzu
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023VMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023VMware Tanzu
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptxVMware Tanzu
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchVMware Tanzu
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishVMware Tanzu
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVMware Tanzu
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - FrenchVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023VMware Tanzu
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootVMware Tanzu
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerVMware Tanzu
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeVMware Tanzu
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsVMware Tanzu
 

Más de VMware Tanzu (20)

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About It
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at Scale
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a Product
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready Apps
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And Beyond
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptx
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - French
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - French
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software Engineer
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs Practice
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
 

Último

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 

Último (20)

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 

Building layers of defense for your application

  • 1. Building Layers of Defense for Your Application Using Spring Security Framework Neha Sardana
  • 2. About Me ● Software Developer ● Fellow JUG Leader at Garden State Java User Group, NJ and New York Java SIG, NY ● Building Spring based applications for almost 10 years ● Love to travel, practice yoga and watch cricket ● Github : nsardana-bny ● linkedin.com/in/nehasardana9786/ ● Twitter: @nehasardana09, Medium: @neha-nsit 2
  • 3. Agenda ● Authentication and Authorization ● Layers of defense for a web app ● Spring Security - The 5Ws ● Common Security Threats ● Protection against threats ● Basic Authentication ● JWT, OAuth and OpenID Connect ● Code! ● Principles of Application Security 3
  • 4. Pre-requisites ● Java ● Spring Framework ● Maven 4
  • 6. Authentication ● Authentication is about validating your credentials like User Name/User ID and password to verify your identity. ● The system determines whether you are what you say you are using your credentials. 6
  • 7. Authorization ● Authorization is the process to determine whether the authenticated user has access to particular resources. ● It verifies your rights to grant you access to resources such as information, databases, files, etc. ● Authorization usually comes after authentication which confirms your privileges to perform. 7
  • 8. Layers of defense for a web app 8 ● Network Firewall ● Login Page ● Security Questions ● Authentication or Multi-factor Authentication ● Hashing and/or Salting ● Authorization Don’t give very specific error message to the user!!! EVER!
  • 10. 10
  • 11. What is Spring Security? ● Spring Security is a powerful and highly customizable authentication and access-control framework for Java based applications. ● It is the de-facto standard for securing Spring-based applications. ● Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements 11
  • 12. Why Use Spring Security? ● Easy Integration with Spring Boot ● Supported by large Open Source Community ● Authentication/Authorization (Out of the box) ● Application layer framework (not tied to a particular web server) ● Loosely Coupled ● Filter Entry point/Servlet ● Multiple authentication models ● Protects from Common Security Threats! 12
  • 13. Why use Spring Security? ● Due to increased adoption of frameworks like Spring Security, many of the previously common exploits such as: Cross Site Request Forgery and Clickjacking and many others are no longer on OWASP (Open Web Application Security Project) top 10. 13
  • 15. 15
  • 16. How to use Spring Security in your application 16
  • 17. 17 Add below code to your pom.xml in Spring Boot Project
  • 19. 19
  • 20. ● To enable Spring Security, you have to register Spring Security Filter, also known as, DelegatingFilterProxy, with your servlet container. ● DelegatingFilterProxy will forward all requests to other Spring Security Filters to perform Authentication or Authorization checks. ● Two important things to kick start your security framework: Dispatcher Servlet & Delegating Proxy Filter. 20 How Spring Security Works
  • 21. 21
  • 23. Filter Interface ● Init() - Called by the web container to indicate to a filter that it is being placed into service. ● destroy() - Called by the web container to indicate to a filter that it is being taken out of service. ● doFilter() - The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. ● The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain. 23
  • 24. FilterChainProxy & Security Filter Chain ● DelegatingFilterProxy delegates the request to FilterChainProxy (FCP) which in turn delegates to another object SecurityFilterChain (SFC). ● SFC is a wrapper around collection of Spring Filters that performs actual security tasks. ● When a request comes, FCP iterates through SFC in order to find the one which matches with the request url. ● After the above step, the appropriate Filter is invoked to perform security tasks. ● The Order of SFC matters a lot! ● There are options to have multiple SFC in one application to have multiple types of authentication for different types of URLs. 24
  • 26. SecurityFilterChain Interface ● matches() - returns boolean to checks if the request matches the filter chain ● getFilters() - returns a list of security filters for the matched request 26
  • 27. 27
  • 29. Authentication Flow ● Authentication Filter creates an “Authentication Request” and passes it to the Authentication Manager ● Authentication Manager delegates to the Authentication Provider ● Authentication Provider uses UserDetailsService to load the UserDetails and returns an “Authenticated Principal” ● Authentication Filter sets the Authentication in the SecurityContext 29
  • 30. 30 AuthenticationFilter Authentication Principal AuthenticationManager Authentication Providers Authentication Principal Security Context UserDetailsService generates authenticates delegates get UserDetails SecurityContextHolder adds
  • 31. Authentication Object ● Principal - identifies the user. When authenticating with a username/password this is often an instance of UserDetails. ● Credentials - Often a password. In many cases this will be cleared after the user is authenticated to ensure it is not leaked. ● Authorities - the GrantedAuthorities are high level permissions the user is granted. A few examples are roles or scopes. 31
  • 34. Authorization Flow ● FilterSecurityInterceptor obtains the “Security Metadata” by matching the current request ● FilterSecurityInterceptor gets the current Authentication ● The Authentication, Security Metadata and Request is passed to the AccessDecisionManager ● AccessDecisionManager delegates it to the AccessDecisionVoter(s) for decisioning 34
  • 35. What happens when there is Exception? ● When “Access Denied” for current Authentication, ExceptionTranslationFilter delegates to the AccessDeniedHandler and returns a Http 403 status code ● When current Authentication is “Anonymous”, ExceptionTranslationFilter delegates to the AuthenticationEntryPoint to start the Authentication Process 35
  • 36. Filter Chain Ordering 1. ChannelProcessingFilter 2. WebAsyncManagerIntegrationFilter 3. SecurityContextPersistenceFilter 4. HeaderWriterFilter 5. CorsFilter 6. CsrfFilter 7. LogoutFilter 8. OAuth2AuthorizationRequestRedirectFilter 9. Saml2WebSsoAuthenticationRequestFilter 10. X509AuthenticationFilter 11. AbstractPreAuthenticatedProcessingFilter 12. CasAuthenticationFilter 13. OAuth2LoginAuthenticationFilter 14. Saml2WebSsoAuthenticationFilter 15. UsernamePasswordAuthenticationFilter 16. OpenIDAuthenticationFilter 17. DefaultLoginPageGeneratingFilter 36
  • 37. Filter Chain Ordering (Contd.) 18. DefaultLogoutPageGeneratingFilter 19. ConcurrentSessionFilter 20. DigestAuthenticationFilter 21. BearerTokenAuthenticationFilter 22. BasicAuthenticationFilter 23. RequestCacheAwareFilter 24. SecurityContextHolderAwareRequestFilter 25. JaasApiIntegrationFilter 26. RememberMeAuthenticationFilter 27. AnonymousAuthenticationFilter 28. OAuth2AuthorizationCodeGrantFilter 29. SessionManagementFilter 30. ExceptionTranslationFilter 31. FilterSecurityInterceptor 32. SwitchUserFilter 37
  • 38. Common Security Threats ● Injection ● Broken Authentication ● Sensitive Data Exposure ● XML External Entities ● Broken Access Control ● Security Misconfiguration ● Cross-Site Scripting ● Insecure Deserialization ● Using Components with Known Vulnerabilities ● Insufficient logging and monitoring 38
  • 39. How Spring Security protects against Threats 39
  • 41. Spring Security Headers ● Disables Browser Cache ○ If your application provides its own cache control headers Spring Security will back out of the way ● Disables Content Sniffing ○ Content Sniffing- when the browser is trying to guess the content type of a request ● Disables Frame (prevents Clickjacking) ○ By default Spring Security disables rendering pages within an iframe ● HTTP Strict Transport Security (HSTS) ○ Instructs Browser to treat this domain and subdomains as an HSTS host for a year by default 41
  • 42. Spring Security Headers ● Reflective XSS ○ Prevents Browser from rendering a page if it suspects a reflective XSS attack 42
  • 43. CSRF Protection ● Cross-Site Request Forgery is an attack that forces a user to execute unwanted actions in an application they’re currently logged into. ● If the user is a normal user, a successful attack can involve state-changing requests like transferring funds or changing their email address. ● If the user has elevated permissions, a CSRF attack can compromise the entire application. ● Spring Security uses Synchronizer Token Pattern where along with creating the session cookie on authentication, it also creates a csrf token which a malicious site can not access or use. ● On the backend side, CSRF Filter expects this token along with state changing requests to allow the request to pass through. 43
  • 44. Example of CSRF for SPA 44
  • 45. HTTP Verb Tampering ● HTTP Verb Tampering is an attack that exploits vulnerabilities in HTTP verb (also known as HTTP method) authentication and access control mechanisms. ● Many authentication mechanisms only limit access to the most common HTTP methods, thus allowing unauthorized access to restricted resources by other HTTP methods. 45
  • 46. Example of HTTP Verb Tampering 46
  • 47. Enable Content Security Policy to Prevent XSS Attacks ● Content Security Policy (CSP) is an added layer of security that helps mitigate XSS (cross-site scripting) and data injection attacks. ● To enable it, you need to configure your app to return a Content-Security-Policy header. ● You can also use a <meta http-equiv="Content-Security-Policy"> tag in your HTML page. 47
  • 48. Example for Content Security Policy prevention 48
  • 49. Session Fixation ● Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). ● Spring Security protects against this automatically by creating a new session or otherwise changing the session ID when a user logs in. 49
  • 50. HTTPS in Production and NOT HTTP! 50
  • 52. Basic Authentication ● Credentials are transmitted through header ● Header name: Authentication ● Header value: Basic + Base64(username:password) ● Eg: Authorization: Basic YMDDdnskdslkdlklsklddlk 52
  • 53. Common Challenges with Basic Authentication ● Base64 is easy to decode! ● Managing password hash with application data is a bottleneck. ● Sharing username and password for integrating with third party vendor can cause a lot of problems. ● In case of a distributed application, while scaling up, you have to scale up the identity and authentication mechanism as well. ● If starting from a monolith application and going further down into Microservices, you will require Authentication and Authorization for each of the service which creating a problem later. 53
  • 55. 55
  • 56. Goal of OAuth2 ● This was driven mainly because the applications realised that user password sharing with multiple unknown apps was a big security threat. ● To allow applications to access data from third party apps without the users sharing their password. ● Problems while implementing single sign on because of the need to share passwords between applications 56
  • 57. OAuth2 ● OAuth 2.0 is the industry-standard protocol for authorization. ● OAuth 1.0 was published in Dec 2007. ● It uses scopes to define permissions about what actions an authorized user can perform. ● However, OAuth 2.0 is not an authentication protocol and provides no information about the authenticated user. ● https://auth0.com/ 57
  • 58. OpenID Connect ● OpenID Connect (OIDC) is an OAuth 2.0 extension that provides user information. ● It adds an ID token in addition to an access token, as well as a /userinfo endpoint that you can get additional information from. ● It also adds an endpoint discovery feature and dynamic client registration. 58
  • 59. 59 JSON Web Token (JWT) ● Light weight ○ JSON Map Information ● Verifiable ○ Digitally signed and Base64 URL encoded ● Protocol Agnostic ○ Can be used standalone ● Expiration Time
  • 60. 60 Field Description iat Indicates the token was "issued at" jit JSON Token ID iss Issuer of the token exp Expiry time sub Subject aud Audience JSON Structure ● Header ● Payload ● Signature
  • 61. 61
  • 62. 62
  • 63. 63
  • 66. Core Principles of Application Security ● Minimize attack surface area ● Establish secure defaults ● The principle of least privilege ● The principle of defense in depth ● Fail securely ● Don’t trust services ● Separation of duties ● Avoid security by obscurity ● Keep security simple ● Fix security issues correctly 66
  • 67. References Medium Blog - Spring Security Code Walkthrough Spring Design Principles Top Courses on Spring Security OWASP Top 10 Spring Security Reference OAuth 2.1 Picture Credits: https://tinyurl.com/fp5pfux7 (Pluralsight.com) 67