building layers of defense with spring security
play

Building Layers of Defense with Spring Security We have to distrust - PowerPoint PPT Presentation

Oct 04, 2022 •176 likes •709 views

Building Layers of Defense with Spring Security We have to distrust each other. It is our only defense against betrayal. Tennessee Williams About Me u Joris Kuipers ( @jkuipers) u Hands-on architect and fly-by-night Spring

  1. Building Layers of Defense with Spring Security “We have to distrust each other. It is our only defense against betrayal.” ― Tennessee Williams

  2. About Me u Joris Kuipers ( @jkuipers) u Hands-on architect and fly-by-night Spring trainer @ Trifork u @author tag in Spring Session’s support for Spring Security

  3. Layers Of Defense u Security concerns many levels u Physical, hardware, network, OS, middleware, applications, process / social, … u This talk focuses on applications

  4. Layers Of Defense u Web application has many layers to protect u Sometimes orthogonal u Often additive

  5. Layers Of Defense u Additivity implies some redundancy u That’s by design u Don’t rely on just a single layer of defense u Might have an error in security config / impl u Might be circumvented u AKA Defense in depth

  6. Spring Security u OSS framework for application-level authentication & authorization u Supports common standards & protocols u Works with any Java web application

  7. Spring Security Application-level: u No reliance on container, self-contained u Portable u Easy to extend and adapt u Assumes code itself is trusted

  8. Spring Security u Decouples authentication & authorization u Hooks into application through interceptors u Servlet Filters at web layer u Aspects at lower layers u Configured using Java-based fluent API

  9. Spring Security Configuration Steps to add Spring Security support: 1. Configure dependency and servlet filter chain 2. Centrally configure authentication 3. Centrally configure authorization 4. Configure code-specific authorization

  10. Config: Authentication @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { /* set up authentication: */ @Autowired void configureGlobal(AuthenticationManagerBuilder authMgrBuilder) throws Exception { authMgrBuilder.userDetailsService( myCustomUserDetailsService()); } // ...

  11. Config: HTTP Authorization /* ignore requests to these URLS: */ @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers( "/css/**" , "/img/**" , "/js/**" , "/favicon.ico" ); } // ...

  12. Config: HTTP Authorization /* configure URL-based authorization: */ @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers( "/admin/**" ).hasRole( "ADMIN" ) .antMatchers(HttpMethod. POST , "/projects/**" ).hasRole( "PROJECT_MGR" ) .anyRequest().authenticated(); // additional configuration not shown… } }

  13. Spring Security Defaults This gives us: u Various HTTP Response headers u CSRF protection u Default login page

  14. HTTP Response Headers “We are responsible for actions performed in response to circumstances for which we are not responsible” ― Allan Massie

  15. Disable Browser Cache u Modern browsers also cache HTTPS responses u Attacker could see old page even after user logs out u In general not good for dynamic content u For URLs not ignored, these headers are added Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0

  16. Disable Content Sniffing u Content type guessed based on content u Attacker might upload polyglot file u Valid as both e.g. PostScript and JavaScript u JavaScript executed on download u Disabled using this header X-Content-Type-Options: nosniff

  17. Enable HSTS u H TTP S trict T ransport S ecurity u Enforce HTTPS for all requests to domain u Optionally incl. subdomains u Prevents man-in-the-middling initial request u Enabled by default for HTTPS requests: Strict-Transport-Security: max-age=31536000 ; includeSubDomains

  18. HSTS War Story Note: one HTTPS request triggers HSTS for entire domain and subdomains u Webapp might not support HTTPS-only u Domain may host more than just your application u Might be better handled by load balancer

  19. Disable Framing u Prevent Clickjacking u Attacker embeds app in frame as invisible overlay u Tricks users into clicking on something they shouldn’t u All framing disabled using this header u Can configure other options, e.g. SAME ORIGIN X-Frame-Options: DENY

  20. Block X-XSS Content u Built-in browser support to recognize reflected XSS attacks u http://example.com/index.php? user=<script>alert(123)</script> u Ensure support is enabled and blocks (not fixes) content X-XSS-Protection: 1; mode=block

  21. Other Headers Support Other headers you can configure (disabled by default): u HTTP Public Key Pinning (HPKP)-related u Content Security Policy-related u Referrer-Policy

  22. CSRF / Session Riding Protection “One thing I learned about riding is to look for trouble before it happens.” ― Joe Davis

  23. Cross-Site Request Forgery CSRF tricks logged in users to make requests u Session cookie sent automatically u Look legit to server, but user never intended them

  24. Cross-Site Request Forgery Add session-specific token to all forms u Correct token means app initiated request u attacker cannot know token u Not needed for GET with proper HTTP verb usage u GETs should be safe u Also prevents leaking token through URL

  25. CSRF Protection in Spring Security Default: enabled for non-GET requests u Using session-scoped token u Include token as form request parameter < form action= "/logout" method= "post" > < input type= "submit" value= "Log out" /> < input type= "hidden" name= "${ _csrf.parameterName }" value= "${ _csrf.token }" /> </ form >

  26. CSRF Protection in Spring Security u Doesn’t work for JSON-sending SPAs u Store token in cookie and pass as header instead u No server-side session state, but still quite secure u Defaults work with AngularJS as-is @Override protected void configure(HttpSecurity http) throws Exception { http.csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()) .and() // additional configuration…

  27. URL-based Authorization “Does the walker choose the path, or the path the walker?” ― Garth Nix, Sabriel

  28. URL-based Authorization Very common, esp. with role-based authorization u Map URL structure to authorities u Optionally including HTTP methods u Good for coarse-grained rules

  29. Spring Security Configuration @Override protected void configure(HttpSecurity http) throws Exception { http /* configure URL-based authorization: */ .authorizeRequests() .antMatchers( "/admin/**" ).hasRole( "ADMIN" ) .antMatchers(HttpMethod. POST , "/projects/**" ).hasRole( "PROJECT_MGR" ) // other matchers… .anyRequest().authenticated(); // additional configuration not shown… } }

  30. URL-based Authorization Might become bloated u Esp. without role-related base URLs http.authorizeRequests() .antMatchers( "/products" , "/products/**" ).permitAll() .antMatchers( "/customer-portal-status" ).permitAll() .antMatchers( "/energycollectives" , "/energycollectives/**" ).permitAll() .antMatchers( "/meterreading" , "/meterreading/**" ).permitAll() .antMatchers( "/smartmeterreadingrequests" , "/smartmeterreadingrequests/**" ).permitAll() .antMatchers( "/offer" , "/offer/**" ).permitAll() .antMatchers( "/renewaloffer" , "/renewaloffer/**" ).permitAll() .antMatchers( "/address" ).permitAll() .antMatchers( "/iban/**" ).permitAll() .antMatchers( "/contracts" , "/contracts/**" ).permitAll() .antMatchers( "/zendesk/**" ).permitAll() .antMatchers( "/payment/**" ).permitAll() .antMatchers( "/phonenumber/**" ).permitAll() .antMatchers( "/debtcollectioncalendar/**" ).permitAll() .antMatchers( "/edsn/**" ).permitAll() .antMatchers( "/leads/**" ).permitAll() .antMatchers( "/dynamicanswer/**" ).permitAll() .antMatchers( "/masterdata" , "/masterdata/**" ).permitAll() .antMatchers( "/invoices/**" ).permitAll() .antMatchers( "/registerverification" , "/registerverification/**" ).permitAll() .antMatchers( "/smartmeterreadingreports" , "/smartmeterreadingreports/**" ).permitAll() .antMatchers( "/users" , "/users/**" ).permitAll() .antMatchers( "/batch/**" ).hasAuthority( "BATCH_ADMIN" ) .antMatchers( "/label/**" ).permitAll() .antMatchers( "/bankstatementtransactions" , "/bankstatementtransactions/**" ).permitAll() .antMatchers( "/directdebitsepamandate" , "/directdebitsepamandate/**" ).permitAll() .anyRequest().authenticated()

  31. URL-based Authorization Can be tricky to do properly u Rules matched in order u Matchers might not behave like you think they do u Need to have a catch-all u .anyRequest().authenticated(); u .anyRequest().denyAll();

  32. URL Matching Rules Gotchas http.authorizeRequests() Ordering very significant here! .antMatchers( "/products/inventory/**" ).hasRole( "ADMIN" ) .antMatchers( "/products/**" ).hasAnyRole( "USER" , "ADMIN" ) .antMatchers(… Does NOT match / products/delete/ .antMatchers( "/products/delete" ).hasRole( "ADMIN" ) (trailing slash)! . mvc Matchers( "/products/delete" ).hasRole( "ADMIN" )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers Dr. Stefan Frei &amp; Francisco Arts @stefan_frei @franklyfranc

787 views • 60 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Lecture 11: Energy and security Lecture 11: Energy and security considerations in wireless PHY +

Lecture 11: Energy and security Lecture 11: Energy and security considerations in wireless PHY +

Lecture 11: Energy and security Lecture 11: Energy and security considerations in wireless PHY + link considerations in wireless PHY + link layers layers Mythili Vutukuru CS 653 Spring 2014 Feb 10, Monday Energy and Security We will

259 views • 8 slides
Defense Security Service Defense Security Service Cybersecurity Operations Division

Defense Security Service Defense Security Service Cybersecurity Operations Division

UNCLASSIFIED//FOUO Defense Security Service Defense Security Service Cybersecurity Operations Division Counterintelligence UNCLASSIFIED//FOUO UNCLASSIFIED Defense Security Service DSS Mission Capability DSS Supports national security and

490 views • 33 slides
Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security Control 4 Abstraction Imperfections OS: Each process has exclusive access to its own CPU and memory Illusion!! A process may be able to

429 views • 21 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
Information Assurance Information Assurance for Defense Security for Defense Security Prof.

Information Assurance Information Assurance for Defense Security for Defense Security Prof.

Information Assurance Information Assurance for Defense Security for Defense Security Prof. Paul A. Strassmann George Mason University, March 27, 2007 1 Prof. Strassmann, GMU March 27, 2007 Lecture, REPRODUCED BY PERMISSION ONLY Elements of

662 views • 49 slides
Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu - peteresnyder.com Surveillance Defense 1. Good Practices 2. System / PC Security 3. Mobile Security 4. Browser Security 5. Secure Networking Tools

443 views • 27 slides
Advanced Energy for Homeland CONVERGE S T R A T E G I E S Defense and Security Michael Wu and

Advanced Energy for Homeland CONVERGE S T R A T E G I E S Defense and Security Michael Wu and

Advanced Energy for Homeland CONVERGE S T R A T E G I E S Defense and Security Michael Wu and Wilson Rickerson AGENDA 1.Defense Energy and National Security 2.State Support for DoD Missions 3.Advanced Energy Security for the Home Front

697 views • 16 slides
CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 A model for Control-Flow Hijack attacks

673 views • 41 slides
Reference Monitors Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Reference Monitors Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Reference Monitors Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Defense Mechanisms for Software Security Static enforcement of security properties Analyze the code before it is run (e.g., during compile

661 views • 34 slides
Cybersecurity Update Its More Than Technology People: Your First Line of Defense Incident

Cybersecurity Update Its More Than Technology People: Your First Line of Defense Incident

Cybersecurity Update Its More Than Technology People: Your First Line of Defense Incident Response Overview Types of data in your environment and why it is important. Trending threats. Minimizing risks through layers of defense:

486 views • 30 slides
Reminders Time to deploy! Projects are due before class on Thursday! CS370, Gnay (Emory) Spring

Reminders Time to deploy! Projects are due before class on Thursday! CS370, Gnay (Emory) Spring

Reminders Time to deploy! Projects are due before class on Thursday! CS370, Gnay (Emory) Spring 2015 1 / 9 Reminders Time to deploy! Projects are due before class on Thursday! Ill make a Piazza post for you to put your links and description

656 views • 47 slides
SY306 Web and Databases for Cyber Operations Set #16: Sessions

SY306 Web and Databases for Cyber Operations Set #16: Sessions

SY306 Web and Databases for Cyber Operations Set #16: Sessions http://cgi.tutorial.codepoint.net/session Logging In Correctly Unique session IDs identify your client No other client who has connected to the website should have the same

492 views • 4 slides
C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology

C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology

C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology Offers to Elevate Questions Offers to Elevate Questions Arnaud Wijnant wijnant@uvt.nl Maurice Martens m.g.j.martens@uvt.nl IBUC 2010 Baltimore 11/

403 views • 12 slides
A RESTful JSON-LD Architecture A RESTful JSON-LD Architecture for Unraveling Hidden References

A RESTful JSON-LD Architecture A RESTful JSON-LD Architecture for Unraveling Hidden References

A RESTful JSON-LD Architecture A RESTful JSON-LD Architecture for Unraveling Hidden References for Unraveling Hidden References to Research Data to Research Data Konstantin Baierer, Philipp Zumstein Philipp Zumstein Konstantin Baierer,

758 views • 23 slides
clean out your junk-drawer ! increased complexity

clean out your junk-drawer ! increased complexity

clean out your junk-drawer ! increased complexity the good ol days .selection { ! font-size: 12px; line-height: 13px; ! font-family: Arial, Helvetica, sans-serif; !

845 views • 56 slides
Web Site Design and Development Lecture 22 CS 0134 Fall 2018 Tues and Thurs 1:00 2:15PM

Web Site Design and Development Lecture 22 CS 0134 Fall 2018 Tues and Thurs 1:00 2:15PM

Web Site Design and Development Lecture 22 CS 0134 Fall 2018 Tues and Thurs 1:00 2:15PM Form Forms that allow users to submit information to us are created with the form element Attributes id: the id of the form action:

344 views • 19 slides
Neural representations of formulae A brief introduction Karel Chvalovsk CIIRC CTU

Neural representations of formulae A brief introduction Karel Chvalovsk CIIRC CTU

Neural representations of formulae A brief introduction Karel Chvalovsk CIIRC CTU Introduction the goal is to represent formulae by vectors (as good as possible) we have seen such a representation using hand-crafted features based on

682 views • 37 slides
Memory and File Systems SOSP-25 Retrospective Mahadev Satyanarayanan School of Computer Science

Memory and File Systems SOSP-25 Retrospective Mahadev Satyanarayanan School of Computer Science

Memory and File Systems SOSP-25 Retrospective Mahadev Satyanarayanan School of Computer Science Carnegie Mellon University 1 SOSP-25 History Day 2015 M. Satyanarayanan Four Drivers of Progress The quest for scale from early 1950s The

654 views • 28 slides

More recommend