Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
Securing web applications with
Spring Security 3
Fernando Redondo Ramírez
@pronoide_fer
Roadmap
• Who am I?
• A brief introduction to
Spring Security
• Hands on
• Furthermore
Roadmap
• Who am I?
• A brief introduction to
Spring Security
• Hands on
• Furthermore
Brief Introduction to Spring Security
• Isn’t Security within JEE a standard feature?
Yes indeed, but:
• JEE Security ⇒ It...
Brief Introduction to Spring Security
• Why use Spring Security then?
because:
• Spring Security ⇒ It’s granted based
• Sp...
Brief Introduction to Spring Security
• Architecture and we are done!
Spring Security 3
internals
SecurityContextHolder
Se...
Your next mission
I need to put security
within our FBI X-Files
application!
Hands on! (Later at home)
Before start, you have to…
1. Install git in your computer
http://git-scm.com/book/en/Getting-St...
FBI X Files webapp
Import webapp (File/Import/Git/Proyect from Git)
FBI X Files webapp
Run webapp!
Stage: Setup Spring Security in webapp
i. Setup a interceptor filter for all web requests
Stage: Setup Spring Security in webapp
ii. Create a new spring bean configuration file with the least
config and load thro...
Stage: Setup Spring Security in webapp
iii. Explicitly config login / logout procedures
iv. Fix issues with resources, ima...
FBI X Files webapp
Stage: Setup Spring Security in webapp
v. Encrypt user’s paswords via Spring Security Crypto Module
• Encode passwords
• C...
Stage: Setup Spring Security in webapp
vi. Add Remember Me feature to users login process
Stage: Setup Spring Security in webapp
vii. Secure transport channel (HTTPS)
• Setup constrains and ports
• Configure tomc...
Stage: Setup Spring Security in webapp
viii. Session expiration control
ix. Session concurrency control
Stage: Setup Spring Security in webapp
x. JSP tag library usage (Spring Security Taglibs)
Stage: Setup Spring Security in webapp
xi. SpEL usage to protect URLs (Spring Expression Language)
xii. SpEL usage with Sp...
what have you done!
Is there only security in
the web resources
access? Is that the very
best you can make it?
Try this UR...
Stage: Setup Spring Security in business methods
xii. Secure business method invocations thru Spring Security
Annotations
Stage: Setup Spring Security in business methods
xiii. Secure business method invocations thru AspectJ pointcuts
Stage: Setup Spring Security in business methods
xiv. Secure business method invocations thru SpEL (Pre Invocation)
Much better! But…
What are you doing viewing files
that aren’t yours?
How come you are able to access to
your sister’s fil...
Stage: Setup Spring Security in an hierarchical way
xv. Secure business method invocations thru SpEL (Post Invocation)
xvi...
Stage: Setup Spring Security in an hierarchical way
xvii. Customization of access voters
• Code a new voter
Stage: Setup Spring Security in an hierarchical way
xviii.Customization of access voters (continuation)
• Dismiss Spring S...
Stage: Spring Security Extras
xix. Customization of security filter chain (Example A)
• Create custom filter
• Place it wi...
Stage: Spring Security Extras
xx. Customization of security filter chain (Example B)
• Create custom filter
• Place it wit...
The smoking man
All of these features about Spring
Security are pretty fine, but I can
always leverage a Java2 attack:
<%S...
Beyond this talk
• Not implicit but explicit configs
• ACL’s management
• Autentification with DataSources,
LDAP, X509, OP...
Whoami
• Entrepreneur and Business Manager at Pronoide
since 2003
• Java & Friends Trainer (JEE, Spring, Groovy, Maven, Je...
Apendix: Hands on (Later at home)!
Navigate along the project code with git presenter
1. Install jruby or ruby
http://jrub...
Nächste SlideShare
Wird geladen in …5
×

Javacro 2014 Spring Security 3 Speech

1.762 Aufrufe

Veröffentlicht am

Slides of my talk at JavaCro 2014: Securing web applications with Spring Security 3

Veröffentlicht in: Technologie, News & Politik
  • Als Erste(r) kommentieren

Javacro 2014 Spring Security 3 Speech

  1. 1. Securing web applications with Spring Security 3 Fernando Redondo Ramírez @pronoide_fer
  2. 2. Roadmap • Who am I? • A brief introduction to Spring Security • Hands on • Furthermore
  3. 3. Roadmap • Who am I? • A brief introduction to Spring Security • Hands on • Furthermore
  4. 4. Brief Introduction to Spring Security • Isn’t Security within JEE a standard feature? Yes indeed, but: • JEE Security ⇒ It’s constraint based • JEE Security ⇒ It only defines a secured perimeter • JEE Security ⇒ its features are depending on each App Server (Realms, SSO, Cipher, etc) • JEE Security ⇒ Secured JEE Applications can’t easily move across different platforms or between server versions • JEE Security ⇒ Complex to adapt to Web 2.0 or changing requirements
  5. 5. Brief Introduction to Spring Security • Why use Spring Security then? because: • Spring Security ⇒ It’s granted based • Spring Security ⇒ Both perimeter and hierarchical • Spring Security ⇒ Features independent of the App Server • Spring Security ⇒ Transportable Secured JEE Applications • Spring Security ⇒ Adaptable and versatile
  6. 6. Brief Introduction to Spring Security • Architecture and we are done! Spring Security 3 internals SecurityContextHolder SecurityContext Authentication GrantedAuthority Web Requests Web/HTTP Security Security filter chain Authentication AuthenticationManager AuthenticationProviders UserDetailsService Authorization AccessDecisionManager Voters AfterInvocationManager Business Methods Business Object (Method) Security Proxies/Security Interceptors
  7. 7. Your next mission I need to put security within our FBI X-Files application!
  8. 8. Hands on! (Later at home) Before start, you have to… 1. Install git in your computer http://git-scm.com/book/en/Getting-Started-Installing-Git 2. Download Spring Tool Suite 3.5 https://spring.io/tools/sts/all 3. Start Spring Tool Suite 3.5 (STS) and choose or create a workspace (remember run it with a JDK) 4. Download http://pronoide.com/downloads/javacro2014- spring-security-xfiles.zip and unzip it into workspace folder. 5. Pace yourself! It’s all quite straightforward…
  9. 9. FBI X Files webapp Import webapp (File/Import/Git/Proyect from Git)
  10. 10. FBI X Files webapp Run webapp!
  11. 11. Stage: Setup Spring Security in webapp i. Setup a interceptor filter for all web requests
  12. 12. Stage: Setup Spring Security in webapp ii. Create a new spring bean configuration file with the least config and load through web.xml context parameter
  13. 13. Stage: Setup Spring Security in webapp iii. Explicitly config login / logout procedures iv. Fix issues with resources, images and CSS files
  14. 14. FBI X Files webapp
  15. 15. Stage: Setup Spring Security in webapp v. Encrypt user’s paswords via Spring Security Crypto Module • Encode passwords • Configure algorithm and salt field. Then use passwords within security config file
  16. 16. Stage: Setup Spring Security in webapp vi. Add Remember Me feature to users login process
  17. 17. Stage: Setup Spring Security in webapp vii. Secure transport channel (HTTPS) • Setup constrains and ports • Configure tomcat server (create SSL connector)
  18. 18. Stage: Setup Spring Security in webapp viii. Session expiration control ix. Session concurrency control
  19. 19. Stage: Setup Spring Security in webapp x. JSP tag library usage (Spring Security Taglibs)
  20. 20. Stage: Setup Spring Security in webapp xi. SpEL usage to protect URLs (Spring Expression Language) xii. SpEL usage with Spring security taglib
  21. 21. what have you done! Is there only security in the web resources access? Is that the very best you can make it? Try this URL and watch what is gonna happen: https://localhost:8443/fbi/xfiles/declassify?id=0
  22. 22. Stage: Setup Spring Security in business methods xii. Secure business method invocations thru Spring Security Annotations
  23. 23. Stage: Setup Spring Security in business methods xiii. Secure business method invocations thru AspectJ pointcuts
  24. 24. Stage: Setup Spring Security in business methods xiv. Secure business method invocations thru SpEL (Pre Invocation)
  25. 25. Much better! But… What are you doing viewing files that aren’t yours? How come you are able to access to your sister’s files? And why are you accessing at this time of the day?
  26. 26. Stage: Setup Spring Security in an hierarchical way xv. Secure business method invocations thru SpEL (Post Invocation) xvi. Secure business method invocations thru SpEL (Result Filtering)
  27. 27. Stage: Setup Spring Security in an hierarchical way xvii. Customization of access voters • Code a new voter
  28. 28. Stage: Setup Spring Security in an hierarchical way xviii.Customization of access voters (continuation) • Dismiss Spring Security auto-config and reveal actual config • Customize Access decision manager behavior
  29. 29. Stage: Spring Security Extras xix. Customization of security filter chain (Example A) • Create custom filter • Place it within the filter chain
  30. 30. Stage: Spring Security Extras xx. Customization of security filter chain (Example B) • Create custom filter • Place it within the filter chain
  31. 31. The smoking man All of these features about Spring Security are pretty fine, but I can always leverage a Java2 attack: <%System.exit(0);%>
  32. 32. Beyond this talk • Not implicit but explicit configs • ACL’s management • Autentification with DataSources, LDAP, X509, OPENID, JEE, etc • Captcha • Single Sign On • Java Config “… in most of my work, the laws of physics rarely seems to apply.” Fox Mulder 1x01 "Pilot"
  33. 33. Whoami • Entrepreneur and Business Manager at Pronoide since 2003 • Java & Friends Trainer (JEE, Spring, Groovy, Maven, Jenkins, Sonar, Weblogic, Jboss, Websphere, Disco Dancing and so ) • Doing things with Java from 1999 on • Computer Engineer • Happily married and proud father of two children • I used to wanna be a physics scientist and I really do love X-files series
  34. 34. Apendix: Hands on (Later at home)! Navigate along the project code with git presenter 1. Install jruby or ruby http://jruby.org/getting-started https://www.ruby-lang.org/en/installation/ 2. Install git presenter (gem install git_presenter) 3. When the code is ready use the "git-presenter init" command to initialize 4. Once it is initialized you can start the presentation with "git- presenter start" 5. Then use the following commands to navigate the presentation • next/n: move to the next slide (commit) • back/b: move to the back slide (commit) • end/e: move to the end of presentation • start/s: move to the start of presentation • list/l : list slides in presentation • help/h: display this message

×