building layers of defense with spring security
play

Building Layers of Defense with Spring Security We have to distrust - PowerPoint PPT Presentation

Oct 04, 2022 •176 likes •709 views

Building Layers of Defense with Spring Security We have to distrust each other. It is our only defense against betrayal. Tennessee Williams About Me u Joris Kuipers ( @jkuipers) u Hands-on architect and fly-by-night Spring

  1. Building Layers of Defense with Spring Security “We have to distrust each other. It is our only defense against betrayal.” ― Tennessee Williams

  2. About Me u Joris Kuipers ( @jkuipers) u Hands-on architect and fly-by-night Spring trainer @ Trifork u @author tag in Spring Session’s support for Spring Security

  3. Layers Of Defense u Security concerns many levels u Physical, hardware, network, OS, middleware, applications, process / social, … u This talk focuses on applications

  4. Layers Of Defense u Web application has many layers to protect u Sometimes orthogonal u Often additive

  5. Layers Of Defense u Additivity implies some redundancy u That’s by design u Don’t rely on just a single layer of defense u Might have an error in security config / impl u Might be circumvented u AKA Defense in depth

  6. Spring Security u OSS framework for application-level authentication & authorization u Supports common standards & protocols u Works with any Java web application

  7. Spring Security Application-level: u No reliance on container, self-contained u Portable u Easy to extend and adapt u Assumes code itself is trusted

  8. Spring Security u Decouples authentication & authorization u Hooks into application through interceptors u Servlet Filters at web layer u Aspects at lower layers u Configured using Java-based fluent API

  9. Spring Security Configuration Steps to add Spring Security support: 1. Configure dependency and servlet filter chain 2. Centrally configure authentication 3. Centrally configure authorization 4. Configure code-specific authorization

  10. Config: Authentication @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { /* set up authentication: */ @Autowired void configureGlobal(AuthenticationManagerBuilder authMgrBuilder) throws Exception { authMgrBuilder.userDetailsService( myCustomUserDetailsService()); } // ...

  11. Config: HTTP Authorization /* ignore requests to these URLS: */ @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers( "/css/**" , "/img/**" , "/js/**" , "/favicon.ico" ); } // ...

  12. Config: HTTP Authorization /* configure URL-based authorization: */ @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers( "/admin/**" ).hasRole( "ADMIN" ) .antMatchers(HttpMethod. POST , "/projects/**" ).hasRole( "PROJECT_MGR" ) .anyRequest().authenticated(); // additional configuration not shown… } }

  13. Spring Security Defaults This gives us: u Various HTTP Response headers u CSRF protection u Default login page

  14. HTTP Response Headers “We are responsible for actions performed in response to circumstances for which we are not responsible” ― Allan Massie

  15. Disable Browser Cache u Modern browsers also cache HTTPS responses u Attacker could see old page even after user logs out u In general not good for dynamic content u For URLs not ignored, these headers are added Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0

  16. Disable Content Sniffing u Content type guessed based on content u Attacker might upload polyglot file u Valid as both e.g. PostScript and JavaScript u JavaScript executed on download u Disabled using this header X-Content-Type-Options: nosniff

  17. Enable HSTS u H TTP S trict T ransport S ecurity u Enforce HTTPS for all requests to domain u Optionally incl. subdomains u Prevents man-in-the-middling initial request u Enabled by default for HTTPS requests: Strict-Transport-Security: max-age=31536000 ; includeSubDomains

  18. HSTS War Story Note: one HTTPS request triggers HSTS for entire domain and subdomains u Webapp might not support HTTPS-only u Domain may host more than just your application u Might be better handled by load balancer

  19. Disable Framing u Prevent Clickjacking u Attacker embeds app in frame as invisible overlay u Tricks users into clicking on something they shouldn’t u All framing disabled using this header u Can configure other options, e.g. SAME ORIGIN X-Frame-Options: DENY

  20. Block X-XSS Content u Built-in browser support to recognize reflected XSS attacks u http://example.com/index.php? user=<script>alert(123)</script> u Ensure support is enabled and blocks (not fixes) content X-XSS-Protection: 1; mode=block

  21. Other Headers Support Other headers you can configure (disabled by default): u HTTP Public Key Pinning (HPKP)-related u Content Security Policy-related u Referrer-Policy

  22. CSRF / Session Riding Protection “One thing I learned about riding is to look for trouble before it happens.” ― Joe Davis

  23. Cross-Site Request Forgery CSRF tricks logged in users to make requests u Session cookie sent automatically u Look legit to server, but user never intended them

  24. Cross-Site Request Forgery Add session-specific token to all forms u Correct token means app initiated request u attacker cannot know token u Not needed for GET with proper HTTP verb usage u GETs should be safe u Also prevents leaking token through URL

  25. CSRF Protection in Spring Security Default: enabled for non-GET requests u Using session-scoped token u Include token as form request parameter < form action= "/logout" method= "post" > < input type= "submit" value= "Log out" /> < input type= "hidden" name= "${ _csrf.parameterName }" value= "${ _csrf.token }" /> </ form >

  26. CSRF Protection in Spring Security u Doesn’t work for JSON-sending SPAs u Store token in cookie and pass as header instead u No server-side session state, but still quite secure u Defaults work with AngularJS as-is @Override protected void configure(HttpSecurity http) throws Exception { http.csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()) .and() // additional configuration…

  27. URL-based Authorization “Does the walker choose the path, or the path the walker?” ― Garth Nix, Sabriel

  28. URL-based Authorization Very common, esp. with role-based authorization u Map URL structure to authorities u Optionally including HTTP methods u Good for coarse-grained rules

  29. Spring Security Configuration @Override protected void configure(HttpSecurity http) throws Exception { http /* configure URL-based authorization: */ .authorizeRequests() .antMatchers( "/admin/**" ).hasRole( "ADMIN" ) .antMatchers(HttpMethod. POST , "/projects/**" ).hasRole( "PROJECT_MGR" ) // other matchers… .anyRequest().authenticated(); // additional configuration not shown… } }

  30. URL-based Authorization Might become bloated u Esp. without role-related base URLs http.authorizeRequests() .antMatchers( "/products" , "/products/**" ).permitAll() .antMatchers( "/customer-portal-status" ).permitAll() .antMatchers( "/energycollectives" , "/energycollectives/**" ).permitAll() .antMatchers( "/meterreading" , "/meterreading/**" ).permitAll() .antMatchers( "/smartmeterreadingrequests" , "/smartmeterreadingrequests/**" ).permitAll() .antMatchers( "/offer" , "/offer/**" ).permitAll() .antMatchers( "/renewaloffer" , "/renewaloffer/**" ).permitAll() .antMatchers( "/address" ).permitAll() .antMatchers( "/iban/**" ).permitAll() .antMatchers( "/contracts" , "/contracts/**" ).permitAll() .antMatchers( "/zendesk/**" ).permitAll() .antMatchers( "/payment/**" ).permitAll() .antMatchers( "/phonenumber/**" ).permitAll() .antMatchers( "/debtcollectioncalendar/**" ).permitAll() .antMatchers( "/edsn/**" ).permitAll() .antMatchers( "/leads/**" ).permitAll() .antMatchers( "/dynamicanswer/**" ).permitAll() .antMatchers( "/masterdata" , "/masterdata/**" ).permitAll() .antMatchers( "/invoices/**" ).permitAll() .antMatchers( "/registerverification" , "/registerverification/**" ).permitAll() .antMatchers( "/smartmeterreadingreports" , "/smartmeterreadingreports/**" ).permitAll() .antMatchers( "/users" , "/users/**" ).permitAll() .antMatchers( "/batch/**" ).hasAuthority( "BATCH_ADMIN" ) .antMatchers( "/label/**" ).permitAll() .antMatchers( "/bankstatementtransactions" , "/bankstatementtransactions/**" ).permitAll() .antMatchers( "/directdebitsepamandate" , "/directdebitsepamandate/**" ).permitAll() .anyRequest().authenticated()

  31. URL-based Authorization Can be tricky to do properly u Rules matched in order u Matchers might not behave like you think they do u Need to have a catch-all u .anyRequest().authenticated(); u .anyRequest().denyAll();

  32. URL Matching Rules Gotchas http.authorizeRequests() Ordering very significant here! .antMatchers( "/products/inventory/**" ).hasRole( "ADMIN" ) .antMatchers( "/products/**" ).hasAnyRole( "USER" , "ADMIN" ) .antMatchers(… Does NOT match / products/delete/ .antMatchers( "/products/delete" ).hasRole( "ADMIN" ) (trailing slash)! . mvc Matchers( "/products/delete" ).hasRole( "ADMIN" )

Recommend

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers Dr. Stefan Frei &amp; Francisco Arts @stefan_frei @franklyfranc

787 views • 60 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Lecture 11: Energy and security Lecture 11: Energy and security considerations in wireless PHY +

Lecture 11: Energy and security Lecture 11: Energy and security considerations in wireless PHY +

Lecture 11: Energy and security Lecture 11: Energy and security considerations in wireless PHY + link considerations in wireless PHY + link layers layers Mythili Vutukuru CS 653 Spring 2014 Feb 10, Monday Energy and Security We will

259 views • 8 slides
Defense Security Service Defense Security Service Cybersecurity Operations Division

Defense Security Service Defense Security Service Cybersecurity Operations Division

UNCLASSIFIED//FOUO Defense Security Service Defense Security Service Cybersecurity Operations Division Counterintelligence UNCLASSIFIED//FOUO UNCLASSIFIED Defense Security Service DSS Mission Capability DSS Supports national security and

490 views • 33 slides
Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security Control 4 Abstraction Imperfections OS: Each process has exclusive access to its own CPU and memory Illusion!! A process may be able to

429 views • 21 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
Information Assurance Information Assurance for Defense Security for Defense Security Prof.

Information Assurance Information Assurance for Defense Security for Defense Security Prof.

Information Assurance Information Assurance for Defense Security for Defense Security Prof. Paul A. Strassmann George Mason University, March 27, 2007 1 Prof. Strassmann, GMU March 27, 2007 Lecture, REPRODUCED BY PERMISSION ONLY Elements of

662 views • 49 slides
Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu - peteresnyder.com Surveillance Defense 1. Good Practices 2. System / PC Security 3. Mobile Security 4. Browser Security 5. Secure Networking Tools

443 views • 27 slides
Advanced Energy for Homeland CONVERGE S T R A T E G I E S Defense and Security Michael Wu and

Advanced Energy for Homeland CONVERGE S T R A T E G I E S Defense and Security Michael Wu and

Advanced Energy for Homeland CONVERGE S T R A T E G I E S Defense and Security Michael Wu and Wilson Rickerson AGENDA 1.Defense Energy and National Security 2.State Support for DoD Missions 3.Advanced Energy Security for the Home Front

697 views • 16 slides
CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 A model for Control-Flow Hijack attacks

673 views • 41 slides
Reference Monitors Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Reference Monitors Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Reference Monitors Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Defense Mechanisms for Software Security Static enforcement of security properties Analyze the code before it is run (e.g., during compile

661 views • 34 slides
Cybersecurity Update Its More Than Technology People: Your First Line of Defense Incident

Cybersecurity Update Its More Than Technology People: Your First Line of Defense Incident

Cybersecurity Update Its More Than Technology People: Your First Line of Defense Incident Response Overview Types of data in your environment and why it is important. Trending threats. Minimizing risks through layers of defense:

486 views • 30 slides
Security Culture Why You Need One and How to Create It Masha Sedova Co-Founder, Elevate Security

Security Culture Why You Need One and How to Create It Masha Sedova Co-Founder, Elevate Security

Security Culture Why You Need One and How to Create It Masha Sedova Co-Founder, Elevate Security About me Cyber Analyst for Co-Founder, building the defense community Behavioral Security Platform Built and ran Salesforce Passionate about

657 views • 36 slides
~-- . . Department of Defense , ., OFFICE OF PREPUBLICATION AND SECURITY REVIEW !\M.A

~-- . . Department of Defense , ., OFFICE OF PREPUBLICATION AND SECURITY REVIEW !\M.A

~ Robert L. Bezy and Kathryn Bolles CLEARED For Open Publication Jan 30, 2020 . . ~-- . . Department of Defense , ., OFFICE OF PREPUBLICATION AND SECURITY REVIEW !\M.A . , ' 11'{,Q&quot; , _._,._. U Department of Defense

218 views • 18 slides
THE BIGGEST OPTICAL It has a closed cycle of production starting from research and development

THE BIGGEST OPTICAL It has a closed cycle of production starting from research and development

About Opticoelectron Opticoelectron Group JSCo is one of the most advanced companies specialized in optomechanical, optoelectronic and laser devices and systems for defense and security, medicine, device-building, machine-building. The company

509 views • 29 slides
THE BIGGEST OPTICAL It has a closed cycle of production starting from research and development

THE BIGGEST OPTICAL It has a closed cycle of production starting from research and development

About Opticoelectron Opticoelectron Group JSCo is one of the most advanced companies specialized in optomechanical, optoelectronic and laser devices and systems for defense and security, medicine, device-building, machine-building. The company

548 views • 26 slides
THE BIGGEST OPTICAL It has a closed cycle of production starting from research and development

THE BIGGEST OPTICAL It has a closed cycle of production starting from research and development

About Opticoelectron Opticoelectron Group JSCo is one of the most advanced companies specialized in optomechanical, optoelectronic and laser devices and systems for defense and security, medicine, device-building, machine-building. The company

763 views • 28 slides
Online Security Michael Hutchinson My First line of Defense Making Things Secure Router

Online Security Michael Hutchinson My First line of Defense Making Things Secure Router

Online Security Michael Hutchinson My First line of Defense Making Things Secure Router Security Anti-Malware Programs Browser Security Internet Searching Router Security Router is First Line of Defense Router typically

472 views • 23 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1 Mathias Payer CS412 Software Security Widely-adopted defense mechanisms Hundreds of

1.34k views • 57 slides

More recommend