How to perform a basic Spring Boot application security [closed]

自闭症网瘾萝莉.ら 提交于 2021-02-20 04:11:08

问题


I'm looking forward to deploying my Spring Application on a production environment and i'd like to include some basic and solid security measures.

First things first, i extended WebSecurityConfigurerAdapter into my SecurityConfiguration.java

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsService userDetailsService ;


    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // TODO Auto-generated method stub
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // TODO Auto-generated method stub
        http.csrf().disable().authorizeRequests()
        .antMatchers("/admin").hasAuthority("ADMIN")
        .antMatchers("/ekab").hasAuthority("EKAB")
        .antMatchers("/dimos").hasAuthority("DIMOS")
        .antMatchers("/","/users/**","/aeds/**","/events/**","/reports/**","*/static/**").permitAll()
        .anyRequest().authenticated()
        .and()
    .formLogin().loginPage("/login")
    .defaultSuccessUrl("/dashboard",true)
        .permitAll()
        .and()
    .logout()
        .permitAll();
    }

    @Bean
    public PasswordEncoder getPasswordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }


}


On a production environment CSRF should be enabled, although i don't handle any csrf tokens for now

  • GET Endpoints: Note that /users/** contains some GET endpoints containing User Information, can i apply limitations to who visits them?

  • POST Endpoints: I've also found some ways to secure POST by using a JSON Web Token , is it a best practice?

Spring also provides OAuth2.0 , RSA, LDAP, dependencies to enhance security.

Which one should i use? Does these prevent DDOS attacks as well as brute force attacks?

Do i have to make modifications in the application's deployment environment?


回答1:


Spring security provides various default security attack implementation to make sure the application is secured.

Since you asked to include some basic and solid security measures.: Below are a few of my thoughts which can improve a bit.

  1. As you told, You have disabled 'CSRF token' which is not good when you think your application should be highly secured. Usually, most of the people disable(in demo code) because they won't be able to call /logout URL with the GET method as it requires you to submit it via POST with _csrf token. Good that you have taken care of in production.
  2. Session Fixation Attack: This is the type of attack where one can steal your current session by offering their URL of the same website and append JSESSIONID into URL, with the URL rewrite approach. Spring Security Framework has taken care of this by default and it migrates the session once the user logs in. The corresponding configuration would be -

    http.sessionManagement()
      .sessionFixation().migrateSession()
    
  3. Securing session cookie: Malicious script can read your cookie information from the browser end so you need to make sure that your cookie is secured and are accessible by server-side code by making them HttpOnly. For that, you can use the below config in your application.properties -

    server.servlet.session.cookie.http-only=true
    
  4. Running your app on Https: Make sure that you use https in production and also in that case you can force your cookies to travel over https protocol only by adding below config in your application.properties.

     server.servlet.session.cookie.secure=true
    

    and to force https connection add below lines in configure() method(this won't' be enough though because you have to get your public/private key setup also using keytool)

       http.requiresChannel().requiresSecure();
    
  5. Applying CSP: User Content security policy to avoid any XSS attacks. Spring security by default provides various security headers. But it does not add Content security policy headers you can add them in your security config file like below

     @EnableWebSecurity
     public class WebSecurityConfig extends
     WebSecurityConfigurerAdapter {
     @Override
     protected void configure(HttpSecurity http)
     throws Exception {
     http.headers().contentSecurityPolicy("script-src
    'self' https://myclientscriptlocation.example.com; object-src
     https://myclientsideplugins.example.com; report-uri /cspreport-endpoint/");
    }
    

    }

  6. Password hashing: Which you are not using your security config. You have to keep password hashed while storing them into the database.

  7. Securing your application.properties' Security should be applied not only from outsiders, but it should also be protected from insiders as well. Like encryption and decryption of database passwords or any other config passwords. Follow here on how to secure your application properties.

GET Endpoints: Note that /users/** contains some GET endpoints containing User Information, can I apply limitations to who visits them?

Yes, you can apply. But that depends on your requirement what you want here. One example that I can think of is, IP Address filtering. Like if you want only those users can access which are in the US or if you know the IP range of user etc.

  .antMatchers("/foos/**").hasIpAddress("xx.xxx.xxx.xx")

POST Endpoints: I've also found some ways to secure POST by using a JSON Web Token , is it a best practice?

JWT mostly used in RESTful web services. If your application is exposing rest endpoints and requires authenticated access then JWT is the best option.

Spring also provides OAuth2.0, RSA, LDAP, dependencies to enhance security.

These are different ways of authentication and authorization. Some of them has multiple flows to do authentication and authorization but The same security factors would be applied to these when they are accessed by outside the users.

It totally depends on your project requirement whether you need them or not. For example, if you are developing an application for internal organization use where user/employee has everything set up at the organization level and you want everyone to access this application then LDAP integration is better.

OAuth2.0 is better when you have multiple microservices + you want any social login implementation like Login with Google or Login with Facebook then you can follow OAuth2.0 integration

Does these prevent DDOS attacks as well as brute force attacks?

No. This should be taken care of by tuning various security parameters like limiting the session time, checking security headers, handling memory leaks, applying timeout for POST requests so that no one could post a huge request payload, etc. You have to do a bit of leg work to mitigate such security attacks.

I hope this helps you to move forward.

PS: Remove permitAll() from security configution.

.defaultSuccessUrl("/dashboard",true)
    .permitAll()


来源:https://stackoverflow.com/questions/62092295/how-to-perform-a-basic-spring-boot-application-security

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!