Java Web Application Security
Matt Raible - http://raibledesigns.com - @mraible
Photos by Trish McGinity - http://mcginityphoto.com © 2015 Raible Designs
Who is Matt Raible?
- Blogger on raibledesigns.com
- Founder of AppFuse
- Father, Skier, Mountain Biker, Whitewater Rafter
- Web Framework Connoisseur
- Bus Lover
Why am I here?
Purpose: To explore Java webapp security options and encourage you to be a security expert
Goals:
- Show how to implement Java webapp security
- Show how to penetrate a Java webapp
- Show how to fix vulnerabilities
What about YOU? Why are you here? Do you care about Security? Have you used Java EE 7, Spring Security or Apache Shiro? What do you want to get from this talk?
Session Agenda
- Security Development: Java EE 7, Spring Security, Apache Shiro
- SSL and Testing
- Verifying Security: OWASP Top 10 & Zed Attack Proxy
- Tools and Services
- Action!
Develop
Java EE 7
- Security constraints defined in web.xml
  - web resource collection - URLs and methods
  - authorization constraints - role names
  - user data constraint - HTTP or HTTPS
- User Realm defined by App Server
- Declarative or Programmatic Authentication
- Annotations Support
Java EE 7 Demo
Servlet 3.0 HttpServletRequest
- authenticate(response)
- login(user, pass)
- logout()
- getRemoteUser()
- isUserInRole(name)
Servlet 3.0 and JSR 250 Annotations
- @ServletSecurity
- @HttpMethodConstraint
- @HttpConstraint
- @RolesAllowed
- @PermitAll
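As an added example (not code from the talk or its demo project), here is how the Servlet 3.0/3.1 pieces on these two slides fit together: one servlet secured declaratively with @ServletSecurity, and a second one that authenticates programmatically through HttpServletRequest#login. Both assume a container realm that defines the USER and ADMIN roles; the URLs and class names are invented for the example.

```java
// File: ReportServlet.java (hypothetical)
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declarative security: the same three constraints web.xml expresses, as annotations.
// The realm (users, passwords, role membership) is the application server's.
@WebServlet("/admin/reports")
@ServletSecurity(
    // Default for every HTTP method not listed below: ADMIN only, and only over HTTPS.
    value = @HttpConstraint(rolesAllowed = "ADMIN",
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // GET is also open to USER, still over HTTPS.
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"USER", "ADMIN"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // TRACE is denied to everyone, whatever roles they hold.
        @HttpMethodConstraint(value = "TRACE", emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // The container authenticated the caller before we got here; these calls only read the result.
        out.println("Hello " + req.getRemoteUser());
        // Programmatic authorization on top of the annotation, for a finer decision inside the page.
        out.println(req.isUserInRole("ADMIN") ? "Showing all reports" : "Showing your reports");
    }
}

// File: ProgrammaticLoginServlet.java (hypothetical)
// Programmatic authentication against the same realm, e.g. behind an AJAX login form.
@WebServlet("/account/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (req.getRemoteUser() != null) {
            req.logout();   // login() throws if a user is already authenticated on this request
        }
        try {
            req.login(username, password);   // validated by the container realm
            req.changeSessionId();           // Servlet 3.1: a fresh id after login defeats session fixation
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (ServletException e) {
            // One generic message for every failure, so the response does not reveal
            // whether the username exists (the container gives no detail anyway).
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
        }
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();                     // clear the container's notion of the caller
        req.getSession().invalidate();    // and drop the session itself
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The TRACE constraint illustrates the Servlet 3.1 "deny uncovered HTTP methods" idea from the next slide in the opposite direction: with the annotation above, any method you forget to list falls back to the ADMIN-over-HTTPS default rather than being left open.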
Servlet 3.1
- Non-blocking I/O
- HTTP protocol upgrade mechanism
- Security
  - Run-as security roles to #init and #destroy
  - Session Fixation protection
  - Deny HTTP methods not explicitly covered by security constraints
JSR 375: Java EE Security API
Improvements to:
- User Management
- Password Aliasing
- Role Mapping
- Authentication
- Authorization
Learn more on
Java EE Limitations
- No error messages for failed logins
- No Remember Me
- Container has to be configured
- Doesn’t support regular expressions for URLs
Spring Boot with Security
- Basic Authentication by default
- Fluent API for defining URLs, roles, etc.
- Spring MVC Test with Security Annotations
- Password Encoding
- Remember Me
- WebSocket Security
Spring Security Demo
Spring Security JavaConfig
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.*;
    import org.springframework.security.config.annotation.authentication.builders.*;
    import org.springframework.security.config.annotation.web.configuration.*;

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
        }
    }
Enabling Spring Security Annotations
XML Config:
    <global-method-security pre-post-annotations="enabled"/>
Java Config:
    @EnableGlobalMethodSecurity(prePostEnabled=true)
    @EnableGlobalMethodSecurity(jsr250Enabled=true)
    @EnableGlobalMethodSecurity(securedEnabled=true)
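The JavaConfig slide above only registers an in-memory user. As an added example (not the talk's code), here is a fuller Spring Security 4 configuration that covers the rest of the Spring Boot list: URL rules through the fluent API, BCrypt password encoding, form login, remember-me, an HTTPS requirement, and method security switched on. The URLs, user names and passwords are made up, and the remember-me key is a placeholder.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
// Java Config equivalent of <global-method-security>: enables @PreAuthorize/@PostFilter and @Secured
// on Spring beans (they have no effect on objects Spring did not create).
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // salted and deliberately slow; cost factor 10 by default
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo users. The store holds BCrypt hashes, never plaintext;
        // in a real application the hashes come from a database or directory.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("user").password(passwordEncoder().encode("password")).roles("USER").and()
            .withUser("admin").password(passwordEncoder().encode("admin-pass")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated top-down: most specific first, the catch-all last.
                .antMatchers("/", "/css/**", "/js/**", "/register").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")       // the "ROLE_" prefix is implied
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()                 // GET renders the form, POST authenticates
                .and()
            .logout()
                .logoutSuccessUrl("/").permitAll()
                .and()
            .rememberMe()
                .key("REPLACE-WITH-A-PER-DEPLOYMENT-SECRET")     // placeholder; signs the remember-me cookie
                .tokenValiditySeconds(14 * 24 * 60 * 60)
                .and()
            .requiresChannel()
                .anyRequest().requiresSecure();                  // redirect plain HTTP to HTTPS
        // Left at their defaults on purpose: CSRF protection, session-fixation protection and the
        // security headers (X-Frame-Options, HSTS, X-Content-Type-Options, cache control).
    }
}
```

Two things to keep in mind when adapting this: a permitAll() rule that appears after anyRequest().authenticated() never fires, and the remember-me key must be the same on every node of a cluster or the cookies from one node are rejected by the others.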
Spring Security @PreAuthorize
    @PreAuthorize("hasRole('ROLE_USER')")
    public void create(Contact contact);

    @PreAuthorize("hasPermission(#contact, 'admin')")
    public void deletePermission(Contact contact, Sid recipient, Permission permission);

    @PreAuthorize("#contact.name == authentication.name")
    public void doSomething(Contact contact);

    @PreAuthorize("hasRole('ROLE_USER')")
    @PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, 'admin')")
    public List<Contact> getAll();
Spring Security @Secured
    @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
    public Account readAccount(Long id);

    @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
    public Account[] findAccounts();

    @Secured("ROLE_TELLER")
    public Account post(Account account, double amount);
Spring MVC Test with Security
    import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.*;

    import org.junit.Before;
    import org.junit.runner.RunWith;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.test.context.ContextConfiguration;
    import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
    import org.springframework.test.context.web.WebAppConfiguration;
    import org.springframework.test.web.servlet.MockMvc;
    import org.springframework.test.web.servlet.setup.MockMvcBuilders;
    import org.springframework.web.context.WebApplicationContext;

    @RunWith(SpringJUnit4ClassRunner.class)
    @ContextConfiguration
    @WebAppConfiguration
    public class CsrfShowcaseTests {

        @Autowired
        private WebApplicationContext context;

        private MockMvc mvc;

        @Before
        public void setup() {
            // springSecurity() installs the real filter chain into MockMvc
            mvc = MockMvcBuilders
                .webAppContextSetup(context)
                .apply(springSecurity())
                .build();
        }
    }
Spring Security Test Annotations
    @WithMockUser // user:password,roles="ROLE_USER"
    @WithMockUser(username="admin",roles={"USER","ADMIN"})
    @WithUserDetails
    @WithSecurityContext
Spring Limitations
- Authentication mechanism in WAR
- Securing methods only works on Spring beans
Apache Shiro
- Filter defined in WebSecurityConfig
- URLs, Roles can be configured in Java
- Or use shiro.ini and load from classpath: [main], [urls], [roles]
- Cryptography
- Session Management
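As an added example (not the talk's code), here is the "configured in Java" option from the slide: a Spring configuration that builds the Shiro filter chain in code and an in-memory equivalent of the shiro.ini [users] and [roles] sections, with a HashedCredentialsMatcher so that the realm holds hashes rather than plaintext. It assumes shiro-spring on the classpath and a Spring Boot app, which registers the Filter produced by ShiroFilterFactoryBean; the users, roles, permissions and URLs are constructed demo data.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.config.Ini;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    private static final int HASH_ITERATIONS = 100_000;

    @Bean
    public IniRealm realm() {
        // In-memory equivalent of the [users] and [roles] sections of shiro.ini (constructed demo data).
        // Each user value is "password-hash, role, role...". The hash is computed here only to keep
        // the example self-contained; a real deployment stores precomputed hashes, never the plaintext.
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("alice", hash("alice-pass") + ", admin, user");
        users.put("bob", hash("bob-pass") + ", user");
        Ini.Section roles = ini.addSection("roles");
        roles.put("admin", "*");                        // every permission
        roles.put("user", "report:read, profile:*");    // Shiro wildcard permissions

        IniRealm realm = new IniRealm(ini);
        // Compare SHA-256 hashes instead of plaintext. Text realms have no per-user salt;
        // use a JDBC or custom realm when you need salted, per-user hashes.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        realm.setCredentialsMatcher(matcher);
        return realm;
    }

    private static String hash(String plaintext) {
        return new Sha256Hash(plaintext, null, HASH_ITERATIONS).toHex();
    }

    @Bean
    public DefaultWebSecurityManager securityManager(IniRealm realm) {
        return new DefaultWebSecurityManager(realm);
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager);
        bean.setLoginUrl("/login");          // where "authc" sends unauthenticated callers
        bean.setUnauthorizedUrl("/403");     // where "roles[...]" sends callers lacking the role

        // Same content as the [urls] section. Order matters: the first matching pattern wins,
        // so the catch-all "/**" must come last or it shadows everything below it.
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/login", "authc");                        // form login handled by Shiro's filter
        chains.put("/logout", "logout");
        chains.put("/css/**", "anon");
        chains.put("/admin/**", "ssl, authc, roles[admin]");  // HTTPS, logged in, and admin role
        chains.put("/**", "ssl, authc");                      // everything else: HTTPS and logged in
        bean.setFilterChainDefinitionMap(chains);
        return bean;
    }
}
```

The chain definition is the piece to review in a code review: an "anon" entry placed above "/**" deliberately opens that path, and a missing "ssl" on an authenticated path sends the session cookie over plain HTTP.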
Apache Shiro Demo
Shiro Limitations
- Limited Documentation
- Getting Roles via LDAP not supported
- No out-of-box support for Kerberos
- REST Support needs work
Stormpath
- Authentication as a Service
- Authorization as a Service
- Single Sign-On as a Service
- A User Management API for Developers
https://stormpath.com
Stormpath with Spring Boot
    <dependency>
        <groupId>com.stormpath.spring</groupId>
        <artifactId>spring-boot-starter-stormpath-thymeleaf</artifactId>
        <version>1.0.RC4.5</version>
    </dependency>
Provides /register, /login and /logout; includes Forgot Password
Testing with SSL
- Cargo doesn’t support http and https at same time
- Jetty and Tomcat plugins work for both
- Pass javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to maven-failsafe-plugin as <systemPropertyVariables>
Learn more: http://raibledesigns.com/rd/entry/integration_testing_with_http_https
Add CORS Support
http://raibledesigns.com/rd/entry/implementing_ajax_authentication_using_jquery
    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;

    public class OptionsHeadersFilter implements Filter {

        // Adds the CORS response headers to every response, including the preflight OPTIONS response
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse response = (HttpServletResponse) res;
            response.setHeader("Access-Control-Allow-Origin", "*");
            response.setHeader("Access-Control-Allow-Methods", "GET,POST");
            response.setHeader("Access-Control-Max-Age", "360");
            response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
            response.setHeader("Access-Control-Allow-Credentials", "true");
            chain.doFilter(req, res);
        }

        public void init(FilterConfig filterConfig) { }

        public void destroy() { }
    }
Securing a REST API
- Use Basic or Form Authentication
- Use Developer Keys
- Use OAuth
What have you used?
OAuth https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
JHipster http://jhipster.github.io/
JHipster Security
- Improved Remember Me
- Cookie theft protection
- CSRF protection
- Authentication: HTTP Session, Token-based, OAuth2
JHipster HTTP Session
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Inject
        private AjaxAuthenticationSuccessHandler ajaxAuthenticationSuccessHandler;

        @Inject
        private AjaxAuthenticationFailureHandler ajaxAuthenticationFailureHandler;

        @Inject
        private AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler;

        // ... configure(HttpSecurity http) follows
    }
JHipster Token-based
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .csrf().disable().headers().frameOptions().disable()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .antMatchers("/api/register").permitAll()
                // additional rules for URLs
                .and()
            .apply(securityConfigurerAdapter());
    }

    private XAuthTokenConfigurer securityConfigurerAdapter() {
        return new XAuthTokenConfigurer(userDetailsService, tokenProvider);
    }
JHipster OAuth2
    @Configuration
    public class OAuth2ServerConfiguration {

        @Configuration
        @EnableResourceServer
        protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
        }

        @Configuration
        @EnableAuthorizationServer
        protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter
                implements EnvironmentAware {
        }
    }
API Security Projects
- Spring Security OAuth - version 2.0.7
- Spring Social - version 1.1.2: Facebook, Twitter, LinkedIn, TripIt, and GitHub Bindings
Penetrate
- OWASP Testing Guide and Code Review Guide
- OWASP Top 10
- OWASP Zed Attack Proxy
- Burp Suite
- OWASP WebGoat
OWASP The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. At OWASP you’ll find free and open ... Application security tools, complete books, standard security controls and libraries, cutting edge research http://www.owasp.org
Penetration Testing Demo http://raibledesigns.com/rd/entry/java_web_application_security_part4
Fixing ZAP Vulnerabilities
    <session-config>
        <session-timeout>15</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

    <form action="${ctx}/j_security_check" id="loginForm" method="post" autocomplete="off">
7 Security (Mis)Configurations in web.xml
1. Error pages not configured
2. Authentication & Authorization Bypass
3. SSL Not Configured
4. Not Using the Secure Flag
5. Not Using the HttpOnly Flag
6. Using URL Parameters for Session Tracking
7. Not Setting a Session Timeout
http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files
OWASP Top 10 for 2013
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Protect
- [SWAT] Checklist
- Firewalls
- IDS and IDPs
- Audits
- Penetration Tests
- Code Reviews with Static Analysis Tools
[SWAT] Checklist http://software-security.sans.org/resources/swat
Firewalls
- Stateless Firewalls
- Stateful Firewalls: Invented by Nir Zuk at Check Point in the mid-90s
- Web App Firewalls: Inspired by the 1996 PHF CGI exploit; WAF Market $234m in 2010
Gartner on Firewalls
Content Security Policy
- An HTTP Header with whitelist of trusted content
- Bans inline <script> tags, inline event handlers and javascript: URLs
- No eval(), new Function(), setTimeout or setInterval
- Supported in Chrome 16+, Safari 6+, and Firefox 4+, and (very) limited in IE 10
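As an added example (not the talk's code), here is a filter that sends the policy described on the slide from a Java webapp, plus the endpoint that receives the browser's violation reports. It starts in report-only mode so that the policy can be rolled out without breaking pages that still use inline script; the reports then list exactly what has to be moved into external files. The CDN host, the report path and the class names are assumptions.

```java
// File: ContentSecurityPolicyFilter.java (hypothetical)
import java.io.BufferedReader;
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// reportOnly=true: the browser reports what the policy would block without blocking it.
// Flip it to false once the reports are quiet.
@WebFilter(urlPatterns = "/*", initParams = @WebInitParam(name = "reportOnly", value = "true"))
public class ContentSecurityPolicyFilter implements Filter {

    // Constructed policy; cdn.example.com stands in for whatever host really serves the scripts.
    // No 'unsafe-inline' and no 'unsafe-eval', so inline <script>, onclick= handlers, javascript:
    // URLs and eval()/new Function()/string setTimeout are all refused by the browser.
    private static final String POLICY =
        "default-src 'self'; "
      + "script-src 'self' https://cdn.example.com; "
      + "style-src 'self'; "
      + "img-src 'self' data:; "
      + "object-src 'none'; "
      + "frame-ancestors 'none'; "
      + "report-uri /csp-report";

    private boolean reportOnly;

    @Override
    public void init(FilterConfig config) {
        reportOnly = "true".equalsIgnoreCase(config.getInitParameter("reportOnly"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Headers must be set before the response is committed, so before chain.doFilter().
        response.setHeader(reportOnly ? "Content-Security-Policy-Report-Only"
                                      : "Content-Security-Policy", POLICY);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}

// File: CspReportServlet.java (hypothetical)
// Receives the JSON reports the browser POSTs to report-uri. Logged reports double as an
// XSS early-warning signal: a blocked inline script on a page that never had one deserves a look.
@WebServlet("/csp-report")
public class CspReportServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(CspReportServlet.class.getName());
    private static final int MAX_REPORT_CHARS = 8 * 1024;   // reports are small; cap attacker-sized bodies

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        StringBuilder body = new StringBuilder();
        try (BufferedReader reader = req.getReader()) {
            char[] buf = new char[1024];
            int n;
            while (body.length() < MAX_REPORT_CHARS && (n = reader.read(buf)) != -1) {
                body.append(buf, 0, n);
            }
        }
        // Strip line breaks: the body is attacker-influenced and must not forge extra log lines.
        String report = body.toString().replaceAll("[\\r\\n]", " ");
        LOG.warning("CSP violation reported by " + req.getRemoteAddr() + ": " + report);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

If the app uses Spring Security, /csp-report has to be excluded from CSRF protection and authentication, because the browser sends the report as a bare POST without a token or session.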
Content Security Policy
Content Security Policy: Can I use?
Relax
- Web App Firewalls: Imperva, F5, Breach; Open Source: WebNight and ModSecurity
- Stateful Firewalls: Juniper, Check Point, Palo Alto
- IDP/IDS: Sourcefire, TippingPoint; Open Source: Snort
- Audits: ENY, PWC, Grant Thornton
- Pen Testing: WhiteHat, Trustwave, Electric Alchemy
Remember...
“Security is a quality, and as all other quality, it is important that we build it into our apps while we are developing them, not patching it on afterwards like many people do.”
-- Erlend Oftedal
From a comment on raibledesigns.com: http://bit.ly/mjufjR
Action!
- Use OWASP and Open Source Security Frameworks
- Follow the Security Street Fighter Blog: http://software-security.sans.org/blog
- Use OWASP ZAP to pentest your apps
- Don’t be afraid of security!
Additional Reading
- Securing a JavaScript-based Web Application: http://eoftedal.github.com/WebRebels2012
- Michal Zalewski’s “The Tangled Web”: http://lcamtuf.coredump.cx/tangled
Stay hip by following me!
- http://raibledesigns.com
- @mraible
- Presentations: http://slideshare.net/mraible
- Code: https://github.com/mraible/java-webapp-security-examples
Questions?
Additional Information
- OWASP Denver: http://www.meetup.com/Denver-OWASP/
- AppSec USA 2015: September 25 - 28 in San Francisco
Devoxx4Kids Denver Teaching Kids to Program Java, Minecraft, robots, oh my! Non-profit, looking for speakers! http://www.meetup.com/Devoxx4Kids-Denver/

Java Web Application Security with Java EE, Spring Security and Apache Shiro - UberConf 2015