Abhinaw Tripathi

Securing Spring Applications against Common Security Threats

Description:


1) Spring Security protects your application from many common security threats right out of the box. You don't have to reinvent the wheel for this, but the problem is that developers usually tend to ignore it; the Spring Security framework provides protection against those threats out of the box, it just matters how you implement it.

2) In fact, the increased adoption of such frameworks has resulted in significant declines in the occurrence of many of these threats.

3) In the Spring Framework, securing Spring applications against common security threats like man-in-the-middle attacks, cross-site scripting, and many more means learning how to configure Spring Security with Spring Boot so that security is up and running from the very start of your project. So here I am basically telling you how to deal with these common threats without much effort: you just need to configure your Spring app correctly, and for that you need the skills and knowledge of Spring Security required to effectively secure your application against common threats. I am mentioning a few of the security risks and threats to any Spring Boot-based application. These are very common threats, but very effective, so before disabling anything in Spring, make sure you are confident and aware of the risks to your users before going ahead.

1) HTTP Headers: The First Line of Defense
2) The Cache-Control Header
3) MIME Type Sniffing and Browser XSS Protection
4) Understanding Spring Security Cross-Site Request Forgery
5) Default Clickjacking Protection
6) Additional Optional Security Headers
7) Spring Security's HTTP Firewall

The main takeaway from this is: just don't try to reinvent the wheel. Increased adoption of frameworks like Spring Security has resulted in many of the common security threats, like cross-site scripting and cross-site request forgery, dropping out of the OWASP Top 10, as you get a lot of protection right out of the box, often against threats you don't even know about. Spring Security is very configurable, and it's easy to unintentionally disable some of the default security protection. Hence, before disabling anything, make sure you are confident and aware of the risks to your users before going ahead. This will give you the foundational knowledge required to customize the framework in a Spring Boot app.
Below is the security configuration. The HTTPS redirect beans are part of the same configuration class (they need the Tomcat connector and constraint classes imported alongside the Spring Security ones):

```java
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only the login page is public; every other request needs an authenticated user.
        // CSRF protection, the default security headers and session protection are left at their defaults.
        http
            .authorizeRequests()
                .mvcMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .and()
            .logout();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Demo users kept in memory; the {noop} prefix means the password is stored unencoded.
        auth.inMemoryAuthentication().withUser("abhinaw").password("{noop}password").roles("USER");
        auth.inMemoryAuthentication().withUser("tripathi").password("{noop}password").roles("ADMIN");
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static resources bypass the security filter chain entirely.
        web.ignoring().antMatchers("/css/**", "/webjars/**");
    }

    // Force HTTPS: every path is marked CONFIDENTIAL at the Tomcat level, and an extra
    // plain HTTP connector on 8080 redirects to the SSL port 8443 configured in the YAML below.
    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(redirectConnector());
        return tomcat;
    }

    private Connector redirectConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(8080);
        connector.setRedirectPort(8443);
        return connector;
    }
}
```

The login controller and a small helper to read the current user from the security context:

```java
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class LoginController {

    // Serves the custom login view referenced by loginPage("/login") above.
    @GetMapping("/login")
    public String login() {
        return "login";
    }
}

public class AuthenticationUtil {

    // Returns the username of the authenticated principal for the current request.
    public static String getUsername() {
        UserDetails user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        return user.getUsername();
    }
}
```
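As an added example (not code from the post or its GitHub repository), here is how the header, CSRF and HTTP firewall items in the list above map onto the same Spring Security 5 `WebSecurityConfigurerAdapter` API the post uses. The class name `SecurityHeadersConfiguration`, the CSP string and the HSTS age are my assumptions; in a real project these calls belong inside the `configure` methods of the single `SecurityConfiguration` class rather than in a second adapter.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

@Configuration
public class SecurityHeadersConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Defaults, written out so nobody removes them by accident: X-Content-Type-Options: nosniff,
                // X-XSS-Protection: 1; mode=block, Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                .contentTypeOptions().and()
                .xssProtection().block(true).and()
                .cacheControl().and()
                // HSTS (only written on HTTPS responses): one year, subdomains included (assumed values)
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)
                    .and()
                // Clickjacking: the default X-Frame-Options is DENY; SAMEORIGIN only if you frame your own pages
                .frameOptions().sameOrigin()
                // Optional headers Spring does not send by default (policy values are assumptions)
                .referrerPolicy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN).and()
                .contentSecurityPolicy("default-src 'self'; frame-ancestors 'self'").and()
                .and()
            // CSRF stays enabled; the cookie repository lets a JavaScript front-end read the token
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }

    @Override
    public void configure(WebSecurity web) {
        // StrictHttpFirewall is already the default; stating its rules makes them explicit.
        // Requests whose path contains ';', an encoded '/' or a '\' are rejected before any filter runs.
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(false);
        firewall.setAllowUrlEncodedSlash(false);
        firewall.setAllowBackSlash(false);
        web.httpFirewall(firewall);
    }
}
```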

Below is my YAML file:

```yaml
server:
  port: 8443
  ssl:
    key-store-password: ENC(8e+G1W2rkvi1EglUn6uTheBzZ4IY2hhl)
    key-store: classpath:keystore.p12
    key-store-type: PKCS12
    key-alias: tomcat
logging:
  level:
    root: INFO
    com.memorynotfound: INFO
    org.springframework.web: INFO
    org.springframework.security: INFO
jasypt:
  encryptor:
    # Master password used to decrypt the ENC(...) values above; demo value only,
    # in practice supply it through an environment variable or -Djasypt.encryptor.password
    password: password
    iv-generator-classname: org.jasypt.iv.NoIvGenerator
    algorithm: PBEWithMD5AndTripleDES
```

For the detailed implementation you can check out my GitHub code for a better understanding: https://github.com/Abhinaw/SpringSecirityAgainstCommonThreats. Just visit and check out the code and you will understand it correctly.
