Question
I'm looking forward to deploying my Spring application in a production environment and I'd like to include some basic and solid security measures.
First things first, I extended WebSecurityConfigurerAdapter into my SecurityConfiguration.java:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.password.NoOpPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        UserDetailsService userDetailsService;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Users are loaded through the application's own UserDetailsService
            auth.userDetailsService(userDetailsService);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // CSRF is disabled here; the role-based rules below guard the admin pages only
            http.csrf().disable().authorizeRequests()
                .antMatchers("/admin").hasAuthority("ADMIN")
                .antMatchers("/ekab").hasAuthority("EKAB")
                .antMatchers("/dimos").hasAuthority("DIMOS")
                .antMatchers("/", "/users/**", "/aeds/**", "/events/**", "/reports/**", "*/static/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login")
                    .defaultSuccessUrl("/dashboard", true)
                    .permitAll()
                .and()
                .logout()
                    .permitAll();
        }

        @Bean
        public PasswordEncoder getPasswordEncoder() {
            // Passwords are compared in plaintext (no hashing)
            return NoOpPasswordEncoder.getInstance();
        }
    }
In a production environment CSRF should be enabled, although I don't handle any CSRF tokens for now.
GET endpoints: Note that /users/** contains some GET endpoints containing user information; can I apply limitations to who visits them?
POST endpoints: I've also found some ways to secure POST by using a JSON Web Token; is it a best practice?
Spring also provides OAuth2.0, RSA and LDAP dependencies to enhance security. Which one should I use? Do these prevent DDOS attacks as well as brute force attacks?
Do I have to make modifications in the application's deployment environment?
Answer 1:
Spring Security provides various default security-attack implementations to make sure the application is secured.
Since you asked to include some basic and solid security measures, below are a few of my thoughts which can improve it a bit.
- As you said, you have disabled the 'CSRF token', which is not good when you want your application to be highly secured. Usually, most people disable it (in demo code) because they won't be able to call the /logout URL with the GET method, as it requires you to submit it via POST with a _csrf token. Good that you have taken care of it in production.
- Session Fixation Attack: This is the type of attack where one can steal your current session by offering their URL of the same website and appending the JSESSIONID to the URL, with the URL rewrite approach. The Spring Security Framework has taken care of this by default and it migrates the session once the user logs in. The corresponding configuration would be:
    http.sessionManagement().sessionFixation().migrateSession()
- Securing the session cookie: Malicious scripts can read your cookie information from the browser end, so you need to make sure that your cookie is secured and only accessible by server-side code by making it HttpOnly. For that, you can use the config below in your application.properties:
    server.servlet.session.cookie.http-only=true
- Running your app on HTTPS: Make sure that you use HTTPS in production; in that case you can also force your cookies to travel over the HTTPS protocol only by adding the config below to your application.properties:
    server.servlet.session.cookie.secure=true
  and to force an HTTPS connection add the line below in the configure() method (this won't be enough though, because you also have to set up your public/private key using keytool):
    http.requiresChannel().requiresSecure();
- Applying CSP: Use a Content Security Policy to avoid any XSS attacks. Spring Security by default provides various security headers, but it does not add Content Security Policy headers; you can add them in your security config file like below:
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.headers().contentSecurityPolicy(
                "script-src 'self' https://myclientscriptlocation.example.com; "
                + "object-src https://myclientsideplugins.example.com; "
                + "report-uri /cspreport-endpoint/");
        }
    }
- Password hashing: Which you are not using in your security config. You have to keep passwords hashed while storing them in the database.
- Securing your application.properties: Security should be applied not only against outsiders, but it should also protect from insiders as well, like encryption and decryption of database passwords or any other config passwords. Follow here on how to secure your application properties.
GET endpoints: Note that /users/** contains some GET endpoints containing user information; can I apply limitations to who visits them?
Yes, you can. But that depends on your requirement, what you want here. One example that I can think of is IP address filtering, like if you want only those users who are in the US to have access, or if you know the IP range of the user, etc.
    .antMatchers("/foos/**").hasIpAddress("xx.xxx.xxx.xx")
POST endpoints: I've also found some ways to secure POST by using a JSON Web Token; is it a best practice?
JWT is mostly used in RESTful web services. If your application is exposing REST endpoints and requires authenticated access, then JWT is the best option.
Spring also provides OAuth2.0, RSA and LDAP dependencies to enhance security.
These are different ways of authentication and authorization. Some of them have multiple flows to do authentication and authorization, but the same security factors would apply to these when they are accessed by outside users.
It totally depends on your project requirement whether you need them or not. For example, if you are developing an application for internal organization use, where each user/employee has everything set up at the organization level and you want everyone to access this application, then LDAP integration is better.
OAuth2.0 is better when you have multiple microservices, or you want a social login implementation like Login with Google or Login with Facebook; then you can follow the OAuth2.0 integration.
Do these prevent DDOS attacks as well as brute force attacks?
No. This should be taken care of by tuning various security parameters like limiting the session time, checking security headers, handling memory leaks, applying a timeout for POST requests so that no one could post a huge request payload, etc. You have to do a bit of legwork to mitigate such security attacks.
I hope this helps you to move forward.
PS: Remove permitAll() from the security configuration:
    .defaultSuccessUrl("/dashboard",true)
    .permitAll()
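A hardened version of the question's configuration, written here as an added example (not code from the question or the answer), that applies the answer's recommendations in one class: CSRF left enabled, HTTPS enforced, session id migration on login, a CSP header, bcrypt password hashing, and the /users/** GET endpoints limited to logged-in users. The class name HardenedSecurityConfiguration, the /csp-report endpoint and the 10.0.0.0/8 range on /reports/** are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class HardenedSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Stored passwords are verified against a salted bcrypt hash, never compared in plaintext.
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection stays on (Spring's default); /logout therefore needs a POST carrying _csrf.
            .csrf().and()
            // Every request must arrive over HTTPS; the TLS keystore itself is configured on the server.
            .requiresChannel().anyRequest().requiresSecure().and()
            // A fresh session id is issued at login, so a JSESSIONID planted in a URL cannot be reused.
            .sessionManagement().sessionFixation().migrateSession().and()
            // CSP restricts script and plugin sources; /csp-report is an assumed reporting endpoint.
            .headers().contentSecurityPolicy("default-src 'self'; script-src 'self'; object-src 'none'; report-uri /csp-report")
            .and().and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasAuthority("ADMIN")
                .antMatchers("/reports/**").hasIpAddress("10.0.0.0/8") // assumed internal range
                // User data now requires a login instead of permitAll().
                .antMatchers("/users/**").authenticated()
                .antMatchers("/", "/login", "/static/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").defaultSuccessUrl("/dashboard", true).permitAll()
            .and()
            .logout().permitAll();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

The cookie flags from the answer (server.servlet.session.cookie.http-only=true and server.servlet.session.cookie.secure=true) still belong in application.properties; they are not set from this class.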
Source: https://stackoverflow.com/questions/62092295/how-to-perform-a-basic-spring-boot-application-security