Matt Raible | @mraible
October 8, 2021
Web App Security for Java Developers
Photo by Michiel Leunens on https://unsplash.com/photos/fBB7FeS4Xas
@mraible
Who is Matt Raible?
Father, Husband, Skier, Mountain Biker, Whitewater Rafter
Bus Lover
Web Developer and Java Champion
Okta Developer Advocate
Blogger on raibledesigns.com and developer.okta.com/blog
Today’s Agenda
What is web app security?
7 simple ways to better app security
3 quick demos
  🍃 Spring Boot
  🅰 Angular
  🤓 JHipster
What is web app security?
7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)
1. Use HTTPS Everywhere!
Let’s Encrypt offers free HTTPS certificates
certbot can be used to generate certificates
mkcert can be used to create localhost certificates
Spring Boot Starter ACME for automating certificates
What is HTTPS?
https://howhttps.works
How HTTPS Works
https://howhttps.works
HTTPS for Static Sites too!
https://www.troyhunt.com/heres-why-your-static-website-needs-https
HTTPS is Easy!
Force HTTPS in Spring Boot
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requiresChannel().anyRequest().requiresSecure();
    }
}
Force HTTPS in the Cloud
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requiresChannel()
            .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
            .requiresSecure();
    }
}
Force HTTPS in Spring WebFlux
@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.redirectToHttps(withDefaults());
        return http.build();
    }
}
Force HTTPS in Spring WebFlux + Cloud
@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.redirectToHttps(redirect -> redirect
            .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
        );
        return http.build();
    }
}
“Why do we need HTTPS inside our network?”
2. Scan Your Dependencies
GitHub + Dependabot
Full-featured Dependency Scanners
3. Use the Latest Releases
How well do you know your dependencies?
Dependency health: indirect dependencies, regular releases, regular commits
Check for Updates with npm
npm i -g npm-check-updates
ncu
Check for Updates with Maven
mvn versions:display-dependency-updates

https://www.mojohaus.org/versions-maven-plugin
Check for Updates with Gradle
plugins {
    id("se.patrikerdes.use-latest-versions") version "0.2.17"
    id("com.github.ben-manes.versions") version "0.39.0"
    ...
}
$ ./gradlew useLatestVersions
https://github.com/patrikerdes/gradle-use-latest-versions-plugin
4. Secure Your Secrets
HashiCorp Vault and Azure Key Vault
https://developer.okta.com/blog/2020/05/04/spring-vault
Secure Secrets With Spring Cloud Config and Vault
5. Use a Content Security Policy
Default Spring Security Headers
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Add a Content Security Policy with Spring Security
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .contentSecurityPolicy("script-src 'self' " +
                "https://trustedscripts.example.com; " +
                "object-src https://trustedplugins.example.com; " +
                "report-uri /csp-report-endpoint/");
    }
}
Test Your Security Headers
https://securityheaders.com
6. Use OAuth 2.0 and OpenID Connect
OpenID Connect
OAuth 2.0
HTTP
OpenID Connect is for authentication
OAuth 2.0 is for authorization
Authorization Code Flow Example
https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway
Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
OAuth 2.1 to the rescue!
https://oauth.net/2.1
PKCE is required for all clients using the authorization code flow
Redirect URIs must be compared using exact string matching
The Implicit grant is omitted from this specification
The Resource Owner Password Credentials grant is omitted from this specification
Bearer token usage omits the use of bearer tokens in the query string of URIs
Refresh tokens for public clients must either be sender-constrained or one-time use
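The PKCE requirement above, shown in plain Java as an added example that is not part of the talk's slides or any Okta library: the client generates the code_verifier and its S256 code_challenge, and the authorization server re-derives the challenge when the code is redeemed. The class and method names (Pkce, newCodeVerifier, codeChallengeS256, verifierMatches) are my own; only the JDK is used.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class Pkce {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // Client side: high-entropy code_verifier. RFC 7636 requires 43-128 unreserved
    // characters; 32 random bytes base64url-encoded yield exactly 43.
    static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    // Client side: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))),
    // sent on the authorization request with code_challenge_method=S256.
    static String codeChallengeS256(String verifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    // Authorization server side: the token request carries the plain verifier. Recompute
    // the challenge stored with the code and compare in constant time; a leaked code alone
    // cannot be redeemed because the verifier never travelled through the redirect.
    static boolean verifierMatches(String storedChallenge, String presentedVerifier) {
        if (storedChallenge == null || presentedVerifier == null
                || presentedVerifier.length() < 43 || presentedVerifier.length() > 128) {
            return false;
        }
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = codeChallengeS256(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        String verifier = newCodeVerifier();            // kept in the client's session
        String challenge = codeChallengeS256(verifier); // stored by the server with the code
        System.out.println("correct verifier accepted: " + verifierMatches(challenge, verifier));
        System.out.println("other verifier rejected:   " + !verifierMatches(challenge, newCodeVerifier()));
    }
}
```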
7. Prevent CSRF Attacks
Configure CSRF Protection with Spring Security
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
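What CookieCsrfTokenRepository.withHttpOnlyFalse() sets up, reduced to a stand-alone double-submit check in plain Java. This is an added example, not Spring Security's own implementation; the class name CsrfDoubleSubmitCheck, the isAllowed helper and the sample token are assumed, while the cookie and header names are the repository's defaults that Angular's HttpClient also uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

public class CsrfDoubleSubmitCheck {

    // Names used by CookieCsrfTokenRepository and expected by Angular's HttpClient.
    static final String COOKIE_NAME = "XSRF-TOKEN";
    static final String HEADER_NAME = "X-XSRF-TOKEN";

    // Safe methods are not checked, which is why state changes must never ride on GET.
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

    // The browser attaches the cookie to every request, cross-site ones included; only
    // same-origin script can read the (non-HttpOnly) cookie and copy it into the header.
    // A request passes when both values are present and identical.
    static boolean isAllowed(String method, Map<String, String> cookies, Map<String, String> headers) {
        if (SAFE_METHODS.contains(method.toUpperCase())) {
            return true;
        }
        String fromCookie = cookies.get(COOKIE_NAME);
        String fromHeader = headers.get(HEADER_NAME);
        if (fromCookie == null || fromHeader == null) {
            return false;
        }
        // Constant-time comparison so token bytes do not leak through timing.
        return MessageDigest.isEqual(fromCookie.getBytes(StandardCharsets.UTF_8),
                                     fromHeader.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample token; the real repository issues a random UUID per session.
        String token = "7b2c3f9e-constructed-sample-token";
        Map<String, String> cookies = Map.of(COOKIE_NAME, token);

        // Angular POST: cookie present and echoed back in the header, so it is allowed.
        System.out.println("same-origin POST:  " + isAllowed("POST", cookies, Map.of(HEADER_NAME, token)));
        // Cross-site form POST: the browser sends the cookie but cannot add the header.
        System.out.println("cross-site POST:   " + isAllowed("POST", cookies, Map.of()));
        // Header present but carrying a different token than the cookie.
        System.out.println("mismatched token:  " + isAllowed("POST", cookies, Map.of(HEADER_NAME, "other-token")));
        // GET is a safe method, so no token is required.
        System.out.println("plain GET:         " + isAllowed("GET", Map.of(), Map.of()));
    }
}
```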
SameSite Cookies
Demos!
🍃 🅰 🤓
Recap: 7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)
developer.okta.com/blog


@oktadev
Curious About Microservice Security?
https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
Or Auth Security Patterns?
https://bit.ly/mraible-springone-2021


https://youtu.be/CebTJ7Nq1Hs
Thanks!

Keep in Touch
  raibledesigns.com
  @mraible
Presentations
  speakerdeck.com/mraible
Code
  github.com/oktadev
developer.okta.com
Web App Security for Java Developers - UberConf 2021
