
How to Boost Development Using Spring Security?

Friday, September 27, 2019

The Spring ecosystem has two stable, mature stacks for building web apps in the Java world. The Spring Framework is the primary choice when you consider its popularity and adoption rate in the industry. Spring offers robust ways to build a web app, with support for dependency injection, transaction management, application security, polyglot persistence, first-class REST API support, an MVC framework, and more.

Since the beginning, Spring apps have needed a significant amount of configuration, which adds complexity during the development phase. This is the area where Spring Boot helps.

Spring Boot is an extension of the Spring Framework that removes the boilerplate configuration. The platform provides a faster and more effective ecosystem for app development.

Major features of using Spring Boot –

· Embedded server support, which removes the complications of application deployment.

· Opinionated ‘starter’ dependencies that make it easy for programmers to configure and develop apps.

· Auto-configuration, which enables Spring functionality as soon as it is needed.

· Close integration with features like health checks, externalized configuration, and metrics.


In this post, we share the top Spring Boot security best practices for Java developers.

1. Use HTTPS in Production

TLS/SSL certificates were once expensive, and HTTPS was regarded as slow. Machines now perform far faster than expected, which has solved the performance issue, and Let’s Encrypt offers free TLS certificates. These two developments have changed the picture and brought TLS into the mainstream.

To use HTTPS in your Spring Boot app, extend WebSecurityConfigurerAdapter and require a secure connection for all requests.

Cloud providers can make TLS certificates much simpler. AWS Certificate Manager lets you provision free SSL certificates and handles automatic renewal without any effort or configuration. Heroku also has automated certificate management.
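One way to enforce the HTTPS-only rule described above, as an added example that is not part of the original post (the class name HttpsOnlyConfig and the keystore values in the comments are assumptions; it targets Spring Boot 2.x / Spring Security 5.x, where WebSecurityConfigurerAdapter is still the configuration entry point):

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; drop it into the same package as your application class.
//
// The TLS listener itself is configured in application.properties (placeholder values):
//   server.port=8443
//   server.ssl.key-store=classpath:keystore.p12
//   server.ssl.key-store-password=<keystore-password>
//   server.ssl.key-store-type=PKCS12
//
// If TLS is terminated by a load balancer (for example with an ACM certificate, as the post
// mentions), the app only ever sees plain HTTP. It must then trust X-Forwarded-Proto, or
// requiresSecure() below will redirect every request in a loop:
//   server.forward-headers-strategy=native   (Spring Boot 2.2+)
@EnableWebSecurity
public class HttpsOnlyConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Any request arriving over plain HTTP is redirected to the HTTPS equivalent.
            .requiresChannel()
                .anyRequest().requiresSecure()
            .and()
            // HSTS tells the browser to upgrade future http:// links locally, so a stray
            // plain-text request never reaches the network. Spring Security sends this header
            // by default on HTTPS responses; the values are spelled out here for clarity.
            .headers()
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000); // one year
    }
}
```

Test the redirect with a plain-HTTP request and confirm it answers 302 to the https:// URL before shipping; a forgotten forward-headers setting shows up immediately as a redirect loop.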

2. Test Your Dependencies

You may not be aware of how many direct dependencies your application uses, and it is quite likely that you don’t know the number of transitive dependencies it pulls in.

Attackers target open source dependencies because the reuse of such dependencies gives them many victims at once. It is necessary to check that there are no known vulnerabilities anywhere in your application’s dependency tree.

Snyk helps you test the app’s build artifacts. It flags dependencies with vulnerabilities and gives you a complete list of the vulnerabilities in the packages your app uses, presented as a dashboard. Snyk is available through a web UI and as a CLI, which means you can easily integrate it with your CI environment. You can also configure it to break your build when vulnerabilities are present.

3. Enable CSRF Protection

Cross-site request forgery (CSRF) is an attack that forces a user to perform unwanted actions in an application they are currently logged into.

Spring Security offers excellent CSRF support by default. If you are using Spring MVC’s form tag `<form:form>` or Thymeleaf together with @EnableWebSecurity, Spring Security automatically adds the CSRF token as a hidden input field.

If you are using a JavaScript framework such as React or Angular, you need to configure CookieCsrfTokenRepository so that JavaScript can read the cookie:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
      http
          .csrf()
              // Keep the token in an XSRF-TOKEN cookie without the HttpOnly flag, so front-end
              // JavaScript can read it and send it back in the X-XSRF-TOKEN request header.
              .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
  }
}

Spring Security automatically adds the Secure flag to the XSRF-TOKEN cookie when the request is made over HTTPS. Spring Security uses the SameSite=Strict attribute when Spring Session or WebFlux session handling is in use.

4. Content Security Policy Against XSS Attacks

Content Security Policy (CSP) is an added layer of security that protects against XSS and data injection attacks. To enable it, configure your app to return a Content-Security-Policy header.

Spring Security adds numerous security headers by default, but CSP is not one of them, so you need to add it yourself. Use the configuration below to enable the CSP header in your Spring Boot app:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

   @Override
   protected void configure(HttpSecurity http) throws Exception {
       // Scripts may only load from this origin and the trusted host; plugins only from the
       // trusted plugin host; violations are reported to /csp-report-endpoint/.
       http.headers()
           .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
   }
}
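A check that the CSRF configuration from section 3 and the CSP header from section 4 actually take effect, as an added example that is not part of the original post. It assumes the two configure() bodies above live in one WebSecurityConfig, that spring-boot-starter-test and spring-security-test are on the test classpath, and that the app exposes a POST endpoint at the placeholder path /api/orders:

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Boots the full context (including WebSecurityConfig) and drives it through MockMvc.
@SpringBootTest
@AutoConfigureMockMvc
class CsrfAndCspTest {

    // Hypothetical state-changing endpoint; replace with one that exists in your app.
    private static final String STATE_CHANGING_ENDPOINT = "/api/orders";

    @Autowired
    private MockMvc mockMvc;

    @Test
    void postWithoutCsrfTokenIsRejected() throws Exception {
        // No token supplied, so CsrfFilter must reject the request before any controller runs.
        mockMvc.perform(post(STATE_CHANGING_ENDPOINT)).andExpect(status().isForbidden());
    }

    @Test
    void postWithCsrfTokenIsAccepted() throws Exception {
        // csrf() attaches a valid token, as a SPA does by copying the cookie into X-XSRF-TOKEN.
        mockMvc.perform(post(STATE_CHANGING_ENDPOINT).with(csrf())).andExpect(status().is2xxSuccessful());
    }

    @Test
    void xsrfTokenCookieIsReadableByJavaScript() throws Exception {
        // withHttpOnlyFalse() must leave HttpOnly off, or front-end code cannot read the cookie.
        mockMvc.perform(get("/"))
               .andExpect(cookie().exists("XSRF-TOKEN"))
               .andExpect(cookie().httpOnly("XSRF-TOKEN", false));
    }

    @Test
    void contentSecurityPolicyHeaderIsSent() throws Exception {
        // Present only because it was configured explicitly; Spring Security does not add CSP by default.
        mockMvc.perform(get("/")).andExpect(header().exists("Content-Security-Policy"));
    }
}
```

If the first test passes but the third fails, the cookie repository was registered without withHttpOnlyFalse(), which is the most common reason a React or Angular front end keeps getting 403 on every POST.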


Spring Boot and Spring Security have thoroughly changed how Java-based applications are built, and Java developers can now speed up their app development using these features, with more advancements in this area likely to come. We hope you now see how Spring Security and Spring Boot benefit the Java world. Several tutorials are readily available online to get started with Spring, Spring Boot and Java development with ease.
