Tag: Spring Security
-
Spring Security: Propagating Security Context to Spawned Threads
PROBLEM Let’s assume we have the following Parent class… … and Child class… Let’s also assume the user has successfully logged in and Spring Security has set up the user authentication info. The Parent will spawn a new thread (through @Async) to run Child. When invoking the Parent, this is what we see:- The Child,… Read More…
-
JEE Security: Preventing Clickjacking Attacks
PROBLEM Clickjacking is an attack that tricks users into performing unintended actions… see OWASP’s Testing for Clickjacking (OTG-CLIENT-009) SOLUTION To prevent clickjacking attacks, the app must set the X-FRAME-OPTIONS header with an appropriate value:- If set correctly, the HTTPS response should show the X-FRAME-OPTIONS header:- There are several ways to set this header. Solution 1: Using… Read More…
-
Spring Security: Invalid CSRF Token ‘null’ was found on the request parameter ‘_csrf’ or header ‘X-CSRF-TOKEN’
PROBLEM With Spring Security 4.x, CSRF protection is enabled by default. You may disable it, but to stay aligned with OWASP and industry security standards, it’s best to leave this setting the way it is. Learn more about CSRF attacks… To prevent this attack, Spring Security 4.x requires you to attach a… Read More…
-
Spring Security: Forcing URLs to use HTTPS
PROBLEM Your web application supports both HTTP and HTTPS. You want to force all URLs to use HTTPS. SOLUTION Spring Security has a simple configuration that allows us to redirect all HTTP-based URLs to HTTPS. All we have to do is set requires-channel="https" on the <security:intercept-url/> tag. For example:- With this configuration, when the user… Read More…
-
Spring Security: Handling 403 Error Page
If you are already using Spring, then you might want to use Spring Security to secure your web resources. To do that, we specify the URI to be secured with the <security:intercept-url/> tag:- When users without the role ROLE_TOPSECRET access /top-secrets/kfc-secret, they will see this default error page:- This proves that Spring Security is doing its job… Read More…
-
Java: Invoking Secured Web Service with JSESSIONID
PROBLEM I wrote a JSP custom tag that invokes a secured web service within the same application to perform some evaluation. This custom tag is only used in the secured views where the user has successfully authenticated against Spring Security, and they have access to these views. The secured web service is also guarded by… Read More…