# Importance of Security
- Three things every web application needs:
  - security : authentication (who are you?) and authorization (what are you allowed to do?); use the OWASP Top 10 as the checklist
  - performance : the app must stay fast for every kind of client, not only the happy path
  - stability : the app must keep working under load and under bad input
- OWASP Top 10 (2021):
  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
     - SQL injection : a login field fed `' or 1=1` turns `WHERE username = '...'` into an always-true condition; fix it with a PreparedStatement, where parameters are bound by the driver and never concatenated into the SQL text
  4. Insecure Design
  5. Security Misconfiguration (for example shipping with the default configuration)
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures (hash the password before storing it in the db; never store it in plain text, and do not "encrypt" it, since anyone with the key can reverse that)
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures (dropping logs to save performance means an attack is never noticed)
  10. Server-Side Request Forgery (SSRF)
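Added example (not from the notes) of the injection point from item 3 and its fix, side by side in plain JDBC. `LoginDao`, the `users` table and the sample row are constructed for this demo; the `main` method assumes the H2 driver is on the classpath so it can run against an in-memory database. The `password` column is kept as plain text only so the injected `WHERE` clause is easy to read; a real table holds bcrypt hashes and the comparison is done in Java with a PasswordEncoder.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginDao {

    private final Connection conn;

    public LoginDao(Connection conn) {
        this.conn = conn;
    }

    // VULNERABLE: user input is pasted into the SQL text, so it can change the query.
    // username = "' or 1=1 --" yields
    //   SELECT id FROM users WHERE username = '' or 1=1 --' AND password = '...'
    // and the "--" comments the password check away: the WHERE clause is always true.
    public boolean loginUnsafe(String username, String password) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = '" + username
                   + "' AND password = '" + password + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // SAFE: the SQL text is fixed; the driver sends the values separately as data,
    // so the same payload is just an odd user name that matches nothing.
    public boolean loginSafe(String username, String password) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed demo data in an in-memory H2 database (assumes the H2 driver on the classpath).
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, username VARCHAR(50), password VARCHAR(100))");
                st.execute("INSERT INTO users VALUES (1, 'jp', 'super123')");
            }
            LoginDao dao = new LoginDao(c);
            String payload = "' or 1=1 --";

            // The concatenated query lets the payload log in without knowing any password.
            System.out.println("unsafe, injected: " + dao.loginUnsafe(payload, "wrong"));
            // The prepared statement treats the payload as a literal user name.
            System.out.println("safe, injected:   " + dao.loginSafe(payload, "wrong"));
            // Real credentials still work through the safe path.
            System.out.println("safe, real creds: " + dao.loginSafe("jp", "super123"));
        }
    }
}
```

The fix is not escaping quotes by hand; it is keeping the query structure out of the attacker's reach by never building SQL from strings. The same rule applies to JPA: use named parameters in `@Query` or the derived `findBy...` methods, not string-built JPQL.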
# Spring Security -
- Spring Security adds one more layer in front of the application: a chain of servlet filters (Spring Security's FilterChainProxy, plugged in through a DelegatingFilterProxy). A request passes through all of those filters first, then reaches the DispatcherServlet, which hands it to the matching Controller.
- Default filters :
  1. Filter Chain
     (Client -> Servlet Container -> Filter1 -> Filter2 -> ... -> DispatcherServlet -> Controller. Each filter runs its own check and then calls the next one through `chain.doFilter`, or it stops the chain and writes the response itself, which is how a 401 or 403 is produced before any controller code runs.)
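Added example (not from the notes) of a filter that sits in this chain: it lets a JSON request continue to the next filter and on to the DispatcherServlet, and stops the chain with 415 for a POST or PUT that is not JSON, so neither the later filters nor the controller ever see that request. The class name `JsonOnlyFilter`, the header it sets and the order value are my own choices.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: runs once per request, before the DispatcherServlet.
public class JsonOnlyFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        boolean writes = "POST".equals(request.getMethod()) || "PUT".equals(request.getMethod());
        String contentType = request.getContentType();

        if (writes && (contentType == null || !contentType.startsWith("application/json"))) {
            // Stop the chain here: no later filter, the servlet or the controller runs.
            response.setStatus(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"Content-Type must be application/json\"}");
            return;
        }

        // Mark the response, then hand the request to the next filter in the chain.
        response.setHeader("X-Filtered-By", "JsonOnlyFilter");
        chain.doFilter(request, response);
    }

    // Registering through FilterRegistrationBean gives control over URL patterns and order.
    @Configuration
    public static class Registration {

        @Bean
        public FilterRegistrationBean<JsonOnlyFilter> jsonOnlyFilter() {
            FilterRegistrationBean<JsonOnlyFilter> bean = new FilterRegistrationBean<>(new JsonOnlyFilter());
            bean.addUrlPatterns("/*");
            bean.setOrder(1); // lower value = earlier in the chain
            return bean;
        }
    }
}
```

Spring Security's own chain is registered at order -100, so with order 1 this filter runs after authentication; give it a value below -100 if it must run before. The early return is the whole point: a filter that does not call `chain.doFilter` ends the request, which is exactly what Spring Security's filters do when a check fails.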
```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    // Returning the session id shows that the same browser gets the same
    // JSESSIONID on every request once it has logged in (stateful session).
    @GetMapping("hello")
    public String greeting(HttpServletRequest request) {
        return "Hello World " + request.getSession().getId();
    }

    @GetMapping("about")
    public String about(HttpServletRequest request) {
        return "About Page " + request.getSession().getId();
    }
}
```
- Hardcoding the user and password: `spring.security.user.name` and `spring.security.user.password` in application.properties replace the generated password that Spring Boot prints in the log at startup.
- An API client (Postman, curl) can send the same credentials as HTTP Basic auth (`Authorization: Basic base64(user:password)`); the response sets a JSESSIONID cookie that carries the login on subsequent requests.
- Cross-site request forgery (CSRF): the user is logged in to the secure site and then visits a malicious website. That site makes the user's browser send a request to the secure site (a hidden form POST, for example), and the browser attaches the secure site's session cookie automatically, so the server cannot tell the forged request from a real one.
- Defence: the server hands out a CSRF token (Spring Security keeps one per session by default) that the malicious site cannot read, and every state-changing request must submit that token in addition to the session cookie.
- By default Spring Security enforces CSRF protection for the state-changing methods POST, PUT, PATCH and DELETE; GET, HEAD, OPTIONS and TRACE pass without a token.
Sending this body with a POST from an API client, but without the token:
```json
{
  "id": 1,
  "name": "JP",
  "tech": "Rust"
}
```
is rejected. Spring Security's CSRF filter answers 403 Forbidden; a 401 Unauthorized instead means the Basic credentials themselves were missing or wrong.
```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class CsrfController {

    // Spring Security's CsrfFilter exposes the current token as the "_csrf" request attribute;
    // returning it from a GET lets an API client fetch it, since GET needs no token.
    @GetMapping("csrf-token")
    public CsrfToken getCsrfToken(HttpServletRequest request) {
        return (CsrfToken) request.getAttribute("_csrf");
    }
}
```
- To send a POST, PUT or DELETE, copy the `token` value from that response into the `X-CSRF-TOKEN` request header. The session cookie must be sent as well, because the token is tied to the session it was issued for.
- A malicious site cannot read that token, so its forged request fails even though the browser attached the session cookie.
# application Properties :
- `server.servlet.session.cookie.same-site=strict` marks the JSESSIONID cookie SameSite=Strict, so the browser does not attach it to any request started from another site. This is a second layer next to the CSRF token, not a replacement for it.
- REST API :
  - Stateful : one login creates a session; the JSESSIONID cookie is sent on every subsequent request and the server keeps the user's state between requests.
  - Stateless : no session is kept; every request carries its own credentials (the user name and password as HTTP Basic auth, or later a token), so nothing has to be stored on the server between requests.
- Declaring your own SecurityFilterChain bean makes Spring Boot's default chain back off. Building `http` without adding anything keeps CSRF on but adds no authorization rule and no login mechanism, so every request is served without a login:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Nothing configured yet: CSRF stays enabled, but no request requires authentication.
        return http.build();
    }
}
```
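Added example (not from the notes) of the stateless REST configuration the two bullets describe: Basic auth on every request, no HttpSession, CSRF turned off, and a hypothetical `/public/**` path left open. It replaces an empty chain like the one above, since only one chain without a `securityMatcher` may exist. The comments state the condition under which disabling CSRF is acceptable.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class StatelessSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Authorization rules: everything except the hypothetical /public/** needs a login.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            // Credentials travel in the Authorization: Basic header on every request.
            .httpBasic(Customizer.withDefaults())
            // Stateless: no HttpSession is created and no JSESSIONID cookie is issued,
            // so a lost-cookie or session-fixation problem cannot exist.
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF off: the client sets the Authorization header explicitly, and there is no
            // cookie for a forged cross-site request to ride on. Keep CSRF ON if a browser
            // ever logs in to this API with a cookie or with cached Basic credentials.
            .csrf(AbstractHttpConfigurer::disable)
            // No HTML login form for an API client.
            .formLogin(AbstractHttpConfigurer::disable);
        return http.build();
    }
}
```

With this chain the `/csrf-token` endpoint is no longer needed, and the HelloController's `getSession().getId()` will return a fresh id on every call, which is the observable sign that the server keeps no state.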
- By default Spring Boot auto-configures an in-memory UserDetailsService (InMemoryUserDetailsManager) holding the single user from application.properties (`spring.security.user.name` / `spring.security.user.password`). Whenever someone logs in, Spring Security calls `loadUserByUsername` on whichever UserDetailsService bean exists.
- Defining your own UserDetailsService: once the bean below is declared, the auto-configured one backs off, so the properties user no longer works.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class UserConfig {

    // UserDetailsService for multiple users; Spring looks up this bean to load user data.
    @Bean
    public UserDetailsService userDetailsService() {
        // withDefaultPasswordEncoder() hashes the password in memory as "{bcrypt}...".
        // It is deprecated on purpose: the plain password sits in the source code,
        // which is fine for a demo and never for production.
        @SuppressWarnings("deprecation")
        UserDetails user = User
            .withDefaultPasswordEncoder()
            .username("user")
            .password("super123")
            .roles("USER")
            .build();
        @SuppressWarnings("deprecation")
        UserDetails admin = User
            .withDefaultPasswordEncoder()
            .username("Tor")
            .password("super123")
            .roles("ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```
# To connect to the database using JPA, add the dependencies
- the db driver (postgresql, mysql-connector-j, h2, ...)
- spring-boot-starter-data-jpa
# auth provider layer
- The authentication filter wraps the submitted user name and password in an unauthenticated Authentication object and hands it to an AuthenticationProvider, which returns an authenticated Authentication object or throws.
- DaoAuthenticationProvider is the provider that loads the user through a UserDetailsService backed by the DAO (Data Access Object) layer, i.e. the JPA repository, and then compares the submitted password with the stored one using a PasswordEncoder.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

@Configuration
public class AuthConfig {

    // The custom UserDetailsService (the one that reads from the database) is injected here;
    // the provider depends on it, not the other way round.
    @Autowired
    private UserDetailsService userDetailsService;

    @SuppressWarnings("deprecation")
    @Bean
    public AuthenticationProvider authProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        // NoOpPasswordEncoder compares plain text, i.e. the db holds unhashed passwords.
        // Only for a first test; replace it with a real encoder (BCrypt below).
        provider.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
        return provider;
    }
}
```
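Added example (not from the notes) of the piece the DAO layer needs but the notes never show: the UserDetailsService that DaoAuthenticationProvider calls, loading the row from JPA and adapting it to Spring Security's UserDetails. It assumes the notes' `User` entity (with `getUsername()` / `getPassword()`) and `UserRepo`, and additionally assumes `UserRepo` declares `User findByUsername(String username)`, which Spring Data derives from the method name. `UserPrincipal` and `MyUserDetailsService` are my names; they would live in their own files in a project.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// Adapter from the JPA entity to what Spring Security needs. After a successful login
// this object is the principal: Authentication.getPrincipal() returns it.
class UserPrincipal implements UserDetails {

    private final User user; // the notes' entity (assumed: getUsername(), getPassword())

    UserPrincipal(User user) {
        this.user = user;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        // Single fixed role for the demo; a real entity would carry its roles.
        return List.of(new SimpleGrantedAuthority("ROLE_USER"));
    }

    @Override
    public String getPassword() {
        return user.getPassword(); // the stored bcrypt hash, compared by the PasswordEncoder
    }

    @Override
    public String getUsername() {
        return user.getUsername();
    }

    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

// Declared as a @Service, so this bean replaces the auto-configured in-memory one and is
// what DaoAuthenticationProvider.setUserDetailsService receives.
@Service
public class MyUserDetailsService implements UserDetailsService {

    @Autowired
    private UserRepo repo; // assumed: User findByUsername(String username)

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = repo.findByUsername(username);
        if (user == null) {
            // DaoAuthenticationProvider hides this as a generic BadCredentialsException by
            // default, so a client cannot tell "no such user" from "wrong password".
            throw new UsernameNotFoundException("user not found: " + username);
        }
        return new UserPrincipal(user);
    }
}
```

The provider never sees the plain password from the database: it asks `UserPrincipal.getPassword()` for the stored hash and calls `PasswordEncoder.matches(submitted, storedHash)`, which is why the encoder configured on the provider must be the one that produced the hashes.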
- After a successful authentication the current user is available as the principal: `Authentication.getPrincipal()` returns the UserDetails object the UserDetailsService produced, and a controller can receive it with `@AuthenticationPrincipal`.
- Hashing is deterministic: the same input always gives the same hash (md5, sha256). A fast, unsalted hash is unsuitable for passwords, because two users with the same password get the same hash and an attacker can test billions of guesses per second.
- Applying SHA-256 to the same data over and over (say 2^16 rounds) is key stretching: it slows guessing down, but it is still hashing, not encryption, and it still needs a per-user salt.
- bcrypt is a password hashing algorithm built for this: salted, deliberately slow, with a tunable cost factor. `new BCryptPasswordEncoder(12)` means 2^12 rounds; the salt and the cost are stored inside the hash string itself, so nothing else has to be kept next to it.
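Added example (not from the notes) that makes the three bullets above observable: plain SHA-256 is identical for identical input, iterating it 2^16 times only costs time, and bcrypt produces a different hash each call yet verifies both, with the cost read back from the hash. The sample password is constructed; `PasswordHashingDemo` and its helper names are mine. It needs Java 17 (for `HexFormat`) and spring-security-crypto on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class PasswordHashingDemo {

    // Plain SHA-256: deterministic, unsalted, fast. Same password -> same digest every time.
    static String sha256Hex(String input) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return HexFormat.of().formatHex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    // Key stretching by iteration: feed the previous digest back in `rounds` times.
    // Slower to compute, but still unsalted, so equal passwords still collide.
    static String iteratedSha256Hex(String input, int rounds) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = input.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < rounds; i++) {
            md.reset();
            digest = md.digest(digest);
        }
        return HexFormat.of().formatHex(digest);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "super123"; // constructed sample, same as the notes' demo user

        // 1. Deterministic hash: both calls give the same value.
        System.out.println("sha256 equal for same input: " + sha256Hex(password).equals(sha256Hex(password)));

        // 2. Stretching: 2^16 rounds, as in the notes; only the time changes, not the weakness.
        long start = System.nanoTime();
        iteratedSha256Hex(password, 1 << 16);
        System.out.println("2^16 SHA-256 rounds took ms: " + (System.nanoTime() - start) / 1_000_000);

        // 3. bcrypt with cost 12 (2^12 rounds): a fresh random salt per call, so the two
        //    hashes differ, yet both verify against the same password.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(12);
        String h1 = encoder.encode(password);
        String h2 = encoder.encode(password);
        System.out.println("bcrypt hash: " + h1); // "$2a$12$" prefix = version and cost, then salt + hash
        System.out.println("bcrypt hashes differ: " + !h1.equals(h2));
        System.out.println("both verify:          " + (encoder.matches(password, h1) && encoder.matches(password, h2)));
        System.out.println("wrong password fails: " + !encoder.matches("super124", h1));

        // 4. The cost is embedded in the hash, so an encoder built with another strength still
        //    verifies it; the strength only affects hashes encoded from now on.
        System.out.println("verify with strength 10: " + new BCryptPasswordEncoder(10).matches(password, h1));
    }
}
```

Point 4 is why raising the cost factor later does not lock anyone out: old hashes keep verifying at their old cost, and new hashes get the new cost as users change their passwords.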
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class UserService {

    @Autowired
    private UserRepo repo;

    // Strength 12 = 2^12 bcrypt rounds; use the same cost the AuthenticationProvider uses.
    private BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(12);

    public User saveUser(User user) {
        // Replace the plain-text password with its bcrypt hash before it reaches the db.
        user.setPassword(encoder.encode(user.getPassword()));
        System.out.println(user.getPassword()); // demo only: shows the "$2a$12$..." hash; do not log hashes in real code
        return repo.save(user); // JPA
    }
}
```
```java
// In AuthConfig, replacing the NoOpPasswordEncoder version above
// (needs import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder).
@SuppressWarnings("deprecation")
@Bean
public AuthenticationProvider authProvider() {
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    provider.setUserDetailsService(userDetailsService);
    // The db now holds bcrypt hashes, so the provider must verify with BCrypt too.
    provider.setPasswordEncoder(new BCryptPasswordEncoder(12));
    return provider;
}
```
- Use the same strength when creating and verifying hashes. Strictly, `matches()` reads the cost from the stored hash, so a mismatch would still verify; keeping the two equal just makes every newly stored hash consistent.
- Cross-origin: the backend runs on one origin (scheme + host + port, e.g. http://localhost:8080) and the front-end on another (e.g. http://localhost:3000). The browser blocks the front-end's requests unless the backend answers with CORS headers (`Access-Control-Allow-Origin` and friends), and it sends an OPTIONS preflight first for anything beyond a simple GET.
- CORS can be allowed on one controller or method with `@CrossOrigin(origins = "...")`, or globally for every controller by registering one CORS configuration that both Spring MVC and Spring Security's filter chain use; with Spring Security in place the global route is the reliable one, because its CorsFilter runs before any controller.
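Added example (not from the notes) of both options: a global `CorsConfigurationSource` bean that Spring Security's chain picks up through `http.cors(Customizer.withDefaults())`, and a per-controller `@CrossOrigin` for comparison. The front-end origin `http://localhost:3000`, the `/api/**` prefix and the controller name are my assumptions.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsConfig {

    // Hypothetical front-end origin. Never combine "*" with allowCredentials(true):
    // browsers reject that, and it would let any site make credentialed calls.
    private static final List<String> ALLOWED_ORIGINS = List.of("http://localhost:3000");

    // Global option. Add .cors(Customizer.withDefaults()) to the SecurityFilterChain so that
    // Spring Security's CorsFilter, which runs before any controller, uses this source
    // to answer preflights and set the response headers.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(ALLOWED_ORIGINS);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // Only the headers the front-end really sends: Basic auth, JSON bodies, the CSRF token.
        config.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-CSRF-TOKEN"));
        config.setAllowCredentials(true); // needed for the JSESSIONID cookie or the Authorization header
        config.setMaxAge(3600L);          // browsers may cache the preflight answer for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config); // hypothetical API prefix
        return source;
    }
}

// Per-controller option: only this controller accepts the front-end origin.
// Spring MVC handles the preflight for this mapping; without http.cors(...) in the
// security chain a preflight to a protected path is still stopped by Spring Security first.
@RestController
@CrossOrigin(origins = "http://localhost:3000", allowCredentials = "true")
class StudentController {

    @GetMapping("/api/students")
    public List<String> students() {
        return List.of("JP"); // constructed sample data
    }
}
```

CORS is a browser-side restriction on reading responses, not an authentication control: an API client ignores it entirely, so the allow-list narrows which web pages may call the API with the user's credentials, and it never replaces the login and CSRF checks above.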