Spring disable security for tests

  • Spring Microservices Security Best Practices
  • 10 Spring Boot security best practices
  • Securing Applications using Spring Boot Keycloak Integration – Part 2
  • Using the H2 Database Console in Spring Boot with Spring Security

    Published by Saurabh Dashora on August 9. In this post, we will continue with our topic about securing applications using Spring Boot Keycloak Integration. Primarily, we will be dealing with the Spring Boot side of things in this post. If you wish to know more about how we set up Keycloak, you can refer to Part 1 of this topic.

    Below is how the pom.xml looks. Not every dependency in it is required, but Spring Security, Web and Keycloak are mandatory. Next comes the configuration class, which sets up Keycloak to work with Spring Security; it is shown below for your reference. For our example, we will just use a few simple GET endpoints in a controller that imports ResponseEntity, GetMapping and RestController from Spring and RolesAllowed from javax.annotation.security.

    The first endpoint is for an Unknown User; in other words, no authentication is required. The second is for a normal user, that is, a user with the role of USER. We specify these details using the RolesAllowed annotation.

    See below the properties we have to mention. The first is server.port: by default it is the standard port; however, since our Keycloak instance already uses that port, we change the port for our application so that there is no conflict. The second property is the Keycloak realm that we created in Part 1. Next, we have the Keycloak auth server URL, which is basically the URL we have to hit for authenticating users. Next is the SSL-required flag.

    Currently, we set it to external. The fifth property is the resource we are protecting through Keycloak. We name it demo-springboot-app. Next, we have the keycloak client credentials. This should be obtained from the keycloak server and here, I have entered a dummy value.

    The next property is to signify using the resource role mappings. Lastly, we set keycloak bearer as true to signify that we will be using the bearer token. Our application is ready to work with Keycloak. We can make the request using any tool or even CURL. It can be obtained from keycloak admin dashboard under the particular client menu.

    When we make the request, we will get an access token back from Keycloak for that particular user. We can check what is in that token by visiting jwt.io.

    Basically, if you see the above screenshot, the token provides all the details about our demo-user. Also, most importantly, it provides details on the user roles.

    In this case, the demo-user has a role of USER. The open endpoint answers even without a token, because it is open for all users. To authenticate and authorize the user on the second endpoint, we also have to pass the access token as a Bearer token. After using the token, we get the response back saying Hello Normal User. With this, we have successfully set up our Spring Boot Keycloak integration and thereby secured our API endpoints using Keycloak's authentication and authorization mechanism. As you can see, the configuration is pretty easy, with most of the heavy lifting done by Spring Boot.
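As an added example (not the post's own code; the post uses the Keycloak Spring Boot adapter and its own configuration class), here are the two endpoints described above protected with Spring Security's built-in OAuth2 resource-server support. Assumed: Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-resource-server on the classpath, the property spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at the Keycloak realm, the package com.example.demo and the paths /hello/unknown and /hello/user (all placeholders). Because the post enables resource role mappings, the client roles are read from the resource_access.demo-springboot-app.roles claim; demo-springboot-app and USER are the names the post uses.

```java
// Added example (not the post's code): the two endpoints described above, protected by
// Spring Security's OAuth2 resource-server support instead of the Keycloak adapter.
// Assumptions: Spring Boot 3 / Spring Security 6, spring-boot-starter-oauth2-resource-server
// on the classpath, and spring.security.oauth2.resourceserver.jwt.issuer-uri set to the
// Keycloak realm URL. Package and paths are placeholders; "demo-springboot-app" and "USER"
// are the names from the post.
package com.example.demo;

import java.util.Collection;
import java.util.List;
import java.util.Map;

import jakarta.annotation.security.RolesAllowed;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity(jsr250Enabled = true) // activates @RolesAllowed
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // stateless bearer-token API: no session, so no CSRF token to present
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/hello/unknown").permitAll()
                .anyRequest().authenticated())
            // validate the Keycloak-issued JWT against the realm's keys (found via issuer-uri)
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(new KeycloakClientRoleConverter())));
        return http.build();
    }

    /**
     * With "use resource role mappings" enabled, Keycloak puts client roles under
     * resource_access.<client-id>.roles. Map them to ROLE_* authorities so that
     * @RolesAllowed("USER") matches (Spring adds the ROLE_ prefix for JSR-250 checks).
     */
    static class KeycloakClientRoleConverter implements Converter<Jwt, AbstractAuthenticationToken> {
        private static final String CLIENT_ID = "demo-springboot-app";

        @Override
        public AbstractAuthenticationToken convert(Jwt jwt) {
            Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
            Object client = resourceAccess == null ? null : resourceAccess.get(CLIENT_ID);
            Object roles = client instanceof Map<?, ?> m ? m.get("roles") : null;
            List<GrantedAuthority> authorities = roles instanceof Collection<?> c
                ? c.stream().<GrantedAuthority>map(r -> new SimpleGrantedAuthority("ROLE_" + r)).toList()
                : List.of();
            return new JwtAuthenticationToken(jwt, authorities, jwt.getSubject());
        }
    }
}

@RestController
class HelloController {

    // open endpoint: no token required
    @GetMapping("/hello/unknown")
    public ResponseEntity<String> unknown() {
        return ResponseEntity.ok("Hello Unknown User");
    }

    // requires a valid bearer token carrying the USER client role
    @GetMapping("/hello/user")
    @RolesAllowed("USER")
    public ResponseEntity<String> user() {
        return ResponseEntity.ok("Hello Normal User");
    }
}
```

A token whose resource_access block names a different client, or none at all, yields an empty authority list, so the request is authenticated but /hello/user answers 403 rather than leaking through; the unknown endpoint stays reachable without any Authorization header.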

    The application code is available on GitHub for reference. If you have any comments or queries, please mention them in the comments section below.

    These two developments have changed the game and caused TLS to become mainstream; Heroku has Automated Certificate Management too. Dependencies make up the majority of your overall application and can contain Spring Boot security vulnerabilities. Attackers target open source dependencies more and more, as their reuse provides many victims for a malicious hacker.

    Snyk tests your application build artifacts, flagging those dependencies that have known Spring Boot security vulnerabilities. Additionally, it will suggest upgrade versions or provide patches to remediate your security issues, via a pull request against your source code repository.

    Snyk also protects your environment by ensuring that any future pull requests raised on your repository are automatically tested via webhooks, to make sure they do not introduce new known Spring Boot security vulnerabilities. Snyk is available via a web UI as well as a CLI, so you can easily integrate it with your CI environment and configure it to break your build when vulnerabilities exist with a severity beyond your set threshold.

    To enable CSP, you need to configure your app to return a Content-Security-Policy header. Spring Security provides a number of security headers by default, but it does not add a CSP. OIDC also adds an endpoint discovery feature and dynamic client registration. The diagram below shows how OIDC works for authentication.

    Use password hashing: storing passwords in plain text is one of the worst things you can do for the security of your app. Spring Security ships with a crypto module you can use for symmetric encryption, key generation, and password hashing. Use the latest releases: there are various reasons to regularly upgrade the dependencies in your application, and security is one of the most important ones. Infrastructure upgrades are often less disruptive than dependency upgrades, as library authors vary in their sensitivity to backward compatibility and behaviour changes between releases.
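The two points above, a Content-Security-Policy header and hashed password storage, in one Spring Security configuration. This is an added example, not code from the quoted post; it assumes Spring Boot 3 / Spring Security 6 and the placeholder package com.example.demo.

```java
// Added example (not from the quoted post): a SecurityFilterChain that returns a
// Content-Security-Policy header on every response, plus a PasswordEncoder for stored
// passwords. Assumes Spring Boot 3 / Spring Security 6; package name is a placeholder.
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
class HeadersAndHashingConfig {

    // A restrictive baseline policy; widen it only for the sources your pages actually load.
    static final String CSP =
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Spring Security sends X-Content-Type-Options, HSTS, cache-control and
            // X-Frame-Options by default, but CSP has to be opted into explicitly.
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp.policyDirectives(CSP)));
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Hashes new passwords with bcrypt and prefixes them with "{bcrypt}", so hashes
        // stored by other algorithms can still be verified during a migration.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    /** Stores only the hash; the clear-text password never reaches persistence. */
    static String hashForStorage(PasswordEncoder encoder, CharSequence rawPassword) {
        return encoder.encode(rawPassword);
    }

    /** Verifies a login attempt against the stored hash. */
    static boolean passwordMatches(PasswordEncoder encoder, CharSequence rawPassword, String storedHash) {
        return encoder.matches(rawPassword, storedHash);
    }

    // Stand-alone check of the hashing part (no Spring context needed).
    public static void main(String[] args) {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String stored = hashForStorage(encoder, "correct horse battery staple");
        System.out.println("stored form: " + stored);
        System.out.println("right password accepted: " + passwordMatches(encoder, "correct horse battery staple", stored));
        System.out.println("wrong password accepted:  " + passwordMatches(encoder, "wrong", stored));
    }
}
```

Because bcrypt salts every hash, two calls to hashForStorage with the same input produce different strings; only matches() can compare them, which is why the stored hash must never be compared with equals().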

    That being said, you have three options when you find a security vulnerability in your configuration: upgrade, patch or ignore. When no upgrade is available, patches can eliminate vulnerabilities from your package; you can often get them from a security specialist like Snyk. Ignoring a vulnerability is, of course, an option, but not a good one.

    Perhaps you know of a vulnerability, but do not believe it is directly exploitable. Keep in mind that it might not be in your application flow today, but at some point, a developer might add additional code that uses a vulnerable path.

    Store secrets securely: as part of your Spring Boot security strategy, you also need to think about your data. Sensitive information such as passwords and access tokens cannot be left lying around, passed in plain text, or stored somewhere predictable in local storage. As GitHub history has proved time and time again, developers do not think carefully enough about how they store their secrets.

    A good practice is to store secrets in a vault that can be used to store, provide access to, and even generate credentials to services that your application may use. Vault by HashiCorp makes storing secrets trivial, as well as offering a number of additional services. You can also integrate with common authentication mechanisms such as LDAP to obtain tokens.

    If this interests you, be sure to invest some time looking at Spring Vault, which adds an abstraction over HashiCorp Vault, providing Spring annotation-based access for clients and allowing them to access, store and revoke secrets without getting lost in the infrastructure. With it, extracting a password from Vault takes no more than an annotation. Test your app with a scanner: the Spider tool in OWASP ZAP starts with a seed of URLs, which it will access and parse through each response, identifying hyperlinks and adding them to a list.

    The Active Scan tool will automatically test your selected targets against a list of potential vulnerabilities. It provides you with a report that shows where your web application is exploitable, with details about the vulnerability.

    Have your security team do a code review: code reviews are essential for any high-performing software development team. At Okta, all the production code and official open source projects are required to go through an analysis from our expert security team. Adding Spring Security to your Spring Boot application begins with adding the security starter dependency.

    You can configure the credentials by setting the spring.security.user.name and spring.security.user.password properties. By default, Spring Security is enabled whenever you include the spring-boot-starter-security package. This can be easily disabled by excluding SecurityAutoConfiguration in the application configuration.
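Excluding SecurityAutoConfiguration only removes Spring Boot's default filter chain; as soon as the application declares its own SecurityFilterChain bean, that exclusion changes nothing, and method security such as @RolesAllowed is not a filter at all. The added test classes below (not from any of the quoted posts) show the practical choices for a test suite: leave security on and drive it with @WithMockUser, or keep the filter chain out of MockMvc with addFilters = false. They assume spring-security-test and JUnit 5 on the test classpath, the placeholder package com.example.demo, and endpoints /hello/unknown (open) and /hello/user (requires role USER).

```java
// Added example (not from the quoted posts): two MockMvc test classes for a Spring Boot
// app with an open endpoint /hello/unknown and a USER-only endpoint /hello/user (both
// placeholders). Assumes spring-security-test on the test classpath.
package com.example.demo;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Security stays ON: MockMvc runs the real SecurityFilterChain, and @WithMockUser
// fills the SecurityContext so no real token has to be obtained in the test.
@SpringBootTest
@AutoConfigureMockMvc
class HelloControllerSecurityTest {

    @Autowired
    MockMvc mvc;

    @Test
    void openEndpointNeedsNoToken() throws Exception {
        mvc.perform(get("/hello/unknown")).andExpect(status().isOk());
    }

    @Test
    void protectedEndpointRejectsAnonymous() throws Exception {
        // a bearer-token resource server answers 401 when no token is presented
        mvc.perform(get("/hello/user")).andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(roles = "USER") // becomes ROLE_USER, which @RolesAllowed("USER") expects
    void protectedEndpointAcceptsUserRole() throws Exception {
        mvc.perform(get("/hello/user")).andExpect(status().isOk());
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void protectedEndpointRejectsWrongRole() throws Exception {
        // authenticated but lacking the role: access denied, not a login challenge
        mvc.perform(get("/hello/user")).andExpect(status().isForbidden());
    }
}

// Security switched OFF for this class only: addFilters = false keeps the servlet filter
// chain, and with it Spring Security, out of MockMvc. Use it for pure controller tests;
// it proves nothing about authorization, and because @RolesAllowed is enforced by a
// method interceptor rather than a filter, /hello/user would still fail here without an
// authenticated SecurityContext.
@SpringBootTest
@AutoConfigureMockMvc(addFilters = false)
class HelloControllerNoFiltersTest {

    @Autowired
    MockMvc mvc;

    @Test
    void controllerLogicWithoutSecurity() throws Exception {
        mvc.perform(get("/hello/unknown")).andExpect(status().isOk());
    }
}
```

Keeping at least the first class in the suite is what catches a regression such as an accidentally widened permitAll() matcher; a suite made only of addFilters = false tests stays green when the security configuration is broken.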

    A rate limiter defines all parameters per single key returned by the resolver. Generate and propagate certificates dynamically: should we use SSL in microservice-to-microservice communication? Of course yes. But the question is how you will handle the certificates used by your microservices.

    There are several best practices related to SSL certificate management. For example, you should not issue certificates for long time periods, and you should renew or refresh them automatically. Some tools can help in following these practices; one of the most popular is Vault from HashiCorp. It provides the PKI secrets engine, which is responsible for generating dynamic X.509 certificates. The simplest way to try Vault is to run it locally in a Docker container.

    The fragment of code visible below shows how to create a certificate request with 12h TTL and localhost as a Common Name.

    Then we will invoke the issueCertificate method on the VaultPkiOperations object. The generated CertificateBundle contains both certificate and private key. The default behavior of our webserver needs to be overridden.
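The request, issueCertificate call and CertificateBundle described above, carried through to a key store file. This is an added example and not the post's own code; it assumes Spring Vault, a Vault dev server at http://localhost:8200 reachable with the token in the VAULT_TOKEN environment variable, a PKI secrets engine mounted at "pki" with a role named "webserver" allowed to issue certificates for localhost, and the package com.example.demo (mount, role, token source and package are all placeholders).

```java
// Added example (not the post's code): issuing a short-lived server certificate from
// Vault's PKI secrets engine through Spring Vault and packing it into a KeyStore.
// Assumptions (placeholders): Vault dev server at http://localhost:8200, token in
// VAULT_TOKEN, PKI engine mounted at "pki", role "webserver" permitted for localhost.
package com.example.demo;

import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;

import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultPkiOperations;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.CertificateBundle;
import org.springframework.vault.support.VaultCertificateRequest;
import org.springframework.vault.support.VaultCertificateResponse;

public class VaultCertificateIssuer {

    private final VaultPkiOperations pki;

    public VaultCertificateIssuer(VaultTemplate vaultTemplate, String pkiMount) {
        this.pki = vaultTemplate.opsForPki(pkiMount);
    }

    /** Requests a certificate for localhost with a 12h TTL from the given PKI role. */
    public CertificateBundle issueLocalhostCertificate(String role) {
        VaultCertificateRequest request = VaultCertificateRequest.builder()
            .commonName("localhost")
            .ttl(Duration.ofHours(12)) // short-lived on purpose: renew instead of issuing long certs
            .build();
        VaultCertificateResponse response = pki.issueCertificate(role, request);
        return response.getRequiredData(); // certificate, private key and issuing CA
    }

    /** Writes certificate + key as a KeyStore file that server.ssl.key-store can point at. */
    public static KeyStore writeKeyStore(CertificateBundle bundle, Path target, char[] password) throws Exception {
        KeyStore keyStore = bundle.createKeyStore("server");
        try (OutputStream out = Files.newOutputStream(target)) {
            keyStore.store(out, password);
        }
        return keyStore;
    }

    public static void main(String[] args) throws Exception {
        VaultEndpoint endpoint = VaultEndpoint.create("localhost", 8200);
        endpoint.setScheme("http"); // dev server only; production Vault is reached over TLS
        VaultTemplate template = new VaultTemplate(endpoint,
            new TokenAuthentication(System.getenv("VAULT_TOKEN")));

        VaultCertificateIssuer issuer = new VaultCertificateIssuer(template, "pki");
        CertificateBundle bundle = issuer.issueLocalhostCertificate("webserver");

        X509Certificate cert = bundle.getX509Certificate();
        System.out.println("subject:   " + cert.getSubjectX500Principal());
        System.out.println("not after: " + cert.getNotAfter()); // roughly 12h from now
        System.out.println("serial:    " + bundle.getSerialNumber());

        KeyStore store = writeKeyStore(bundle, Path.of("server.keystore"), "changeit".toCharArray());
        System.out.println("key store type: " + store.getType());
    }
}
```

The printed key store type is the value to give server.ssl.key-store-type, alongside server.ssl.key-store and server.ssl.key-store-password, when the web server is configured through properties rather than a WebServerFactory customizer. Because the certificate expires after 12 hours, the issuance has to run again (and the server's SSL context be reloaded) before getNotAfter() is reached; a scheduled re-issue well inside the TTL is the usual pattern.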

    Depending on the web server, we need to customize a different WebServerFactory, setting client authentication to NEED on its Ssl configuration. Use SSL in microservices communication: while using SSL on the edge of a microservices-based system is obvious, inter-service communication is sometimes left non-secure.

    My recommendation is always the same. One of them will probably be a config server. Since it is built on top of Spring MVC we may easily enable a secure connection on the server-side.

    Since it is responsible for connecting with the server, we also need to handle SSL there. The fragment of code visible below uses a self-signed certificate, but we can easily implement the strategy described in the previous section here instead. We just need to define the right settings using properties with the spring.cloud.config prefix. What about encrypting communication between applications and a discovery server?

    You can choose between several discovery servers supported in Spring Cloud.

    Similarly to Spring Cloud Config, we use a high-level client, a DiscoveryClient bean, to communicate with the server. Since we use RestTemplate or WebClient instances directly on the client side, it is relatively easy to implement secure communication in that case. Keep configuration data encrypted: the next best practice for Spring microservices security is related to a configuration server.

    We should encrypt at least sensitive data like passwords or secrets stored there. Spring Cloud Config Server provides a built-in mechanism for that. But we can as well use Vault as a backend store for Spring Cloud Config Server, where all data is encrypted by default.

    We will start with the default encrypt mechanism provided by Spring Cloud Config Server. Firstly, we need to enable it in the configuration properties. To use Vault as the backend instead, you should enable the Spring profile called vault. Restrict access to the API resources: in the previous sections, we discussed such topics as authentication, traffic, and data encryption.

    But another important aspect of securing your applications is authorization and access to the API resources. If you think about web app authorization, the first approach that probably comes to your mind is OAuth 2.0. Of course, it is supported by Spring Security.

