Summary: the deck covers Spring Security, including configuring authentication with Basic Authentication and JWT tokens, enabling CORS, implementing a UserDetailsService, and applying method security and roles.
Spring Security Course
Alejandro Ramírez
Security in web applications
Motivating example: the same resource, two callers

GET /movements/alejandro as Alejandro  ->  ✅ Alejandro's movements
GET /movements/alejandro as Pedro      ->  ⛔ HTTP 403 Forbidden

Authentication (who is calling) is not enough; authorization (what the caller may see) decides that Pedro is rejected even though he is logged in.
OWASP Top 10
Open Worldwide Application Security Project®

What is Spring Security?
[Diagram: an incoming HTTP request first crosses the Spring Security Filter Chain (Security Filter A, Security Filter B, ... Security Filter N) and only then reaches the DispatcherServlet, which routes it to Controller A, Controller B, ... Controller N. Every security filter runs before any controller code, so a request that fails a filter never reaches the application.]
Configuring Spring Security

Using the default authentication
Basic Authentication

HTTP header:

Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

The value is Base64(user:password); the one above decodes to aladdin:opensesame. Base64 is a reversible encoding, not encryption: anyone who can read the header can read the password, so Basic Authentication is only acceptable over HTTPS.

Basic Authentication flow

Client                                       Server
  GET /                                  -->
                                         <--  401 Unauthorized (with a WWW-Authenticate: Basic challenge)
  GET /
  Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l  -->
                                         <--  200 OK
Creating the initial security configuration

How the Basic Authentication Filter works
[Diagram, built up over several slides: the authentication request enters the Spring Security Filter Chain (Security Filter A ... Security Filter N) and is picked up by the Basic Authentication Filter. The filter delegates to the Authentication Manager, which delegates to an Authentication Provider (default provider: DaoAuthenticationProvider). The provider loads the user through a User Details Service (default user service: InMemoryUserDetailsManager) and checks the password. The authentication response travels back along the same path to the filter.]

Basic Authentication Filter -> Authentication Manager -> Authentication Provider (DaoAuthenticationProvider) -> User Details Service (InMemoryUserDetailsManager)
Disabling CSRF protection

A legitimate form on the bank's own site:

<form method="post" action="/transfer">
  <input type="text" name="amount" />
  <input type="text" name="account" />
  <input type="submit" value="Transfer" />
</form>

The same request forged from an attacker's page. The browser attaches the victim's session cookie automatically, so the bank cannot tell the two submissions apart:

<form method="post" action="https://bank.platzi.com/transfer">
  <input type="hidden" name="amount" value="1000" />
  <input type="hidden" name="account" value="765432-1" />
  <input type="submit" value="Show frenchies videos" />
</form>

With CSRF protection enabled, Spring Security requires a per-session token in every state-changing request. The attacker's page cannot read that token (same-origin policy), so the forged post is rejected:

<form method="post" action="/transfer">
  <input type="text" name="amount" />
  <input type="text" name="account" />
  <input type="hidden" name="_csrf" value="4bfd1575-3ad1-4d21-96c7-4ef2d9f86721" />
  <input type="submit" value="Transfer" />
</form>

So why disable CSRF protection at all? (Stateless + JWT)*

* Only when the API keeps no session and the credential is a JWT that JavaScript places in the Authorization header explicitly. A cross-site form cannot add that header, so a forged request arrives without credentials and the attack has nothing to ride on. If the JWT were stored in a cookie that the browser sends automatically, CSRF protection would be needed again.
Creating the CORS configuration

[Diagram: a page served from example.com runs JavaScript that calls fetch("api.example.com/func"). Because the origin differs, the browser only hands the response to the script if the server's CORS headers allow that origin; without them the request is blocked client-side.]

Applying requestMatchers

Creating in-memory authentication

Applying requestMatchers with roles
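The steps above (initial configuration, CSRF, CORS, requestMatchers, in-memory users, roles) fit into a single Spring Security 6 configuration class. The following is an added example, not the course's code: the paths (/movements/**, /admin/**), the allowed origin, and the user names and passwords are assumptions.

```java
package com.example.security;

import static org.springframework.security.config.Customizer.withDefaults;

import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            // CORS runs early so the browser's OPTIONS preflight is answered before authorization.
            .cors(withDefaults())
            // Stateless + Basic: credentials travel on every request and no session cookie exists,
            // so there is nothing for a cross-site form to ride on and CSRF protection can be disabled.
            // With session-based login (form login, cookies) keep the default, i.e. .csrf(withDefaults()).
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // Most specific rules first: the first matcher that matches a request wins.
                .requestMatchers(HttpMethod.GET, "/movements/**").hasAnyRole("ADMIN", "CUSTOMER")
                .requestMatchers(HttpMethod.POST, "/movements/**").hasRole("ADMIN")
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Deny by default: anything not listed still needs an authenticated user.
                .anyRequest().authenticated())
            .httpBasic(withDefaults())
            .build();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Allow-list exact origins; browsers reject "*" combined with credentials anyway.
        config.setAllowedOrigins(List.of("https://app.example.com"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Defining this bean replaces Spring Boot's default "user" with a random password.
        // Passwords are stored as BCrypt hashes, never as "{noop}" plaintext.
        UserDetails admin = User.withUsername("admin")
            .password(encoder.encode("admin-password"))   // constructed demo credential
            .roles("ADMIN")                               // stored as the authority ROLE_ADMIN
            .build();
        UserDetails customer = User.withUsername("customer")
            .password(encoder.encode("customer-password"))
            .roles("CUSTOMER")
            .build();
        return new InMemoryUserDetailsManager(admin, customer);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

hasRole("ADMIN") checks for the authority ROLE_ADMIN, which is why roles("ADMIN") on the user builder and hasRole("ADMIN") on the matcher line up. Order matters twice: matchers are evaluated top to bottom, and the anyRequest() rule must be last.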
Creating the users in the database

Implementing the UserDetailsService interface
[Diagram: the same chain as before (Basic Authentication Filter -> Authentication Manager -> Authentication Provider, default DaoAuthenticationProvider -> User Details Service), but the User Details Service is now the application's own UserSecurityService, which loads users from the database instead of InMemoryUserDetailsManager. The authentication response travels back through the same components.]
Assigning roles to users

Applying authorities to users

Controlling methods with Method Security
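The database-backed UserDetailsService, the role-to-authority mapping and method security from the last three steps, as an added example that is not the course's code. UserEntity, UserRepository, the permission names (movements:read, movements:write) and the MovementService are assumptions; the JPA mapping of the entity is not shown.

```java
package com.example.security;

import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

/** Shape of a persisted user (assumed); password holds a BCrypt hash, roles holds names like "ADMIN". */
record UserEntity(String username, String password, boolean locked, boolean disabled, Set<String> roles) {}

/** Assumed Spring Data repository; only the query this service needs is declared. */
interface UserRepository {
    Optional<UserEntity> findByUsername(String username);
}

/** Replaces the default InMemoryUserDetailsManager: DaoAuthenticationProvider calls this on every login. */
@Service
public class UserSecurityService implements UserDetailsService {
    /** Coarse roles expand to fine-grained permissions (example mapping, an assumption). */
    private static final Map<String, List<String>> PERMISSIONS = Map.of(
        "ADMIN", List.of("movements:read", "movements:write"),
        "CUSTOMER", List.of("movements:read"));

    private final UserRepository users;

    public UserSecurityService(UserRepository users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserEntity u = users.findByUsername(username)
            // Spring reports this to the client exactly like a bad password, so no user enumeration.
            .orElseThrow(() -> new UsernameNotFoundException("unknown user"));
        return User.withUsername(u.username())
            .password(u.password())                 // BCrypt hash from the database, compared by the PasswordEncoder
            .authorities(toAuthorities(u.roles()))
            .accountLocked(u.locked())
            .disabled(u.disabled())
            .build();
    }

    /** "ADMIN" becomes ROLE_ADMIN (what hasRole checks) plus its permissions (what hasAuthority checks). */
    static List<GrantedAuthority> toAuthorities(Set<String> roles) {
        return roles.stream()
            .flatMap(r -> Stream.concat(Stream.of("ROLE_" + r),
                                        PERMISSIONS.getOrDefault(r, List.of()).stream()))
            .distinct()
            .<GrantedAuthority>map(SimpleGrantedAuthority::new)
            .toList();
    }
}

@Configuration
@EnableMethodSecurity   // enables @PreAuthorize / @PostAuthorize on Spring beans
class MethodSecurityConfig {}

@Service
class MovementService {
    // Role check enforced on the method itself, independent of which URL reached it.
    @PreAuthorize("hasAnyRole('ADMIN', 'CUSTOMER')")
    public List<String> listOwners() { return List.of("alejandro", "pedro"); }

    // Permission plus ownership: a customer may read movements, but only their own, which is the
    // 403 Pedro gets for /movements/alejandro on the first slides. Admins may read everyone's.
    // "#owner" needs parameter names at runtime (javac -parameters, which Spring Boot's build plugins set).
    @PreAuthorize("hasRole('ADMIN') or (hasAuthority('movements:read') and #owner == authentication.name)")
    public List<String> movementsOf(String owner) {
        return List.of("constructed sample movement for " + owner);   // constructed data
    }
}
```

The service returns fully populated UserDetails, so account state (locked, disabled) is enforced by DaoAuthenticationProvider for free; the method-level rules then combine roles, permissions and the authenticated principal's name in one SpEL expression.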
Adding JWT to the project

What is a JWT?
● An open standard (RFC 7519) based on JSON for creating security tokens.
● The authentication travels in the request header:

Authorization: Bearer <token>

Example token: three base64url-encoded parts separated by dots.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header               2. Payload                   3. Signature
{                       {                            HMACSHA256(
  "alg": "HS256",         "sub": "1234567890",         base64UrlEncode(header) + "." +
  "typ": "JWT"            "name": "John Doe",          base64UrlEncode(payload),
}                         "iat": 1516239022            secret)
                        }

Header and payload are only encoded, not encrypted: anyone holding the token can read them. The signature, computed with a secret that only the server knows, is what lets the server detect a modified payload.
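The signature formula above, carried out with nothing but the JDK on the example token. This is an added example, not the course's code; it assumes the secret is "your-256-bit-secret", the value the jwt.io demo uses for this exact token. The header check by string comparison is a simplification: a real implementation parses the header as JSON.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtAnatomy {
    static final Base64.Decoder B64URL = Base64.getUrlDecoder();
    static final Base64.Encoder B64URL_NOPAD = Base64.getUrlEncoder().withoutPadding();

    /** base64url(HMAC-SHA256(secret, base64url(header) + "." + base64url(payload))), as on the slide. */
    static String sign(String headerB64, String payloadB64, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] sig = mac.doFinal((headerB64 + "." + payloadB64).getBytes(StandardCharsets.US_ASCII));
        return B64URL_NOPAD.encodeToString(sig);
    }

    /** Returns the payload JSON if the signature is valid, otherwise throws SecurityException. */
    static String verify(String token, byte[] secret) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        String header = new String(B64URL.decode(parts[0]), StandardCharsets.UTF_8);
        // Trust nothing in the header: a token claiming "alg":"none" or another algorithm must be
        // rejected before any key is touched (a classic JWT library bug class).
        if (!header.contains("\"alg\":\"HS256\"")) throw new SecurityException("unexpected alg");
        byte[] expected = B64URL.decode(sign(parts[0], parts[1], secret));
        byte[] given = B64URL.decode(parts[2]);
        // Constant-time comparison: a plain equals() leaks the first differing byte through timing.
        if (!MessageDigest.isEqual(expected, given)) throw new SecurityException("bad signature");
        return new String(B64URL.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            + "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
            + "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
        byte[] secret = "your-256-bit-secret".getBytes(StandardCharsets.UTF_8);   // assumed demo secret

        // Valid token: prints the decoded payload.
        System.out.println(verify(token, secret));

        // Tampered token: the payload is swapped for a constructed one, the old signature no longer matches.
        String[] p = token.split("\\.");
        String forgedPayload = B64URL_NOPAD.encodeToString("{\"sub\":\"admin\"}".getBytes(StandardCharsets.UTF_8));
        try {
            verify(p[0] + "." + forgedPayload + "." + p[2], secret);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The forged token decodes fine, which is the point of the slide: decoding proves nothing. Only the HMAC check, using the server-side secret, distinguishes the original from the forgery.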
Creating a JWT when a user logs in
[Diagram, built up over three slides: the authentication request reaches the AuthController's /login endpoint, which hands it to the Authentication Manager. The manager delegates to the Authentication Provider (default provider: DaoAuthenticationProvider), which loads the user through the User Details Service (the application's UserSecurityService). On success the authentication response comes back to the controller, which answers with a JWT token.]

AuthController /login -> Authentication Manager -> DaoAuthenticationProvider -> UserSecurityService -> response with JWT token
Creating a service to validate a JWT

Creating a filter to verify the JWT

Applying the filter in the configuration
[Diagram: the JwtFilter is added to the Spring Security Filter Chain between Security Filter B and Security Filter N. For each HTTP request it verifies the Bearer token and, when the token is valid, stores the resulting authentication in the Spring Security Context so the filters and controllers after it see an authenticated user.]
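The login endpoint, the JWT service, the verifying filter and the configuration that registers it, from the four steps above, as one added example that is not the course's code. It uses the auth0 java-jwt library (com.auth0:java-jwt) as an assumed choice; the property app.jwt.secret, the /api/auth/login path, the "authorities" claim name and the 15-minute lifetime are assumptions. It needs a UserDetailsService and PasswordEncoder bean (for example the ones from the earlier configuration) and this filter chain replaces the httpBasic one rather than coexisting with it.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;

/** Issues and validates HS256 tokens. Assumed property app.jwt.secret: at least 32 random bytes. */
@Service
class JwtService {
    private static final String ISSUER = "movements-api";   // assumed issuer name
    private final Algorithm algorithm;

    JwtService(@Value("${app.jwt.secret}") String secret) { this.algorithm = Algorithm.HMAC256(secret); }

    String create(Authentication auth) {
        Instant now = Instant.now();
        String[] authorities = auth.getAuthorities().stream().map(GrantedAuthority::getAuthority).toArray(String[]::new);
        return JWT.create()
            .withIssuer(ISSUER)
            .withSubject(auth.getName())
            .withArrayClaim("authorities", authorities)
            .withIssuedAt(Date.from(now))
            .withExpiresAt(Date.from(now.plus(Duration.ofMinutes(15))))   // short-lived: a stolen token dies quickly
            .sign(algorithm);
    }

    /** Checks signature, issuer and expiry in one call; throws JWTVerificationException otherwise. */
    DecodedJWT validate(String token) { return JWT.require(algorithm).withIssuer(ISSUER).build().verify(token); }
}

record LoginRequest(String username, String password) {}

@RestController
class AuthController {
    private final AuthenticationManager authenticationManager;
    private final JwtService jwtService;
    AuthController(AuthenticationManager am, JwtService js) { this.authenticationManager = am; this.jwtService = js; }

    @PostMapping("/api/auth/login")
    ResponseEntity<Map<String, String>> login(@RequestBody LoginRequest req) {
        try {
            // AuthenticationManager -> DaoAuthenticationProvider -> UserDetailsService + PasswordEncoder
            Authentication auth = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(req.username(), req.password()));
            return ResponseEntity.ok(Map.of("token", jwtService.create(auth)));
        } catch (AuthenticationException e) {
            // Same 401 for unknown user and wrong password: do not reveal which one failed.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
    }
}

/** A valid Bearer token populates the SecurityContext; anything else leaves the request anonymous. */
class JwtFilter extends OncePerRequestFilter {
    private final JwtService jwtService;
    JwtFilter(JwtService jwtService) { this.jwtService = jwtService; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                DecodedJWT jwt = jwtService.validate(header.substring("Bearer ".length()));
                List<String> names = Optional.ofNullable(jwt.getClaim("authorities").asList(String.class)).orElse(List.of());
                List<SimpleGrantedAuthority> authorities = names.stream().map(SimpleGrantedAuthority::new).toList();
                // The 3-argument constructor marks the token authenticated; credentials are null on purpose.
                SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(jwt.getSubject(), null, authorities));
            } catch (JWTVerificationException e) {
                SecurityContextHolder.clearContext();   // bad or expired token: authorization will answer 401/403
            }
        }
        chain.doFilter(request, response);
    }
}

@Configuration
class JwtSecurityConfig {
    @Bean
    SecurityFilterChain jwtFilterChain(HttpSecurity http, JwtService jwtService) throws Exception {
        return http
            // Stateless: no HttpSession and no session cookie, so CSRF protection has nothing left to protect.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/api/auth/login").permitAll()
                .anyRequest().authenticated())
            // Before the username/password filter, so the context is populated when authorization runs.
            .addFilterBefore(new JwtFilter(jwtService), UsernamePasswordAuthenticationFilter.class)
            .build();
    }

    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
}
```

The filter is instantiated inside the configuration rather than declared as a @Component on purpose: a @Component filter is also registered with the servlet container by Spring Boot and would run outside the security chain as well. Validation and issuance share one Algorithm instance, so there is a single place where the secret, issuer and lifetime are decided.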
Bonus: auditing the user in the database