Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Friday, 20 January 2023

Spring Boot Security module best practice

Spring Boot Security is a module of the Spring Framework that provides a set of features for securing Spring-based applications. It is built on top of Spring Security, which is a powerful and highly customizable authentication and access-control framework. 



Spring Boot Security provides several features out of the box, including: 

Authentication: Spring Boot Security supports several authentication mechanisms, including basic authentication, token-based authentication (JWT), and OAuth2/OpenID Connect. 

Authorization: Spring Boot Security supports role-based access control (RBAC) and can be configured to check for specific roles or permissions before allowing access to an endpoint. 

CSRF protection: Spring Boot Security provides built-in protection against cross-site request forgery (CSRF) attacks. 

Encryption: Spring Boot Security supports HTTPS and can be configured to encrypt all traffic to and from the application. 

Security Configuration: Spring Boot Security allows to secure the application by providing a set of security configuration properties that can be easily integrated into different security scenarios. 

It also provides support for the integration of Spring Security with other Spring modules such as Spring MVC, Spring Data, and Spring Cloud.

Securing a Spring Boot API is important for several reasons: 

  • Confidentiality: By securing an API, you can prevent unauthorized access to sensitive data and protect against data breaches. 
  • Integrity: Securing an API can prevent unauthorized changes to data and ensure that data is not tampered with in transit. 
  • Authentication: By securing an API, you can ensure that only authorized users can access the API and perform specific actions. 
  • Authorization: Securing an API can also ensure that users can only access the resources and perform the actions that they are authorized to do. 
  • Compliance: Many industries and governments have regulations that mandate certain security measures for handling sensitive data. Failing to secure an API can result in non-compliance and penalties. 
  • Reputation: Security breaches can lead to loss of trust and damage to an organization's reputation. 
  • Business continuity: Security breaches can lead to loss of revenue, legal action, and other negative consequences. Securing an API can help to minimize the risk of a security breach and ensure business continuity.

There are several ways to secure a Spring Boot API, including: 

  • Basic authentication: This method involves sending a username and password with each request to the API. Spring Security can be used to implement basic authentication. 
  • Token-based authentication: This method involves sending a token with each request to the API. The token can be generated by the server and passed to the client, or the client can obtain the token from a third-party service. JSON Web Tokens (JWT) are a popular choice for token-based authentication in Spring Boot. 
  • OAuth2 and OpenID Connect: These are industry-standard protocols for authentication and authorization. Spring Security can be used to implement OAuth2 and OpenID Connect. 
  • HTTPS: All data sent to and from the API should be encrypted using HTTPS to protect against eavesdropping. Input validation: 
  • Input validation should be used to prevent malicious data from being passed to the API. Spring Boot provides built-in support for input validation. 
  • Regularly monitoring and maintaining the security of the application and its dependencies It's important to note that the best approach will depend on the requirements of your specific application and the level of security that is needed.
Token-based authentication is one of the most commonly used methods to secure Spring Boot API. The reason token-based authentication is so popular is that it provides several advantages over other authentication methods: 
  • Stateless: Tokens are self-contained and do not require the server to maintain a session, which makes it easy to scale the API horizontally. 
  • Decoupled: Tokens are decoupled from the API, which means that the API does not need to know anything about the user. This makes it easy to add or remove authentication providers without affecting the API. 
  • Portable: Tokens can be passed between different systems, which makes it easy to authenticate users across different platforms. 
  • JSON Web Tokens (JWT) which is a widely used token format, is an open standard and can be easily integrated into different systems. 
  • It can also be used in combination with OAuth2 and OpenID Connect. 
It's important to note that token-based authentication is not suitable for all use cases, but it is widely used and can be a good choice for many Spring Boot API.

Happy Coding and Keep Sharing!!

Saturday, 14 July 2018

SDL WEB and TLS 1.2 or higher

Are you still using the SSL/early TLS protocols? 


Do you work with partners or customers who haven’t yet started the migration away from SSL/early TLS to a more secure encryption protocol? It's time to say goodbye to SSL/early TLS and reducing the risk of being breached.

On 30 June 2018?

30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS).

What is TLS?

TLS stands for Transport Layer Security and is the successor to SSL (Secure Sockets Layer). However, both these terms are commonly thrown around a lot online and you might see them both referred to as simply SSL.  TLS provides secure communication between web browsers and servers. The connection itself is secure because symmetric cryptography is used to encrypt the data transmitted. The keys are uniquely generated for each connection and are based on a shared secret negotiated at the beginning of the session, also known as a TLS handshake. Many IP-based protocols, such as HTTPS, SMTP, POP3, FTP support TLS to encrypt data.

In my last project, we faced this issue where client's security and infra team enabled TLS 1.3 on servers and while implementing SDL WEB 8.5 we start getting this issue.

Issue because of TLS 1.3

After investigating and consulting it with SDL we've found the solution for this, SDL WEB 8.5 supports till 1.2 and for that, we need to make some adjustment in the registry. Below are the registry entry details that fixed the algorithm and TLS issue for us.

TLS 1.0
TLS 1.0 Client

TLS 1.1 Client

TLS 1.2 client

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]"SchUseStrongCrypto"=dword:00000001
New Entry Required  

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]"SchUseStrongCrypto"=dword:00000001
New Entry Required

Happy Coding and Keep Sharing !!!