Sicher in die Cloud mit Angular 2 und Spring Boot · OpenId Connect = Authentifizierung Spring...

Sicher in die Cloud mit Angular 2 und Spring Boot

Andreas Falk 16.02.2017

Andreas Falk / Germany NovaTec Consulting GmbH [email protected]

@andifalk

Agile Threat Modeling

Clo

ud

Spring

Security Scrum

Kan

ban

TDD

Code Review

Cle

an C

od

e

Static Analysis

Architecture

OWASP

Java EE

Mic

rose

rvic

es

IoT

BDD

Dev

Op

s

Web

Java

SSO

OAuth2

SAML


2

mailto:[email protected]




3

OWASP Top 10 (Neue Version in 2017)!

OWASP Mobile Top 10 (2016)

ASVS OpenSAMM

OWASP Zap ProActive Controls

Cheat Sheets

https://owasp.org

Lokale Chapters


4

Angular 2

API Gateway

Microservice

Microservice

DB

DB

Architektur / Threat Model

XSS CSRF

SQLi

Cloud Security

Authentifizierung

Autorisierung

Session Fixation

Auditing Logging Monitoring

Intrusion Detection

SSL / TLS

OUT OF SCOPE: Mobile und IoT Devices!


5

Angular 2 https://angular.io


6

https://angularjs.blogspot.de/2016/09/angular-16-expression-sandbox-removal.html

Angular 1.x

Angular 2


7

https://github.com/angular/angular/issues/8511


8

Sicherheitseinstufung in Angular 2

Alle Werte (Alles was ins DOM wandert)

Angular Templates (Vorsicht: Template-Injection)

Kontextabhängige Sanitization und Escaping

HTML (z.B. Bindings mit „innerHtml“)

Style (CSS Bindings)

URL (URL Eigenschaften wie <a href>)

Resource URL (z.B. <image src> oder <script src>)


9

https://angular.io/docs/ts/latest/api/platform-browser/index/DomSanitizer-class.html

Gefahr von XSS !!

bypassSecurityTrustHtml(value: string) : SafeHtml

bypassSecurityTrustStyle(value: string) : SafeStyle

bypassSecurityTrustScript(value: string) : SafeScript

bypassSecurityTrustUrl(value: string) : SafeUrl

bypassSecurityTrustResourceUrl(value: string) : SafeResourceUrl


10

https://angular.io/docs/ts/latest/api/core/index/ElementRef-class.html

Direkter Zugriff auf das DOM Gefahr von XSS !!

class ElementRef {

constructor(nativeElement: any)

nativeElement : any

}


11

@Component({ selector: 'app-root', templateUrl: 'app.component.html', styleUrls: ['app.component.css'] }) export class AppComponent { untrustedHtml:string = '<em><script>alert("hello")</script></em>'; }

<div>{{untrustedHtml}}</div> <div [innerHtml]="untrustedHtml"></div>


12

„Double Submit Cookie“ Support in Angular 2

Client Server

XSRF-TOKEN Cookie

X-XSRF-TOKEN Header + XSRF-TOKEN Cookie

CSRF Schutz


13

Backend https://spring.io/platform


14

Spring Boot

Spring Security / OAuth2

Spring Data JPA

Spring Framework


15

Eine sichere Web-Anwendung in 5 Minuten


16

Authentifizierung aller URLs

Session Fixation Schutz

Session Cookie (HttpOnly, Secure)

CSRF Angriffschutz

Security Response Header

„Secure By Default“ Konfiguration


17

@Configuration public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { … http .csrf().csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse() ); }

CSRF Konfiguration für Angular 2


18

public interface PasswordEncoder { String encode(CharSequence rawPassword); boolean matches( CharSequence rawPassword, String encodedPassword); }

Sichere Passwortverschlüsselung


19

Sichere Passwortverschlüsselung

Encoder Implementierungen:

BCryptPasswordEncoder

SCryptPasswordEncoder

Pbkdf2PasswordEncoder

BytesEncryptor (BouncyCastle)


20

Authentifizierung

Session Cookie Token (Bearer, JWT, …)

Mit jedem Request mitgesendet Manuell als Header gesetzt

Gefahr von CSRF!!! Kein CSRF möglich!!

Persistiert bei Unload von DOM Keine automatische Persistenz

Auf eine Domain begrenzt Domainübergreifend (mit CORS)

Sensitive Information (HTTPS)!! Sensitive Information (HTTPS)!!


Application Server

Authentifizierung im Java EE Monolith

https://docs.oracle.com/javaee/7/tutorial/security-intro001.htm

Client

Access protected resource 1

4 Provide protected resource

Show login form 2

Provide credentials 3

21


OAuth2 = Authorization

https://oauth.net/2

22


23

Authorization Server

Client Resource

Server

OAuth2 = Autorisierung

https://oauth.net/2


Authorization Server

https://oauth.net/2

Client


Resource Server

Resource Owner

Access Protected Resource 1

2 3

Access Token 4

Protected Resource 5

24


25

OpenID Connect = Authentifizierung

https://openid.net/connect

OAuth 2

JWT JWS JWE

OpenID Connect

JWK


OpenID Provider

Relying Party Resource

Server

End User

1

2

Access Token 3

Protected Resource 6

OpenID Connect = Authentifizierung

https://openid.net/connect

26


27

OAuth2 / OpenId Connect mit

Spring Security ?


28

Tweetable OAuth2 Application

https://projects.spring.io/spring-security-oauth


29

https://github.com/spring-projects/spring-security/issues/3907

Spring Security OAuth in „Maintenance Mode“!


30

https://github.com/IdentityServer/IdentityServer3

http://www.keycloak.org

Identity Server


31

Angular 2

API Gateway

Microservice

Microservice

DB

DB



32

public class UserBoundaryService { @PreAuthorize("hasRole('ADMIN')") public List<User> findAllUsers() {…} } ------------------------------------- public class TaskBoundaryService { @PreAuthorize("hasPermission(#taskId, 'TASK', 'WRITE')") public Task findTask(UUID taskId) {…} }

Autorisierung der REST API

Rollen- oder Rechtebasiert


33

public class AuthorizationIntegrationTest { @WithMockUser(roles = "ADMIN") @Test public void verifyFindAllUsersAuthorized() {…} @WithMockUser(roles = "USER") @Test(expected = AccessDeniedException.class) public void verifyFindAllUsersUnauthorized() {…} }

Test der REST API

Serverseitige Tests (Autorisierung)


34

@Entity public class Person extends AbstractPersistable<Long> { @NotNull @Pattern(regexp = "^[A-Za-z0-9- ]{1,30}$") private String lastName; @NotNull @Enumerated(EnumType.STRING) private GenderEnum gender; ... }

Input Validierung

Typisierung und Bean Validation (REST Interface UND in JPA Entity)


35

@Query( "select u from User u where u.username = " + " :username and u.password = :password") User findByUsernameAndPassword( @Param("username") String username, @Param("password") String password);

SQL Injection Schutz

Prepared Statements mit Spring Data JPA


36

Ist die Cloud Sicher?


37

Netzwerk

Speicher

Server

Virtualisierung

OS

Runtime

Middleware

Daten

Applikationen

Netzwerk

Speicher

Server

Virtualisierung

OS

Runtime

Middleware

Daten

Applikationen

Netzwerk

Speicher

Server

Virtualisierung

OS

Runtime

Middleware

Daten

Applikationen

Netzwerk

Speicher

Server

Virtualisierung

OS

Runtime

Middleware

Daten

Applikationen

On Premise IaaS PaaS SaaS

Cloud Service Modelle

Public

Private

Hybrid


38

PaaS https://www.cloudfoundry.org/


39

Rotate

Repair

Repave

https://www.youtube.com/watch?v=NUXpz0Dni50

Justin Smith, Pivotal


40

What if every server inside my data center had a maximum lifetime of two hours?

This approach would frustrate malware writers, because it limits the amount of time to exploit known vulnerabilities before they are patched.

“

“ Justin Smith, Pivotal

Repave


41

Rotate

Microservice

DB JDBC

Service Binding Credentials


42

Repair

Spring Boot + Spring Plattform

CloudFoundry Java Buildpack

CloudFoundry OPS Manager

AWS Azure OpenStack

Identity Server


43

Angular 2

API Gateway

Microservice

HTTPS

Microservice

HTTPS

HTTPS HTTPS

DB

DB

JDBC

JDBC


HTTPS


44

Angular 2: XSS-Schutz + CSRF-Token Support


OpenId Connect = Authentifizierung

Spring Security kann (nur) OAuth2 mit JWT

Prepared Statements mit Spring Data JPA

Input Validierung mit Bean Validation

Summary (1)


45

Cloud = Infrastruktur Security

HTTPS, HTTPS, HTTPS!

Korrekte Fehlerbehandlung

Logging, Monitoring, Auditing!

Code-Reviews

Summary (2)


46

Weiterführendes

https://www.owasp.org/index.php/OWASP_Proactive_Controls

https://tools.ietf.org/html/rfc6819

OAuth 2.0 Threat Model and Security Considerations

https://openid.net/specs/openid-connect-implicit-1_0.html

OpenID Connect Implicit Client Implementer's Guide

https://angular.io/docs/ts/latest/guide/security.html

Angular2 Security Guide

Andreas Falk / Germany NovaTec Consulting GmbH [email protected]

@andifalk


47




Date post:	29-Aug-2019
Category:	Documents
Upload:	hoangdien
View:	217 times
Download:	0 times

Sicher in die Cloud mit Angular 2 und Spring Boot · OpenId Connect = Authentifizierung Spring...

Documents