Securing java web applications

  • Published on 08-Aug-2015


Transcript

  1. Securing Java Web Applications: an introduction. Jonas Flesch, me@jonasesch.com
  2. Index: Spring Security, Passwords, SQL Injection, JSTL, Client-sent content, Stacktraces, Test, Legal issues
  3. Step 1: Use Spring Security!!
  4. Spring Security: Authentication

         // Java-config form login; "http" is the HttpSecurity builder the slide's chain is called on
         http
             .formLogin()
                 .loginPage("/login")                   // custom login page
                 .loginProcessingUrl("/authenticate")   // POST target for credentials
                 .failureUrl("/login?error=true")       // redirect on bad credentials
                 .usernameParameter("username")
                 .passwordParameter("password")
                 .permitAll();                          // login page reachable without a session

  5. Spring Security: Authorization

         @Controller
         @Secured(Roles.ROLE_ADMINISTRATOR)             // whole controller restricted to administrators
         @RequestMapping(UserController.BASE_URL)
         public class UserController extends BaseController {
             // handler methods omitted on the slide
         }

  6. Spring Security: Cross Site Request Forgery token
  7. Spring Security: good practices, headers
  8. Step 2: Passwords
  9. Passwords
     - Store them using a strong salted hash (bcrypt)
     - Never send them by e-mail or store them in plain text
     - Protect user creation and password recovery forms with a captcha: reCAPTCHA when possible, JCaptcha as second choice
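An added example, not from the slides: one Spring Security (4.x Java config) class that wires slides 4 to 9 together, with the form-login chain from slide 4 unchanged, @Secured enabled for the controller on slide 5, CSRF protection and security headers (slides 6 and 7), and a bcrypt PasswordEncoder for slide 9. The UserDetailsService, the bcrypt work factor and the "deny all framing" choice are assumptions made here.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true) // makes @Secured on controllers (slide 5) effective
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // Assumption: the application supplies a UserDetailsService that loads users and their bcrypt hashes
    @Autowired
    private UserDetailsService userDetailsService;

    // Slide 9: passwords are stored as salted bcrypt hashes; work factor 12 is a choice made here
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()       // everything except the login flow needs a session
                .and()
            .formLogin()                            // slide 4, unchanged
                .loginPage("/login")
                .loginProcessingUrl("/authenticate")
                .failureUrl("/login?error=true")
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll()
                .and()
            .csrf()                                 // slide 6: synchronizer token checked on state-changing requests
                .and()
            .headers()                              // slide 7: default security headers (nosniff, HSTS, cache-control)
                .frameOptions().deny();             // plus X-Frame-Options: DENY against clickjacking
    }
}
```

With csrf() on, every JSP form that POSTs must carry the token, e.g. `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`, or the request is rejected with 403.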
  10. Step 3: SQL Injection
  11. SQL Injection: always use SQL parameters

         // JDBI SQL-object annotation; the values are bound as parameters, never concatenated into the query
         @SqlUpdate("UPDATE User ug "
                  + " SET DsEmail = :dsEmail"
                  + " WHERE idUser = :idUser")
         // method signature is not on the slide; @Bind supplies the named parameters
         void updateEmail(@Bind("dsEmail") String dsEmail, @Bind("idUser") long idUser);

  12. Step 4: Use JSTL carefully
  13. JSTL. Wrong: Correct: Why? <c:out> escapes the string with HTML entities (for example, < becomes &lt;)