This is a very basic Spring app I've cobbled together to demonstrate and test different security features and controls in Spring and Spring Security, as well as Thymeleaf (templating engine) and its integration with Spring Security, and Jasypt (simple crypto lib - used here to encrypt sensitive properties) [NOTE: Jasypt is no longer actively maintained, so it should not be used].
- Spring Security Config
  - `WebSecurityConfigurerAdapter`, where most web app security configuration is defined, including the `HttpSecurity` configuration (which defines authZ rules for paths and login/logout/session config) and the `AuthenticationManager` and `AuthenticationProvider` beans.
- Authentication Provider
  - Custom PoC subclass of Spring Security's builtin `DaoAuthenticationProvider`, which adds authentication attempt rate limiting (with configurable rate and burstiness tolerance).
- Password Policy
  - A basic password policy bean, used to enforce length and complexity requirements. It also enforces a "uniqueness"/"non-exposure" policy, which checks passwords against a list of 10,000 passwords collated from several public breaches. The list is stored in a Bloom filter backed by Redis for quick/scalable checking.
- UserValidator
  - An example Spring `Validator` implementation, used to validate that user model objects satisfy certain validation checks. It serves as a centralized enforcement point for the aforementioned password policy, as well as checking that fields are not empty, and other similar checks. `Validator` classes are a good place to define and execute checks against untrusted inputs from various sources, since `Validator`s are not tied to a specific domain; in other words, the same class could be used to validate domain model objects for the persistence domain (e.g. database entity objects) as well as web domain objects (e.g. objects exposed as `ModelAttribute`s in the view).
- UserDetailsService
  - Simple example of a `UserDetailsService`, used by the `DaoAuthenticationProvider` during authentication to populate the user object with user details from the repository.
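As an added example (not the project's own provider) of the rate-limited `DaoAuthenticationProvider` listed above: a per-username token bucket whose refill rate is the configurable rate and whose capacity is the burstiness tolerance. The class and exception names, the in-memory bucket map and the injected `Clock` are assumptions made here for illustration.

```java
import java.time.Clock;
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** DaoAuthenticationProvider with a per-username token bucket in front of the credential check. */
public class RateLimitedAuthenticationProvider extends DaoAuthenticationProvider {
    /** Raised before any credential check when the bucket for the username is empty. */
    public static class TooManyAttemptsException extends AuthenticationException {
        public TooManyAttemptsException(String msg) { super(msg); }
    }
    private static final class Bucket {
        double tokens; long lastRefillMillis;
        Bucket(double tokens, long now) { this.tokens = tokens; this.lastRefillMillis = now; }
    }
    private final double refillPerSecond;  // sustained attempt rate allowed per username
    private final int capacity;            // burst tolerance: attempts allowed back-to-back
    private final Clock clock;             // injectable (assumed) so the limiter can be unit-tested
    private final ConcurrentHashMap<String, Bucket> buckets = new ConcurrentHashMap<>();
    public RateLimitedAuthenticationProvider(double refillPerSecond, int capacity, Clock clock) {
        this.refillPerSecond = refillPerSecond;
        this.capacity = capacity;
        this.clock = clock;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Normalise the key so "Alice" and "alice" share one bucket. A token is spent on every
        // attempt, successful or not, so knowing one valid password does not refill the budget.
        String key = String.valueOf(authentication.getName()).trim().toLowerCase(Locale.ROOT);
        if (!tryConsume(key)) throw new TooManyAttemptsException("Too many authentication attempts");
        return super.authenticate(authentication);
    }

    /** Refill the bucket for the elapsed time, then take one token if one is available. */
    boolean tryConsume(String key) {
        Bucket b = buckets.computeIfAbsent(key, k -> new Bucket(capacity, clock.millis()));
        synchronized (b) {
            long now = clock.millis();
            b.tokens = Math.min(capacity, b.tokens + (now - b.lastRefillMillis) / 1000.0 * refillPerSecond);
            b.lastRefillMillis = now;
            if (b.tokens < 1.0) return false;
            b.tokens -= 1.0;
            return true;
        }
    }
}
```

Register it in place of the default provider from the `WebSecurityConfigurerAdapter`, setting the `UserDetailsService` and `PasswordEncoder` on it as usual. With more than one application node the bucket state would need to live in shared storage, such as the Redis instance the password policy already uses, rather than in a per-JVM map.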
To build an application WAR for deployment in a servlet container, just run the following from the project root directory:

```sh
./gradlew clean build
```
Due to the lack of flexibility in my deployment configuration and general implementation, the app has intrinsic deployment-environment dependencies on Redis (for the password policy) and Postgres (for the User repository). To make testing the app on a local machine easier, see the companion 'docker-spring-ref' project, which greatly simplifies the process with Docker and docker-compose.