Bootiful Security: A secure web application in 5 minutes
Application security is constantly gaining more importance in the information technology world. There is hardly a day without any news on data breaches or security hacks.
Even more security is a crucial part in new IT trends like microservices and the internet of things.
In this bootiful security tutorial blog series I will show step by step how to develop a secure web application using spring boot and spring security.
In this first part I will describe a fast-start on creating a secure web application from scratch in just a few minutes. The finished application will already include basic security features like authentication and protection against common attacks like CSRF (Cross site request forgery) or session fixation.
Creating the application
To create a new bootiful application with spring boot we will use the Spring Initializr. To start with this simply open the url http://start.spring.io in your web browser.
The Spring Initializr is a generator that creates maven or gradle projects based on spring boot. It also adds selectable features as dependencies like for example web, JPA or security. Modern IDE’s like IntelliJ or the Spring Tool Suite already include similar built-in wizards.
For our application we will just use the following settings:
- Generate a maven project with spring boot 1.3.2 (or some later release version)
- Group ‘info.novatec’ and artifact ‘bootiful-security’
- Select dependencies ‘Web’ and ‘Security’ (The bootiful security)
Finally the project will be created by clicking on ‘Generate Project’ button. What you will get is a zip file containing a maven pom file and some java source code. You may now open the project in your favorite IDE.
When looking at the generated pom.xml file you will notice that it is quite small. The spring-boot-starter-parent project used as parent manages versions for all used dependencies. For each selected feature in the spring initializr spring-boot-starter-xxx dependencies have been added. These starters basically are pom projects managing all transitive dependencies for features. For example the spring-boot-starter-web adds spring mvc as further dependency. You will also notice that maven will package the project as a jar not war (as you may have expected for a web app).
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
... <packaging>jar</packaging> ... <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>1.3.2.RELEASE</version> <relativePath/> </parent> ... <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> ... </dependencies> ... |
In addition to maven pom the following artifacts are contained in the generated zip file:
- BootifulSecurityApplication.java: This is the starter class for the web-project. It includes a main() method.
- BootifulSecurityApplicationTests.java: This is a sample spring integration test just verifying correct application context loading
- application.properties: This file is the standard location for application-specific configuration settings
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
package info.novatec; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication public class BootifulSecurityApplication { public static void main(String[] args) { SpringApplication.run( BootifulSecurityApplication.class, args); } } |
With spring boot the manual deployment of a web application into a web container like Apache Tomcat is not required any more. Instead an embedded container will automatically be started together with the web-application.
We could already start the application now but it does not have any visible web content yet. So we will add a very basic RESTful service to BootifulSecurityApplication.java first.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
package info.novatec; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @RestController @SpringBootApplication public class BootifulSecurityApplication { public static void main(String[] args) { SpringApplication.run( BootifulSecurityApplication.class, args); } @RequestMapping(path = "/") public String hello() { return "Hello security"; } } |
Running the application
After building the maven project we are now ready to start the web-application. This is done by using the BootifulSecurityApplication as main starter class.
When the application has started successfully point your web browser to url http://localhost:8080. This will present a login dialog (using basic authentication by default).
If you get errors when starting the application, then the default port 8080 may already be bound by another application on your machine. To get around this just configure an alternative port in the application.properties file.
|
1 |
server.port=8090 |
The default username to be used in login dialog is ‘user’. The default password is generated automatically at each application start and can be copied from console log output of the application.
Just locate a line similar to this in the log to capture the password:
|
1 2 3 |
...INFO 13132 --- [ost-startStop-1] b.a.s.AuthenticationManagerConfiguration : Using default security password: d8c96fd3-bba9-4750-bf9e-5380e0f131aa |
After successful authentication you should see the message ‘Hello security’ in the web page.
Of course it is quite inconvenient to search for new password in console log after each application start. You can easily configure your own username and password in the application.properties file using two predefined spring boot properties.
|
1 2 |
security.user.name=myuser security.user.password=secret |
Now you will be able to log in using ‘myuser’ and ‘secret’.
As spring security has built in a secure by default configuration, the created web application already has enabled basic protection against threats like
- session fixation
- CSRF (Cross site request forgery)
All HTTP responses already include recommended security headers as well. These will be described in one of the next parts of this tutorial.
|
1 2 3 4 |
Strict-Transport-Security:max-age=31536000 ; includeSubDomains X-Content-Type-Options:nosniff X-Frame-Options:DENY X-XSS-Protection:1; mode=block |
Conclusion
In this first part we have created a basically secure web application in a few small steps which can be performed in just minutes.
As you have noticed this can be done because of the ‘convention over configuration’ principle of spring boot. This especially includes the auto configuration for web and web security.
What to expect next
In the next parts of this bootiful security tutorial I will show you
- how to integrate form-based login dialog for authentication
- how to authenticate using a persistent user/password store
- easily switching from cleartext http to transport security (https)
- what is needed to use securely encrypted passwords
- how authorization is added to UI and service level
Recent posts
Comment article