Enterprise Java with Spring Boot

Securing Application Endpoints

Josh Long
Broadcom

Lesson Description

The "Securing Application Endpoints" lesson is part of the full Enterprise Java with Spring Boot course featured in this preview video. Here's what you'd learn in this lesson:

Josh introduces Spring Security and scaffolds a basic application with a secured endpoint. A principal or currently authenticated user is passed along to every secured endpoint, and an exception is thrown if the user is not permitted.


Transcript from the "Securing Application Endpoints" Lesson

[00:00:00]
>> Josh Long: We're going to talk about security. We're going to talk about what it looks like to do security in a Spring application, typically. Now I'm going to build a new service here called auth, right, and it's going to be a web application. I'm going to use Spring Security.

[00:00:13]
I'm also going to bring in the OAuth authorization service support. We'll come back and talk about what that means in just a second. I also want a SQL database, so, you know, our old friend JDBC and Postgres. Okay, there's that auth.zip. Okay, do I have a Docker image running?

[00:00:39]
Good, go back here. Okay, I don't think I created a Docker Compose file. Do I need it? Maybe not. Copy, go to my Downloads directory. Touch compose.yaml, subl compose.yaml, paste that in. Same old, same old, okay. Same old PostgreSQL directory thing since time immemorial. So docker compose up.

[00:01:15]
Okay, so I'm going to talk about security. Security is really hard, and I've done you a disservice by leaving security to the very end of this. Really, this should be a conversation you have at the very beginning of your system design, right? It's one of those things where, if you get it right, as my late father (I have two dads) would have said, it's a cinch by the inch, hard by the yard.

[00:01:37]
Apologies to everybody else who doesn't use freedom units, but it just means that it's easy by the centimeter, hard by the meter, right? It's more difficult if you wait until it accrues and do it later. Whereas if you do it as you go, it's a very easy thing to kind of contend with.

[00:01:51]
So security is one of the things you really want to do up front. And my central thesis today is that security with passwords is fundamentally just broken. It's not a good way to build a system. So what we're going to look at today is a number of things that you can use to make your system more secure.

[00:02:06]
I'm going to use... this is the rare Josh-editing-the-pom.xml moment here. I'm going to add a dependency called webauthn-core. Look at that. So that's very important. Blink and you'll miss it. Dependency for WebAuthn. Now what I want to do is I want to secure this application.

[00:02:31]
I've got a Java application here. Let's just get a simple HTTP controller: ResponseBody, Controller, GetMapping hello. Okay, and what am I going to put in here? Yes, you guessed it, a simple message. So String hello, Principal principal, return Map.of. So what did I just do there?

[00:02:56]
I injected the Principal. This is a Java security Principal object. And what does it do? This has been in the Java security specification for, I don't know, 20 years, as long as I can remember. And the Principal has just one interesting method, which is: give me the name of the currently authenticated principal.

[00:03:13]
Where does that come from? Well, somebody's got to put that there. It's got to make it available to the rest of the system. That's where Spring Security comes in. Think of Spring Security as a big filter that sits around your application, guarding it from requests from the outside world and, you know, demanding that there be some sort of authentication.

[00:03:29]
That happens. And then once you're authenticated, handling authorization, right? That is to say, authentication is the question of who is making the request. Authorization is what permissions they have once they're inside the system. Okay, so I want to handle that. So I'm going to create a SecurityFilterChain.

[00:03:49]
So my auth security filter chain, and I'm going to throw an exception. I'm going to inject something called HttpSecurity, and I will use that to call build. So this is, in theory, a functioning Spring Security app, right? It'll do the job, right? In fact, this doesn't do anything different.

[00:04:13]
In fact, if you just left it out, it would still do something, in that this endpoint is no longer accessible. I've got Spring Security on the classpath, and by default everything is locked down. But let me set spring datasource: JDBC, PostgreSQL, localhost, my database.

[00:04:33]
Okay, username. My user, password is secret. Okay, so I'm going to start that again. Go to localhost:8080. Hello? Nothing, right? It wouldn't let me log in.
