Security
Reader small image

You're reading from  Spring Security - Third Edition

Product typeBook
Published inNov 2017
Reading LevelIntermediate
PublisherPackt
ISBN-139781787129511
Edition3rd Edition
Languages
Java
Tools
Spring
Concepts
Cybersecurity
Right arrow
Authors (3):
Mick Knutson
Mick Knutson
author image
Mick Knutson

With nearly two decades of experience working in the IT industry in various roles as Enterprise technology consultant, Java Architect, project leader, Engineer, Designer and Developer, Mr. Knutson has gained a wide variety of experience in disciplines including JavaEE, Web Services, Mobile Computing and Enterprise Integration Solutions. Over the course of his career, Mr. Knutson has enjoyed long lasting partnerships with many of the most recognizable names in the Health Care, Financial, Banking, Insurance, Manufacturing, Telecommunications, Utilities, Product Distribution, Industrial and Electronics industries employing industry standard full software life cycle methodologies including the Rational Unified Process (RUP), Agile, SCRUM, and Extreme Programming (XP). Mr. Knutson has also undertaken speaking engagements, training seminars, white paper and book publishing engagements world-wide. As an active Blogger and tweeter, Mr. Knutson has also been inducted in the prestigious DZone.com Most Valuable Blogger (MVB) group and can be followed at http://www.dzone.com/page/mvbs, http://www.dzone.com/users/mickknutson and twitter at http://twitter.com/mickknutson.
Read more about Mick Knutson

Peter Mularien
Peter Mularien
author image
Peter Mularien

Peter Mularien is an experienced software architect and engineer, and the author of the book Spring Security 3, Packt Publishing. Peter currently works for a large financial services company and has over 12 years consulting and product experience in Java, Spring, Oracle, and many other enterprise technologies. He is also the reviewer of this book.
Read more about Peter Mularien

ROBERT WILLIAM WINCH
ROBERT WILLIAM WINCH
author image
ROBERT WILLIAM WINCH


Read more about ROBERT WILLIAM WINCH

View More author details
Right arrow

Remember-Me Services

In this chapter, we'll add the ability for an application to remember a user even after their session has expired and the browser is closed. The following topics will be covered in this chapter:

  • Discussing what remember-me is
  • Learning how to use the token-based remember-me feature
  • Discussing how secure remember-me is, and various ways of making it more secure
  • Enabling the persistent-based remember-me feature, and how to handle additional considerations for using it
  • Presenting the overall remember-me architecture
  • Learning how to create a custom remember-me implementation that is restricted to the user's IP address

What is remember-me?

A convenient feature to offer frequent users of a website is the remember-me feature. This feature allows a user to elect to be remembered even after their browser is closed. In Spring Security, this is implemented through the use of a remember-me cookie that is stored in the user's browser. If Spring Security recognizes that the user is presenting a remember-me cookie, then the user will automatically be logged into the application, and will not need to enter a username or password.

What is a cookie?
A cookie is a way for a client (that is, a web browser) to persist the state. For more information about cookies, refer to additional online resources, such as Wikipedia (http://en.wikipedia.org/wiki/HTTP_cookie).

Spring Security provides the following two different strategies that we will discuss in this chapter:

  • The first is the token-based remember-me...

MD5

MD5 is one of the several well-known cryptographic hash algorithms. Cryptographic hash algorithms compute a compact and unique text representation of input data with arbitrary length, called a digest. This digest can be used to determine if an untrusted input should be trusted by comparing the digest of the untrusted input to a known valid digest of the expected input.

The following diagram illustrates how this works:

For example, many open source software sites allow mirrors to distribute their software to help increase download speeds. However, as a user of the software, we would want to be sure that the software is authentic and doesn't include any viruses. The software distributor will calculate and publish the expected MD5 checksum on their website with their known, good version of the software. Then, we can download the file from any location. Before we install...

Is remember-me secure?

Any feature related to security that has been added for user convenience has the potential to expose our carefully-protected site to a security risk. The remember-me feature, in its default form, runs the risk of the user's cookie being intercepted and reused by a malicious user. The following diagram illustrates how this might happen:

The use of SSL (covered in the Appendix, Additional Reference Material) and other network security techniques can mitigate this type of attack, but be aware that there are other techniques, such as cross-site scripting (XSS), that can steal or compromise a remembered user session. While convenient for the user, we don't want to risk financial or other personal information being inadvertently changed or possibly stolen if the remembered session is misused.

Although we don't cover malicious user behavior in detail...

Configuring the persistent-based remember-me feature

Finally, we'll need to make some brief configuration changes to the rememberMe declaration to point it to the data source we're using, as shown in the following code snippet:

   //src/main/java/com/packtpub/springsecurity/configuration/SecurityConfig.java

   @Autowired
   @SuppressWarnings("SpringJavaAutowiringInspection")
        private DataSource dataSource;
    @Autowired
    private PersistentTokenRepository persistentTokenRepository;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
       ...
       http.rememberMe()
           .key("jbcpCalendar")
           .tokenRepository(persistentTokenRepository)
       ...
    }
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
       JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
       db.setDataSource...

The remember-me architecture

We have gone over the basic architecture of both TokenBasedRememberMeServices and PersistentTokenBasedRememberMeServices, but we have not described the overall architecture. Let's see how all of the remember-me pieces fit together.

The following diagram illustrates the different components involved in the process of validating a token-based remember-me token:

As with any of the Spring Security filters, RememberMeAuthenticationFilter is invoked from within FilterChainProxy. The job of RememberMeAuthenticationFilter is to inspect the request, and if it is of interest, an action is taken. The RememberMeAuthenticationFilter interface will use the RememberMeServices implementation to determine if the user is already logged in. The RememberMeServices interface does this by inspecting the HTTP request for a remember-me cookie that is then validated...

Custom cookie and HTTP parameter names

Curious users may wonder if the expected value of the remember-me form field checkbox to be remember-me, or the cookie name to be remember-me, can be changed to obscure the use of Spring Security. This change can be made in one of two locations. Take a look at the following steps:

  1. First, we can add additional methods to the rememberMe method, as follows:
        //src/main/java/com/packtpub/springsecurity/configuration/
        SecurityConfig.java

        http.rememberMe()
               .key("jbcpCalendar")
               .rememberMeParameter("jbcpCalendar-remember-me")
               .rememberMeCookieName("jbcpCalendar-remember-me");
  1. Additionally, now that we've declared our own RememberMeServices implementation as a Spring bean, we can simply define more properties to change the checkbox and cookie names...

Summary

This chapter explained and demonstrated the use of the remember-me feature in Spring Security. We started with the most basic setup and learned how to gradually make the feature more secure. Specifically, we learned about a token-based remember-me service and how to configure it. We also explore how persistent-based remember-me services can provide additional security, how it works, and the additional considerations necessary when using them.

We also covered the creation of a custom remember-me implementation that restricts the remember-me token to a specific IP address. We saw various other ways to make the remember-me feature more secure.

Up next is certificate-based authentication, and we will discuss how to use trusted client-side certificates to perform authentication.

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 8 of 19
Next Chapter
You have been reading a chapter from
Spring Security - Third Edition
Published in: Nov 2017Publisher: PacktISBN-13: 9781787129511
© 2017 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Authors (3)

author image
Mick Knutson

With nearly two decades of experience working in the IT industry in various roles as Enterprise technology consultant, Java Architect, project leader, Engineer, Designer and Developer, Mr. Knutson has gained a wide variety of experience in disciplines including JavaEE, Web Services, Mobile Computing and Enterprise Integration Solutions. Over the course of his career, Mr. Knutson has enjoyed long lasting partnerships with many of the most recognizable names in the Health Care, Financial, Banking, Insurance, Manufacturing, Telecommunications, Utilities, Product Distribution, Industrial and Electronics industries employing industry standard full software life cycle methodologies including the Rational Unified Process (RUP), Agile, SCRUM, and Extreme Programming (XP). Mr. Knutson has also undertaken speaking engagements, training seminars, white paper and book publishing engagements world-wide. As an active Blogger and tweeter, Mr. Knutson has also been inducted in the prestigious DZone.com Most Valuable Blogger (MVB) group and can be followed at http://www.dzone.com/page/mvbs, http://www.dzone.com/users/mickknutson and twitter at http://twitter.com/mickknutson.
Read more about Mick Knutson

author image
Peter Mularien

Peter Mularien is an experienced software architect and engineer, and the author of the book Spring Security 3, Packt Publishing. Peter currently works for a large financial services company and has over 12 years consulting and product experience in Java, Spring, Oracle, and many other enterprise technologies. He is also the reviewer of this book.
Read more about Peter Mularien

author image
ROBERT WILLIAM WINCH


Read more about ROBERT WILLIAM WINCH

Other recommended products

Related to this chapter

Hands-On Spring Security 5 for Reactive Applications

Hands-On Spring Security 5 for Reactive Applications

Security is one of the most vital concerns for any organization. The complexity of an application is compounded when you need to integrate security with existing code, new technology, and other frameworks. This book will show you how to effectively write Java code that is robust and easy to maintain.

BookJul 2018268 pages
OAuth 2.0 Cookbook

OAuth 2.0 Cookbook

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications.

BookOct 2017420 pages
Spring Boot 2.0 Projects

Spring Boot 2.0 Projects

Spring is one of the best tools to develop web, enterprise, and cloud ready software in the market. The goal of Spring Boot is to provide a set of tools for building Spring applications that run production-grade based applications. This book will teach you features of Spring Boot 2.0 by building interesting real-world projects.

BookJul 2018336 pages
Spring 5.0 Cookbook

Spring 5.0 Cookbook

The upcoming version of the Spring Framework has a lot to offer, above and beyond the platform upgrade to Java 9, and this book will show you all you need to know to overcome the common to advanced problems you might face while developing in Spring 5.0.

BookSep 2017670 pages
Spring 5.0 Projects

Spring 5.0 Projects

Spring makes it simple to create RESTful applications, interact with social services, communicate with modern databases, secure your system, and make your code modular and easy to test. This book will show you how to build various projects in Spring 5.0, using its various features as well as third party tools.

BookFeb 2019442 pages
Mastering Spring 5

Mastering Spring 5

Spring 5.1 is the latest new release of the widely used Spring framework and consists a myriad of exciting new features that has changed the way the framework is used. Mastering Spring 5 shows you this evolution - from solving the problems of developing testable applications to building distributed applications on the cloud.

BookJul 2019598 pages
Learning Spring 5.0

Learning Spring 5.0

Spring is the most widely used framework for Java programming and with its latest update to 5.0, the framework is undergoing massive changes. Built to work with both Java 8 and Java 9, This book will teach you to simplify the way you write code, while still being able to create robust, enterprise applications using Spring 5.0.

BookJun 2017422 pages
Spring Boot 2 Fundamentals

Spring Boot 2 Fundamentals

Through the Spring Boot Fundamentals book, you will learn how the Spring Framework works and how it helps you to get the job done. You will be able to build a new application from scratch for desktops and mobiles. Your application will persist data in a relational database and provide users a rich user experience using HTML or a RESTful API for JavaScript.

BookNov 2018288 pages
Mastering Spring 5.0

Mastering Spring 5.0

Spring 5.0 is due to arrive with a myriad of new and exciting features that will change the way we’ve used the framework so far. This book will show you this evolution—from solving the problems of testable applications to building distributed applications on the Cloud.

BookJun 2017496 pages
Keycloak - Identity and Access Management for Modern Applications

Keycloak - Identity and Access Management for Modern Applications

This book is your guide to learning how to install, configure, and manage Keycloak optimally for securing your applications. With the help of easy-to-follow examples, you will gain a complete understanding of Keycloak's various features and how to enable authentication and authorization in applications using it.

BookJun 2021362 pages
Learning Spring Boot 2.0

Learning Spring Boot 2.0

Spring Boot provides a variety of features that address today’s business needs with a powerful database and state of the art MVC framework. This practical guide will help you get up and running with all the latest features of Spring Boot.

BookNov 2017370 pages
Hands-On High Performance with Spring 5

Hands-On High Performance with Spring 5

Spring 5.0 brings major advancements in the rich APIs provided by the Spring framework and thus creates a need for developers to master its tools and techniques to achieve high-performing applications. This book will help you improve the speed of your code and optimize the performance of your apps.

BookJun 2018408 pages

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages
Automotive Cybersecurity Engineering Handbook

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages
Cloud Penetration Testing for Red Teamers

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5
Burp Suite Cookbook

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages
Building and Automating Penetration Testing Labs in the Cloud

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages
Ethical Hacking Workshop

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages
Implementing DevSecOps Practices

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages