- Session based version
- Modification of Version 1 to Remove Session
- Starter Code for Sessionless / HMAC HASH version
- Implementation of HMAC HASH version
- Added JPA/MySQL Database Support
- Added Special Instructions (for testing reflective XSS)
-
Port of 3.0 from Spring Boot 2.6 to 2.7
- Implementation of HMAC HASH version (with Injected Config)
- With JPA/MySQL Database Support
- With Spring Security Added
- Default Spring Security Login Form Enabled
-
Added Spring Security Bare Bones Configuration Class
-
Added In-Memory User Config for Authentication
-
Disabled CSRF Protection for POST Processing
-
Added Home Controller (Redirects to Console)
Spring Security:
Storage Mechanisms
Each of the supported mechanisms for reading a username and password can leverage any of the supported storage mechanisms:
- Simple Storage with In-Memory Authentication
- Relational Databases with JDBC Authentication
- Custom data stores with UserDetailsService
- LDAP storage with LDAP Authentication
- Added Support for CSRF Protection
- Added Login Controller & Custom Login Page
- Login Page & CSRF will not work behind a Load Balancer
- Need to use Spring Session + Redis
- Workaround is to Enabled LB Sticky Sessions
Cross Site Request Forgery (CSRF)
- https://docs.spring.io/spring-security/reference/features/exploits/csrf.html
- https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html
Custom Login Form Example
- https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/form.html
- https://codepen.io/khadkamhn/pen/ZGvPLo
- Added Redis In-Memory Database Service
- Add Spring Session to Replicate CSRF Tokens
- Configured Spring Session to use Redis as Session Store
- Added Logout Button to end Session
Scaling Out with Spring Sessions
- https://spring.io/projects/spring-session
- https://docs.spring.io/spring-session/docs/current/api
- https://docs.spring.io/spring-session/reference/guides/boot-redis.html
Redis Documentation
- https://hub.docker.com/_/redis
- https://redis.io/docs/manual
- https://redis.io/docs/getting-started
- https://redis.io/docs/manual/security
- https://cloud.google.com/memorystore/docs/redis
- https://www.baeldung.com/spring-session
Redis Config
- https://www.docker.com/blog/how-to-use-the-redis-docker-official-image
- https://github.com/redis/redis/blob/unstable/redis.conf
Jedis (Redis Client for Java)
Jumpbox
- Install Curl & Ping in your "Jump Box"
apt-get update
apt-get install curl
apt-get install iputils-ping
apt-get install telnet
apt-get install httpie
- Install Redis Client in your "Jump Box"
apt install redis-server
redis-cli -h <host> -p 6379
auth <password>
keys '*'
set <key> "<value>"
get <key>