milo-minderbinder/spring-ref
spring-ref

This is a very basic Spring app I've cobbled together to demonstrate and test different security features and controls in Spring and Spring Security, as well as Thymeleaf (a templating engine) and its integration with Spring Security, and Jasypt (a simple crypto library, used here to encrypt sensitive properties). Note: Jasypt is no longer actively maintained, so it should not be used.

Areas of Interest

  • Spring Security Config
    • A WebSecurityConfigurerAdapter subclass where most of the web-app security configuration is defined, including the HttpSecurity configuration (which defines the authorization rules for paths plus the login/logout/session settings) and the AuthenticationManager and AuthenticationProvider beans.
  • Authentication Provider
    • A custom proof-of-concept subclass of Spring Security's built-in DaoAuthenticationProvider that adds rate limiting of authentication attempts (with a configurable rate and burst tolerance).
  • Password Policy
    • A basic password-policy bean used to enforce length and complexity requirements. It also enforces a "uniqueness"/"non-exposure" policy that checks candidate passwords against a list of 10,000 passwords collated from several public breaches; the list is loaded into a Bloom filter backed by Redis for fast, scalable lookups.
  • UserValidator
    • An example Spring Validator implementation used to check that user model objects satisfy the application's validation rules. It serves as the centralized enforcement point for the password policy above, as well as for checks that fields are not empty and similar rules. Validator classes are a good place to define and run checks against untrusted input from various sources, since Validators are not tied to a specific domain: the same class can validate persistence-domain objects (e.g. database entities) and web-domain objects (e.g. objects exposed as ModelAttributes to the view).
  • UserDetailsService
    • Simple example of a UserDetailsService, used by the DaoAuthenticationProvider during authentication to populate the user object with user details from the repository.
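The configuration described under "Spring Security Config" above, written out as an added example (this is illustrative code, not the repository's own class). It assumes a UserDetailsService bean is available for injection (the project's own is described above) and uses the WebSecurityConfigurerAdapter API the README names; that adapter is deprecated in Spring Security 5.7 and removed in 6, where the same rules move to a SecurityFilterChain bean. The paths, role name and CSP value are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical configuration class; not the repository's own.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailsService; // assumed to be provided by another bean

    public WebSecurityConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Adaptive hash with an explicit work factor; never store plaintext or fast hashes.
        return new BCryptPasswordEncoder(12);
    }

    @Bean
    public AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder());
        // Report unknown users with the same BadCredentialsException as wrong passwords,
        // so login responses do not reveal which usernames exist.
        provider.setHideUserNotFoundExceptions(true);
        return provider;
    }

    // Expose the AuthenticationManager as a bean for components that authenticate programmatically.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection stays on (the default); Thymeleaf forms get the token automatically.
        http
            .authorizeRequests()
                // Placeholder paths: public pages first, then the most specific protected ones,
                // and a deny-by-default rule for everything else.
                .antMatchers("/", "/login", "/register", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login?error")
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // Issue a fresh session id on login to defeat session fixation.
                .sessionFixation().migrateSession()
                .maximumSessions(1)
                .expiredUrl("/login?expired")
                .and()   // back to SessionManagementConfigurer
                .and()   // back to HttpSecurity
            .headers()
                .contentSecurityPolicy("default-src 'self'")   // placeholder policy
                .and()
                .frameOptions().deny();
    }
}
```

The ordering of the antMatchers rules matters: Spring evaluates them top to bottom and stops at the first match, so a broad permitAll placed after a narrower rule would silently swallow it. Keeping anyRequest().authenticated() last makes the configuration deny-by-default for any path that is added later and forgotten.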
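The rate-limiting authentication provider described above, as an added example of how such a subclass can be built; this is hypothetical code, not the repository's class, and the class names, constructor parameters and token-bucket design are assumptions. Each username gets a token bucket that refills at a configurable rate up to a configurable burst size, and an attempt is rejected before the parent class touches the user store when the bucket is empty.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Hypothetical DaoAuthenticationProvider subclass that applies a per-username
 * token bucket before delegating the credential check to the parent class.
 * ratePerSecond = tokens refilled per second, burst = bucket capacity.
 */
public class RateLimitingAuthenticationProvider extends DaoAuthenticationProvider {

    /** Thrown instead of BadCredentialsException so the login page can show a distinct message. */
    public static class RateLimitedException extends AuthenticationException {
        public RateLimitedException(String msg) { super(msg); }
    }

    private static final class Bucket {
        double tokens;
        long lastRefillNanos;
        Bucket(double tokens, long now) { this.tokens = tokens; this.lastRefillNanos = now; }
    }

    private final double ratePerSecond;
    private final double burst;
    private final LongSupplier clock;   // injectable for tests; System::nanoTime in production
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();

    public RateLimitingAuthenticationProvider(double ratePerSecond, double burst, LongSupplier clock) {
        this.ratePerSecond = ratePerSecond;
        this.burst = burst;
        this.clock = clock;
    }

    /** Returns true if an attempt for this principal may proceed, consuming one token. */
    boolean tryAcquire(String principal) {
        long now = clock.getAsLong();
        Bucket b = buckets.computeIfAbsent(principal, k -> new Bucket(burst, now));
        synchronized (b) {
            // Lazy refill: add the tokens earned since the last attempt, capped at the burst size.
            double elapsedSeconds = (now - b.lastRefillNanos) / 1_000_000_000.0;
            b.tokens = Math.min(burst, b.tokens + elapsedSeconds * ratePerSecond);
            b.lastRefillNanos = now;
            if (b.tokens < 1.0) {
                return false;
            }
            b.tokens -= 1.0;
            return true;
        }
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Normalise the key so "Alice" and "alice" share one bucket.
        String name = authentication.getName();
        String principal = name == null ? "" : name.trim().toLowerCase();
        if (!tryAcquire(principal)) {
            // Reject before the user store is queried, so a flood of attempts neither
            // loads the database nor exposes timing differences between known and unknown users.
            throw new RateLimitedException("Too many authentication attempts");
        }
        return super.authenticate(authentication);
    }
}
```

Two things a production version needs that this sketch leaves out: the bucket map grows with every distinct username seen, so idle buckets should be evicted (or kept in Redis with a TTL so the limit also holds across several app instances), and because the key is the username, an attacker who knows a username can keep its bucket empty and lock the legitimate user out, which is why a per-username limit is usually paired with a per-source-IP limit and a soft rate limit rather than a hard lockout.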
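The Redis-backed Bloom filter password policy and the Validator that enforces it (the "Password Policy" and "UserValidator" items above), shown together as one added example. This is illustrative code, not the repository's own: the class names, the message codes, the UserForm object and the choice of SHA-256 double hashing to derive the bit offsets are assumptions. It assumes a Spring Data Redis StringRedisTemplate, and uses Redis bit operations (SETBIT/GETBIT) on a single key as the filter's bit array, which is loaded once with the breached-password list.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.regex.Pattern;

import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.validation.Errors;
import org.springframework.validation.ValidationUtils;
import org.springframework.validation.Validator;

/** Hypothetical policy: length, complexity, and a Redis-backed Bloom filter of breached passwords. */
public class PasswordPolicy {
    private static final Pattern UPPER = Pattern.compile("[A-Z]");
    private static final Pattern LOWER = Pattern.compile("[a-z]");
    private static final Pattern DIGIT = Pattern.compile("[0-9]");

    private final StringRedisTemplate redis;
    private final String bloomKey; // Redis string used as the filter's bit array
    private final long bits;       // filter size m (Redis strings allow up to 2^32 bits)
    private final int hashes;      // number of hash functions k
    private final int minLength;

    public PasswordPolicy(StringRedisTemplate redis, String bloomKey, long bits, int hashes, int minLength) {
        this.redis = redis; this.bloomKey = bloomKey; this.bits = bits; this.hashes = hashes; this.minLength = minLength;
    }

    /** k bit offsets from two 64-bit halves of SHA-256 (Kirsch-Mitzenmacher double hashing). */
    long[] offsets(String password) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(password.getBytes(StandardCharsets.UTF_8));
            long h1 = 0, h2 = 0;
            for (int i = 0; i < 8; i++) {
                h1 = (h1 << 8) | (d[i] & 0xff);
                h2 = (h2 << 8) | (d[8 + i] & 0xff);
            }
            long[] out = new long[hashes];
            for (int i = 0; i < hashes; i++) {
                out[i] = Math.floorMod(h1 + i * h2, bits); // floorMod keeps offsets non-negative on overflow
            }
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Called once per entry when the breached-password list is loaded. */
    public void addBreached(String password) {
        for (long off : offsets(password)) {
            redis.opsForValue().setBit(bloomKey, off, true);
        }
    }

    /** True if the password may be in the breached set: no false negatives, a small false-positive rate. */
    public boolean possiblyBreached(String password) {
        for (long off : offsets(password)) {
            Boolean set = redis.opsForValue().getBit(bloomKey, off);
            if (set == null || !set) {
                return false;
            }
        }
        return true;
    }

    /** Returns null when the password passes, otherwise a message code for the Errors object. */
    public String check(String password) {
        if (password == null || password.length() < minLength) return "password.tooShort";
        if (!UPPER.matcher(password).find() || !LOWER.matcher(password).find()
                || !DIGIT.matcher(password).find()) return "password.complexity";
        if (possiblyBreached(password)) return "password.breached";
        return null;
    }
}

/** Hypothetical registration form object (package-private so it can share this file). */
class UserForm {
    private String username, password;
    public String getUsername() { return username; }
    public String getPassword() { return password; }
}

/** Hypothetical Validator: the single enforcement point for empty-field checks and the password policy. */
class UserValidator implements Validator {
    private final PasswordPolicy policy;
    UserValidator(PasswordPolicy policy) { this.policy = policy; }

    @Override
    public boolean supports(Class<?> clazz) { return UserForm.class.isAssignableFrom(clazz); }

    @Override
    public void validate(Object target, Errors errors) {
        ValidationUtils.rejectIfEmptyOrWhitespace(errors, "username", "username.empty");
        ValidationUtils.rejectIfEmptyOrWhitespace(errors, "password", "password.empty");
        if (errors.hasErrors()) return;           // do not run the policy on an absent password
        String code = policy.check(((UserForm) target).getPassword());
        if (code != null) errors.rejectValue("password", code);
    }
}
```

A Bloom filter rejects a small fraction of passwords that are not actually in the list; for a registration form that is the acceptable direction of error, since a false positive only asks the user for a different password, while a false negative (impossible here) would let a known-breached password through. The filter is only as current as the list loaded into it, so the load step should be rerun whenever the list is refreshed.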

How to Build

To build an application WAR for deployment in a servlet container, just run the following from the project root directory:

./gradlew clean build

How to Run

Because my deployment configuration and general implementation are not very flexible, the app has hard deployment-environment dependencies on Redis (for the password policy) and Postgres (for the User repository). To make testing the app on a local machine easier, see the companion 'docker-spring-ref' project, which greatly simplifies the process with Docker and docker-compose.
