
Java Spring Developers @ OWASP

Java Spring Developer Focused Application Security Pages

Spring Application Security

Spring provides significant security capabilities that developers can leverage to improve the security of applications.

For web applications, recent Spring Security releases make it easy to set the browser security headers (X-Content-Type-Options, X-Frame-Options, HTTP Strict Transport Security, cache control). With Spring Security's Java configuration the defaults are sound (since Spring Security 3.2, the release paired with Spring 4), so little is needed beyond confirming they are in place and adding a Content Security Policy through the headers() section of the HttpSecurity configuration.

Spring also provides authentication through Spring Security, which can be wired into a variety of identity providers (LDAP, SAML 2.0, OAuth 2.0/OpenID Connect, or a local user store). As a general rule, using it is recommended over hand-rolled authentication. One pitfall with Spring Security configuration is accidentally leaving resources unprotected - in other words, having the rules that allow access be too permissive: a broad permitAll() matcher placed before narrower rules, or no catch-all rule at all. Order rules from specific to general and end with an explicit anyRequest() rule so that a forgotten URL is denied rather than served.
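The following configuration, added here as an example and not code from the OWASP page, shows both points above in one Spring Security 6 filter chain: the headers section keeps the sound defaults and adds HSTS and a Content Security Policy, and the authorization section orders the rules from specific to general and ends with anyRequest(). The URL patterns, the ADMIN role and the CSP directives are assumptions for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Headers: Spring Security already sends X-Content-Type-Options: nosniff,
            // X-Frame-Options: DENY and Cache-Control: no-cache/no-store by default.
            // Only the entries below change or extend those defaults.
            .headers(headers -> headers
                .frameOptions(frame -> frame.deny())
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000))           // one year
                // Assumed policy: same-origin only, no plugins, no framing.
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'self'; object-src 'none'; frame-ancestors 'none'")))
            // Authorization: matchers are evaluated in order and the first match wins.
            // PITFALL: .requestMatchers("/**").permitAll() placed first, or ending with
            // .anyRequest().permitAll(), makes every URL public including /admin/**.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**", "/js/**").permitAll() // assumed public paths
                .requestMatchers("/admin/**").hasRole("ADMIN")                    // assumed role
                .anyRequest().authenticated())   // catch-all: nothing is left unprotected by accident
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check after deploying is to request an unlisted path such as /does-not-exist without a session: it should redirect to the login page, not return the application's 404 view, and the response should carry the X-Frame-Options, X-Content-Type-Options and Content-Security-Policy headers.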

Authorization is hard to get right, and harder still to set out as a stable model that works across different use cases. Spring Security provides function-level access control (OWASP Top 10 2013 A7, Missing Function Level Access Control) through annotations such as @PreAuthorize and @Secured on controllers or services. It is recommended that one style and approach be adopted and used consistently throughout the application, for example always annotating the service layer, so that a reviewer can tell at a glance which methods are unprotected.

Spring Security also provides instance-based authorization (A4, Insecure Direct Object References) through its domain-object support: expression-based annotations (@PostAuthorize, @PreFilter, @PostFilter) that can inspect method arguments and return values, and the ACL module for per-object permission lists. Checks can also be hooked into ORM lifecycle callbacks, but keeping them in the service layer next to the function-level rules is easier to audit. Instance-based security is what ensures that a user can only see their own timesheet and not someone else's; a function-level rule alone cannot express that.
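The service below is an example added here, not code from the OWASP page, covering the two preceding paragraphs: @PreAuthorize gives function-level control (only managers may approve), while @PostAuthorize and @PostFilter give instance-level control by comparing the returned timesheet's owner with the authenticated principal. The Timesheet record, the TimesheetRepository interface and the MANAGER role are assumptions for illustration.

```java
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity   // enables @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter
class MethodSecurityConfig {}

// Hypothetical domain object for the example.
record Timesheet(long id, String ownerUsername, int hours) {}

// Hypothetical repository; a real one would be Spring Data or JPA.
// findById is assumed to throw when the id does not exist, so returnObject is never null.
interface TimesheetRepository {
    Timesheet findById(long id);
    List<Timesheet> findAll();   // must return a mutable list: @PostFilter removes elements in place
    void approve(long id);
}

@Service
class TimesheetService {
    private final TimesheetRepository repo;

    TimesheetService(TimesheetRepository repo) {
        this.repo = repo;
    }

    // Function-level control (A7): the operation itself is restricted to a role.
    @PreAuthorize("hasRole('MANAGER')")
    public void approve(long id) {
        repo.approve(id);
    }

    // Instance-level control (A4): the decision is made against the record that was
    // actually loaded, so a guessed or tampered id still cannot expose another user's data.
    @PostAuthorize("returnObject.ownerUsername == authentication.name or hasRole('MANAGER')")
    public Timesheet get(long id) {
        return repo.findById(id);
    }

    // Instance-level filtering of a collection: non-managers only ever see their own rows.
    @PostFilter("filterObject.ownerUsername == authentication.name or hasRole('MANAGER')")
    public List<Timesheet> list() {
        return repo.findAll();
    }
}
```

A denied @PostAuthorize check raises AccessDeniedException after the repository call has already run, so it protects confidentiality, not the cost of the query; where that matters, resolve ownership in the query itself and keep the annotation as the second line of defence.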

As a general rule, unless the application uses Thymeleaf (which escapes th:text output by default; th:utext does not), Java/JSP applications are susceptible to XSS (A3, Cross-Site Scripting): JSP EL ${...} writes values to the page unescaped. It is recommended that all output be encoded using a library-level function such as the JSTL <c:out> tag or the OWASP Java Encoder, choosing the encoder for the context the value lands in (HTML body, HTML attribute, JavaScript string, URL), so that user input is never sent to the browser in a form that will be executed.
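As an added example, not code from the OWASP page, the controller below hands a search term to the view both raw and pre-encoded with the OWASP Java Encoder (org.owasp.encoder:encoder), and two helper methods show the fragment a JSP would emit with and without encoding for a constructed attacker payload. The /search mapping and the "search" view name are assumptions.

```java
import org.owasp.encoder.Encode;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class SearchController {

    // Constructed attacker input: closes the value attribute and injects a script element.
    static final String PAYLOAD = "\"><script>alert(document.cookie)</script>";

    @GetMapping("/search")
    public String search(@RequestParam("q") String q, Model model) {
        model.addAttribute("q", q);                           // raw: the view must encode it
        model.addAttribute("qHtml", Encode.forHtml(q));       // safe in HTML body and quoted attributes
        model.addAttribute("qJs", Encode.forJavaScript(q));   // safe inside a JavaScript string literal
        return "search";
    }

    // What <input value="${q}"> produces in a JSP: the payload is written verbatim,
    // so the browser sees a closed attribute followed by a live script element.
    public static String unsafeFragment(String q) {
        return "<input value=\"" + q + "\">";
    }

    // What <input value="<c:out value='${q}'/>"> or ${qHtml} produces: the characters
    // '<', '>', '"', '&' and '\'' become entities and the value stays data.
    public static String safeFragment(String q) {
        return "<input value=\"" + Encode.forHtml(q) + "\">";
    }

    // Context matters: HTML encoding inside a <script> block is not enough, because
    // the script parser does not decode entities. Use the JavaScript encoder there.
    public static String safeScriptAssignment(String q) {
        return "var q = '" + Encode.forJavaScript(q) + "';";
    }
}
```

Running unsafeFragment(SearchController.PAYLOAD) yields markup containing a <script> element, while safeFragment(SearchController.PAYLOAD) yields a single <input> whose value starts with &#34;&gt;&lt;script&gt;; that difference is the whole of A3 for server-rendered pages.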

Spring and Jasypt provide a relatively straightforward way to avoid committing sensitive information like database credentials to source control: values in the properties files are stored as ENC(...) ciphertext and decrypted at startup with a master password supplied by the deployment environment. This is recommended, with the caveat that the master password itself must stay out of the repository, otherwise the scheme only adds a layer of indirection.
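The class below is an example added here, not code from the OWASP page or the Jasypt project. It uses Jasypt's StandardPBEStringEncryptor for the cryptography and plain Spring plumbing (a PropertySource registered by an ApplicationContextInitializer) to decrypt ENC(...) values on the way into the Environment, so that @Value("${db.password}") and the DataSource see plaintext while the committed file does not. The environment variable name JASYPT_PASSWORD, the file name secrets.properties and the db.* keys are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;
import org.springframework.context.ApplicationContextInitializer;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.env.PropertySource;

/** Decrypts ENC(...) values from a committed properties file using a Jasypt encryptor. */
public class EncryptedSecretsInitializer
        implements ApplicationContextInitializer<ConfigurableApplicationContext> {

    // The master password comes from the process environment, never from the repository.
    // JASYPT_PASSWORD is an assumed variable name for this example.
    static StringEncryptor encryptor() {
        String master = System.getenv("JASYPT_PASSWORD");
        if (master == null || master.isBlank()) {
            throw new IllegalStateException("JASYPT_PASSWORD is not set");
        }
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(master);
        enc.setAlgorithm("PBEWITHHMACSHA512ANDAES_256"); // AES-256; this algorithm needs a random IV
        enc.setIvGenerator(new RandomIvGenerator());
        return enc;
    }

    /** Operator-side helper: produces the ENC(...) token that is pasted into secrets.properties. */
    public static String encryptForProperties(String plaintext) {
        return "ENC(" + encryptor().encrypt(plaintext) + ")";
    }

    /** Property source that decrypts ENC(...) values transparently; other values pass through. */
    static final class DecryptingPropertySource extends PropertySource<Properties> {
        private final StringEncryptor enc;

        DecryptingPropertySource(String name, Properties src, StringEncryptor enc) {
            super(name, src);
            this.enc = enc;
        }

        @Override
        public Object getProperty(String name) {
            String v = source.getProperty(name);
            if (v != null && v.startsWith("ENC(") && v.endsWith(")")) {
                return enc.decrypt(v.substring(4, v.length() - 1));
            }
            return v;
        }
    }

    @Override
    public void initialize(ConfigurableApplicationContext ctx) {
        // secrets.properties is committed and contains, for example:
        //   db.user=app
        //   db.password=ENC(<token produced by encryptForProperties>)
        Properties props = new Properties();
        try (InputStream in = getClass().getResourceAsStream("/secrets.properties")) {
            if (in == null) {
                throw new IllegalStateException("secrets.properties not found on the classpath");
            }
            props.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read secrets.properties", e);
        }
        // addFirst so the decrypted view takes precedence over any raw copy of the same keys.
        ctx.getEnvironment().getPropertySources()
           .addFirst(new DecryptingPropertySource("secrets", props, encryptor()));
    }
}
```

Register the initializer with SpringApplicationBuilder.initializers(...) in a Spring Boot application, or call initialize(ctx) on a plain AnnotationConfigApplicationContext before refresh(). Rotating the master password means re-running encryptForProperties for every ENC(...) value; the ciphertexts are only as secret as that one environment variable.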

Spring pulls in a large number of transitive dependencies, so it is recommended that a tool such as OWASP Dependency-Check be used to identify known-vulnerable libraries (A9, Using Components with Known Vulnerabilities). Also, committing to updating libraries and dependencies on a regular cadence is important in this ecosystem; a scan that is never acted on adds nothing.

Most applications written with Spring use JdbcTemplate or Hibernate for persistence. Note that neither protects universally from SQL injection, though both encourage safer practices: JdbcTemplate executes whatever SQL string it is handed, and HQL/JPQL built by concatenation is injectable in exactly the same way as raw SQL. Always use parameterized queries (? placeholders or named parameters) and ensure that no query text is built by String concatenation of user input.
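The class below, an example added here rather than code from the OWASP page, places the injectable form next to the parameterized form for JdbcTemplate, NamedParameterJdbcTemplate and a JPA EntityManager. The users table, the User entity and the column names are assumptions; the attacker strings in the comments are constructed.

```java
import java.util.List;
import java.util.Map;
import jakarta.persistence.EntityManager;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

public class UserLookup {
    private final JdbcTemplate jdbc;
    private final NamedParameterJdbcTemplate named;
    private final EntityManager em;

    public UserLookup(JdbcTemplate jdbc, NamedParameterJdbcTemplate named, EntityManager em) {
        this.jdbc = jdbc;
        this.named = named;
        this.em = em;
    }

    // VULNERABLE: the template does nothing to the string it is given. A constructed
    // username of  x' OR '1'='1  returns every e-mail address in the table, and
    // x' UNION SELECT password_hash FROM users--  reads a different column entirely.
    public List<String> findEmailsUnsafe(String username) {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        return jdbc.queryForList(sql, String.class);
    }

    // SAFE: the SQL text is a constant and the value travels as a bound parameter,
    // so the quote in  x' OR '1'='1  is just a character in the compared string.
    public List<String> findEmailsSafe(String username) {
        return jdbc.queryForList("SELECT email FROM users WHERE username = ?", String.class, username);
    }

    // Named parameters read better when there are several. The LIKE pattern is still
    // bound; note that '%' and '_' in the caller's value act as wildcards, which is a
    // separate (non-injection) concern to escape if exact matching is required.
    public List<String> findEmailsByDomain(String domain, int limit) {
        return named.queryForList(
                "SELECT email FROM users WHERE email LIKE :pattern LIMIT :n",
                Map.of("pattern", "%@" + domain, "n", limit),
                String.class);
    }

    // VULNERABLE in exactly the same way: JPQL/HQL is parsed into SQL, and a concatenated
    // username breaks out of the string literal just as it does above.
    public List<String> findEmailsJpaUnsafe(String username) {
        return em.createQuery(
                "SELECT u.email FROM User u WHERE u.username = '" + username + "'", String.class)
                 .getResultList();
    }

    // SAFE: bind the value with setParameter; the query string never changes.
    public List<String> findEmailsJpaSafe(String username) {
        return em.createQuery("SELECT u.email FROM User u WHERE u.username = :name", String.class)
                 .setParameter("name", username)
                 .getResultList();
    }
}
```

A practical review rule that catches the unsafe methods above: any string passed to a query method must be a compile-time constant or a text block, never the result of concatenation, String.format or a StringBuilder that has seen request data.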

Spring MVC provides an easy and clear place to perform input validation: the Validator interface, optionally alongside Bean Validation annotations, invoked by the data binder before a controller method runs. Validate all input and prefer allowlists (whitelists) that describe what a value must look like over blocklists of known-bad characters.
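The validator and controller below are an example added here, not code from the OWASP page. The validator expresses each field as an allowlist (a fixed format for the project code, a numeric range, a length cap) rather than a list of forbidden characters, and the controller's @InitBinder both registers it and restricts binding to the expected fields. TimesheetForm, the project-code format and the URL are assumptions for illustration.

```java
import java.util.regex.Pattern;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.validation.Errors;
import org.springframework.validation.ValidationUtils;
import org.springframework.validation.Validator;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Hypothetical form object bound from the request.
class TimesheetForm {
    private String projectCode;
    private int hours;
    private String comment;

    public String getProjectCode() { return projectCode; }
    public void setProjectCode(String projectCode) { this.projectCode = projectCode; }
    public int getHours() { return hours; }
    public void setHours(int hours) { this.hours = hours; }
    public String getComment() { return comment; }
    public void setComment(String comment) { this.comment = comment; }
}

class TimesheetFormValidator implements Validator {
    // Allowlist: a project code is 2-4 upper-case letters, a hyphen, 3-5 digits. Anything
    // else is rejected, so there is no list of "bad" characters to keep up to date.
    private static final Pattern PROJECT_CODE = Pattern.compile("^[A-Z]{2,4}-\\d{3,5}$");
    private static final int MAX_HOURS = 24;
    private static final int MAX_COMMENT = 500;

    @Override
    public boolean supports(Class<?> clazz) {
        return TimesheetForm.class.isAssignableFrom(clazz);
    }

    @Override
    public void validate(Object target, Errors errors) {
        TimesheetForm f = (TimesheetForm) target;
        ValidationUtils.rejectIfEmptyOrWhitespace(errors, "projectCode", "projectCode.required");
        if (f.getProjectCode() != null && !PROJECT_CODE.matcher(f.getProjectCode()).matches()) {
            errors.rejectValue("projectCode", "projectCode.format");
        }
        if (f.getHours() < 0 || f.getHours() > MAX_HOURS) {
            errors.rejectValue("hours", "hours.range");
        }
        if (f.getComment() != null && f.getComment().length() > MAX_COMMENT) {
            errors.rejectValue("comment", "comment.length");
        }
    }
}

@Controller
class TimesheetController {

    @InitBinder("timesheetForm")
    void initBinder(WebDataBinder binder) {
        binder.addValidators(new TimesheetFormValidator());
        // Only these request parameters may be bound; anything else (e.g. an "approved"
        // or "ownerUsername" parameter added by the client) is ignored.
        binder.setAllowedFields("projectCode", "hours", "comment");
    }

    @PostMapping("/timesheets")
    String submit(@Validated @ModelAttribute("timesheetForm") TimesheetForm form,
                  BindingResult result) {
        if (result.hasErrors()) {
            return "timesheet/form";   // re-render with the field errors; nothing is saved
        }
        // ... persist the validated form ...
        return "redirect:/timesheets";
    }
}
```

The BindingResult parameter must immediately follow the validated model attribute; if it is omitted, Spring MVC raises a MethodArgumentNotValidException (or BindException) instead of letting the controller decide, which is safe but gives a poor user experience.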

Resources

Support or Contact

Having trouble with the developer pages? Help us update them or [email protected] and we’ll help you sort it out. See something wrong? Get involved and help us fix it!
