30 Aralık 2019 Pazartesi

SpringCloud Binder Arayüzü

Giriş
Açıklaması şöyle.
The Binder SPI consists of a number of interfaces, out-of-the box utility classes, and discovery strategies that provide a pluggable mechanism for connecting to external middleware. The key point of the SPI is the Binder interface, which is a strategy for connecting inputs and outputs to external middleware. 
Açıklaması şöyle.
A typical binder implementation consists of the following: a class that implements the Binder interface; a Spring @Configuration class that creates a bean of type Binder along with the middleware connection infrastructure; a META-INF/spring.binders file found on the classpath containing one or more binder definitions,...
Kullanılabilen arakatmanlar şöyle.
Through the use of one of many Spring Cloud Stream Binders, many different messaging middleware products can be used. The following popular platforms are among the list supported by Spring Cloud Data Flow:
1.Kafka Streams
2.Amazon Kinesis
3.Google Pub/Sub
4.Solace PubSub+
5.Azure Event



26 Aralık 2019 Perşembe

SpringSecurity RememberMeConfigurer Sınıfı

Giriş

RememberMeServices Nedir?
RememberMeServices yazısına taşıdım.

Persistent Cookie İsmi
Çerezin varsayılan ismi "remember-me" şeklindedir. rememberMeCookieName() çağrısı ile çerez ismi değiştirilebilir.

Persistent Cookie Geçerlilik Süresi
Çerezin geçerlilik süresi tokenValiditySeconds() metodu ile değiştirilir. Varsayılan değer sanırım 2 hafta.

Spring Security Tarafından Sunulan RememberMe Servisleri
Açıklaması şöyle.
Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.
Her iki sınıf ta AbstractRememberMeServices ata sınıfından kalıtır.

1. Simple Hash-Based Token Approach Servisi
Bu servisi gerçekleştiren sınıf TokenBasedRememberMeServices sınıfı. 

2. Persistent Token Approach
Bu servisi gerçekleştiren sınıf PersistentTokenBasedRememberMeServices sınfı. Bu sınıf bir dataSource gerektirir. Ayrıca "persistent_logins" isimli bir tablo kullanır.

processAutoLoginCookie metodu
Persistent Cookie okunur ve tokenReposity.getTokenForSeries() çağrısı yapılır. Bu kullanıcıya ait PersistentRememberMeToken yüklenmeye çalışılır. Eğer cookie bulunamazsa, kullanıcının cookie bilgisi çalınmıştır.

onLoginSuccess metodu
tokenRepository'ye yeni bir PersistentRememberMeToken kaydedilir

key metodu
Bu metoda geçilen değer RememberMeAuthenticaitonProvider tarafından kullanılır.

Örnek
Şöyle yaparız.
rememberMe().key("superUniqueAndSecretKey")
rememberMeCookieName metodu
Şöyle yaparız.
//Persistant cookie
http.rememberMe()
  .rememberMeCookieName("example-app-remember-me")
  .tokenRepository(persistentTokenRepository())
  .tokenValiditySeconds(24 * 60 * 60)
  .and()
rememberMeServices metodu
Örnek
Şöyle yaparız.
HttpSecurity http = ...;
...
.and()
.rememberMe().rememberMeServices(rememberMeService())
...


@Bean
public TokenBasedRememberMeServices rememberMeService() {
  TokenBasedRememberMeServices tbrms = 
    new TokenBasedRememberMeServices("rememberMe", userDetailsService);
  tbrms.setAlwaysRemember(true);
  return tbrms;
}
tokenRepository metodu
Şöyle yaparız.
// Configuration for Remember me function (remember 24h).
http
  ....
  and()
  .rememberMe().tokenRepository(persistentTokenRepository())
  .tokenValiditySeconds(1 * 24 * 60 * 60);


@Bean
public PersistentTokenRepository persistentTokenRepository() {
  JdbcTokenRepositoryImpl jdbcTokenRepository = new JdbcTokenRepositoryImpl();
  jdbcTokenRepository.setDataSource(dataSource);
  return jdbcTokenRepository;
}

SpringSecurity SessionManagementConfigurer Sınıfı

Giriş
5 çeşit session management yöntemi var. Bunlar şöyle.
Long-lived access token.
Short  — Medium term lived access token used to get a new access token.
Short — Medium term access token whose usage extends its expiry.
Short-lived access token.
Short-lived access token with long-lived refresh token.
invalidSessionUrl metodu
Şöyle yaparız.
http
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
    .invalidSessionUrl("/login?invalidSession")
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true)
    .expiredUrl("/login?expired")
    .sessionRegistry(sessionRegistry());
maximumSessions metodu
Şöyle yaparız.
httpSecurity.sessionManagement().maximumSessions(1)                                      
                                        .maxSessionsPreventsLogin(true);
maxSessionsPreventLogin metodu
Şöyle yaparız.
http
  .sessionManagement()
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true)
    .sessionRegistry(sessionRegistry)
setSessionCreationPolicy metodu
Bu alana atanan değer "SecurityContext"  nesnesinin yaşsam döngüsünü belirtir. Policy olarak ALWAYS, NEVERSTATELESS gibi değerler alabilir.
Açıklaması şöyle
We can control exactly when our session gets created and how Spring Security will interact with it:

always – a session will always be created if one doesn't already exist
ifRequired – a session will be created only if required (default)
never – the framework will never create a session itself but it will use one if it already exists
stateless – no session will be created or used by Spring Security
STATEFULL Olursa
Always seçeneği kullanılır

STATELESS Olursa
STATELESS seçeneği kullanılır

STATELESS kullanılırsa authentication bilgisinin her istekte gelmesi gerekir. 
- Form authentication için STATELESS kullanılamaz.
- Basic Authentication için STATELESS kullanılabilir.
- Digest Authentication için STATELESS kullanılabilir.
- JWT için STATELESS kullanılabilir.
Eğer STATELESS seçersek artık Cookie kullanılmaz. Açıklaması şöyle
Finally, the strictest session creation option – “stateless” – is a guarantee that the application will not create any session at all.

This was introduced in Spring 3.1 and will effectively skip parts of the Spring Security filter chain – mainly the session related parts such as HttpSessionSecurityContextRepository, SessionManagementFilter, RequestCacheFilter.

These more strict control mechanisms have the direct implication that cookies are not used and so each and every request needs to be re-authenticated. This stateless architecture plays well with REST APIs and their Statelessness constraint. They also work well with authentication mechanisms such as Basic and Digest Authentication.
Authentication sonucunda SecurityContextPersistenceFilter sınıfında NullSecurityContextRepository kulanıldığı için artık Http Session'a Cookie yazılmaz. Açıklaması şöyle
Before executing the Authentication process, Spring Security will run a filter responsible with storing the Security Context between requests – the SecurityContextPersistenceFilter. The context will be stored according to a strategy – HttpSessionSecurityContextRepository by default – which uses the HTTP Session as storage.

For the strict create-session=”stateless” attribute, this strategy will be replaced with another – NullSecurityContextRepository – and no session will be created or used to keep the context.
Örnek - ALWAYS
Şöyle yaparız.
HttpSecurity http = ...;
http.sessionManagement()
      .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
      .enableSessionUrlRewriting(true)
Örnek - NEVER
Şöyle yaparız.
@Override
public void configure(HttpSecurity http) throws Exception {
  http
  .csrf()
    .disable()
  .sessionManagement()
   .sessionCreationPolicy(SessionCreationPolicy.NEVER)
  .and()
  .authorizeRequests()
    .antMatchers("/v2/api-docs").permitAll()
    .antMatchers("/swagger-ui.html").permitAll()
    .antMatchers("/swagger-resources").permitAll()
    .antMatchers("/images").permitAll()
    .antMatchers(HttpMethod.OPTIONS, "/**").permitAll();
}
Örnek - STATELESS
Şöyle yaparız.
http.sessionManagement()
  .sessionCreationPolicy(SessionCreationPolicy.STATELESS); 
sessionFixation metodu
Her yeni giriş için yeni bir session id yaratır. Session Fixation saldırısına karşı korur
Örnek
Şöyle yaparız
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .sessionFixation().migrateSession()
        .sessionIds().useSecureCookie(true)
        .sessionIds().sessionConcurrency(1, 1);
  }
}
Açıklaması şöyle
By default, Java generates session IDs that are based on a predictable algorithm. This can make it easier for attackers to hijack a user’s session. To prevent this, you can use a secure session ID generator that uses a random number generator and a cryptographically secure hash algorithm to generate session IDs.

In this example, we are using Spring Security to configure our session management settings. We are setting the session creation policy to STATELESS to prevent the server from creating a session for each user. We are also enabling session fixation protection by calling the migrateSession() method, which ensures that a new session ID is generated each time a user logs in. Finally, we are setting the useSecureCookie flag to true to ensure that session cookies are transmitted over a secure HTTPS connection.
sessionConcurrency metodu
Örnek
Şöyle yaparız
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .sessionFixation().migrateSession()
        .sessionIds().useSecureCookie(true)
        .sessionIds().sessionConcurrency(1, 1)
        .invalidSessionUrl("/login?expired=true")
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true)
        .expiredUrl("/login?expired=true");
  }
}
Açıklaması şöyle
In this example, we are using Spring Security to set a maximum session limit of one, which means that if a user logs in from a different device or browser, their original session will be invalidated. We are also setting the maxSessionsPreventsLogin flag to true, which means that if a user reaches their maximum session limit, they will be prevented from logging in from any other device or browser until they log out from their original session.

By using these secure session management techniques, you can help protect user sessions from attacks like session hijacking or session fixation. It’s important to choose a session management strategy that meets the specific needs of your application and to thoroughly test your session management implementation for vulnerabilities.
setSessionRegistry metodu
SessionRegistry yazısına taşıdım