Questions tagged [spring-framework]

The Spring Framework is an application development framework for Java.

38 questions
37 votes, 2 answers

Is emailing sign in links bad practice?

In my Spring application, I was planning to remove passwords from the authentication process by sending a "magic sign-in link" to a user's email address. However, in this question Rob Winch (lead of Spring Security) says the following: Be careful…
10 votes, 2 answers

CSRF in microservice architecture

What should be the proper way to implement CSRF protection in a microservice architecture, where services are stateless? Put CSRF verification at the system entry, e.g. the gateway? With this option I can't guarantee that the customer gateway will do this. Or on…
d-sauer
7 votes, 2 answers

Why does Spring Security unset and set the same Cookie in one Request?

In the CSRF implementation of Spring Security (https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java#L57) they first "delete" the XSRF-TOKEN-Cookie…
waXve
5 votes, 2 answers

CSRF token not bound to session in Spring application

We're developing a Spring application with Spring Security. After doing some pen testing, one of the test results was a vulnerability: Cross-Site Request Forgery Token is not bound to user context. We started to play around a little with tokens in…
flooose
4 votes, 2 answers

False positive SQL Injection by ZAP with adding new parameter query

I have a Spring MVC web application and am running a ZAP active scan on it. I noticed that ZAP will modify the URL and add an additional parameter named query with the value query+AND+1%3D1+--+ to test for SQL injection. And in my case, it raises HIGH MEDIUM SQL…
Hima
4 votes, 1 answer

Need advice on API key & secret generation?

While working on a Java project using Spring-boot, Spring-security and JWT token, I need to provide access via API key and secret. After searching on Google for a while about key/secret generation, here is what I found: For key generation, it seems…
Eric
4 votes, 2 answers

Securing Micro Services Architecture internally

I am implementing a solution with a set of Micro Services (Spring Rest Services) with Rabbit MQ as the message broker. The Edge server is Authenticated using an OAuth based Identity server. Internal Micro Services calls are not Authorized or…
user3496510
4 votes, 0 answers

Calling methods with Expression Language Injection in Spring Framework?

I'm currently on a pentest and I've come across a URL parameter which is vulnerable to Expression Language (EL) injection and I can prove that by accessing properties such as ${pageContext}. However, it appears that I have access to Java object…
DarkMantis
3 votes, 1 answer

Can a user be redirected to a malicious website if only a part of the URL can be controlled by user input?

I have a site located at https://gooddomain.com/wonderful?returnPath=goodThings which redirects me to https://gooddomain.com/somegoodplace/goodThings At the server side, the redirect is defined by String path =…
hax
2 votes, 0 answers

Is it correct to use AWS Cognito groups as user roles?

I'm trying to implement authN/authZ for my application using Spring Security 5.2.2 and the OAuth2/OpenID Connect protocols. I use AWS Cognito as an identity provider and I'm trying to implement role-based authorization for my application. I've created…
Kirill
2 votes, 1 answer

How does one determine what strength parameter to pass to BCryptEncoder (default is 10) in Spring Java?

The Spring documentation doesn't say much, just that the default strength is 10. How does one determine when using increased strength might be warranted and what the trade-off is?
2 votes, 1 answer

Am I missing any loopholes with my current session management?

I'm building a site with Spring, which requires authentication in order to access certain pages. The site is actually composed of a client host, which renders the views and handles the data binding, and a REST API host (built with Spring as well),…
Nadav96
2 votes, 1 answer

Authentication Token storing after database authentication

I've worked on a Spring 4 MVC RESTful backend application. We authenticate to an OpenAM server, and a lengthy token is stored in a cookie on the front-end. The front-end takes the token out of the cookie, and passes it back as a header in every…
tjholmes66
1 vote, 1 answer

Spring4Shell correction in Tomcat

We use Tomcat, and version Tomcat 9.0.62 is supposed to fix the spring4shell vuln. To what extent is it the case? Are we safe not to upgrade to the latest Spring version?
veronicam
1 vote, 0 answers

SPA OAuth2 and Backchannel (Client)

I am having problems defining the flow of an application that is supposed to be authenticated / authorized securely with an SPA frontend. Currently using an SPA with a Spring application server as a backchannel / client for OAuth2. The Spring…