Questions tagged [spring-framework]

The Spring Framework is an application development framework for Java.

38 questions

1 vote · 0 answers

OAuth 2.0 | How to manage a user session in a Single Page Application running in an iframe?

I'm new to the security domain, and recently I have learned about OAuth 2.0/OpenID Connect and JWT tokens. I have an existing REST-based web application where I need to implement security. Server Application A: Spring Boot back-end application server,…
1 vote · 2 answers

2 Factor Authentication -> When to Request it?

I want to implement 2FA in my application. I am a relatively new developer (~1 year Spring Boot / Android). At the moment, my app uses Spring Security AuthenticationProviders to authenticate a user only by their username/password combo using…
Jcov · 111 · 1
1 vote · 1 answer

Who can access the X-CSRF token?

I'm really confused about a CSRF token implementation in a Spring web app that I've inherited. Basically, everyone can request the token by looking at what Spring Security filters do: http .exceptionHandling() …
phantasos · 13 · 2
1 vote · 1 answer

Anti-CSRF scanner still alerts after adding _csrf token to login form

I am working on a Spring MVC project. I applied a CSRF token to the login form by enabling it in Spring Security. When I go to the login page, I can see that a CSRF token is generated automatically with the name _csrf. But when I use ZAP to scan the…
1 vote · 1 answer

Remote detection of the Spring framework

I would like to know if there is a remote way to understand whether a web app uses the Spring framework, in particular Spring Security. Is there any kind of analysis of HTTP headers that can provide information about it?
sgargel · 111 · 4
1 vote · 0 answers

Reduce form spam without external dependencies or false positives

I'm working on a Java Spring project with a team and have been facing form spam issues. We are seeing a large number of requests that use generated & falsified information (i.e. everyone's names are generic, emails follow the same syntax, birthdays are 1/1 of…
Chris · 111 · 1
1 vote · 1 answer

Server pagination with key in response to fetch next page

I want to introduce pagination in one of my server endpoints. The endpoint will have an option to include in the parameter the last index of the previous page, and if included, the "page" returned will start from the first index bigger than the last…
Nadav96 · 193 · 6
1 vote · 0 answers

Securing a B2B (server to server) multi-tenant REST API

I am developing a B2B multi-tenant REST API which will be invoked by a tenant's (wallet provider) server application (a secure or confidential client) to perform some operations on its users' accounts. The users' authentication information stays with…
nitin · 11 · 1
1 vote · 0 answers

Securing a REST endpoint for 3rd party applications to connect to

I'm generating a REST database service for an Android application to connect to, and have little to no security experience. The service currently uses OAuth2 to secure a web front end with a Spring Boot application. I want to expose a REST service…
0 votes · 0 answers

Modelling authorization on the basis of authentication method

At work we are starting to consider a replacement for an old system. The new system will use the Spring framework. The security model is pretty simple: it is open to the general public. Each one of our customers can identify himself by one of…
SJuan76 · 103 · 3
0 votes · 1 answer

Impact of setting allowUrlEncodedPercent to true in StrictHttpFirewall

I need to implement a public REST API that manipulates usernames. So I have an endpoint that looks like GET http://.../api/users/ where username can contain special characters (slashes, percents...) that are URL encoded (e.g. if my…
R. Aubel · 3 · 1
0 votes · 2 answers

Storing Session Id in application logs

Short version: Is it not recommended to store sessionId in log files/database in plaintext (considering it may put active sessions at risk)? If yes, why do I see many queries on how to log sessionId? Details: I have come across multiple resources…
ramtech · 103 · 3
0 votes · 0 answers

Scope Narrowing Access Token with Refresh token

I have recently picked up the OAuth2 spec and decided to use Keycloak as an auth server. I am facing difficulties in a certain aspect. I want to be able to request multiple access tokens with narrow scope when a user is first authenticated or…
0 votes · 3 answers

Understanding the difference between POST and PUT when securing against CSRF

Several of my Spring Security based projects expose a RESTful API that supports the full range of HTTP verbs: GET, POST, PUT, PATCH, DELETE, etc. For those projects only using GET and POST, everything works as expected. When using PUT, however, I…
Faron · 103 · 1
0 votes · 2 answers

Which Authentication mechanism to choose for PCI-DSS system

I want to create an Angular 9 + Spring Boot application with strong security, compliant with the PCI-DSS security standard. Which security protocol is preferred for user sessions in order to have high security when we use Angular and Spring Boot: Session…
Peter Penzov · 131 · 2