Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
I'm making an Spring MVC application, with some users but only ONE role for all (user_role). Do you think is necessary to implement Spring Security even taking only one role in my application?
Thanks,
Security is more than simply authorization (given I know how the user is, are they allowed to access the resource). Fortunately, Spring Security provides an easy means to do more than authorization:
Security is also about authentication. Authentication is securely identifying who the user is (i.e. comparing a username/password). This may seem trivial, but keep in mind you should store passwords securely (i.e. using BCrypt), ensure you protect against session fixation attacks, protect against timing attacks, etc. All of these Spring Security provides for you out of the box.
There are all sorts of attack vectors that Spring Security helps protect against (i.e. CSRF, XSS, Content Sniffing, Click Jacking, etc). You can implement all of these protections yourself, but first you need to know the attack exists (many of these are protected without any additional work on your side), then you need to understand how to secure your application from the attack (and keep this information up to date), the list goes on.
Providing defense in depth is critical to security. Spring Security allows you to easily add method based security as well as URL based security.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
Im currently new to end to end testing and planning to do load testing for a website I am currently working on. Im currently looking into jmeter and studying how to use it. My question is, would it make sense to only use one credential for the test? So basically I will be using my credentials then would throwing same HTTP requests multiple times to the server to simulate several users logging in and using the website.
Also if there are other ways to do load testing without using more than one credentials would be helpful!
Thanks in advance for the help!
It depends on your use cases and your site implementation, possible problems could be:
The site may not allow multiple logins under the same credentials like subsequent login will "throw out" the previously logged in user(s)
Depending on how session is being established/maintained you may receive the same Cookies for the same login
Most probably you will be able to implement browsing, but CRUD operations can be a big question mark
From JMeter's perspective it is not a problem to use only one account, any constraints will be on the system under test side.
Ideally you should treat each JMeter thread (virtual user) as the real user and it worth creating that many users as you plan to simulate and use CSV Data Set Config to parameterize your JMeter test so each virtual user could have its own credentials
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
My spring OAuth2.0 authorization micrservice is extremely slow. It takes 450+ms to check a token.Generating tokens takes 1.6s and above. What could be the reason? How can I improve the performance of my microservice ?
Details:
Auth and Microservices are running on my laptop
The time I mentioned is for the auth server with requests from only one microservice
Thanks in advance
Download a tool such as VisualVM to perform profiling of your application.
I would also record the elapsed time of individual methods to determine exactly which methods are taking the longest amounts of time.
Once you can verify exactly what code is taking awhile, you can attempt JVM optimizations, or review the code (if you're using an external library) and verify the implementation.
There might be three reasons,
Your services might be in different regions and OAuth2 server might be central one and in different region. If this is the case create instance of OAuth servers in all regions which you use so that your latency can be improved.
Check the Encryption techniques you used. always it's preferred to use SHA-256 Hashing but this might not be complete reason in some cases this could help.
Check your OAuth server Capacity, i.e. it's RAM processor and Storage volume. It might also be reason that multiple services makes same /generatetoken call to server and Tomcat makes it as One Thread per request and if this the case configuring your connection pool will also help.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 years ago.
Improve this question
In my microservice architecture project ,it would have oauth service to authenticate the user and the gateway work as the front end api.
My question is where to write the register logic ?
In the oauth service or in the gateway?
Finally solution:
I do that in the user service and call from the gateway. Everything seems to work fineļ¼
I believe best way is to place all authorization logic into library that is shared across microservices via private artifact repository. This library can configuration beans that can be component scanned when this JAR library is on classpath. component scan might be automatic, if you structure your packages wisely. Or you may want to make that scanning or including this shared logic explicit.
This way you might remove OAuth authorization logic duplication, which would otherwise be present.
Of course I am assuming that your microservices are Spring/Java based. If your microservices would vary programming languages, your authorization logic will be duplicated.
BTW, via shared library, you can cover also other cross cutting concerns of your Java/Spring microservices (monitoring, error hangling...). I've seen this working very well for teams working on 20+ microservices.
EDIT: Original response container workd "authentication", but I meant "authorization". Sorry for that confusion. "Authentication" should be in OAuth performed by separate dedicated service. This is not cross cutting concern, because there will be only one service accepting crendentials and returning back Oauth token. The best solution is to use third party OAuth provider, because you don't need to deal with credentials -> less security concerns for you. "Authorization" is cross cutting concern.
User registration is a separate bounded context so a separate microservice is the best approach. There is a blog post about this here.
Authentication is a cross cutting concern that could be handled by the API Gateway. This would free the upstream microservices of this responsibility - their main job is not verifying that a user is who he claims to be.
Authorization should be the responsibility of a dedicated microservice. It could be called by the API Gateway or by individual microservices.
P.S. My answer assumes that the microservices are not directly accessible from the outside, they can be reached only by the API Gateway.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
I usually worry about memory corruption with leaving my public and private keys in memory for access throughout my applications. I'm very new to Go and I'm wondering what the best practice is for making these keys available.
Is Go safe enough that I should be able to store these in memory, no problem. Or should I only keep my public key in memory for validation and load my private key every time I need to sign a token?
What you're probably looking for is called a Hardware Security Module (HSM). With AWS and Google Cloud the HSM is wrapped and access is provided via a Key Management Service API.
This essentially separates your keys from your server in a similar way a Yubikey affords protection for laptop/desktop encryption keys.
AWS provides both "CloudHSM" and "KMS";
https://aws.amazon.com/cloudhsm/
https://aws.amazon.com/kms/
https://docs.aws.amazon.com/sdk-for-go/api/service/kms/
Google Cloud provides "Cloud KMS"
https://cloud.google.com/kms/
https://cloud.google.com/kms/docs/reference/libraries#client-libraries-install-go
If you use these services it means you submit raw data to the API and receive back encrypted data or to decrypt submit the encrypted data. In practise this limits the ability of an attacker to steal your keys, offsite the data, and decrypt in bulk. Access Control is managed through IAM. If your sites compromised they can still decrypt the data on the compromised servers which requires that you monitor "normal" behaviour for KMS requests. It doesn't eliminate the threat but it can help minimise the impact.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I'm writing an web application where I'm using python-eve + mongodb for rest api and angular2 for front end.
Now I'm not sure how to manage user session in python-eve after authentication.
Do I need to write custom middle-ware like Django provide by default?
Any help would be appreciated.
Thanks,
Shashank
Well you are using a REST API and one of the core principles of REST is, precisely, the lack of state/session. Each request carries an authorisation token (or equivalent info depending on the type of authentication) since the server does not maintain state between sessions.
With this being said I know that people have been doing exactly what you are asking for, but really, I would not do that in a REST context.