Skip to content

joshlong-attic/2025-03-26-rob-and-josh-security-talk

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

2025-03-26-rob-and-josh

Hi, Spring fans! In which the heroes secure the way.

For the configuration, see this repo

where we are (rob + his trusty sidekick josh)

  • both: intros

  • introduce authentication in the abstract (call it auth)

  • start.spring.io

  • jdbc, postgresql, jdbc, web, authorization server, security, devtools , testcontainers

  • add webauthn manually

  • go to test main method, add @RestartScope

  • RW: security 101 + spring security 101 (authentication, authorization)

  • introduce in-memory UserDetailsService for user management

  • PasswordEncoderFactories to encode passwords

  • great but this is a password and its in memory

  • copy ~/Desktop/desjardins/auth/src/main/resources ~/Downloads/auth/src/main/resources

  • rm application.properties

  • JDBC + JdbcUserDetailsManager + UserDetailsPasswordService (which injects JdbcUserDetailsManager)

  • inspect SQL DB and verify passwords are sha prefixed: run bin/db.sh to login to DB

  • login

  • inspect SQL DB again and verify passwords are bcrypt

  • passwords done well are still passwords.

  • passkeys: josh does code but no idea where to go after

  • passkeys + webauthn: http://localhost:8080

  • RL: walk josh through registering and using a passkey via iPhone / separate device

  • passkeys + webauthn: http://localhost:8080

  • MAKE SURE TO START QuickTime and use Josh’s iPhone as the camera from macOS so people can see my iPhone activity

  • RL: walk josh through registering and using a passkey via iPhone / separate device

  • RL: explanation of the details

  • alternatively, sometimes u may just want a slightly easier-to-ensure alternative factor. Enter OTT.

  • one time tokens/magic links: use localhost:8080: login/ott?token=…​

  • this is great but its only one service, lets centralize. maybe OAuth

  • RW: OAuth for fun and profit!

  • turn into a Spring Auth Server

  • stand up a trivial service resource server

  • hello, rwinch!

  • stand up a client (oauth client)

  • RestClient + token manually

  • RestClient + autoconfig

  • proxy with Spring Cloud Gateway + Oauth client

  • /api/**resource

  • /** → CDN with vue app

++ (rob)

  • Testjars

  • Lots of moving parts require a detailed README, but we saw testcontainers can help for database, but what about our apps

  • testcontainers simple for authz and service

  • testcontainers for the real authz and service

- method security

where we’re going (rob)

TBD

curtsy.

TBD

About

Hi, Spring fans! In which the hero secures the way

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors 2

  •  
  •