Springboot Security

1---2name: springboot-security3description: Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.4origin: ECC5---6 7# Spring Boot Security Review8 9Use when adding auth, handling input, creating endpoints, or dealing with secrets.10 11## When to Activate12 13- Adding authentication (JWT, OAuth2, session-based)14- Implementing authorization (@PreAuthorize, role-based access)15- Validating user input (Bean Validation, custom validators)16- Configuring CORS, CSRF, or security headers17- Managing secrets (Vault, environment variables)18- Adding rate limiting or brute-force protection19- Scanning dependencies for CVEs20 21## Authentication22 23- Prefer stateless JWT or opaque tokens with revocation list24- Use `httpOnly`, `Secure`, `SameSite=Strict` cookies for sessions25- Validate tokens with `OncePerRequestFilter` or resource server26 27```java28@Component29public class JwtAuthFilter extends OncePerRequestFilter {30  private final JwtService jwtService;31 32  public JwtAuthFilter(JwtService jwtService) {33    this.jwtService = jwtService;34  }35 36  @Override37  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,38      FilterChain chain) throws ServletException, IOException {39    String header = request.getHeader(HttpHeaders.AUTHORIZATION);40    if (header != null && header.startsWith("Bearer ")) {41      String token = header.substring(7);42      Authentication auth = jwtService.authenticate(token);43      SecurityContextHolder.getContext().setAuthentication(auth);44    }45    chain.doFilter(request, response);46  }47}48```49 50## Authorization51 52- Enable method security: `@EnableMethodSecurity`53- Use `@PreAuthorize("hasRole('ADMIN')")` or `@PreAuthorize("@authz.canEdit(#id)")`54- Deny by default; expose only required scopes55 56```java57@RestController58@RequestMapping("/api/admin")59public class AdminController {60 61  @PreAuthorize("hasRole('ADMIN')")62  @GetMapping("/users")63  public List<UserDto> listUsers() {64    return userService.findAll();65  }66 67  @PreAuthorize("@authz.isOwner(#id, authentication)")68  @DeleteMapping("/users/{id}")69  public ResponseEntity<Void> deleteUser(@PathVariable Long id) {70    userService.delete(id);71    return ResponseEntity.noContent().build();72  }73}74```75 76## Input Validation77 78- Use Bean Validation with `@Valid` on controllers79- Apply constraints on DTOs: `@NotBlank`, `@Email`, `@Size`, custom validators80- Sanitize any HTML with a whitelist before rendering81 82```java83// BAD: No validation84@PostMapping("/users")85public User createUser(@RequestBody UserDto dto) {86  return userService.create(dto);87}88 89// GOOD: Validated DTO90public record CreateUserDto(91    @NotBlank @Size(max = 100) String name,92    @NotBlank @Email String email,93    @NotNull @Min(0) @Max(150) Integer age94) {}95 96@PostMapping("/users")97public ResponseEntity<UserDto> createUser(@Valid @RequestBody CreateUserDto dto) {98  return ResponseEntity.status(HttpStatus.CREATED)99      .body(userService.create(dto));100}101```102 103## SQL Injection Prevention104 105- Use Spring Data repositories or parameterized queries106- For native queries, use `:param` bindings; never concatenate strings107 108```java109// BAD: String concatenation in native query110@Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)111 112// GOOD: Parameterized native query113@Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)114List<User> findByName(@Param("name") String name);115 116// GOOD: Spring Data derived query (auto-parameterized)117List<User> findByEmailAndActiveTrue(String email);118```119 120## Password Encoding121 122- Always hash passwords with BCrypt or Argon2 — never store plaintext123- Use `PasswordEncoder` bean, not manual hashing124 125```java126@Bean127public PasswordEncoder passwordEncoder() {128  return new BCryptPasswordEncoder(12); // cost factor 12129}130 131// In service132public User register(CreateUserDto dto) {133  String hashedPassword = passwordEncoder.encode(dto.password());134  return userRepository.save(new User(dto.email(), hashedPassword));135}136```137 138## CSRF Protection139 140- For browser session apps, keep CSRF enabled; include token in forms/headers141- For pure APIs with Bearer tokens, disable CSRF and rely on stateless auth142 143```java144http145  .csrf(csrf -> csrf.disable())146  .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));147```148 149## Secrets Management150 151- No secrets in source; load from env or vault152- Keep `application.yml` free of credentials; use placeholders153- Rotate tokens and DB credentials regularly154 155```yaml156# BAD: Hardcoded in application.yml157spring:158  datasource:159    password: mySecretPassword123160 161# GOOD: Environment variable placeholder162spring:163  datasource:164    password: ${DB_PASSWORD}165 166# GOOD: Spring Cloud Vault integration167spring:168  cloud:169    vault:170      uri: https://vault.example.com171      token: ${VAULT_TOKEN}172```173 174## Security Headers175 176```java177http178  .headers(headers -> headers179    .contentSecurityPolicy(csp -> csp180      .policyDirectives("default-src 'self'"))181    .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)182    .xssProtection(Customizer.withDefaults())183    .referrerPolicy(rp -> rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER)));184```185 186## CORS Configuration187 188- Configure CORS at the security filter level, not per-controller189- Restrict allowed origins — never use `*` in production190 191```java192@Bean193public CorsConfigurationSource corsConfigurationSource() {194  CorsConfiguration config = new CorsConfiguration();195  config.setAllowedOrigins(List.of("https://app.example.com"));196  config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));197  config.setAllowedHeaders(List.of("Authorization", "Content-Type"));198  config.setAllowCredentials(true);199  config.setMaxAge(3600L);200 201  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();202  source.registerCorsConfiguration("/api/**", config);203  return source;204}205 206// In SecurityFilterChain:207http.cors(cors -> cors.configurationSource(corsConfigurationSource()));208```209 210## Rate Limiting211 212- Apply Bucket4j or gateway-level limits on expensive endpoints213- Log and alert on bursts; return 429 with retry hints214 215```java216// Using Bucket4j for per-endpoint rate limiting217@Component218public class RateLimitFilter extends OncePerRequestFilter {219  private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();220 221  private Bucket createBucket() {222    return Bucket.builder()223        .addLimit(Bandwidth.classic(100, Refill.intervally(100, Duration.ofMinutes(1))))224        .build();225  }226 227  @Override228  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,229      FilterChain chain) throws ServletException, IOException {230    String clientIp = request.getRemoteAddr();231    Bucket bucket = buckets.computeIfAbsent(clientIp, k -> createBucket());232 233    if (bucket.tryConsume(1)) {234      chain.doFilter(request, response);235    } else {236      response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());237      response.getWriter().write("{\"error\": \"Rate limit exceeded\"}");238    }239  }240}241```242 243## Dependency Security244 245- Run OWASP Dependency Check / Snyk in CI246- Keep Spring Boot and Spring Security on supported versions247- Fail builds on known CVEs248 249## Logging and PII250 251- Never log secrets, tokens, passwords, or full PAN data252- Redact sensitive fields; use structured JSON logging253 254## File Uploads255 256- Validate size, content type, and extension257- Store outside web root; scan if required258 259## Checklist Before Release260 261- [ ] Auth tokens validated and expired correctly262- [ ] Authorization guards on every sensitive path263- [ ] All inputs validated and sanitized264- [ ] No string-concatenated SQL265- [ ] CSRF posture correct for app type266- [ ] Secrets externalized; none committed267- [ ] Security headers configured268- [ ] Rate limiting on APIs269- [ ] Dependencies scanned and up to date270- [ ] Logs free of sensitive data271 272**Remember**: Deny by default, validate inputs, least privilege, and secure-by-configuration first.