8 hours
- Hard
Free online content available in this course.
Last updated on 2/18/22
Leverage Security Techniques Provided Within Spring Security
Evaluated skills
- Leverage security techniques provided within Spring Security
Question 1
How do you manually configure your security filter chain in Spring Security to prevent a CSRF attack to your web application?
- csrf() clears your session using a POST request and invalidates the cookie in the browser, hence getting rid of any dynamic content the CSRF attacker can use: @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().and().logout().invalidateHttpSession(true); }
- csrf() clears your session using a GET request and invalidates the cookie in the browser, hence getting rid of any dynamic content the CSRF attacker can use: @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().and().logout().onlyHttpSession(false); }
- csrf() clears your session using a POST request and invalidates the cookie in the browser, hence getting rid of any dynamic content the CSRF attacker can use: @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().and().csrfLogout().onlyHttpSession(false); }
- csrf() clears your session by closing your browser and restarting your computer to clear your browser of all cookies and cached files: @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().and().csrf().browserClose(Firefox(),Chrome());.browserOpen(false);.clientRestart(MACOSX(),Windows86x()); }
Question 2
Choose the code snippet below that allows you to disable CSRF.
- @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); }
- @Override protected void configure(Authentication auth) throws Exception { auth.csrf().disable(); }
- @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().enable(); }
- @Controller public class HomeController { @GetMapping(path="/*") public String csrf(HttpSecurity http) { return "enable"; } }
Question 3
CORS attack protection is used to prevent attacks that redirect a user from your site to a malicious host. How does Spring Security prevent this type of attack through its out-of-the-box protection?
- By default, cors() checks each authenticated GET, POST, PUT, OPTIONS, HEAD, and DELETE HTTP request for a cookie proving authentication. If the cookie is not there, the request is blocked. It also blocks requests from a different host, but allows them if they come from the same host on a different port.
- By Spring Security default, cors() checks the header of HTTP requests for an authorization token or cookie to allow the request. It also blocks any requests with a destination different from the origin host and/or port.
- By default, cors() checks each HTTP request for an OAuth 2.0 authorization code from the server. If the code is not there, the request is blocked. It also blocks requests from the same origin.
- By default, cors() checks each authenticated GET, POST, PUT, and DELETE HTTP request for a chocolate chip cookie. If the cookie is not there, the request is blocked.