Last updated on 12/11/19

Leverage Security Techniques Provided Within Spring Security

Evaluated skills

  • Leverage security techniques provided within Spring Security
  • Question 1

     How do you manually configure your security filter chain in Spring Security to prevent a CSRF attack on your web application?

    • csrf() clears your session using a POST request and invalidates the cookie in the browser, hence getting rid of any dynamic content the CSRF attacker can use.

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .formLogin()
              .and()
              .logout()
              .invalidateHttpSession(true);
      }
    • csrf() clears your session using a GET request and invalidates the cookie in the browser, hence getting rid of any dynamic content the CSRF attacker can use.

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .formLogin()
              .and()
              .logout()
              .onlyHttpSession(false);
      }
    • csrf() clears your session using a POST request and invalidates the cookie in the browser, hence getting rid of any dynamic content the CSRF attacker can use.

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .formLogin()
              .and()
              .csrfLogout()
              .onlyHttpSession(false);
      }
    • csrf() clears your session by closing your browser and restarting your computer to clear your browser of all cookies and cached files.

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .formLogin()
              .and()
              .csrf().browserClose(Firefox(), Chrome());
              .browserOpen(false);
              .clientRestart(MACOSX(), Windows86x());
      }
  • Question 2

    Choose the code snippet below that allows you to disable CSRF.

    • @Override
      protected void configure(HttpSecurity http) throws Exception {
          http.csrf().disable();
      }
    • @Override
      protected void configure(Authentication auth) throws Exception {
          auth.csrf().disable();
      }
    • @Override
      protected void configure(HttpSecurity http) throws Exception {
          http.csrf().enable();
      }
    • @Controller
      public class HomeController {
          @GetMapping(path = "/*")
          public String csrf(HttpSecurity http) {
              return "enable";
          }
      }
  • Question 3

    CORS attack protection is used to prevent attacks that redirect a user from your site to a malicious host. How does Spring Security prevent this type of attack through its out-of-the-box protection?

    • By default, cors() checks each authenticated GET, POST, PUT, OPTIONS, HEAD, and DELETE HTTP request for a cookie proving authentication. If the cookie is not there, the request is blocked. It also blocks requests from a different host, but allows them if they come from the same host on a different port.

    • By Spring Security default, cors() checks the header of HTTP requests for an authorization token or cookie to allow the request. It also blocks any requests with a destination different from the origin host and/or port.

    • By default, cors() checks each HTTP request for an OAuth 2.0 authorization code from the server. If the code is not there, the request is blocked. It also blocks requests from the same origin.

    • By default, cors() checks each authenticated GET, POST, PUT, and DELETE HTTP request for a chocolate chip cookie. If the cookie is not there, the request is blocked.