Default Password Encoder in Spring Security 5

https://www.baeldung.com/spring-security-5-default-password-encoder

org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder


ref:
https://openhome.cc/Gossip/Spring/SpringSecurity.html

從 Spring Security 5 開始，強制必須對密碼進行編碼，具體而言，方式之一就是直接指定 PasswordEncoder，在這邊使用的是 BCryptPasswordEncoder，並透過 encode 對密碼編碼，實際上這會是在使用者註冊時進行這動作，不過這邊先暫且寫在設定檔裡。

BCryptPasswordEncoder 實作了 bcrypt 加密演算法，是 Spring 官方推薦的加密方式，它會使用一個加鹽的流程以防禦彩虹表攻擊，就算是相同的密碼，因為每次產生的鹽值不同，編碼後的結果也就不會相同（鹽值會包含在編碼後的結果之中，不過 bcrypt 屬於 Slow Hash Function 手法，也就是破解它的時間成本高，高到可以讓攻擊者放棄）。

Intro to Spring Security Expressions

https://www.baeldung.com/spring-security-expressions

Reload Templates without Restarting the Container

https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-hotswapping

Thymeleaf Templates

If you use Thymeleaf, set spring.thymeleaf.cache to false. See ThymeleafAutoConfiguration for other Thymeleaf customization options.

FreeMarker Templates

If you use FreeMarker, set spring.freemarker.cache to false. See FreeMarkerAutoConfiguration for other FreeMarker customization options.

Groovy Templates

If you use Groovy templates, set spring.groovy.template.cache to false. See GroovyTemplateAutoConfiguration for other Groovy customization options.

DEMO:
https://github.com/imrexhuang/Spring-Boot-Security-Thymeleaf-Demo

spring-projects-experimental/spring-native

https://github.com/spring-projects-experimental/spring-native

GraalVM Native Image: Spring VS Quarkus
https://medium.com/swlh/graalvm-native-image-spring-vs-quarkus-a738263df069

gu install wasm

Run WebAssembly
https://www.graalvm.org/docs/getting-started/#run-webassembly

gu install native-image

[xxxxx@localhost ~]$ gu install native-image
Downloading: Component catalog from www.graalvm.org
Processing Component: Native Image
Downloading: Component native-image: Native Image  from github.com
Installing new component: Native Image (org.graalvm.native-image, version 21.0.0.2)

ref:
https://www.graalvm.org/docs/getting-started/

Using the Quarkus Framework on Fedora Silverblue

https://fedoramagazine.org/using-the-quarkus-framework-on-fedora-silverblue-just-a-quick-look/

Installing Silverblue
https://docs.fedoraproject.org/en-US/fedora-silverblue/installation/

RHEL找出java實際安裝路徑

顯示安裝的是jdk11

顯示的版本卻是jdk8
[root@localhost ]# java -version
openjdk version "1.8.0_282"
OpenJDK Runtime Environment (build 1.8.0_282-b07)
OpenJDK 64-Bit Server VM GraalVM CE 21.0.0.2 (build 25.282-b07-jvmci-21.0-b06, mixed mode)


後來才發現是graalvm底下的jdk
[root@localhost ]# readlink -f $(which java)
/graalvm/bin/java

ref:
https://stackoverflow.com/questions/33104982/how-to-get-java-path-in-centos

RHEL和CentOS切換Java版本

sudo alternatives --config java

ref:
https://phoenixnap.com/kb/install-java-on-centos

QUARKUS - 用 MAVEN 构建应用

https://quarkus.pro/guides/maven-tooling.html

COMPILING YOUR QUARKUS APPLICATIONS TO NATIVE EXECUTABLES

https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/1.7/html-single/compiling_your_quarkus_applications_to_native_executables/index

Redhat官方的quarkus demo code

https://github.com/redhat-developer-demos/quarkus-tutorial

(1)
sudo yum install maven

備註:需要3.5.3以上版本
可用mvn --version指令查看目前版本

RHEL更新Maven方式：
https://computingforgeeks.com/installing-latest-apache-maven-on-centos-fedora/
需先sudo yum remove maven


(2)
git clone https://github.com/redhat-developer-demos/quarkus-tutorial.git

(3)
cd quarkus-tutorial

(4)
export TUTORIAL_HOME='pwd'
export QUARKUS_VERSION=0.21.2

(5)
mvn "io.quarkus:quarkus-maven-plugin:$QUARKUS_VERSION:create" \
  -DprojectGroupId="com.example" \
  -DprojectArtifactId="fruits-app" \
  -DprojectVersion="1.0-SNAPSHOT" \
  -DclassName="FruitResource" \
  -Dpath="fruit"

(6)
確認檔案已產生
cd fruits-app
ls -al

(7)
已開發模式啟動(具備Hot Reload功能)
./mvnw compile quarkus:dev

(8)
啟動後會看到以下訊息
2021-02-24 21:10:49,700 WARN  [io.qua.dep.QuarkusAugmentor] (main) Using Java versions older than 11 to build Quarkus applications is deprecated and will be disallowed in a future release!
2021-02-24 21:10:52,875 INFO  [io.quarkus] (Quarkus Main Thread) fruits-app 1.0-SNAPSHOT on JVM (powered by Quarkus 1.12.0.Final) started in 0.700s. Listening on: http://localhost:8080
2021-02-24 21:10:52,882 INFO  [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.
2021-02-24 21:10:52,882 INFO  [io.quarkus] (Quarkus Main Thread) Installed features: [cdi, resteasy]

=======以下是改用Native模式編譯
(9)
oc new-project quarkustutorial

(10)
編譯成native executable(需安裝GraalVM)
./mvnw package -DskipTests -Pnative

Windows平台編譯問題請參考以下文章
https://quarkus.io/guides/building-native-image#producing-a-native-executable

如果沒安裝GraalVM，使用container runtime(預設是使用docker，可用下方指令指定)
./mvnw package -DskipTests -Pnative -Dquarkus.native.container-build=true
https://quarkus.io/guides/building-native-image#quarkus-native-pkg-native-config_quarkus.native.container-build

https://quarkus.io/guides/building-native-image
By default Quarkus automatically detects the container runtime. If you want to explicitely select the container runtime, you can do it with:
# Docker
./mvnw package -Pnative -Dquarkus.native.container-build=true -Dquarkus.native.container-runtime=docker

# Podman
./mvnw package -Pnative -Dquarkus.native.container-build=true -Dquarkus.native.container-runtime=podman

Quarkus開發模式的Hot reload

指令
./mvnw compile quarkus:dev

log檔
2021-02-23 01:52:03,239 INFO  [io.qua.dep.dev.RuntimeUpdatesProcessor] (vert.x-worker-thread-5) Changed source files detected, recompiling [/home/javadev/fruits-app/src/main/java/com/example/FruitResource.java]
2021-02-23 01:52:04,184 INFO  [io.qua.dep.dev.RuntimeUpdatesProcessor] (vert.x-worker-thread-5) Application restart not required, replacing classes via instrumentation
2021-02-23 01:52:04,258 INFO  [io.qua.dep.dev.RuntimeUpdatesProcessor] (vert.x-worker-thread-5) Hot replace performed via instrumentation, no restart needed, total time: 1.020s

OWASP Encode forHtml和forJava的差異

Encode.forHtml：
可防範XSS(Cross-Site Scripting)，會把「<」、「&」、「>」、「"」、「""」這類的特殊字元取代成「&lt;」、「&amp;」、「&gt;」、「&#34;」、「&#34;&#34;」。
但是不會取代「換行字元」，無法防範Log Forging (日誌偽造)，防範Log Forging一定要取代「換行字元」

Encode.forJava：
可防範Log Forging (日誌偽造)，會把「換行字元」取代

Source Code：
https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encode.java

官網：
https://owasp.org/owasp-java-encoder/
目前最新版是1.2.3，可用在Java 5以上的專案。

encoder-jsp-1.2.3.jar是JSP tag方式使用，jsp檔需要聲明taglib如下
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>

encoder-1.2.3.jar是直接透過Method方式呼叫使用，可以用於一般java程式。

REF：
https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html

awesome-java-security

 https://github.com/guardrailsio/awesome-java-security