Secure session management using spring security for microservices

Hola folks 👋 I’m Ankita Sinha, an MTech CSE student doing a specialization in Information Security. This is a team project. All the team members Soumadeep Dhar, Ankita Sinha, and Ravi Kumar Gubbala. This article is about secure session management using spring security as the title suggests.

A Web application is a widely used technology today due to its flexibility in delivering serval services worldwide. With this, various factors like security, authentication, session management, etc., are managed. Session management pacts with how the specific users will be logged in the application for a granted time span during which stipulated. However, it might be possible that multiple attacks can happen. These threats can be mitigated using the Spring security framework. We are implementing secure session management for microservices that can be tamper or intrusion-proof for web-based applications.

1. INTRODUCTION

Microservices is a service-oriented architecture where the applications are developed to collect small services instead of a single whole application. Rather than a monolithic application, numerous autonomous applications can operate independently and are built using different programming languages. Using microservices, large and complex applications can be created with more straightforward and independent programs which are implementable by themselves. These small programs are clustered together to provide all the features of the extensive, monolithic application. Microservices are gradually more utilized in developing an application worldwide as developers create more extensive and more complex applications. These applications are developed and administered as a combination of relatively small services that run cohesively for more comprehensive, application-wide functionality. Tools have been developed to fulfill the demands and develop applications using a piece-by-piece methodology which is, easy to handle and less disorienting than the traditional way of developing an application.

Figure 1: Components of Network

A web application is a software that is running on a web server. Web applications can be accessed by a user through a web browser like chrome, brave, internet edge, etc., along with an active network connection. Such applications have been programmed using a client-server architecture where the user, i.e., the client, provides service via an off-site server hosted by a third party. Thus, web applications are known as websites. Web application security is an approach to protect websites and their online services against various threats that exploit the application’s vulnerabilities. Some common targets for web application attacks are content management systems, database administration tools, session management systems, etc.

Session management is the procedure of securely managing several requests of a web-based application or service from a user or an entity. Websites and browsers make use of HTTP services to communicate, and the session is a set of HTTP requests and transactions, i.e., initiated by the same user. Usually, a session is triggered whenever a user authenticates their identification via a password or a different authentication protocol. Session management involves sharing confidential information with users who are authenticated, i.e., certified. Secure cryptographic network communications are crucial in maintaining such session management security. The critical point is the session will be unique to each user. JSON Web Token (JWT) is a core document in the JSON Web Token Standard (RFC 7519). It defines a secure way for storing and communicating securely with others as JSON objects. JWT is a form of standardization to facilitate the use of tokens on the web for authentication, not only for REST-based services. Despite its small size, it is still easy to use because it is robust and can carry much information. For example, a JWT token can pass the authentication information between a service provider and an identity provider (which might not be the same system). A token can also hold all the claim data the user has, such as authorization information, so the service provider does not need to go into the database or other external systems to verify access permissions and roles of the user on request; it is infused with that information on the token.

From the survey, we found there are various solutions for session management and security in web applications in which multiple acts can be conducted. These solutions offer protection against the web application’s vulnerability and threats. We will propose a model that will prevent unauthorized access in the sessions using the spring security and spring framework.

2. DESIGN/FRAMEWORK

The proposed solution prevents unauthorized users from accessing confidential information and against threats. The solutions given are enhanced to provide a smooth and secure session while accessing a web application. We will be proposing the model based on the spring framework, such as using the JWT. The proposed model provides tokens based on users and passwords given by the client.

Figure 2.1 is the generalized diagram for our proposed system through which 4 components are displayed: Session level, Spring security, Authorization Tokens, and HTML, CSS, JS for UI. We can access the session using sets of JWT that are Java Web Tokens based on the time factor such that each user can get into the session for that amount of time. If any other users try to inject into the system that user will not be able to gain access since the code is written in such a way that only one user with the key will be able to access the system. This type of model is very much useful for banking domains especially while doing the transactions, each can uphold only a particular time gaining the system access, and once the session is ended or closed again a new pair of tokens is generated that will be again used by the users to enter at the session. Logs for the session are also maintained in a linear manner so that any unauthorized access can be easily monitored and handled instantly.

Figure 2: High-Level Architecture — Components

We have used eclipse IDE (Oxygen version +) or Spring Tool Suite with Maven 3.5 (and above ), Java 1.8 (and above), jjwt 0.9.1, and Postman API or ARC for testing purpose. This proposed architecture is environment friendly and can be used in Windows, Linux, Mac OS for deployment as well as compatible with browsers. This project was build using spring boot + spring security package in order to manage the session using maven as the plugins. We have four packages which are com.vit.springsecurityjwt, com.vit.springsecurityjwt.filters, com.vit.springsecurityjwt.models and com.vit.springsecurityjwt.util.

Each and every package are responsible for making ‘autowired’ connections with each other such that they can be used as a complete microservice. Inside ‘com.vit.springsecurityjwt’ package, we have two different classes — ‘MyUserDetailsService’ and ‘SpringSecurityJwtApplication’. The first class is responsible for maintaining the database for the existing ‘Users’ which is used during the maintaining of sessions during the web management. Initially, we required that the users should be present in the directory for the database, but we need to check the authenticity and authorization also since during handling the sessions it’s more important to verify the credentials which are ‘Username’ and ‘Password’. This microservice is having two endpoints which are used for the purpose of ‘authentication’ and ‘authorization’. The ‘SessionController’ is the main spot for the project in which two endpoints/API calls are made using requestmapping method. The first API is — ‘authorize’ which uses the GET method and responsible for making the authorization of the service. The second API is — ‘authenticate’ which uses the POST method and responsible for authentication purposes. The separate authenticationManager is provided by default to fetch the username and password from the interface. There is also a function for the exception handling provided in the microservice such that if any user is trying to enter the wrong password or username it will automatically throw a message as ‘Incorrect username or password’. Generation of the JWT is one of the important parameters which will be considering as session handling since JWT(JSON Web Tokens) will be created on the basis of various methods which is given as: extractUsername, extractExpiration, extractClaim, extractAllClaims, isTokenExpired, generateToken, createToken and validateToken.

JWT is the secret key that is generated using the signature algorithm ‘HS256’ which will give the secret key for the session management purpose. This is a two-step process that will be happening in the background and hence JWT tokens can be used for subsequent API calls till the time it gets expired. Once it’s getting expired, we need to generate a new JWT for the signing purpose as well. In the model section, we have two classes — AuthenticationRequest and AuthenticationResponse which is having the data objects that are used for making the request calls. For request, we have username and password fields. For the response object, we have JWT which takes the string value as the parameter.

3. RESULT AND ANALYSIS

The referred models proposed by the authors are all different types of sessions that can cause vulnerabilities to the system. Hence, it is required to predicate and make correspondence web security based on the tokens which are time-based so that the users can be verified while logging into the system especially while considering the web application. Hence, we proposed a model which is based on the spring framework such that using the JWT. And we can provide tokens based on users and passwords given by the client.

REST services will work with prior standardized security measures (session cookie, HTTP Basic, and HTTP Digest), but each of them has problems that would be easier avoided by using a greater standard. JWT is approaching the IETF standardization stage with great speed. The main strength of JWT is its stateless authentication model that is scalable without state changes while keeping everything secure with the latest cryptography standards. With distributed system architectures in which the server is responsible for authenticating requests, storing the authentication data within the token itself creates significant benefits. Session cookies are inappropriate from a security perspective because of the stateless approach of REST, but they are still widely used. Cookies are most vulnerable to man in the middle (MiTM), session hijacking, and cross-site request forgeries (CSRF). But JWT is a secure alternative that will cope with all the security issues of HTTP Basic, HTTP Digest, or session cookies. JWT is approaching the IETF standardization stage with great speed.

Our proposed model is evaluated using postman where we performed API testing and table 3.1 and table 3.2 demonstrates the results. Both the POST and GET HTTP methods are evaluated and have passed the test cases.

Table 3.1: Test Script result for POST.

Table 3.2: Test Script result for GET.

Then based on various scenarios we have tested our proposed model. The test cases are mentioned below in table 3.3:

Table 3.3: Test Scenarios

4. CONCLUSION

Security is an essential part of technology to protect and prevent any kinds of threats and intrusions. Session management aids secure communication between tiers. Software development has progressed into n-tier architecture for ease of development as it has been logically & physically separated into multiple functions/layers [Ex: presentation layer, business layer, database layer, etc.]. Session Management is very important in n-tier architecture where multiple layers are present and to link them for end-user functionality [ex: Browser-based banking applications]. JWT is a stateless authentication model that is scalable and robust while keeping everything secure with the latest cryptography standards. With cloud computing becoming popular, applications are out there for attacks, so session management becomes very important to foil the attacks of the malicious elements.

REFERENCES

1. Wijitrisnanto, Fajar, Suhardi, and Purnomo Yustianto. 2020. “HTTPS Contribution in Web Application Security: A Systematic Literature Review.” 2020 International Conference on Information Technology Systems and Innovation, ICITSI 2020 — Proceedings, 347–56.
2. Sun, Kyoungjae, and Younghan Kim. 2019. “PMIP-Based Distributed Session Mobility Management for 5G Mobile Network.” International Conference on Information Networking 2019-January: 453–56.
3. Gutzmann, Kurt. 2001. “Access Control and Session Management in the HTTP Environment.” IEEE Internet Computing 5 (1): 26–35.
4. Mateus-Coelho, Nuno, Manuela Cruz-Cunha, and Luis Gonzaga Ferreira. “Security in Microservices Architectures.” Procedia Computer Science 181 (2021): 1225–1236.
5. Alizai, Z. A., Tahir, H., Murtaza, M. H., Tahir, S., & McDonald-Maier, K. (2019). Key-Based Cookie-Less Session Management Framework for Application Layer Security. IEEE Access, 7, 128544–128554. https://doi.org/10.1109/ACCESS.2019.2940331
6. Singh, A., Sharma, A., Sharma, N., Kaushik, I., & Bhushan, B. (2019). Taxonomy of Attacks on Web Based Applications. 2019 2nd International Conference on Intelligent Computing, Instrumentation and Control Technologies, ICICICT 2019, 1231–1235. https://doi.org/10.1109/ICICICT46008.2019.8993264
7. Qiao, X., Ren, P., Chen, J., Tan, W., Blake, M. B., & Xu, W. (2019). Session persistence for dynamic web applications in Named Data Networking. Journal of Network and Computer Applications, 125(September 2018), 220–235. https://doi.org/10.1016/j.jnca.2018.10.015
8. Z. A. Alizai, H. Tahir, M. H. Murtaza, S. Tahir, and K. McDonald-Maier, “Key-Based CookieLess Session Management Framework for Application Layer Security,” IEEE Access, vol. 7, pp. 128544–128554, 2019, doi: 10.1109/ACCESS.2019.2940331.
9. M. Islam, S. Rahaman, N. Meng, B. Hassanshahi, P. Krishnan, and D. D. Yao, “Coding Practices and Recommendations of Spring Security for Enterprise Applications,” Proc. — 2020 IEEE Secur. Dev. SecDev 2020, pp. 49–57, 2020, doi: 10.1109/SecDev45635.2020.00024.

Github links

Project: https://github.com/s0umadeep/session-management-spring

Soumadeep Dhar: https://github.com/s0umadeep

Ankita Sinha: https://github.com/AnkitaSinha98

Ravi Kumar Gubbala: https://github.com/ravikumar-gubbala