jwts in java for csrf and microservices

••••

User Data

User Workflows Google ID

Your ApplicationsApplication SDK

Application SDK

ID Integrations

Facebook

Active Directory

encodeSecret =

"4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="

computeHMACSHA256(

header + "." + payload,

base64DecodeToByteArray(encodedSecret)

Signature Computation Pseudo-code

.signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") )

Short but not Sweet

String b64EncodedSecret =

"Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

.signWith(

SignatureAlgorithm.HS256,

b64EncodedSecret.getBytes("UTF-8")

You’re Doing it Wrong

String b64EncodedSecret =

"Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

.signWith(

SignatureAlgorithm.HS512,

TextCodec.BASE64.decode(b64EncodedSecret)

Supersize that Secret!

AuthenticationServiceAuthorizationServiceApplicationService

OrganizationServiceDirectoryServiceAccountServiceGroupService

DatabaseInfrastructure

GroupServiceAccountService

AuthenticationService AuthorizationService

ApplicationService OrganizationService DirectoryService

●○○

●●●●●●

○●

jwts in java for csrf and microservices

Technology

advanced csrf and stateless anti-csrf - owasp · advanced...

java jwts for csrf prevention and microservices

csrf change dns

of microservices and microservices

building secure user interfaces with jwts

neat tricks to bypass csrf-protection

rest api security: oauth 2.0, jwts, and more!

advanced csrf and stateless anti-csrf

neuropsychological changes following - csrf

csrf not all defenses are created equal

php security crash course - 3 - csrf

tamper data: csrf examined toolsmith

common websites security issues - il...

csrf final

csrf(crosss-site request forgeries)

csrf national pension system (nps) - subscriber

web security: xss & csrf - university of maryland · xss &...

csrf and xss - wiki.elvis.science

building secure user interfaces with jwts (json web tokens)

dissecting csrf attacks & defenses - mike shema - csrf...