Integrating HDIV Security Framework with Spring  

by ne on 2021-03-02 under Java

Security is one of the prime concerns of any application these days. And making a secure and robust application is kind of a necessity for developers.

Dealing with different type of security problems i.e. SQL Injection, URL Injection, XSS, CSRF ... etc is always a heck.

And in case you are working with an already developed project then you get to know what all loop holes you will have to cover to make it secure. Fixing each and every type of security issue yourself can be a bit of overhead.

And in doing so you may waste a lot of time and it's also possible that the fixes you made aren't enough.

Do not worry.

HDIV comes to the rescue.(download from here)

According to Open Web Application Security Project(OWASP) the top 10 types of attacks that can be targetted on an application are:

  1. Injection
  2. Broken authentication and session management
  3. Cross-Site Scripting (XSS).. Wow! So you can remove your Html sanitizing filters(if any)
  4. Insecure Direct Object References
  5. Sensitive Data Exposure
  6. Missing Function Level Access Control
  7. Cross-Site Request Forgery (CSRF)..  Hurray! No need of Spring's CSRF
  8. Using Components with Known Vulnerabilities
  9. Unvalidated Redirects and Forwards
  10. Security Misconfiguration 

HDIV takes care of all of them.

Here's a quick go through if you are working with Spring MVC. 

I will cover all the direct basic steps needed for HDIV integration with Spring

1. Add HDIVjar, make sure you use the latest version. 2.1.10 is the latest while I am writing this down. Entries for pom.xml if you are using maven.


<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-config</artifactId>
    <version>2.1.10</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-spring-mvc</artifactId>
    <version>2.1.10</version>
</dependency>

2. Add HDIV listener and filters to the web.xml


<listener>
    <listener-class>org.hdiv.listener.InitListener</listener-class>
</listener>
<!-- HDIV Validator Filter -->
<filter>
    <filter-name>ValidatorFilter</filter-name>
    <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ValidatorFilter</filter-name>
    <!-- Spring MVC Servlet name-->
    <servlet-name>SampleMvc</servlet-name>
</filter-mapping>

3. Multipart configuration. Replace Spring MVCs MultipartResolver with HDIVs one. If commons fileupload is used for multipart processing:


<bean id="multipartResolver" class="org.hdiv.web.multipart.HdivCommonsMultipartResolver">
    <property name="maxUploadSize" value="100000" />
</bean>

4. Editable data validation. In order to add editable validationerrors into Spring MVC binding and validation errors, configure'hdivEditableValidator' as application wide validator.


<mvc:annotation-driven validator="hdivEditableValidator"/>

5. JSTL jars / maven entries, if you are using JSTL in your JSP. Recommended 


<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-config</artifactId>
    <version>2.1.10</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-jstl-taglibs-1.2</artifactId>
    <version>2.1.10</version>
</dependency>

 

Now  after finishing with above. Now you are required to do some configurations for your application. 

1. Adding HDIV filter as a custom filter within your application security xml.


<security:http auto-config="true">
<security:form-login login-page="/login.html" authentication-failure-url="/login.html?error=true" />
<security:logout logout-url="/logout.html" logout-success-url="/" />
...
<security:custom-filter after="SECURITY_CONTEXT_FILTER" ref="hdivFilter" />
...
<security:intercept-url access="ROLE_USER" pattern="/authenticated/**" />
</security:http>
...

<bean id="hdivFilter" class="org.hdiv.filter.ValidatorFilter" />

 

2. Now make a new file, say hdiv-config.xml . It will contain the configurations required by HDIV to handle the types of security checks it has to perform on your application and it's components. A very basic footprint of hdiv-config.xml is shown below:


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:hdiv="http://www.hdiv.org/schema/hdiv"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.hdiv.org/schema/hdiv ">http://www.hdiv.org/schema/hdiv/hdiv.xsd">

<hdiv:config excludedExtensions="css,png">
<hdiv:sessionExpired loginPage="/login.html" homePage="/"/>
<hdiv:startPages>/attacks/.*</hdiv:startPages>
<hdiv:startPages method="get">/,/login.html,/logout.html</hdiv:startPages>
<hdiv:startPages method="post">/j_spring_security_check</hdiv:startPages>
</hdiv:config>

<!-- Accepted pattern within the application for all editable parameters (generated from textbox and textarea) -->
<hdiv:validation id="safeText">
<hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9@.\-_]*$]]></hdiv:acceptedPattern>
</hdiv:validation>

<!-- Finally, it's necessary to define editable data validation list for 
the application -->
<hdiv:editableValidations>
<hdiv:validationRule url="/secure/.*"></hdiv:validationRule>
<hdiv:validationRule url="/safetext/.*"enableDefaults="false">safeText</hdiv:validationRule>
</hdiv:editableValidations>

</beans>

 

After this step, include this xml in your context initialization.
 And you are good to go.

I will be writing about some common issues developers face while implementing HDIV, generally with AJAX, in few days.

Some helpful links:

http://www.hdiv.org/

https://www.owasp.org/index.php/Category:Attack

https://github.com/hdiv

 

If you are having trouble integrating HDIV to a spring project, feel free to comment below.

Thanks.