How to secure Java-based web apps right

21 November 2022

Increase web app security with Spring Security, Keycloak and other safeguards

Web app security has never been as critical to revenue as it is today. Entire industries have been sucked into the digitalisation maelstrom. And many software providers can no longer avoid the SaaS model for their platforms. To ensure that services on the internet are secure and GDPR-compliant in Europe, it is helpful to take a look at the risks in order to be able to initiate appropriate preventive measures.

The non-profit organisation “Open Web Application Security Project” (OWASP) publishes its Top 10 web application security risks each year. It includes risks directly related to web app identity and access management. It is an integral part of overall web app security. After all, no one can afford to make mistakes in this area nowadays. User security is paramount. If you make a mistake here, you risk irreparable damage to your image that may be impossible to repair. These incidents can be extremely expensive and, often, the whole business may depend on it.

Inadequate access control is the biggest danger

In 2021, OWASP cited “Broken Access Control” as the biggest threat to web apps. That alone should be enough to show how important clean user authentication is. One recommendation here is to use the OAuth Standard (OAuth 2.0). For Java-based web apps, it can be implemented with the Spring Security Framework. This makes it possible to separate simple access control to an application from authorisation provided by the application itself. This task is then taken over by an “Authorisation Server”, which informs the application (client) of the authorisation of a user or another entity and, so to speak, enables the authorisation for access. The application trusts the authorising entity and then grants access itself.

Spring Security is not a 360° solution for web app access management 

Spring Security is not nearly enough to guarantee user security  on web apps. Why not? Because a separate implementation is necessary for each connected application. This costs a lot of time and requires the utmost concentration for each individual integration, which can only be done with in-house programming.

The whole thing is already available out-of-the-box with Keycloak. This means that you do not have to go through the trouble of implementing it for each additional connected application, nor do you have to implement it at all via programming.

Keycloak offers OAuth 2.0 out-of-the-box

If you already have Spring Security implemented for your Java application, it is easy to add the multi-functionality and the resulting comfort with Keycloak via the  Keycloak Adapter provided. In the medium term, however, Keycloak will discontinue Java adaptor support. It is therefore recommended to use both together now and not in stages. For this reason, the Keycloak community recommends the use of Spring Security.

You can look into more information about securing web apps with Spring Security 5 and Keycloak. Spring Security is continuously evolving and, as from November 2022, if offers the possibility to set up a private server for authentication. You can read more about it here.

With regard to this function, it remains to be seen whether this could become an alternative to Keycloak. After all, the open-source software comes with a lot of features out-of-the-box, so it will be difficult for alternative providers to keep up. For example, Keycloak’s own admin console is a very strong advantage, which is why many continue to rely on Keycloak.

Keycloak, like Spring Security, cannot provide all-round security for user identities.

In principle, however, neither Spring Security nor Keycloak itself can separate unlawful access from unauthorised access. And exactly this became a worldwide problem in December 2020. Two weeks before Christmas, SolarWinds’ security platform Orion was compromised, as discovered by the IT security firm FireEye, who was also affected by the hack.

The attackers obtained the single sign-on key and proceeded to move through the hierarchy, using the corresponding admin rights in the SolarWinds platform. There, they installed the so-called Sunburst Trojan, which was delivered to all Orion customers with an update. An overview of this landmark coup can be read on techtarget. (Note to ST: I replaced the German resource with an English one. Please check!!!)

The installation of a trojan is no longer possible with the separation of login and access.

This would not have happened if SolarWind had separated login from the authorisation of access rights in their system. This is made possible by implementing the authorisation framework SecuRole®, which ensures end-to-end security. This creates an additional security layer that checks and approves access authorisation independently of the login. It does this by relying on a further checking instance that is not affected if the SSO key is stolen. Hackers would have the possibility to gain access in some way if they got hold of the credentials, but they can only move laterally, i.e. on the level of a simple registered user without real rights in the system. Thus, they would not have the chance to act like an administrator and install a trojan.

You can find out more about end-to-end security for internet identities in the free webinar with our partner KuppingerCole: The evolution of access control

Conclusion: The interaction of Spring Security, Keycloak and extensions constitutes comprehensive user protection.

We maintain that not one of the aforementioned add-ons represents comprehensive IAM-related security for web apps. Instead, a combination of all these components makes the most sense and only together can they offer a real increase in protection for web applications.

Overview of the differences: Spring Security, Keycloak and Login-Master

The following table provides an overview of the points raised. It also shows the wider differences between Spring Security, Keycloak and a comprehensive IAM solution for web apps and services:

FeatureKeycloakLogin-Master
User self-service and GDPR No out-of-the-box support for GDPR Login-Master takes into account all the necessary GDPR regulations based on Keycloak.
Including: different consent levels, download of personal information, “forget me” process

The functionalities are called via the REST interface for complete integration of the registration process in your application.

In Login-Master, there is the possibility to check data via the POSTIDENT process of Deutsche Post. That is the only process for age verification.
User login Keycloak is outstanding here, and provides a solid foundation for enhancements (implementation of 2-factor authentication). Keycloak as a Service:
The offer from Login Alliance is to implement the authentication process as desired.
Access rights Assignment of default roles Completely, refined role management system:
· Granting/revoking roles depending on the values of the user attributes (ABAC)
· A role shop allows the user to make a request for additional access.
· A background process continually performs housekeeping tasks. The same process makes it possible to remove a role when it has expired.
· Synchronisation with legacy IAM systems
· Enhanced access control technology SecuRole®
Existing users Keycloak does not know any “existing users”. Login-Master implements a complete metadirectory and synchronises the existing user base with that of Keycloak. Users and the access rights are synchronised.
Batch processesREST interfaces Login-Master uses workflows to start backend processes.That way, the most frequent, different tasks are implemented: housekeeping, removal of expired rights, reminder to users to change an old password or about an expiring contract.
This happens in a multilingual environment with support from adaptable e-mail templates.
Delegated administration Keycloak doesn’t know this concept.The Login Alliance introduces well thought-out delegated administration in which we define user communities. There are one or more administrators for each community. They can invite other registered users to the community, grant or revoke specific access rights and exclude users from a community.
This leads to prompt administration of user communities. It is used with portals for project and business partners, for suppliers (communities) or also for families.
ServicesOpen Source ResourcesLogin Alliance - Solutions and Services
SupportCommunity supportBasic support: Monday to Friday 9:00 am - 5:00 pm, 24*7 is planned
HostingSelf-hosted Keycloak- Managed Keycloak on dedicated instances / Keycloak as a Service, ready-made test environments
- Login-Master licenses for self-hosting or as Identity as a Service
ConsultingCommunity forumsProof-of-concept, IAM consulting (infrastructures, hardening, high availability, trouble shooting), Keycloak / IAM workshops

This article covered:

Extensions with Spring Security, Keycloak, the authorisation framework SecuRole®and Login-Master’s security and IAM functions for web applications