Best practice for Spring Security

Time:08-13

Can you please suggest which Spring Security approach I should use to secure a real-world Spring Boot application, say, for example, a banking application, where no social media login is used?

Should I go for Bcrypt / OAuth 2.0 / OIDC / Okta / any other?

CodePudding user response:

Well, Bcrypt means you are going to have your own user database, which is a completely different thing from an external IdP. You'll have to take care of user registration, self-service, MFA and many other things.

External IdPs are more or less similar, one word though... If you are hosting your app inside one of the big clouds, then check if you can harness their user pools (for AWS it's Cognito, as an example). From one perspective it makes you vendor-locked, but it opens other doors for using their internal services with a proper IAM in mind.

If you go with a completely external one, then they should all be pretty similar functionality-wise. Okta and Auth0 are some I have had experience with, but that doesn't mean there are no others.

As for a protocol, no preference, though OIDC is pretty well supported by vendors and third parties. SAML is sometimes considered a bit outdated, though it is completely reliable and bulletproof. If your app will be calling some other services, then OIDC seems the more natural way to go, as you will have to go with OAuth (I suppose) to call external providers.

Bottom line: decide if you are up to taking all the burden mentioned in the first paragraph onto your shoulders. If there is no desire -> go with an external one (I'd recommend that, but you'll have to pay for it, of course).
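To make the two options in the answer above concrete, here is an added example (my own code, not from the answer or the question) of a single Spring Security 6 / Spring Boot 3 configuration class that wires both paths: BCrypt-hashed passwords against a user store the application owns, and `oauth2Login()` against an external OIDC provider. The package name, the `okta` registration id, the issuer URI, the sample user and the environment variable names are all placeholders I chose for illustration; the in-memory user store exists only so the class runs without a database.

```java
// Added example, not code from the post. Assumes Spring Boot 3.x / Spring Security 6.x.
// Package, registration id, issuer URI, user and credentials are placeholders.
package com.example.bank.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Option 1: your own user store. BCrypt is how *stored* passwords are hashed;
    // it is not an authentication protocol and does not replace OIDC. Work factor
    // 12 is a sane default today; raise it as hardware gets faster. Spring stores
    // the cost and salt inside the hash, so raising it later only affects new hashes.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // In-memory store only so the example runs without a database; the user and
    // password are constructed sample data. A real app would back this with
    // JdbcUserDetailsManager or its own UserDetailsService, and would then own
    // registration, lockout, password reset and MFA itself (the "burden" the
    // answer refers to).
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("correct-horse-battery-staple"))
                .roles("CUSTOMER")
                .build();
        return new InMemoryUserDetailsManager(alice);
    }

    // Option 2: external IdP over OIDC. oauth2Login() needs a client registration;
    // with the properties below Spring fetches the provider's metadata from
    // <issuer-uri>/.well-known/openid-configuration at startup and validates
    // ID-token signatures against the provider's JWKS. The same code works for
    // Okta, Auth0, Keycloak or Cognito; only the properties change.
    //
    // application.yml (placeholders, not real credentials):
    //   spring:
    //     security:
    //       oauth2:
    //         client:
    //           registration:
    //             okta:
    //               client-id: ${OIDC_CLIENT_ID}
    //               client-secret: ${OIDC_CLIENT_SECRET}
    //               scope: openid, profile, email
    //           provider:
    //             okta:
    //               issuer-uri: https://example.okta.com/oauth2/default
    //
    // Note: users arriving via the IdP get OIDC_USER / SCOPE_* authorities, not
    // the roles of Option 1; to use hasRole() for them, map IdP groups or claims
    // to roles with a GrantedAuthoritiesMapper bean.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/error").permitAll()
                .anyRequest().authenticated())
            // Option 1 path: username/password checked against the BCrypt hash.
            .formLogin(Customizer.withDefaults())
            // Option 2 path: browser is redirected to the IdP and returns with an ID token.
            .oauth2Login(Customizer.withDefaults());
        // CSRF protection and session-fixation protection are on by default;
        // do not switch them off for a browser-facing banking application.
        return http.build();
    }
}
```

In practice a banking app would pick one of the two paths rather than offering both; they are shown together only to make the contrast in the answer visible. Either way, transport security (HTTPS everywhere, `Secure`/`HttpOnly` session cookies) and authorization rules on the actual account endpoints still have to be designed on top of whichever login mechanism is chosen.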

CodePudding user response:

Quoted from your question:

Should I go for Bcrypt / OAuth 2.0 / OIDC / Okta / any other?

The way your question is formulated brings a notion that you don't clearly understand these tools, protocols or products in detail, and that is perfectly fine, my friend; security is another jungle that we must venture into.

Unfortunately there are no easy answers to this question. Security is important and we must pay attention to how we want to secure our apps; there are multiple layers to secure, and underestimating or belittling this subject can be very dangerous and costly down the road.

My suggestions:

  • Start learning the subject more intensely and patiently, because it is a wide subject to be covered.
  • Consult with the experts: companies like Okta, Auth0 and Keycloak (Community) have amazing people who have created the best products to ease our hardships in this matter, so using their products and getting their support should guarantee that your apps follow the best security practices out there, so we can be more confident about our apps' security. Cheers.