Secure User Form is a web application designed to demonstrate best practices in secure web development. This project focuses on building a user authentication system with a strong emphasis on security, using JWT (JSON Web Tokens) for session management, secure password storage, and input validation.
Developed as part of a Secure Development course, this application aims to implement key security concepts, including RBAC (Role-Based Access Control) and PBAC (Policy-Based Access Control), to control user access. The project serves as a foundation for building secure and scalable web applications.
- π User Registration: Secure user registration with validation and role assignment.
- π User Login: Secure login functionality using JWT-based authentication.
- πΌ Secure User Dashboard: After successful login, users can access a dashboard displaying their details.
- π Token-Based Authentication: JWT tokens are used for secure session management.
- β Input Validation: Both client-side (JavaScript) and server-side (Spring Boot) validation to prevent vulnerabilities.
- π Password Encryption: User passwords are hashed using BCrypt, ensuring secure storage.
- π CORS Handling: Proper handling of cross-origin requests, restricting access to authorized domains only.
- π RBAC (Role-Based Access Control): User roles (ADMIN, USER) define access rights to resources.
- π οΈ PBAC (Policy-Based Access Control): Custom JWT claims are used for managing user permissions.
- β³ JWT Expiration: Tokens expire after a set period, enhancing session security.
-
Frontend
- HTML, CSS, JavaScript (for creating the user interface and interactions)
- JWT for secure authentication and authorization
- Fetch API to make secure HTTP requests
-
Backend
- Spring Boot (Java) for building the backend RESTful API
- JWT for token-based authentication
- Spring Security for securing endpoints and managing user sessions
-
Security Features
- π‘οΈ CSRF Protection: Disabled for token-based authentication, handled by JWT.
- π Password Security: Passwords are hashed using BCrypt for secure storage.
- π HTTPS: Ensures secure communication between the client and server.
- π CORS Configuration: Allows cross-origin requests only from trusted domains.
-
Session Management
- JWT tokens with expiration to ensure secure and controlled sessions.
-
Logging and Monitoring
- Basic audit logs for monitoring authentication and access events.
-
Docker
- Dockerfile: Configured to build and run the application in a container.
- Docker Compose: Defines and manages services needed for the app.
To get the project running locally, follow these steps
git clone https://github.com/tatilimongi/Secure-UserForm.git
cd Secure-UserForm- Ensure that you have Java and Maven installed for the backend (Spring Boot).
- The frontend can be run directly from your browser by opening the HTML, CSS, and JavaScript files.
-
Backend
- Navigate to the backend directory and run the Spring Boot application:
mvn spring-boot:run
-
Frontend
- Open the
index.htmlin your browser to interact with the application.
- Open the
- POST /auth/login: User login (returns JWT token on success)
- POST /auth/register: User registration (you need to register first)
- GET /welcome: Secure user dashboard (requires JWT token for authentication)
Use tools like Postman or Insomnia to test the API endpoints.
Before logging in, you need to register a user. Send a POST request to http://localhost:8080/register with the following JSON body:
Example 1 (Admin User)
{
"name": "Tatiana",
"email": "[email protected]",
"password": "Password1",
"role": "ADMIN"
}Example 2 (Regular User)
{
"name": "Tatiana",
"email": "[email protected]",
"password": "Password1",
"role": "USER"
}After registering, send a POST request to http://localhost:8080/auth/login with the following JSON body:
{
"username": "[email protected]",
"password": "Password1"
}Upon success, you will receive a JWT token.
Once logged in, you can access the secure user dashboard by sending a GET request to http://localhost:8080/welcome with the Authorization header
Bearer <JWT_TOKEN>
Replace <JWT_TOKEN> with the token you received during login.
-
Build the Docker image
- From the project directory, run
docker-compose build
-
Start the application with Docker
- To start the application in a container, use
docker-compose up
-
Access the application
- Once the containers are running, you can access the frontend at
http://localhost:8080.
- Once the containers are running, you can access the frontend at
This project emphasizes the following security aspects
- π Authentication Security: Ensures secure login with token-based authentication using JWT.
- π Authorization: Restricts access to resources based on user roles (RBAC) and custom policies (PBAC) defined in JWT claims.
- β Input Validation: Prevents common security vulnerabilities such as SQL injection and XSS by validating user inputs on both the client and server side.
- π Secure Communication: Enforces HTTPS to protect data during transmission.
- π Password Security: Implements BCrypt to securely hash and store passwords.
- π Session Management: Manages sessions using JWT tokens with expiration to enhance security.
While the application covers the essentials of secure authentication, there are several potential areas for future enhancement
- π OAuth 2.0 Integration: Allow users to authenticate via third-party services (Google, Facebook, etc.).
- π§ Email Verification: Implement email verification during the registration process to ensure valid user emails.
- π§βπ€βπ§ Advanced User Roles: Expand the RBAC system to support more granular roles and permissions.
- π Comprehensive Logging and Monitoring: Integrate advanced logging and monitoring tools (e.g., ELK stack, Prometheus) to track and analyze application behavior.
This project is licensed under the MIT License - see the LICENSE file for details.
This project is part of the Secure Development course at Centro UniversitΓ‘rio Tiradentes and aims to apply secure coding practices in web applications. π