Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing SPAs with Spring

Marcus Hert Da Coregio
May 31, 2022
Technology
1
760

Securing SPAs with Spring

https://2022.springio.net/sessions/securing-spas-with-spring

Marcus Hert Da Coregio

May 31, 2022
Tweet

Other Decks in Technology

See All in Technology
Terraform Stacks入門 #HashiTalks
msato
0
360
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
130
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
420
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
650
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
150
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
130
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
190
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
130
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
390
Taming you application's environments
salaboy
0
190
アジャイルチームがらしさを発揮するための目標づくり / Making the goal and enabling the team
kakehashi
3
110
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
190

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
What's new in Ruby 2.0
geeforr
343
31k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Ruby is Unlike a Banana
tanoku
97
11k
Designing for Performance
lara
604
68k
Become a Pro
speakerdeck
PRO
25
5k
Code Reviewing Like a Champion
maltzj
520
39k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
RailsConf 2023
tenderlove
29
900
The Cult of Friendly URLs
andyhume
78
6k
Practical Orchestrator
shlominoach
186
10k

Transcript

  1. Marcus Hert da Coregio Spring Security @ VMware Securing SPAs

    with Spring Copyright © 2022 VMware, Inc. or its affiliates.

  2. Who am I? Marcus Hert da Coregio • Joined the

    Spring Security team on May, 2021 @marcusdacoregio on social networks

  3. How to? Spring Security Single Page App +

  4. Cover w/ Image Agenda • CORS and Form Login •

    CSRF • Application Personalization • IDOR (Insecure Direct Object Reference) • Clickjacking and XSS • BFF and OAuth2

  5. Live Code!

  6. How CSRF works Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf Browser In a malicious website

    Server Request 🍪 User's Identity 📩 ⚠ Attacker's Payload Request domain == Cookie domain Browser sends the cookies

  7. Double-Submit Cookie Pattern Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf Browser Request 🍪 Cookie with

    CSRF Token 📩 CSRF Token in Request ⚖ Do they match? Request domain == Cookie domain Browser sends the cookies Browser does not add the CSRF Token in the request

  8. What we have now Browser API Backend Single Page App

    🍪 Session PUBLIC ZONE 🔓No Security Headers

  9. End Product BFF Spring Security + Spring Cloud Gateway Browser

    Resource Server Spring Authorization Server Single Page App 🍪 Session JWT PRIVATE TRUSTED ZONE https://github.com/spring-projects/spring-authorization-server/issues/297 🔒 Security Headers TokenRelay Filter Retrieve JWT Keys

  10. BFF Pros and Cons Pros • No access token in

    the browser; • No refresh token in the browser; • Single trusted application instead of two apps; • Better protection against XSS (CSP and Security headers); • APIs can be deployed in a private trusted zone. Cons • Performance worse if downstream APIs required; • High probability of code duplication and lower reuse; • Business logic may bleed to the BFFs; • From a security perspective? None.

  11. Thank you Contact me at [email protected] @marcusdacoregio on Twitter/GitHub ©

    2022 Spring. A VMware-backed project. Sample code https://github.com/marcusdacoregio/springio-2022-securing-spas-with-spring

  12. Q&A