Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing SPAs with Spring

Marcus Hert Da Coregio
May 31, 2022
Technology
1
750

Securing SPAs with Spring

https://2022.springio.net/sessions/securing-spas-with-spring

Marcus Hert Da Coregio

May 31, 2022
Tweet

Other Decks in Technology

See All in Technology
Why and Why not of enabling swap in Kubernetes
hwchiu
0
480
LeSSに潜む「隠れWF病」とその処方箋
lycorptech_jp
PRO
2
110
Kubernetes Summit 2024 Keynote:104 在 GitOps 大規模實踐中的甜蜜與苦澀
yaosiang
0
280
グローバル展開を見据えたサービスにおける機械翻訳プラクティス / dp-ai-translating
cyberagentdevelopers
PRO
1
120
AI Builder について
miyakemito
1
140
入門『状態』#kaigionrails / "state" for beginners with Rails
shinkufencer
2
820
新卒1年目が向き合う生成AI事業の開発を加速させる技術選定 / ai-web-launcher
cyberagentdevelopers
PRO
3
1.3k
CI/CDやテスト自動化の開発プロジェクトへの適用
megascus
3
680
Java x Spring Boot Warm up
kazu_kichi_67
2
440
バクラクにおける可観測性向上の取り組み
yuu26
2
290
Data Migration on Rails
ohbarye
7
4.9k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.6k

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
106
49k
Writing Fast Ruby
sferik
626
60k
Happy Clients
brianwarren
97
6.7k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k
GraphQLとの向き合い方2022年版
quramy
43
13k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k

Transcript

  1. Marcus Hert da Coregio Spring Security @ VMware Securing SPAs

    with Spring Copyright © 2022 VMware, Inc. or its affiliates.

  2. Who am I? Marcus Hert da Coregio • Joined the

    Spring Security team on May, 2021 @marcusdacoregio on social networks

  3. How to? Spring Security Single Page App +

  4. Cover w/ Image Agenda • CORS and Form Login •

    CSRF • Application Personalization • IDOR (Insecure Direct Object Reference) • Clickjacking and XSS • BFF and OAuth2

  5. Live Code!

  6. How CSRF works Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf Browser In a malicious website

    Server Request 🍪 User's Identity 📩 ⚠ Attacker's Payload Request domain == Cookie domain Browser sends the cookies

  7. Double-Submit Cookie Pattern Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf Browser Request 🍪 Cookie with

    CSRF Token 📩 CSRF Token in Request ⚖ Do they match? Request domain == Cookie domain Browser sends the cookies Browser does not add the CSRF Token in the request

  8. What we have now Browser API Backend Single Page App

    🍪 Session PUBLIC ZONE 🔓No Security Headers

  9. End Product BFF Spring Security + Spring Cloud Gateway Browser

    Resource Server Spring Authorization Server Single Page App 🍪 Session JWT PRIVATE TRUSTED ZONE https://github.com/spring-projects/spring-authorization-server/issues/297 🔒 Security Headers TokenRelay Filter Retrieve JWT Keys

  10. BFF Pros and Cons Pros • No access token in

    the browser; • No refresh token in the browser; • Single trusted application instead of two apps; • Better protection against XSS (CSP and Security headers); • APIs can be deployed in a private trusted zone. Cons • Performance worse if downstream APIs required; • High probability of code duplication and lower reuse; • Business logic may bleed to the BFFs; • From a security perspective? None.

  11. Thank you Contact me at [email protected] @marcusdacoregio on Twitter/GitHub ©

    2022 Spring. A VMware-backed project. Sample code https://github.com/marcusdacoregio/springio-2022-securing-spas-with-spring

  12. Q&A