Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing SPAs with Spring

Avatar for Marcus Hert Da Coregio Marcus Hert Da Coregio
May 31, 2022
Technology
840
1

Securing SPAs with Spring

https://2022.springio.net/sessions/securing-spas-with-spring

Avatar for Marcus Hert Da Coregio

Marcus Hert Da Coregio

May 31, 2022

Other Decks in Technology

See All in Technology
OTel × Datadog で 「AI活用」を計測し、改善に繋げる
Avatar for Yuki Shiho shihochan
1
400
AI駆動開発を通して感じた、 AI時代のデザイナーの役割変化
Avatar for WHIsaiyo whisaiyo
4
2.3k
200個のGitHubリポジトリを横断調査したかった
Avatar for Issei.Komori icck
0
140
SONiCのLinuxベースを活かしたZabbix監視
Avatar for SONiC Users Group Japan sonic
0
230
Lightning近況報告
Avatar for Koji NAKAMURA kozy4324
0
180
AIネイティブな開発のサプライチェーンリスク対策 〜激動の開発現場でリスクに立ち向かう〜【ZennFes】
Avatar for サイバーセキュリティクラウド cscengineer
PRO
2
140
LayerXにおけるセキュリティ管理の現在地と次の一手
Avatar for tosho tosho
0
240
Claude Codeをどのように キャッチアップしているか
Avatar for Oikon oikon48
13
8.5k
Oracle AI Database@Azure:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
2k
生成 AI 実践ガイド (概略版) AIガバナンス編
Avatar for Asei Sugiyama asei
0
110
SONiC Scale-Up Working Group から探る Scale-UpやUltraEthernet機能の実装方法
Avatar for ebiken ebiken
PRO
2
410
徹底討論!ECS vs EKS!
Avatar for 高棹大樹 daitak
0
160

Featured

See All Featured
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
5.7k
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
9.1k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
55k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
47
8.2k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
28
3.5k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
Avatar for UX Y'all uxyall
1
1.7k
Neural Spatial Audio Processing for Sound Field Analysis and Control
Avatar for NII S. Koyama's Lab skoyamalab
0
340
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
1
490
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
270
14k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
Avatar for Mfonobong Umondia mfonobong
2
440
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
16
2k

Transcript

  1. Marcus Hert da Coregio Spring Security @ VMware Securing SPAs

    with Spring Copyright © 2022 VMware, Inc. or its affiliates.

  2. Who am I? Marcus Hert da Coregio • Joined the

    Spring Security team on May, 2021 @marcusdacoregio on social networks

  3. How to? Spring Security Single Page App +

  4. Cover w/ Image Agenda • CORS and Form Login •

    CSRF • Application Personalization • IDOR (Insecure Direct Object Reference) • Clickjacking and XSS • BFF and OAuth2

  5. Live Code!

  6. How CSRF works Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf Browser In a malicious website

    Server Request 🍪 User's Identity 📩 ⚠ Attacker's Payload Request domain == Cookie domain Browser sends the cookies

  7. Double-Submit Cookie Pattern Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf Browser Request 🍪 Cookie with

    CSRF Token 📩 CSRF Token in Request ⚖ Do they match? Request domain == Cookie domain Browser sends the cookies Browser does not add the CSRF Token in the request

  8. What we have now Browser API Backend Single Page App

    🍪 Session PUBLIC ZONE 🔓No Security Headers

  9. End Product BFF Spring Security + Spring Cloud Gateway Browser

    Resource Server Spring Authorization Server Single Page App 🍪 Session JWT PRIVATE TRUSTED ZONE https://github.com/spring-projects/spring-authorization-server/issues/297 🔒 Security Headers TokenRelay Filter Retrieve JWT Keys

  10. BFF Pros and Cons Pros • No access token in

    the browser; • No refresh token in the browser; • Single trusted application instead of two apps; • Better protection against XSS (CSP and Security headers); • APIs can be deployed in a private trusted zone. Cons • Performance worse if downstream APIs required; • High probability of code duplication and lower reuse; • Business logic may bleed to the BFFs; • From a security perspective? None.

  11. Thank you Contact me at [email protected] @marcusdacoregio on Twitter/GitHub ©

    2022 Spring. A VMware-backed project. Sample code https://github.com/marcusdacoregio/springio-2022-securing-spas-with-spring

  12. Q&A