Slide 1

Securing SPAs with Spring

Marcus Hert da Coregio, Spring Security @ VMware

Copyright © 2022 VMware, Inc. or its affiliates.

Slide 2

Who am I?

Marcus Hert da Coregio
● Joined the Spring Security team in May 2021
● @marcusdacoregio on social networks

Slide 3

How to? Single Page App + Spring Security

Slide 4

Agenda
● CORS and Form Login
● CSRF
● Application Personalization
● IDOR (Insecure Direct Object Reference)
● Clickjacking and XSS
● BFF and OAuth2

Slide 5

Live Code!

Slide 6

How CSRF works

Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf

Browser (on a malicious website) -> Server
The request carries 🍪 the user's identity (the session cookie) together with 📩 ⚠ the attacker's payload.
Request domain == cookie domain, so the browser sends the cookies automatically and the server sees an authenticated request it cannot distinguish from a legitimate one.

Slide 7

Double-Submit Cookie Pattern

Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf

Browser -> Server
The request carries 🍪 a cookie holding the CSRF token together with 📩 the same CSRF token inside the request (header or form field).
⚖ Do they match?
Request domain == cookie domain, so the browser still sends the cookie, but the browser does not add the CSRF token to the request by itself, and a malicious page cannot read the cookie to copy it, so a cross-site request fails the comparison.

Slide 8

What we have now

Browser (Single Page App) <-> API Backend, authenticated with a 🍪 session cookie
The API Backend sits in the PUBLIC ZONE
🔓 No security headers

Slide 9

End Product

Browser (Single Page App) <-> BFF (Spring Security + Spring Cloud Gateway), authenticated with a 🍪 session cookie
BFF <-> Resource Server, authenticated with a JWT that the TokenRelay filter adds to the upstream request
Spring Authorization Server issues the JWT; the Resource Server retrieves the JWT keys from it
The Resource Server sits in the PRIVATE TRUSTED ZONE
🔒 Security headers
Reference: https://github.com/spring-projects/spring-authorization-server/issues/297

Slide 10

BFF Pros and Cons

Pros
● No access token in the browser
● No refresh token in the browser
● Single trusted application instead of two apps
● Better protection against XSS (CSP and security headers)
● APIs can be deployed in a private trusted zone

Cons
● Worse performance when downstream APIs are required (every call takes an extra hop through the BFF)
● High probability of code duplication and lower reuse
● Business logic may bleed into the BFFs
● From a security perspective? None.

Slide 11

Thank you

Contact me at [email protected]
@marcusdacoregio on Twitter/GitHub
Sample code: https://github.com/marcusdacoregio/springio-2022-securing-spas-with-spring

© 2022 Spring. A VMware-backed project.

Slide 12

Q&A