angular – Coding Capital Markets

SpringOne Platform 2016: Building Applications with Angular JS and Spring Security

Speaker: Dave Syer, @david_syer

Agenda

Real quick intro to Spring Security, Spring Session, Angular JS
Focus on features to build secure, modern, single-page applications
High level view of sample apps presented in tutorial (from blog series)
More Details look at some features of the apps

Most valuable links

Spring Security

Generic Filter based solution for Servlet applications
Authentication (a.k.a. identity) and Authorization (a.k.a. access decisions)
OAuth2 module useful for SSO and token-based API authentication
lots of other features
http://projects.spring.io/spring-security

Angular JS

Javascript Framework
“Magic” binding (dependency injection and MVC)
Has a lot of traction in the enterprise
Nothing about the architecture of the apps presented here requires Angular JS
Really basic usage in sample, but representative

Security Features in Modern Browsers

HTTP Basic
X.509 authentication
Kerberos
Kerberos
Cookies
CORS (Common Origin Resource Sharing)
HSTS (HTTP Strict Transport Security
CSP (Content Security Policy)

Sub-text: “use them, they’re reliable and free…”

Spring Session

Not tied to Spring Security, but works well with it
Easy, declarative, distributed sessions
Redis works out of the box, other backends easy to add
Servlet Filter
http://cloud.spring.io

Add HTTP Basic Security

Add spring-boot-starter-security dependency
Set security.user.password=password to application.properties
Add SecurityConfiguration extends WebSecurityConfigurerAdapter
Suppress the Browser Dialog by adding X-Requested-With XmlHttpRequest in HTTP request

Cross Site Request Forgery (CSRF)

Spring Security and Angular JS both have good support for CSRF protection
HTTP Request Header: X-CSRF-TOKEN

CORS

Use @CrossOrigin on your @RequestMapping and this: http.cors()
Tip: there is also CorsUtils::isCorsRequest method you can use in a request matcher