Securing SPAs with Spring

Marcus Hert Da Coregio

May 31, 2022

Transcript

  1. Marcus Hert da Coregio, Spring Security @ VMware. Securing SPAs with Spring. Copyright © 2022 VMware, Inc. or its affiliates.
  2. Who am I? Marcus Hert da Coregio
     • Joined the Spring Security team in May 2021
     • @marcusdacoregio on social networks
  3. Agenda
     • CORS and Form Login
     • CSRF
     • Application Personalization
     • IDOR (Insecure Direct Object Reference)
     • Clickjacking and XSS
     • BFF and OAuth2
  4. How CSRF works. Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf. Diagram: the browser, while on a malicious website, sends a request to the server; the request carries the user's identity 🍪 and the attacker's payload 📩 ⚠. Because the request domain == the cookie domain, the browser sends the cookies.
  5. Double-Submit Cookie Pattern. Reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf. Diagram: the browser sends a request to the server with a cookie 🍪 containing the CSRF token and with the CSRF token in the request 📩; the server checks ⚖ whether they match. Because the request domain == the cookie domain, the browser sends the cookies, but the browser does not add the CSRF token to the request.
  6. What we have now. Diagram: Browser, Single Page App and API Backend, with a 🍪 session; everything sits in the PUBLIC ZONE; 🔓 no security headers.
  7. End Product. Diagram: Browser, Single Page App, and a BFF (Spring Security + Spring Cloud Gateway) holding the 🍪 session, with 🔒 security headers and a TokenRelay filter; Resource Server and Spring Authorization Server in the PRIVATE TRUSTED ZONE (labels: JWT; Retrieve JWT Keys). See https://github.com/spring-projects/spring-authorization-server/issues/297
  8. BFF Pros and Cons
     Pros
     • No access token in the browser;
     • No refresh token in the browser;
     • Single trusted application instead of two apps;
     • Better protection against XSS (CSP and security headers);
     • APIs can be deployed in a private trusted zone.
     Cons
     • Performance worse if downstream APIs are required;
     • High probability of code duplication and lower reuse;
     • Business logic may bleed into the BFFs;
     • From a security perspective? None.
  9. Thank you. Contact me at mhertdacoreg@vmware.com, @marcusdacoregio on Twitter/GitHub. © 2022 Spring. A VMware-backed project. Sample code: https://github.com/marcusdacoregio/springio-2022-securing-spas-with-spring
  10. Q&A
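The cookie-versus-header comparison behind slides 4 and 5, as an added example that is not from the deck or its sample repository: a framework-agnostic Python version of the double-submit check (not the Spring implementation) that allows the same-origin SPA request and rejects the cross-site one, where the browser attaches the cookie but nothing could copy the token into the header. The `Request` type and the XSRF-TOKEN / X-XSRF-TOKEN names are assumptions made for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Cookie/header names follow the common XSRF-TOKEN / X-XSRF-TOKEN convention (assumed here).
CSRF_COOKIE = "XSRF-TOKEN"
CSRF_HEADER = "X-XSRF-TOKEN"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # read-only methods skip the check


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed, not a real framework type)."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_csrf_token() -> str:
    """Server side: mint an unguessable token that is handed to the browser in a cookie."""
    return secrets.token_urlsafe(32)


def csrf_check(request: Request) -> bool:
    """Double-submit check: the token in the cookie must equal the token the
    application code copied into the request header. Returns True to allow."""
    if request.method.upper() in SAFE_METHODS:
        return True
    cookie_token = request.cookies.get(CSRF_COOKIE)
    header_token = request.headers.get(CSRF_HEADER)
    if not cookie_token or not header_token:
        return False  # the browser-sent cookie alone is not enough
    # constant-time comparison so the check does not leak the token byte by byte
    return hmac.compare_digest(cookie_token, header_token)


def spa_request(token: str) -> Request:
    """Same-origin SPA: its JavaScript can read the cookie and copy it into the header."""
    return Request("POST", cookies={CSRF_COOKIE: token}, headers={CSRF_HEADER: token})


def cross_site_request(token: str) -> Request:
    """Request issued from a malicious site: the browser attaches the cookie automatically
    (request domain == cookie domain), but that page cannot read the cookie, so no header."""
    return Request("POST", cookies={CSRF_COOKIE: token})


if __name__ == "__main__":
    t = issue_csrf_token()
    print("SPA request allowed:", csrf_check(spa_request(t)))                # True
    print("cross-site request allowed:", csrf_check(cross_site_request(t)))  # False
```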