Secure WebSocket with Spring Security OAuth 2.0, AngularJS and SockJs - angularjs

I'm trying to implement WebSocket support with Angular+SockJs on front-end, and Spring on backend. We are using Spring Security with OAuth 2.0 token based authorization.
Spec tell us that i should pass token via STOMP client at connect time and use Interceptor on backend to provide Principal. But i don't like this approach because i need to copy logic from Security configuration to get Principal from Token.
Is it possible to catch SockJs request in Angular Interceptor and add Authentication header?

Related

secured spring boot backend with React Frontend

i managed to secure my spring boot backend (localhost:8081) with keycloak as an authorization server (with an access token needed), but i want my frontend (react with port localhost:3000) to access the data which is secured. Thus meaning that localhost:3000/products should fetch data from localhost:8081/products after a successful login.
Could anyone guide me on this problem?
You choose an OIDC client lib for react. It should handle
redirection to authorization server for login
redirection back from authorization server with authorization code
exchange of authorization code for access, refresh and ID tokens
automatic access token refreshing
(maybe) automatically insert authorization header with bearer access token for configured routes
The requests your React app will issue to Spring resource server will then have required JWT access token.
PS
Make sure your Spring back-end is configured as resource-server (and not as client).
Also make sure that you do not use the deprecated Keycloak adapters for spring.

CSRF enable between reactjs and springboot application in different domain

We have react js app as frontend application and springboot api as backed enabled with CSRF, which run in different domain.
What is the best way to pass csrf token between rest API and react application.
Normally CSRF tokens are passed in payload of HTTP Request.
If your REST API has no cookie dependency (eg: for Authentication), I dont see any need for CSRF Protection.
You can refer this link for more details.
https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints

React SSO using SAML without web server

I have a web app developed using Create-react-app
I host it on IIS, the IIS only response to load the app, there is no server side logic on it (no Express or any other web server)
The app is using a RESTful API on the same IIS, it is out of my control (I cannot make change).
Now one of my client request to add SAML SSO to our app.
I would like to know:
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
For my case, I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Could any one give me some React implement SAML SSO tutorial or article for reference?
Thanks for any help, any information or suggestion are welcome!
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
I assume the client wants to authenticate the users using their internal IdP. So your application is the SP. But you will have to define different token service (details below).
With SPA (a single-page-applications) I see the problem, in SAML the user is redirected or posted away from the SAML request and SAML response.
I have a login page to enter id/pw, post them to API server Login endpoint to authenticate and get back a JWT token. After that we use that token in API calls for authentication
The API services are using a JWT token issued based on the provided username/password. I'd recommend to extend the token service (or use a different service) to issue a JWT token based on the provided SAML response - a token swap service. In many OAuth implementations it's called SAML grant type.
I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Usually after the authentication the user is redirected or posted to the SAML ACS endpoint URL, where the server can create sort of session (cookie, parameters, token, ..) and the user is redirected to a URL returned the web page with the session information.
If you are using an SPA, you could use a popup window or SAML with redirect (not with post), where the page could read the SAML response parameters (assertion, signature, ..) and use them in the token swap service mentioned above.
When processing the SAML response, try to use some mature, known, out-of-box libraries, it's a security service and not doing it properly may cause security weaknesses. But you need to do that on the server side, as at the end you need the JWT token consumed by the APIs.

SAML 2.0 integration for Angular(SPA) front end and spring Boot backend

I need to integrate angular front end with spring boot backend (REST API's) with SAML 2.0 and my identity provider is keycloak.
I have used SAML2-js library to integrate with the front end, now how do I secure my backend spring rest apis with the saml assertion that I have received after successful login in the frontend. What I can get in front is nameID and session index. If anyone has integrated to secure the spring backend rest API using SAML please let me know any documentation or any write up on these.
Thanks!
What I have done for the above problem is I've used OIDC integration for login flow with 2 clients one for frontend with authorization code flow and another client with bearer only for my backend to secure the REST APIs.
For providing SSO with SAML 2.0 I have used identity brokering from Keycloak which provides seamless SSO.

Example of Spring Security JWT library for work with AngularJS

I want to authenticate and authorization a REST Spring API with Spring Security JWT for work with AngularJS App. but I confused and I don't know what should I do? I need to simple example for authenticate AngularJS app with Spring Security JWT.
I used Jhipster token based authentication with spring security, you can easily modify the code to use JWT instead.
link to Jhipster

Resources