Skip to content

sjohnr/springone-2021

Repository files navigation

Spring Security 5.5 From Taxi to Takeoff

This repository is for the SpringOne 2021 presentation titled "Spring Security 5.5 From Taxi to Takeoff". It contains the following four applications:

  • spa - An Angular-based Single Page Application
  • flights-web - A Spring-powered OAuth 2.0 client application
  • flights-api - A REST API secured with Spring Security OAuth 2.0 Resource Server
  • sso - A Spring-powered OAuth 2.0 Authorization Server

The final state is a single-page application that authenticates the user with OpenID Connect 1.0 and collaborates with a REST API using OAuth 2.0 bearer tokens. It brings together the following concepts:

  • The spa is served as static content from the /static directory of flights-web
  • The sso application is configured as an OpenID Connect 1.0 provider that mints signed JWTs for an OAuth 2.0 client
  • The flights-api application is simplified to act as a resource server that verifies signed JWTs for authentication
  • The flights-web application acts as an OAuth 2.0 client, performs token relay with Spring Cloud Gateway, and implements the backend for frontend (bff) pattern to store access tokens on the server
  • The spa authenticates with flights-web using a standard session cookie (SESSIONID), and additionally uses a cookie/header pair for csrf protection (XSRF-TOKEN, X-XSRF-TOKEN)

Getting Started

First, start the authorization server, with the following command:

./gradlew :sso:bootRun

Next, start the REST API like so:

./gradlew :flights-api:bootRun

You will need the Angular CLI installed. Then, start the SPA and OAuth 2.0 Client application using the following command:

./gradlew :flights-web:bootRun

Finally, navigate to http://127.0.0.1:8000

NOTE: Ensure you have added 127.0.0.1 auth-server to your /etc/hosts file, which is used to keep the authorization server on a separate host to distinguish cookies from other apps running on localhost.

Running Natively

To run the application's natively, you can use spring-native to build the images locally, or pull the pre-built images from Docker Hub. A docker-compose.yml file is provided to run using the pre-built images.

docker-compose up

Following Along

To follow along with the presentation, start with the main branch:

git checkout main

Each checkpoint along the way contains a specific commit message you can use to quickly hop around in the presentation. For example, to switch to Step 1 - Secure by default, do the following:

./look-at 'Step 1'

This will safely attempt to switch to a particular commit, but you will be in 'detached HEAD' state. To reset to a particular point such as Step 12 - Secure BFF application ,git checkout main again, and do the following:

./jump-to 'Step 12'

This will hard-reset to the specified commit and discard changes in your working directory.

About

Spring Security 5.5 From Taxi To Takeoff

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •