Set X-Frame Options to allow in Spring Boot without spring security - spring-boot

I am building a small spring boot/ angular app that will be diplayed inside an iframe of another app. Basically a small tool for adding / editing contracts. I have not implemented spring security, because the whole authentication thing is done by the parent app. There is only 1 way to reach my app, through that another app. The parent app will send me the login and thats all.
The problem is, I cannot open my app inside the another, because of the x-frame-options: deny header. Is there a way to change this header without implementing the whole spring security thing. Or maybe implementing only the HttpSecurity part with disabling x-frame-options. Implementing the whole spring security would be an overkill for that small app, so I really hope there is some another option in spring boot, or maybe server side (WildFly 20).
I am using spring boot 2.7.0.
Thanks in advance.

If you implement Content-Security-Policy frame-ancestors directive it will override X-Frame-Options (Except for IE, which no longer should be a problem). You need to find a way to set the header in the same response as X-Frame-Options, this could likely be in code, webserver, proxy, or a load balancer. In the frame-ancestors directive, list the host names of all allowed hosts.

Related

How to integrate keycloak in Spring Boot with a different context root and reverse proxy

We are currently developing a microservice application using Spring Boot 1.4 and Keycloak 2.5.0 (configured as openid-connect service) using the Keycloak Spring Adapter (not the Spring Boot adapter).
All of our microservices are put behind a load balancer and an additional reverse proxy as the application will be hosted on an existing domain behind a context root (so the root of our application is http://foo.bar/foobar/ and the rest services are http://foo.bar/foobar/rest/).
We are facing a couple of problems with Keycloak in this given scenario:
Keycloak forward to /sso/login if a sign-in is needed. This is in our case unwanted behaviour because http://foo.bar/sso/login will not exist. I have found a way to change the forward but there is no way to make Keycloak listen to the same url; we end up with a 404 in this case.
After signing in, Keycloak redirects back to the /sso/login url with the correct tokens, but if this is not the same server, the request fails and it redirects us to http://foo.bar/. Since every microservice exposes /sso/login, this can be in fact a completely different server.
If keycloak is hosted on the same domain, we end up in a redirect loop. We would also like to have Keycloak hosted on the same domain and on the context root http://foo.bar/foobar/auth/ .
We've already tried using the "token-store": "cookie" but this did not resolve the problem.
Is there a way to resolve these problems or is Keycloak maybe not the correct solution for our use-case ?
Update 05/05/2017:
Move my answer from here to an answer
We are now up and running with Keycloak so I'll briefly explain what we did. The front-end of our application runs Angular2 and we created a custom login page in the Angular application itself (so it's not a theme for Keycloak) which will directly query the Keycloak API for an OAuth2 Bearer token. The front-end will send this token on each request in the Authorization header (as per the OAuth standards).
On the service side we have configured keycloak as a bearer-only solution (bearer-only: true in the keycloak.json), this way the application just returns a 401 or a 403 instead of forwarding to the login page.
Using this configuration the user will never see anything from the /sso/login page and there is also no redirect issue anymore.
TLDR; the use-case I described was also not realistic, calling a REST URL and then forwarding to a login page is kind of bad stuff :)

Container Managed Security, Spring Security and Authentication

I have been looking everywhere on how I can implement Spring Security based on a Container Managed Security Model. In my test case, I am using Tomcat and it's corresponding tomcat-users.xml file. The issue is, I cannot get Spring Security to play well (meaning pass authentication over to Tomcat) to let the app server perform the Authentication and have Spring manage the role based security once someone is authenticated. I am using the latest Spring versions, so it's all Java config as I am just not familiar enough with XML based config. I have read many examples that talk about using a PreAuthenticatedAuthenticationProvider but the examples are poor not to mention the Spring documentation is quite confusing IMHO. I even downloaded the sample preauth code from the Spring Security GIT hub but I still cannot see how the example code is tied to the authentication that Tomcat is performing. When I run the Spring sample code for preauth, it doesn't authenticate with any of the users in my tomcat-users XML file as I deployed my code to Tomcat 8. Wondering if anyone has any ideas on where I can look in order to understand how Spring Security and the authentication performed by Tomcat (container managed) happens?
UPDATE:
It appears I had to start from scratch and simply get the authentication to work with a very simply app created in my IDE. Basically I had a folder that was called secure, one folder that was called unsecure and I mapped the paths according to the Servlet 3 spec to secure and unsecure what I needed. I had to use a web.xml in order to contain the security constraints. Once I tested in both Tomcat 7 and 8, where I tried to hit a secure URL, I was challenged to enter an ID and password. Please note you have to define the path to a login page, mine was a simple JSP. I also had to submit to the j_security_check and also make sure to use the j_username and j_password field names. Once I knew I could hit a secure page, I then started introducing the Spring components. This involved Spring Security, Spring Boot etc. The key was in the WebSecurityConfigurerAdapter. Where I normally would have basic auth or form based security enabled, I removed those and instead used the jee() setting based on the same fluent builder API used to configure your security settings. I left all antmatcher settings in the web.xml, so my WebSecurityConfigurerAdapter was very basic. When you are debugging controllers, you can inject the HttpServletRequest directly in the method and that request contains a userPrincipal request value containing things such as the user ID, and roles. Good luck, hope this helps others because it was painfully long for me to figure out such a simple solution.
See the update for a detailed explanation on my solution.

Spring MVC and Web Application separated

I have been Googling a lot lately, but I find myself coming up short on answers.
I have a complete Spring MVC application secured by Spring Security and with services exposing logic to controllers (controllers -> service -> repository -> POJO's).
Currently all my controllers, except the login controller, serve nothing but JSON/XML and I want it to stay this way. I do not want to render different views on each controller.
However, what I want to be able to, is to separate the web application from the backend because in time I want to be able to integration with my service using more platforms than just a web browser.
Currently I have the regular Spring MVC application:
Configuration
Domain(POJO's)
Repository
Service
Controller
Login is done using a Thymeleaf rendered view and Spring Security which does nothing more than filtering all urls under the application root. After this, it is just a bunch of static files being served as resources:
Spring Controllers send a "{ontrollerName}/layout" to serve the AngularJS HTML partial used for all data under that given Spring Controller.
What I want, is a way to separate everything in the /webapp directory from the rest of my project. I have looked into a few different solutions here such as using Apache Proxy where my Apache Http server hosts the client code which communicate with the backend using Ajax to rest controllers, and Tomcat hosting the backend. However, I hear that proxying like this is not safe. I could however be dead wrong here.
So, the questions I hope to receive answers to are:
1. Is it fine to just write a client that uses Apache http server's Proxy to provide access to Ajax on the server?
If not; How should I proceed? Is it any point in trying to extract the client side from the /webapp directory or is this just some stupid idea I created because it seemed cool to be able to deploy them without having to relay on each others?
Is there any best practices in regards to how I structure a project with separate modules? Think Gradle build scripts for multi modules.
Should I think in different terms and use an approach not based on Spring MVC at all? If so, please advice me.
I hope this was clear enough to make sense for you guys.
The solution was to use the simpler approach of a restful API that did authentication over OAuth 2.
Basically the two best alternatives are a hybrid solution (part restful API and part server side rendering of pages) or a full blown restful API where you implement all functionality in a static web client. This way there is no need for multi-module projects and packing things together in one package.

How to secure a Spring RESTful webservice for Angular.js or Ember.js

I have a Spring MVC application that uses Spring Security to handle user login authentication, which works fine.
Now I want to add some Ember.js and Angular.js code to the HTML pages that accesses the Spring RESTful web services (which just return JSON data).
How do I bind the user login authentication to the authentication for the RESTful web services? In other words, I want to make it so that the RESTful web services can only be accessed once a user has logged in. That way, the Angular.js and Ember.js libraries can access these RESTful web services securely from my user pages only without anyone else being able to directly call them.
I read on one other post that Spring Security was never meant to be used with a full Ajax framework, is that true? I hope this is not the case. I'd imagine that this type of thing must be pretty common now as there are so many AJAX client side frameworks that work based off accessing a JSON/RESTful API.
It is certainly not true that Spring Security was never meant to be or cannot be used in AJAX applications. I have two applications in production that use Spring Security as well as AJAX and more applications under development with the same mix.
If you are going to use EmberJS or AngularJS in an existing web application with Spring Security working, you should not face too many problems if you simply add the JavaScript library to your project. This is because once your users are authenticated, any normal HTTP requests will be treated as authenticated as well because the browser will ensure that session information is passed back and forth using cookies or URL parameters, as appropriate. You can see one of my working examples on Github for Spring Security and EmberJS integration.
The only thing you may need to worry about is CSRF tokens for form submissions using AJAX. The latest Spring Security documentation has a small section dedicated to this so you should not face too many problems getting that to work either. However, I would like to clarify that this particular issue is not specific to Spring Security. CSRF protection typically involves including a secure, randomly generated token with every HTTP POST request. The challenge arises from making existing JavaScript libraries aware of this token and how it should be included in HTTP POST requests. This would be a challenge in any application, not just those using Spring Security.
If however you will work with stateless clients, such as, mobile devices, you will be unable to rely on the default Spring Security mechanism of storing the user credentials in HTTP Session because HTTP requests will not have information to tie them to a session. This again is not specific to a Spring or Spring Security application because the constraint is imposed by the nature of the client and the client-server communication rather than any server-side technology. In such circumstances you will need to pass some authentication token in the HTTP headers for the application to maintain security state on the server side. I have a working example for this as well. If you need more details, there are articles on the web that explain how to do something like this with Spring Security.

Sharing security context between few web applications

I need to have web application which actually consist from few separate wars unified into same navigration bar on UI, i need to have all system secured but have authentication only to main web application and after automatic propagation of this security context to sub web applications. I'm using spring security, could someone help me with advice? thanks
This can be achieved by following approach. In Spring, SecurityContext by default is stored in HttpSession. Instead you can configure it to store in some shared repository.
So, configuration should be changed to use your own SecurityContextRepository implementation instead of HttpSessionSecurityContextRepository. Once configured, the security framework will look at the Repository which is available to all your web applications.
The Repository can be either a database or a cached server.
Spring Security stores the login data in the http session. So what I would try is to share the session between the applications.
It seams that this is possible (in Tomcat) by using the Single Sing On attribute.
But be warned, sharing the session between two applications is not without danger. See this Stack Overflow question.

Resources