Spring Boot CSRF with session - spring

In my app I'm using Spring Session (with redis). Now I need to add CSRF prevention.
I have to handle the frontend app + clients over REST.
If my understanding is correct, without the use of spring security etc. on login I need to create a token, store it in redis with session id association and return it to the client (as header for example).
And then on every request I need to check the token passed as the header if it's correct to prevent CSRF?

Related

Can the Spring Boot + Spring Security Keycloak adapters automatically refresh the access token contained in the HttpSession on token expiration?

I am using Keycloak to provide SSO through OIDC for a bunch of applications that belong to the same realm. All of these applications are confidential clients that use the Authorization Code flow. They use JSP for the views, and all necessary redirects are managed by Spring Boot and Spring Security Keycloak adapters.
After successfully logging in I can switch from one application to another correctly (SSO). For each of them, an HttpSession is generated containing a org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken. This class, has a details object (SimpleKeycloakAccount) with a securityContext (RefreshableKeycloakSecurityContext) that contains the access token (tokenString), id token (idTokenString) and refresh token (refreshTokenString):
The contained access token has a 5 minute expiration time. Oddly enough, after this time has passed, although I'm still correctly authenticated in the Spring Boot application, I've checked that the access token is never refreshed.
I need to have a valid access token, since some of these applications invoke REST services, secured with the same adapters with bearer only authentication. The problem is I end up having an expired access token and have to deal (manually?) with its expiration.
Is there a way to make the adapter refresh the access token when it expires or are we expected to do so programmatically?
Can you show how to do it?

How to handle session expired in spring web flow?

I'm writing a web application with Spring boot, Spring web flow and thymeleaf. When the user session expires the csrf token in the registration form expires.
How can I handle the session expiration showing a template file in Spring web flow?
Session should be handled by Spring Security. You can redirect the current user to another page by adding configuration like this:
http.sessionManagement()
.expiredUrl("/sessionExpired.html")
.invalidSessionUrl("/invalidSession.html");
In Thymeleaf, you can use session variable and add th:if attribute to check if session exist or something similar:
${session.isEmpty()}
Check this answer https://stackoverflow.com/a/22120387/2230060

how destroy jwt token from spring boot backend

I want to destroy jwt token from spring-boot application.
Architecture is the following :
front-end: react
back-end : sring boot
I have to implement logout function. Now I developed the logout function in front-end and it removes the jwt token in redux storage but when I use the same jwt token before it removed from the front-end redux storage then I can use that token form postman and I can access secured rest end points.
How to remove the jwt in spring boot back-end.
Technically, as your application is stateless, your Spring Boot app won't know when your client logout cause it never keep track of all the tokens it has issued/generated. (That's why it's called stateless :D)
The best practice here is to keep your JWT expire shortly. This way it become expired before someone try to reuse the token.
To make the user journey seamless, you can refresh JWT token in background to make sure user always stay login.

Keycloak: Spring Boot project as bearer and reusing token from user

I am building an application with an angular frontend and spring boot on the backend. I was able to configure the angular and spring part.
So, the frontend requests a token and sends it with every request to the java backend. This works just fine.
My java backend is now in the need to reuse the client token to request data from another service, which uses the same mechanism.
What is the right way to go forward? Requesting an own token for my service or using the existing token from the authenticated user?
I have not found a way to do this.
Works as pointed out by ravthiru
While calling your 3rd service you can use the same token , Add your third service as bearer-only Client.

Can spring security parse headers and verify authentication information?

Spring Security is commonly used for authentication and authorization of web applications and web services. While spring can validate users based on credentials_id (user id) and credentails_secret (password) passed through web forms.
What I am looking at is
1) can spring work when these userid and password are passed through http headers.
2) on subsequent requests can spring validate user based on a session id (some thing like jsessionid) passed through http headers?
You can add spring-security module in your project.
passing username and password via http-headers for every request is stateless basic-authentication. Check this example
You can do a stateful authentication: authenticate once, maintain the session.
Check this sample
So, you should write a custom AuthenticationFilter extending referred UsernamePasswordAuthenticationFilter.
Checkout:
Spring Security using HTTP headers

Resources