Browser not sending jsession id with requests - spring

I am writing an Angular4 app with Spring Boot backend. I am using a SessionScoped bean to store the logged in user (I know this is not RESTful and stuff and I am ok with it for now) and RestControllers for the endpoints.
Logging in and querying data with Postman works nicely, but it does not work from my angular app, so I debugged it a little and saw that I get jsessionid-s in the response-headers, but they are not appended in the requests.
What might be the problem? How can I use Angular with Spring Boot and session scoped beans?

It depends on how your are calling the backend.
If you are using angular-cli and the proxying the calls to spring boot it should work out of the box since same domain requests always pass cookies.
This is the preferred way because usually this is how you then deploy it live using a nginx location block to get all /api/ calls go to spring and everything else to angular.
https://github.com/angular/angular-cli/blob/master/docs/documentation/stories/proxy.md
If you have the api on a different host you will need to pass withCredentials: true to all requests going to the backend to force the request to include the cookies.
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
this.http.post('http://localhost:3000/api/thing', { withCredentials: true }).subscribe()

Related

CAMUNDA API REST Authentication

I am trying to connect from my javascript front to the REST API of my camunda orchestration which is deployed as part of a spring boot application.
the called url is :
GET http://localhost:8081/oms-orchestrator-ms/api/engine/engine/default/history/process-instance
i get an 401 error for non authenticated queries which is normal
First question : is it the right way to query the Engine Rest API for process definition/ instances and history?
In order to make it work , i add the JSESSIONID cookie as header to my requests,
how can i use the basic auth to query the orchestrator api instead of using the cookie?
Thanks for your Help
the /api path is part of the cockpits REST backend which is secured by the same rules as the cockpit webapp.
You can additionally deploy the rest api (camunda-bpm-spring-boot-starter-rest if you are using spring boot). This will add an almost identical REST api for the engine under the path /rest. This one is open by default and can be secured manually if required (and advised for prod environments).

Keycloak: Spring Boot project as bearer and reusing token from user

I am building an application with an angular frontend and spring boot on the backend. I was able to configure the angular and spring part.
So, the frontend requests a token and sends it with every request to the java backend. This works just fine.
My java backend is now in the need to reuse the client token to request data from another service, which uses the same mechanism.
What is the right way to go forward? Requesting an own token for my service or using the existing token from the authenticated user?
I have not found a way to do this.
Works as pointed out by ravthiru
While calling your 3rd service you can use the same token , Add your third service as bearer-only Client.

Firebase authentication implementation for a single page angular application and spring-boot backend

I'm trying to secure my single page Angular 5 application that has a spring boot backend with firebase authentication.
Is the following a good way to implement this.
All requests that do not start with /api are forwarded to index.html with forward:/index.html. The AuthGuard in my Angular app will then handle whether the user has access or needs to login.
All requests going to /api/** have to be authenticated. Here the firebase user token will be set in the header of the request by Angular and my custom Spring authentication filter and authentication provider vill handle it.
Are there any tutorials, specifically for the spring part of the implementation, that I can look at. I haven't found any thing similar and I want to be sure that the security implementation is done correctly.

How to integrate keycloak in Spring Boot with a different context root and reverse proxy

We are currently developing a microservice application using Spring Boot 1.4 and Keycloak 2.5.0 (configured as openid-connect service) using the Keycloak Spring Adapter (not the Spring Boot adapter).
All of our microservices are put behind a load balancer and an additional reverse proxy as the application will be hosted on an existing domain behind a context root (so the root of our application is http://foo.bar/foobar/ and the rest services are http://foo.bar/foobar/rest/).
We are facing a couple of problems with Keycloak in this given scenario:
Keycloak forward to /sso/login if a sign-in is needed. This is in our case unwanted behaviour because http://foo.bar/sso/login will not exist. I have found a way to change the forward but there is no way to make Keycloak listen to the same url; we end up with a 404 in this case.
After signing in, Keycloak redirects back to the /sso/login url with the correct tokens, but if this is not the same server, the request fails and it redirects us to http://foo.bar/. Since every microservice exposes /sso/login, this can be in fact a completely different server.
If keycloak is hosted on the same domain, we end up in a redirect loop. We would also like to have Keycloak hosted on the same domain and on the context root http://foo.bar/foobar/auth/ .
We've already tried using the "token-store": "cookie" but this did not resolve the problem.
Is there a way to resolve these problems or is Keycloak maybe not the correct solution for our use-case ?
Update 05/05/2017:
Move my answer from here to an answer
We are now up and running with Keycloak so I'll briefly explain what we did. The front-end of our application runs Angular2 and we created a custom login page in the Angular application itself (so it's not a theme for Keycloak) which will directly query the Keycloak API for an OAuth2 Bearer token. The front-end will send this token on each request in the Authorization header (as per the OAuth standards).
On the service side we have configured keycloak as a bearer-only solution (bearer-only: true in the keycloak.json), this way the application just returns a 401 or a 403 instead of forwarding to the login page.
Using this configuration the user will never see anything from the /sso/login page and there is also no redirect issue anymore.
TLDR; the use-case I described was also not realistic, calling a REST URL and then forwarding to a login page is kind of bad stuff :)

How to secure a Spring RESTful webservice for Angular.js or Ember.js

I have a Spring MVC application that uses Spring Security to handle user login authentication, which works fine.
Now I want to add some Ember.js and Angular.js code to the HTML pages that accesses the Spring RESTful web services (which just return JSON data).
How do I bind the user login authentication to the authentication for the RESTful web services? In other words, I want to make it so that the RESTful web services can only be accessed once a user has logged in. That way, the Angular.js and Ember.js libraries can access these RESTful web services securely from my user pages only without anyone else being able to directly call them.
I read on one other post that Spring Security was never meant to be used with a full Ajax framework, is that true? I hope this is not the case. I'd imagine that this type of thing must be pretty common now as there are so many AJAX client side frameworks that work based off accessing a JSON/RESTful API.
It is certainly not true that Spring Security was never meant to be or cannot be used in AJAX applications. I have two applications in production that use Spring Security as well as AJAX and more applications under development with the same mix.
If you are going to use EmberJS or AngularJS in an existing web application with Spring Security working, you should not face too many problems if you simply add the JavaScript library to your project. This is because once your users are authenticated, any normal HTTP requests will be treated as authenticated as well because the browser will ensure that session information is passed back and forth using cookies or URL parameters, as appropriate. You can see one of my working examples on Github for Spring Security and EmberJS integration.
The only thing you may need to worry about is CSRF tokens for form submissions using AJAX. The latest Spring Security documentation has a small section dedicated to this so you should not face too many problems getting that to work either. However, I would like to clarify that this particular issue is not specific to Spring Security. CSRF protection typically involves including a secure, randomly generated token with every HTTP POST request. The challenge arises from making existing JavaScript libraries aware of this token and how it should be included in HTTP POST requests. This would be a challenge in any application, not just those using Spring Security.
If however you will work with stateless clients, such as, mobile devices, you will be unable to rely on the default Spring Security mechanism of storing the user credentials in HTTP Session because HTTP requests will not have information to tie them to a session. This again is not specific to a Spring or Spring Security application because the constraint is imposed by the nature of the client and the client-server communication rather than any server-side technology. In such circumstances you will need to pass some authentication token in the HTTP headers for the application to maintain security state on the server side. I have a working example for this as well. If you need more details, there are articles on the web that explain how to do something like this with Spring Security.

Resources