This repository is for the SpringOne 2021 presentation titled "Spring Security 5.5 From Taxi to Takeoff". It contains the following four applications:
- spa - An Angular-based Single Page Application
- flights-web - A Spring-powered OAuth 2.0 client application
- flights-api - A REST API secured with Spring Security OAuth 2.0 Resource Server
- sso - A Spring-powered OAuth 2.0 Authorization Server
The final state is a single-page application that authenticates the user with OpenID Connect 1.0 and collaborates with a REST API using OAuth 2.0 bearer tokens. It brings together the following concepts:
- The
spais served as static content from the/staticdirectory offlights-web - The
ssoapplication is configured as an OpenID Connect 1.0 provider that mints signed JWTs for an OAuth 2.0 client - The
flights-apiapplication is simplified to act as a resource server that verifies signed JWTs for authentication - The
flights-webapplication acts as an OAuth 2.0 client, performs token relay with Spring Cloud Gateway, and implements the backend for frontend (bff) pattern to store access tokens on the server - The
spaauthenticates withflights-webusing a standard session cookie (SESSIONID), and additionally uses a cookie/header pair for csrf protection (XSRF-TOKEN,X-XSRF-TOKEN)
First, start the authorization server, with the following command:
./gradlew :sso:bootRunNext, start the REST API like so:
./gradlew :flights-api:bootRunYou will need the Angular CLI installed. Then, start the SPA and OAuth 2.0 Client application using the following command:
./gradlew :flights-web:bootRunFinally, navigate to http://127.0.0.1:8000
NOTE: Ensure you have added 127.0.0.1 auth-server to your /etc/hosts file, which is used to keep the authorization server on a separate host to distinguish cookies from other apps running on localhost.
To run the application's natively, you can use spring-native to build the images locally, or pull the pre-built images from Docker Hub. A docker-compose.yml file is provided to run using the pre-built images.
docker-compose upTo follow along with the presentation, start with the main branch:
git checkout mainEach checkpoint along the way contains a specific commit message you can use to quickly hop around in the presentation. For example, to switch to Step 1 - Secure by default, do the following:
./look-at 'Step 1'This will safely attempt to switch to a particular commit, but you will be in 'detached HEAD' state. To reset to a particular point such as Step 12 - Secure BFF application ,git checkout main again, and do the following:
./jump-to 'Step 12'This will hard-reset to the specified commit and discard changes in your working directory.