Skip to content

sjohnr/springone-2021

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits

flights-api

flights-api

 
 

flights-web

flights-web

 
 

gradle/wrapper

gradle/wrapper

 
 

spa

spa

 
 

sso

sso

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

build.gradle

build.gradle

 
 

docker-compose.yml

docker-compose.yml

 
 

gradlew

gradlew

 
 

gradlew.bat

gradlew.bat

 
 

jump-to

jump-to

 
 

look-at

look-at

 
 

run-native-api-linux

run-native-api-linux

 
 

settings.gradle

settings.gradle

 
 

Repository files navigation

Spring Security 5.5 From Taxi to Takeoff

This repository is for the SpringOne 2021 presentation titled "Spring Security 5.5 From Taxi to Takeoff". It contains the following four applications:

  • spa - An Angular-based Single Page Application
  • flights-web - A Spring-powered OAuth 2.0 client application
  • flights-api - A REST API secured with Spring Security OAuth 2.0 Resource Server
  • sso - A Spring-powered OAuth 2.0 Authorization Server

The final state is a single-page application that authenticates the user with OpenID Connect 1.0 and collaborates with a REST API using OAuth 2.0 bearer tokens. It brings together the following concepts:

  • The spa is served as static content from the /static directory of flights-web
  • The sso application is configured as an OpenID Connect 1.0 provider that mints signed JWTs for an OAuth 2.0 client
  • The flights-api application is simplified to act as a resource server that verifies signed JWTs for authentication
  • The flights-web application acts as an OAuth 2.0 client, performs token relay with Spring Cloud Gateway, and implements the backend for frontend (bff) pattern to store access tokens on the server
  • The spa authenticates with flights-web using a standard session cookie (SESSIONID), and additionally uses a cookie/header pair for csrf protection (XSRF-TOKEN, X-XSRF-TOKEN)

Getting Started

First, start the authorization server, with the following command:

./gradlew :sso:bootRun

Next, start the REST API like so:

./gradlew :flights-api:bootRun

You will need the Angular CLI installed. Then, start the SPA and OAuth 2.0 Client application using the following command:

./gradlew :flights-web:bootRun

Finally, navigate to http://127.0.0.1:8000

NOTE: Ensure you have added 127.0.0.1 auth-server to your /etc/hosts file, which is used to keep the authorization server on a separate host to distinguish cookies from other apps running on localhost.

Running Natively

To run the application's natively, you can use spring-native to build the images locally, or pull the pre-built images from Docker Hub. A docker-compose.yml file is provided to run using the pre-built images.

docker-compose up

Following Along

To follow along with the presentation, start with the main branch:

git checkout main

Each checkpoint along the way contains a specific commit message you can use to quickly hop around in the presentation. For example, to switch to Step 1 - Secure by default, do the following:

./look-at 'Step 1'

This will safely attempt to switch to a particular commit, but you will be in 'detached HEAD' state. To reset to a particular point such as Step 12 - Secure BFF application ,git checkout main again, and do the following:

./jump-to 'Step 12'

This will hard-reset to the specified commit and discard changes in your working directory.

About

Spring Security 5.5 From Taxi To Takeoff

springone.io/2021/sessions/spring-security-5-5

Resources

Readme
Activity

Stars

69 stars

Watchers

8 watching

Forks

27 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages