This repository is for the SpringOne 2021 presentation titled "Spring Security 5.5 From Taxi to Takeoff". It contains four applications, `sso`, `flights-api`, `flights-web` and `spa`, whose roles are described below.

The final state is a single-page application that authenticates the user with OpenID Connect 1.0 and collaborates with a REST API using OAuth 2.0 bearer tokens. It brings together the following concepts:

- `spa` is served as static content from the `/static` directory of `flights-web`
- The `sso` application is configured as an OpenID Connect 1.0 provider that mints signed JWTs for an OAuth 2.0 client
- The `flights-api` application is simplified to act as a resource server that verifies signed JWTs for authentication
- The `flights-web` application acts as an OAuth 2.0 client, performs token relay with Spring Cloud Gateway, and implements the backend for frontend (BFF) pattern to store access tokens on the server
- `spa` authenticates with `flights-web` using a standard session cookie (`SESSIONID`), and additionally uses a cookie/header pair for CSRF protection (`XSRF-TOKEN`, `X-XSRF-TOKEN`)

First, start the authorization server with the following command:
```shell
./gradlew :sso:bootRun
```

Next, start the REST API like so:

```shell
./gradlew :flights-api:bootRun
```

You will need the Angular CLI installed. Then, start the SPA and OAuth 2.0 client application using the following command:

```shell
./gradlew :flights-web:bootRun
```
Finally, navigate to http://127.0.0.1:8000

NOTE: Ensure you have added `127.0.0.1 auth-server` to your `/etc/hosts` file. This keeps the authorization server on a separate host, so that its cookies are distinguished from those of other apps running on `localhost`.
To run the applications natively, you can use spring-native to build the images locally, or pull the pre-built images from Docker Hub. A `docker-compose.yml` file is provided to run using the pre-built images:

```shell
docker-compose up
```
To follow along with the presentation, start with the `main` branch:

```shell
git checkout main
```

Each checkpoint along the way has a specific commit message you can use to quickly hop around in the presentation. For example, to switch to "Step 1 - Secure by default", do the following:

```shell
./look-at 'Step 1'
```
This will safely attempt to switch to that commit, but you will be left in 'detached HEAD' state. To reset to a particular point such as "Step 12 - Secure BFF application", run `git checkout main` again, and then do the following:

```shell
./jump-to 'Step 12'
```

This will hard-reset to the specified commit and discard any changes in your working directory.