Step 12 - Secure BFF application

Author: marcusdacoregio

flights-api/src/main/java/com/example/api/SecurityConfiguration.java

@@ -4,18 +4,13 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 @Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
@@ -26,24 +21,11 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, AccessRuleAuth
 		// @formatter:off
 		http
 			.authorizeHttpRequests((authz) -> authz.anyRequest().access(access))
-			.cors(Customizer.withDefaults())
 			.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
 		// @formatter:on
 		return http.build();
 	}
 
-	@Bean
-	CorsConfigurationSource corsConfigurationSource() {
-		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-		CorsConfiguration config = new CorsConfiguration();
-		config.addAllowedHeader("*");
-		config.addAllowedMethod("*");
-		config.addAllowedOrigin("http://127.0.0.1:8000");
-		config.setAllowCredentials(true);
-		source.registerCorsConfiguration("/**", config);
-		return source;
-	}
-
 	@Bean
 	public JwtAuthenticationConverter jwtAuthenticationConverter() {
 		JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();

flights-web/build.gradle

@@ -17,6 +17,7 @@ ext {
 }
 
 dependencies {
+	implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
 	implementation 'org.springframework.boot:spring-boot-starter-webflux'
 	implementation 'org.springframework.cloud:spring-cloud-starter-gateway'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'

flights-web/src/main/java/com/example/web/CsrfCookieWebFilter.java

@@ -0,0 +1,29 @@
+package com.example.web;
+
+import java.time.Duration;
+
+import reactor.core.publisher.Mono;
+
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxProperties;
+import org.springframework.http.ResponseCookie;
+import org.springframework.security.web.server.csrf.CsrfToken;
+import org.springframework.stereotype.Component;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+
+@Component
+public class CsrfCookieWebFilter implements WebFilter {
+
+	@Override
+	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+		String key = CsrfToken.class.getName();
+		Mono<CsrfToken> csrfToken = null != exchange.getAttribute(key) ? exchange.getAttribute(key) : Mono.empty();
+		return csrfToken.doOnSuccess(token -> {
+			ResponseCookie cookie = ResponseCookie.from("XSRF-TOKEN", token.getToken()).maxAge(Duration.ofHours(1))
+					.httpOnly(false).path("/").sameSite(WebFluxProperties.SameSite.LAX.attribute()).build();
+			exchange.getResponse().getCookies().add("XSRF-TOKEN", cookie);
+		}).then(chain.filter(exchange));
+	}
+
+}

flights-web/src/main/java/com/example/web/SecurityConfiguration.java

@@ -1,8 +1,28 @@
 package com.example.web;
 
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
 
 @Configuration
 public class SecurityConfiguration {
 
+	@Bean
+	SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+		// @formatter:off
+		http
+			.authorizeExchange((authorize) -> authorize
+				.anyExchange().authenticated()
+			)
+			.oauth2Login(Customizer.withDefaults())
+			.csrf((csrf) -> csrf
+				.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
+			);
+		// @formatter:on
+		return http.build();
+	}
+
 }

flights-web/src/main/resources/application.yml

@@ -6,13 +6,28 @@ logging:
     org.springframework.security: TRACE
 
 spring:
+  security:
+    oauth2:
+      client:
+        registration:
+          air-traffic-control-client:
+            provider: spring
+            client-id: air-traffic-control
+            client-secret: secret
+            scope: openid,flights:read,flights:write
+            client-name: Spring
+        provider:
+          spring:
+            issuer-uri: http://auth-server:9000
   cloud:
     gateway:
       routes:
         - id: resource
           uri: http://localhost:8090
           predicates:
             - Path=/flights/**, /user/**
+          filters:
+            - TokenRelay=
         - id: default
           uri: forward:/index.html
           predicates:

spa/src/app/interceptors/gateway.interceptor.ts

@@ -13,8 +13,7 @@ export class GatewayInterceptor implements HttpInterceptor {
     }
 
     const newReq = req.clone({
-      url: 'http://127.0.0.1:8090' + req.url,
-      withCredentials: true
+      url: 'http://127.0.0.1:8000' + req.url
     });
 
     return next.handle(newReq);