What is the best way to implement SSL in Spring Boot & Angular application (frontend with backend)?
Should I configure SSL in both applications separately?
Or should I configure SSL in Nginx web server and not taking care about securing applications?
Should I configure SSL in both applications separately?
If you've built out a microservice architecture and both your spring boot application and your Angular application are served off different domains, then yes you should configure SSL on both applications.
Or should I configure SSL in Nginx web server and not taking care about securing applications?
If you are using NGINX to serve your Angular application, then yes you should setup SSL on it.
I'll add that SSL is not the only step required to secure an application. Many applications will require some user management with role based permissions and control access to screens in your app or REST APIs based on user permissions.
Related
I have a spring boot application and a traditional javax web servlet running on the same ssl port on an application server.
I want to make a https request to the webservlet from the spring boot app.
Is it possible to communicate between these applications without using SSL? Or, can i reuse the client cert from the client who hit the spring boot app, and pass SSL easily that way?
It seems strange to me that the browser can hop around between the apps easily but the apps cannot communicate directly without proper cert handling.
From what I know of sockets, I don't think this model works. Two applications can't listen to the same port AFAIK.
I have an app running on AWS that has got a React JS front-end hosted through S3 and Spring Boot back-end hosted on EC2 instances behind a load balancer. I got my SSL certificate for my domain and I use CloudFront to redirect HTTP requests into HTTPS.
My issue is that I can connect through HTTPS to my load balancer, however, my Spring Boot API won't accept HTTPS from the load balancer. Therefore I use HTTP and anytime I send an API call to my backend, my site changes to "Not Secured".
Is there a way to use the Amazon issued certificate in my Spring Boot API in order for it to accept HTTPS calls? I have only found tutorials using self-signed certs and was wondering if I can use my AWS certificate instead.
If there is a way, could you please provide an example of code I need to insert in my application.properties file?
Cheers
Kris
This part of your question is really confusing, since you don't provide details about what you mean:
My issue is that I can connect through HTTPS to my load balancer,
however, my spring-boot API won't accept HTTPS from the load balancer.
Your load balancer should be serving the AWS ACM SSL certificate. You should code your application so that your website makes SSL calls to your API. The load balancer should communicate with your Spring Boot backend server over HTTP, by setting the HTTP protocol and port in the load balancer target group settings.
The traffic flow should look like this:
Web Browser -> (HTTPS) API call to Load Balancer -> (HTTP) call to backend Spring Boot server
I have a web based Java application made using Spring Framework. I have a spring security file that authenticates users. I need to enable SSO on my application using Azure Active Directory so that I can integrate it with myapps.microsoft.com. Can someone provide me any pointers or direction.
Thanks.
SSO with with protocol? SAML or OAUTH?
In any case you have to register your app in the Active Directory as SSO Application. In this configuration you also define the OAUTH or SAML Options.
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
I am working on an application architecture which will have independent UI Layer(HTML5 and Angular2) and Service Layer(Spring Boot Project) . Both will be hosted on independent servers. The UI layer will fetch data from DB using REST Calls. I Have few queries.
1. I am building my UI with Angular2 which basically runs on node.js. How can i integrate spring security using ldap.
2. How can i make REST Calls to my service which is hosted on a different server.
3. How do i solve the issue of authentication/authorization with REST Service using Spring security.
Looking forward to your responses.
Thanks,
Avinash
How can i integrate spring security using ldap.
Use Spring Security LDAP module to wire up the security services of your backend. Secure the URIs and that is all that you require.
Spring LDAP Guide
Spring LDAP Reference
How can i make REST Calls to my service which is hosted on a different server.
I presume that you will have the backend on a server and there is connectivity between your nodejs server and the backend server. Use the hostname and port if you want things to be simple. Please allow CORS on your backend server either programmatically, or by using a proxy server such as nginx.
How do i solve the issue of authentication/authorization with REST Service using Spring security.
Spring security will enable end points for Authentication and Authorization. Your angular application must need to check for the authentication at the start of every request ideally, and when there is a (401) Authentication Failure, redirect to a login controller. Keep the default route to the angular application to the login controller too.
We have over a dozen legacy web applications (each with their own app contexts) that use Tomcat's container managed security for simple form-based authentication. We currently use Tomcat's single sign on valve to allow authenticated users to jump between web apps without the need of re-authenticating. We are also developing new web applications using the Spring Security framework.
Is it possible to get users who are authenticated via the new Spring Security apps to also be able to jump to the older legacy (non-Spring) apps without the need of re-authenticating? Is their a way to bridge Spring Security with the Tomcat SSO valve?
I prefer to avoid making any changes to the legacy web apps, but understand if it doesn't seem possible.
You will be able to do it using J2eePreAuthenticatedProcessingFilter:
http://static.springsource.org/spring-security/site/docs/3.2.x/reference/htmlsingle/#d4e2766
Please note:
When Tomcat SSO is configured it provides Java EE authentication for a web application.
It means that for an application is transparent if it was authenticated by form authentication or for Tomcat SSO. Finally it is Java EE authentication.
So, you need to use J2eePreAuthenticatedProcessingFilter to be able to use Java EE authentication provided by Tomcat.