
Angular and Spring Security Architecture

I've been trying to build an application which has Angular (2) at its front and a Spring RESTful service to fetch/manipulate the data from/in the database. Now, one thing that is constantly bugging me is how to ensure security. I have implemented Spring Security to deal with the authentication.

But, now there are certain things like CSRF attacks that are done through cross-origin requests. Angular runs on a server (localhost:4200 by default) different from that of the Spring REST service (e.g. Tomcat - localhost:8080). When a request is made to the REST service it would be treated as a cross-origin request. What's confusing me is if I can use the CSRF protection offered by Spring Security in this scenario. If not, then how can I prevent my REST service from being exploited by a malicious attack?

I've gone through questions like: CORS issue - No 'Access-Control-Allow-Origin' header is present on the requested resource, where I can see CSRF protection being disabled and CORS being configured according to the needs. But that doesn't address my question on whether the REST service is open to attacks or not.

PS: I'm quite new to the security configuration of web applications, so please point out if I am doing something wrong or got the concept wrong.

To address your question around being vulnerable to CSRF attacks, you need to first decide on what authentication mechanism you are going to use (token based or cookie based). The crux of a CSRF attack relies on exploiting an application that keeps the user's logged-on context using a cookie, IP address or anything else that a browser automatically includes in requests (check out this post for more details on CSRF and example attacks).

Say, for example, you are using cookie-based authentication, and you rely on the fact that the cookie is automatically included by the browser in subsequent HTTP requests (given the cookie is still valid, i.e. has not expired etc.) to verify that a particular user has sent the request. Since the cookie is automatically included in the browser's requests, an attacker can reconstruct a request that your backend server can handle, and if they are able to get a user of your website to fire off this request in their browser, your backend server would not be able to discredit the request because it seems as though it is a legitimate request from one of your users.

In the case of token-based authentication, this is not an issue because the browser does not automatically include your authentication token in the request headers. Therefore the attacker would not be able to rely on the browser alone to validate their fake request.

Now the next question, with regards to the Cross-Origin policy. This is now enforced by all trusted browsers, so you can expect that the majority of your users will be sending requests that conform to the Cross-Origin policy. Therefore, you will need to do one of the following on your backend server:

  1. Seeing as you specify that your backend server is running on localhost:8080, and your Angular app on localhost:4200, I will assume that you have them running on the same host. If you intend to have them both running on the same host in your production environment as well, then you could just set the 'Access-Control-Allow-Origin' header to '*' in your backend server.
    This will let your backend server accept requests from any origin. Then you could use your firewall to make port 8080 inaccessible to external connections.
    This is a quick fix (especially to get things going locally), however not ideal because relying on your firewall alone is not advisable.
  2. I would recommend you set the Access-Control-Allow-Origin header to only accept your Angular application as the source. So if your application is on the same host as the backend server, e.g. for local development, then you should set it to http://localhost:4200. If your Angular app will be on a different host to the Spring server, then you will need to specify the domain of your website, e.g. http://example.com, in the Access-Control-Allow-Origin header (see this post for a clearer explanation on how to use this header).

I hope this answers your questions.
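The answer's second option (allow only the Angular origin) combined with keeping Spring Security's CSRF protection enabled for a cookie-based session, as an added example that is not part of the original answer. It assumes the Spring Security 5.6+ lambda DSL, that the Angular dev server runs on http://localhost:4200, and that the client sends the CSRF token in the X-XSRF-TOKEN header, which Angular's HttpClient does by default when it can read the XSRF-TOKEN cookie.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig {

    // Assumed origin of the Angular app; use the production site origin there.
    private static final String ANGULAR_ORIGIN = "http://localhost:4200";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Only the Angular origin is allowed, never "*" (option 2 above).
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            // Keep CSRF on for cookie-based sessions: the token is written to a
            // readable XSRF-TOKEN cookie, and must come back in X-XSRF-TOKEN.
            // A cross-site form post cannot read the cookie, so it fails the check.
            .csrf(csrf -> csrf.csrfTokenRepository(
                    CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of(ANGULAR_ORIGIN));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Content-Type", "X-XSRF-TOKEN", "Authorization"));
        // Lets the browser send the session and XSRF cookies cross-origin; this is
        // only acceptable because the allowed-origin list is explicit, not "*".
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

Angular's built-in XSRF interceptor only adds the header for relative URLs, so when the app calls http://localhost:8080 directly you either proxy the API path through the dev server or set X-XSRF-TOKEN from the cookie yourself. With a pure token scheme (Authorization header, no cookie session) the csrf(...) line can be replaced by csrf.disable(), as the answer's token-based reasoning describes.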
