
Angular and Spring Security Architecture

I've been trying to build an application which has Angular (2) at its front and a Spring RESTful service to fetch/manipulate the data from/in the database. Now, one thing that is constantly bugging me is how to ensure security. I have implemented Spring Security to deal with the authentication.

But now there are certain things like CSRF attacks that are done through cross-origin requests. Angular runs on a server (localhost:4200 by default) different from that of the Spring REST service (e.g. Tomcat, localhost:8080). When a request is made to the REST service it would be treated as a cross-origin request. What's confusing me is whether I can use the CSRF protection offered by Spring Security in this scenario. If not, then how can I prevent my REST service from being exploited by a malicious attack?

I've gone through questions like: CORS issue - No 'Access-Control-Allow-Origin' header is present on the requested resource, where I can see CSRF protection being disabled and CORS being configured according to the needs. But that doesn't address my question of whether the REST service is open to attacks or not.

PS: I'm quite new to the security configuration of web applications, so please point out if I am doing something wrong or have got the concept wrong.

To address your question around being vulnerable to CSRF attacks, you need to first decide on what authentication mechanism you are going to use (token based or cookie based). The crux of a CSRF attack relies on exploiting an application that keeps the user's logged-on context using a cookie, IP address or anything else that a browser automatically includes in requests (check out this post for more details on CSRF and example attacks).

Say, for example, you are using cookie-based authentication, and you rely on the fact that the cookie is automatically included by the browser in subsequent HTTP requests (given the cookie is still valid, i.e. has not expired, etc.) to verify that a particular user has sent the request. Since the cookie is automatically included in the browser's requests, an attacker can reconstruct a request that your backend server can handle, and if they are able to get a user of your website to fire off this request in their browser, your backend server would not be able to discredit the request because it seems as though it is a legitimate request from one of your users.

In the case of token-based authentication, this is not an issue because the browser does not automatically include your authentication token in the request headers. Therefore the attacker would not be able to rely on the browser alone to validate their fake request.

Now the next question, with regards to the Cross-Origin policy. This is now enforced by all trusted browsers, so you can expect that the majority of your users will be sending requests that conform to the Cross-Origin policy. Therefore, you will need to do one of the following on your backend server:

  1. Seeing as you specify that your backend server is running on localhost:8080 , and your Angular app on localhost:4200 , I will assume that you have them running on the same host. If you intend to have them both running on the same host in your production environment as well, then you could just set the 'Access-Control-Allow-Origin' header to '*' in your backend server.
    This will let your backend server accept requests from any origin. Then you could use your firewall to make port 8080 inaccessible to external connections.
    This is a quick fix (especially to get things going locally), however it is not ideal because relying on your firewall alone is not advisable.
  2. I would recommend you set the Access-Control-Allow-Origin header to only accept your Angular application as the source. So if your application is on the same host as the backend server, e.g. for local development, then you should set it to http://localhost:4200 . If your Angular app will be on a different host to the Spring server, then you will need to specify the domain of your website, e.g. http://example.com , in the Access-Control-Allow-Origin header (see this post for a clearer explanation on how to use this header).

I hope this answers your questions.
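The following is an added example, not code from the question or the answer above, showing how the two points the answer makes (keep CSRF protection when authentication rides on a cookie, and allow-list the Angular origin instead of `*`) translate into a Spring Security configuration. It assumes Spring Security 5.x with the `WebSecurityConfigurerAdapter` style that was current when Angular 2 was new, cookie/session-based login via HTTP Basic, the Angular dev server at `http://localhost:4200` from the question, and a hypothetical `/api/**` path layout; the class name `ApiSecurityConfig` is also invented for the example.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example (not the original post's code): Spring Security 5.x configuration
// for a REST API on :8080 consumed by an Angular app served from :4200.
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Origin of the Angular app, taken from the question; assumed value for the example.
    private static final String ANGULAR_ORIGIN = "http://localhost:4200";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Enable Spring's CorsFilter; with no argument it looks up the
            // bean named "corsConfigurationSource" declared below.
            .cors().and()
            // Keep CSRF protection ON because authentication rides on a cookie.
            // Double-submit pattern: Spring writes the token into a JavaScript-readable
            // XSRF-TOKEN cookie, and each state-changing request (POST/PUT/DELETE/PATCH)
            // must echo it back in the X-XSRF-TOKEN header. A page on another site can
            // make the browser send the session cookie, but it cannot read the XSRF
            // cookie, so it cannot produce the matching header.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            .authorizeRequests()
                .antMatchers("/api/public/**").permitAll()   // hypothetical open endpoints
                .anyRequest().authenticated()
                .and()
            // Cookie/session-style login for the example. If you switch to a bearer
            // token that the Angular app stores and attaches itself, no cookie carries
            // authentication and csrf().disable() becomes defensible.
            .httpBasic();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Exact origin allow-list, never "*": browsers reject "*" when credentials
        // are allowed, and an open list would let any site make credentialed calls.
        config.setAllowedOrigins(Arrays.asList(ANGULAR_ORIGIN));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(Arrays.asList("Content-Type", "Authorization", "X-XSRF-TOKEN"));
        // Lets the browser send the session and XSRF cookies on cross-origin calls;
        // the Angular HttpClient request must also set withCredentials: true.
        config.setAllowCredentials(true);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);   // hypothetical API prefix
        return source;
    }
}
```

One caveat on the Angular side: `HttpClientXsrfModule` reads the `XSRF-TOKEN` cookie and adds the `X-XSRF-TOKEN` header automatically, but its interceptor skips absolute URLs, so a call to `http://localhost:8080/api/...` from the :4200 app gets no header and Spring rejects it with 403. The usual fix is to keep the requests same-origin: proxy `/api` through the Angular dev server (`ng serve --proxy-config proxy.conf.json`) during development and serve the built bundle from the same origin as the API in production, at which point the CORS entry only matters for any genuinely separate front-end host.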
