0

I have the spring boot application running on the domain A.It purpose is to expose some REST endpoints.

Also, I have angular 8 application. It could be deployed on the same domain A, or in other domain B. The spring boot app is aware of on which domain is angular app deployed.

I need to configure Spring security,so it will accept requests on particular endpoints ONLY from the angular app. But also, some of the endpoints need to be role-aware

For example:

  • /api/v1/resources/** - should be from angular app only
  • /api/v1/resources/admin/** - should be only from angular app AND user should have admin role
  • /api/v1/payments/** - this can accept requests not only from angular app (merchant callbacks for example)

I would highly appreciate some pieces of advice on the best approach for this

Improve this question
1
  • Protecting the backend by application authorization is not that easy and almost impossible. Mainly because is a webapp that is calling the your backend. Anyone can debug your app using the browser (since the code is in Javascript (client-side)) and create a client to your backend APIs using your Angular App credentials. That's why, for front-end, I always prefer user authentication over application authentication. Commented Oct 16, 2019 at 12:15

2 Answers 2

Reset to default
1

You can achieve this by applying URL specific filter in securityConfig.java class where you have extended WebSecurityConfigurerAdapter class also you need to pass one custom header from your Angular app.

@Autowired
private HeaderFilter headerFilter;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/api/v1/resources/**")
        .addFilterBefore(headerFilter, BasicAuthenticationFilter.class)
        .authorizeRequests()
        .anyRequest().authenticated();
}

You can create HeaderFilter.class and inside doFilter() method implement like below.

public class HeaderFilter extends GenericFilterBean {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        Enumeration<String> headerNames = httpRequest.getHeaderNames();

        if (headerNames != null) {
            while (headerNames.hasMoreElements()) {
                request.getHeader("YOUR_CUSTOM_HEADER");
                //get Angular app specific header and it's value whether it is correct then true else stop filter chain.
                if(FOUND){
                   chain.doFilter(request, response);
                } else {
                   throw Exception();
                }
            }
        }

    }
}

You can also add ROLE BASED additional authentication for ADMIN access in securityconfig.java

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

In your WebSecurityConfig class which extends from WebSecurityConfigurerAdapter (org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter) edit your configure mwthod as this

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable().
            authorizeRequests()
            .antMatchers("/api/v1/resources/admin/**").hasRole("admin")
            .antMatchers("/api/v1/payments/**").permitAll()
            .anyRequest().authenticated()           
            ...
            ...
        }
Improve this answer

1 Comment

This won't work, because this provide solution based on USER role not based on platform from which API gets called.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.