These are chat archives for spring-guides/tut-spring-security-and-angular-js

29th Jul 2015
ccit-spence
@ccit-spence
Jul 29 2015 09:19
@dsyer do you get this error in Chrome with your examples?
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied.
Dave Syer
@dsyer
Jul 29 2015 09:20
In the JS console?
ccit-spence
@ccit-spence
Jul 29 2015 09:20
dev tools in chrome
Dave Syer
@dsyer
Jul 29 2015 09:20
In the console?
ccit-spence
@ccit-spence
Jul 29 2015 09:20
yes
Dave Syer
@dsyer
Jul 29 2015 09:20
Don't remember
Is there a specific sample you were trying?
ccit-spence
@ccit-spence
Jul 29 2015 09:21
the Double version
without angular, spring mvc only
I see some chatter in stackoverflow that it is a chrome issue. wasn’t sure if you had seen it
Dave Syer
@dsyer
Jul 29 2015 09:22
Probably I have then
I must have ignored it
ccit-spence
@ccit-spence
Jul 29 2015 09:22
ok, I can do that
I see that you have security configured within the UI services. Is that required if they are behind a firewall?
Dave Syer
@dsyer
Jul 29 2015 09:23
Up to you
ccit-spence
@ccit-spence
Jul 29 2015 09:23
can zuul be the only place security is configured
Dave Syer
@dsyer
Jul 29 2015 09:23
It certainly can.
That makes the session handling a lot simpler
ccit-spence
@ccit-spence
Jul 29 2015 09:24
all other services in our case are behind aws security groups
I do have spring session implemented, with redis atm
if it is all zuul then that really is not needed?
Dave Syer
@dsyer
Jul 29 2015 09:25
I guess you need it if the backends make their own security decisions
Or have content that is user-specific
ccit-spence
@ccit-spence
Jul 29 2015 09:26
that makes sense, very easy to leave in anyways
I just didn’t want to have to keep track of security configs in every service
Dave Syer
@dsyer
Jul 29 2015 09:27
I guess the business requirements dictate whether it is needed or not
ccit-spence
@ccit-spence
Jul 29 2015 09:28
sure, most of this is public. only a handful are authenticated services. either extjs or vaadin
I am hoping to track down the 302 issue. not seeing it so far
ccit-spence
@ccit-spence
Jul 29 2015 11:08
Pretty sure I have the security through zuul working now. At least the tests are going well.
One question: Am I wrong but if you have a lot of non-secure services the antMatchers will be very large. Is there a better way?
Dave Syer
@dsyer
Jul 29 2015 11:11
Don't use ant matchers?
I guess it depends
You mean the matchers in the proxy?
ccit-spence
@ccit-spence
Jul 29 2015 11:13
yes, in the proxy
Dave Syer
@dsyer
Jul 29 2015 11:13
You could use a custom matcher I guess.
Or a regex
Or stick them all behind a common prefix (that's probably the easiest)
ccit-spence
@ccit-spence
Jul 29 2015 11:14
maybe a regex looking for what to secure since there would be fewer secure and put a not in front of it?
Dave Syer
@dsyer
Jul 29 2015 11:14
Or do the opposite - stick the secure ones behind a common prefix
Yeah, that too.
Prefix is easier and faster to match.
But regex would work I think
ccit-spence
@ccit-spence
Jul 29 2015 11:15
I made the mistake many years ago of learning regex fairly well so that fits for me
I did notice that you still have to have spring security within the pom of the spring mvc ui even if not using it i.e. turning it off within properties
would get csrf errors otherwise
is that normal?
Dave Syer
@dsyer
Jul 29 2015 11:18
csrf errors can only be generated by Spring Security
So switching it off or leaving it out should be the same
Your proxy end might enforce csrf I guess
ccit-spence
@ccit-spence
Jul 29 2015 11:19
the error was generated by the ui not being able to deserialize the csrf being sent from zuul
Dave Syer
@dsyer
Jul 29 2015 11:20
I guess it makes some sense
But if you are sending the csrf token as a cookie there's no need for the UI to decode it at all is there?
The proxy should be handling cookies and csrf
ccit-spence
@ccit-spence
Jul 29 2015 11:21
apparently it must be passing it along
Dave Syer
@dsyer
Jul 29 2015 11:21
It's an interesting topic for a new blog maybe
ccit-spence
@ccit-spence
Jul 29 2015 11:21
all I did was remove security from the pom and got the error
Dave Syer
@dsyer
Jul 29 2015 11:21
It doesn't matter if it passes it along if there's nothing to decode it
So removing Spring Security would mean it was just ignored in the UI
The proxy should enforce it (at least)
ccit-spence
@ccit-spence
Jul 29 2015 11:23
trying it again now, one thing I have noticed is the lack of ability to provide a fallback for ribbon with UIs results in 500s
So all I did was remove the security properties and remove security from the pom and this is the error
There was an unexpected error (type=Internal Server Error, status=500). Cannot deserialize; nested exception is org.springframework.core.serializer.support.SerializationFailedException: Failed to deserialize payload. Is the byte array a result of corresponding serialization for DefaultDeserializer?; nested exception is org.springframework.core.NestedIOException: Failed to deserialize object type; nested exception is java.lang.ClassNotFoundException: org.springframework.security.web.csrf.DefaultCsrfToken
Dave Syer
@dsyer
Jul 29 2015 11:27
That's because you are sharing sessions
and there is no need for a session in the UI
It's not a csrf protection error
Just a session deserialization
ccit-spence
@ccit-spence
Jul 29 2015 11:28
that is true, spring session / redis is still there
Dave Syer
@dsyer
Jul 29 2015 11:28
If there's no security it should be stateless
ccit-spence
@ccit-spence
Jul 29 2015 11:29
since I do want sessions throughout the app, then what seems to work is add security and then turn it off in properties
this is what I add in properties: security.basic.enabled = false
Dave Syer
@dsyer
Jul 29 2015 11:30
I guess I don't understand why you need a session in the UI. But it is an interesting use case
ccit-spence
@ccit-spence
Jul 29 2015 11:30
to track users, browsers etc.
tell who they are if they are logged in and where they are going
Dave Syer
@dsyer
Jul 29 2015 11:31
You can't track users without security
So I guess you're saying you need security
But not authentication
ccit-spence
@ccit-spence
Jul 29 2015 11:31
both for some areas
unless you can see a problem with just disabling it where it is not needed, it does work
thanks for the quick answers. I am off for now. Will try the 302 stuff tomorrow.