These are chat archives for spring-guides/tut-spring-security-and-angular-js

27th Jan 2016
grelaxus
@grelaxus
Jan 27 2016 08:10
Hello @dsyer : I'm getting through the Spring Security and AngularJS tutorial (http://spring.io/guides/tutorials/spring-security-and-angular-js). And facing a problem in Part 5 (SSO with OAuth2): if I use a separate SecurityConfiguration in the UI (like in the vanilla or spring-session parts, https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/spring-session/ui/src/main/java/demo/UiApplication.java), then the custom csrfHeaderFilter doesn't get applied (at least I suspect so), the default version of OncePerRequestFilter is applied instead, which seems to be using X-CSRF-TOKEN, rather than X-XSRF-TOKEN. As a result I get the following message when logging out:
DEBUG 8634 --- [nio-8080-exec-2] o.s.security.web.csrf.CsrfFilter: Invalid CSRF token found for http://localhost:8080/logout. If I do all configuration in the UiApplication (like here https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/oauth2-vanilla/ui/src/main/java/demo/UiApplication.java), then I don't get the invalid token message. The question is what is the difference and why this happens? What to do if I want my configuration in a separate class?
Another question wrt part 5 is when I logout (the case above without the csrf problem) I'm forwarded to '#/', which looks like the logged out screen (no logout button, no greeting), but as soon as I refresh the page, I see the screen as if I logged in (without logging in). Is it because I'm still logged in on the AuthorizationServer or is there something wrong in my code?
Thank you.
Dave Syer
@dsyer
Jan 27 2016 08:38
Something wrong I would guess
Are you going to share your code?
the commented code doesn't show the error "Invalid CSRF token found for http://localhost:8080/logout". But the current code does
Dave Syer
@dsyer
Jan 27 2016 08:55
the commented out code doesn't have @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
Do you think that might be part of the problem?
grelaxus
@grelaxus
Jan 27 2016 08:57
I tried to run the app without this, but it doesn't even start
let me try again
Dave Syer
@dsyer
Jan 27 2016 08:57
antMatcher("*") looks wrong as well
that only matches resources in the top level
/** would be more normal for a catch all
grelaxus
@grelaxus
Jan 27 2016 09:01
checked without @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) - didn't help. Now will check the /**
when I add /** in antMatcher, I get an AccessDeniedException on "localhost:8080" with Access is denied (user is anonymous); redirecting to authentication entry point
and the login page shows up without redirecting to the Auth Server end point
Sorry, not login, but index page. When I press login button on this screen, I get Whitelabel Error Page
Dave Syer
@dsyer
Jan 27 2016 09:41
The difference is the @EnableOAuth2Sso
For it to apply to your HttpSecurity filter chain, it has to be declared on the WebSecurityConfigurer
So when you moved that to an inner class you should have moved the annotation too
grelaxus
@grelaxus
Jan 27 2016 09:49
That was the cause! Thank you very much Dr. Syer!
Is it ok that when I push the logout button it doesn't really log me out: when I push "home" I still see the greetings and access token?
@dsyer ?
Dave Syer
@dsyer
Jan 27 2016 10:02
Probably not
But it only logs you out of the UI, not the auth server
so you don't have to re-authenticate when you press "login" (that's SSO)
grelaxus
@grelaxus
Jan 27 2016 10:04
I don't press login, I do logout, then "home" right away
Dave Syer
@dsyer
Jan 27 2016 10:05
Watch the HTTP traffic in your browser dev tools
grelaxus
@grelaxus
Jan 27 2016 10:06
I get "XMLHttpRequest cannot load http://localhost:9999/uaa/oauth/authorize?client_id=acme&redirect_uri=http://localhost:8080/login?logout&response_type=code&state=P1OUH9. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 401." "Logout failed"
Dave Syer
@dsyer
Jan 27 2016 10:06
It sounds like you are being re-directed from the home page to the auth server
That "XMLHttpRequest" thing is normal (it's only telling you what you can't do)
But it means the logout failed, so you are still authenticated I guess
grelaxus
@grelaxus
Jan 27 2016 10:08
but "Logout failed"
I think so..
Dave Syer
@dsyer
Jan 27 2016 10:09
When I click "logout" in your app I get the home page (no greeting)
So it seems to work for me
(you could tidy up the XHR error if you wanted, but it basically works)
grelaxus
@grelaxus
Jan 27 2016 10:10
what might be the cause of "Logout failed" in my case?
I
Dave Syer
@dsyer
Jan 27 2016 10:11
It's normal. I see that too. The XHR client is being told it cannot do a login on its own
It needs the user to click in the browser
grelaxus
@grelaxus
Jan 27 2016 10:11
yes, but I can see the greeting
Dave Syer
@dsyer
Jan 27 2016 10:11
That's not what I see
grelaxus
@grelaxus
Jan 27 2016 10:11
and the unique token
every time I refresh the page
Dave Syer
@dsyer
Jan 27 2016 10:12
Push your changes to bitbucket and let me try the same code
grelaxus
@grelaxus
Jan 27 2016 10:12
hm.., I restarted the UI and it works now, as it should!
Dave Syer
@dsyer
Jan 27 2016 10:14
Good
Always a good idea to use incognito as well to start the flow
grelaxus
@grelaxus
Jan 27 2016 10:14
is there any tutorial for making Spring Social work with OAuth2 and REST API?
Yeah, I follow your advice in the tutorial: always using incognito
basically I want to implement social login into REST API
grelaxus
@grelaxus
Jan 27 2016 10:18
is it applicable for RESTful service?
I mean the auth mechanism
in that tutorial
if resource server is RESTful
Dave Syer
@dsyer
Jan 27 2016 10:19
Well "social login" and "REST API" aren't really all that compatible without some glue
so I don't really know what you mean
grelaxus
@grelaxus
Jan 27 2016 10:21
What kind of 'glue' do you mean?
so I cannot just use spring-social features and apply it for my RESTful architecture?
what I mean is that I want different kinds of clients (web, Android, iOS) to be able to authenticate to my RESTful service in both ways: username\password and social (facebook, google, twitter)
Dave Syer
@dsyer
Jan 27 2016 10:25
Spring Social has nothing to offer for android or ios
I don't really know what you mean
To use a REST service you don't normally have "social" login (unless it is the social network's own API I guess)
grelaxus
@grelaxus
Jan 27 2016 10:30
ok let me re-phrase a bit, what can I do to allow facebook users to have access to REST API?
maybe issuing an authentication token (if the user is authenticated by facebook) or tricks like that?
grelaxus
@grelaxus
Jan 27 2016 10:36
Probably I misunderstand something... how do all mobile apps work with their RESTful backends when the user is logged in with a facebook account?
grelaxus
@grelaxus
Jan 27 2016 10:42
@dsyer sorry for keeping on bugging you.. Thank you for your help!
Dave Syer
@dsyer
Jan 27 2016 10:43
Spring Cloud has a "Token Relay" pattern
It's built into the @EnableZuulProxy that you already have
Follow an XHR request through the UI and down into the back end and you will see the token being relayed downstream
It would work with native or mobile front ends as well
grelaxus
@grelaxus
Jan 27 2016 10:47
and originally who issues this token?
ok, found the pattern in spring-cloud-security doc. Thanks a lot!
will be reading it