Here we show how to use Spring Security OAuth together with Spring Cloud to extend our API Gateway to do Single Sign On and OAuth2 token authentication to backend resources. In this section we continue our discussion of how to use Spring Security with Angular in a "single page application".

Here’s a rule of thumb (attributed to Rob Winch): if your application or API is going to be accessed by a browser, you need CSRF protection. It’s not that you can’t do it without sessions, it’s just that you’d have to write all that code yourself, and what would be the point because it’s already implemented and works perfectly well on top of HttpSession (which in turn is part of the container you are using and baked into specs since the very beginning)? That code is not business logic, and it isn’t making you any money, it’s just an overhead, so even worse, it costs you money. Even if you decide you don’t need CSRF, and have a perfectly "stateless" (non-session based) token implementation, you still had to write extra code in the client to consume and use it, where you could have just delegated to the browser and server’s own built-in features: the browser always sends cookies, and the server always has a session (unless you switch it off).

If that was your response to the last section, then read it again because maybe you didn’t get it the first time. It’s probably not stateless if you stored the token somewhere, but even if you didn’t (e.g. you use JWT encoded tokens), how are you going to provide CSRF protection? It’s important.