
Security

Ignacio del Valle Alles edited this page Feb 29, 2016 · 13 revisions

Brutusin-RPC integrates seamlessly with Spring Security.

Configuration

Configure Spring Security as described in the Spring Security reference topic "AbstractSecurityWebApplicationInitializer without Existing Spring".

Usage

Programmatic security is available through getPrincipal() and isUserInRole(String roleName), called on the object returned by RpcActionSupport.getInstance().

Non-authorized action executions must throw a java.lang.SecurityException.
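The following action shows the two checks described above combined with the exception the framework expects. It is an added example, not code from the Brutusin-RPC project: RpcActionSupport.getInstance(), getPrincipal() and isUserInRole(String) come from this page, while the SafeAction base class, its execute() signature, the role name and the assumption that getPrincipal() returns null for an unauthenticated caller are assumptions.

```java
import java.security.Principal;
import org.brutusin.rpc.RpcActionSupport;
import org.brutusin.rpc.http.SafeAction;

/**
 * Hypothetical action that only admins may execute. Everything except
 * RpcActionSupport.getInstance(), getPrincipal() and isUserInRole(String)
 * is assumed for the sake of the example.
 */
public class AdminGreetingAction extends SafeAction<Void, String> {

    // Assumed role name; use whatever roles your Spring Security setup defines.
    private static final String REQUIRED_ROLE = "ROLE_ADMIN";

    @Override
    public String execute(Void input) throws Exception {
        RpcActionSupport support = RpcActionSupport.getInstance();

        // Assumption: an unauthenticated request yields a null principal.
        Principal principal = support.getPrincipal();
        if (principal == null) {
            // Non-authorized executions must signal the framework with SecurityException.
            throw new SecurityException("Authentication required");
        }

        // Role check; the message deliberately does not echo any caller-supplied data.
        if (!support.isUserInRole(REQUIRED_ROLE)) {
            throw new SecurityException("Role " + REQUIRED_ROLE + " required");
        }

        return "Hello, " + principal.getName();
    }
}
```

Both checks run inside execute(), so they apply to every transport through which the action is reachable; keep the checks in the action rather than only in the client, which an attacker controls.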

Spring CSRF tokens

Add the following Spring CSRF meta tags to client pages that use the JavaScript API:

<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf.parameterName" content="${_csrf.parameterName}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>

The JavaScript API reads them and sends the token as needed.

Websockets

The framework uses JSR-356 WebSockets, with a custom implementation that integrates with Spring Security and has the following characteristics:

  • The WebSocket endpoint is deployed behind the Spring springSecurityFilterChain.
  • To prevent CSRF attacks, the following origin verification algorithm is applied to the handshake request (see WebsocketEndpointConfigurator):
    1. If the handshake request has no Origin header, validation is skipped.
    2. If the org.brutusin.rpc.cors-host environment variable has been configured, the Origin header must match its value.
    3. Otherwise (default case), the Origin and Host header values must match.
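The three-step decision above, written out as a standalone utility so it can be read and tested in isolation. This is an added illustration, not the framework's WebsocketEndpointConfigurator; the class name, the constructor-injected cors-host value and the authority comparison are assumptions. The header map has the shape that HandshakeRequest.getHeaders() returns, and how a failed check is turned into a rejected handshake is container-specific and left out.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Assumed class implementing the origin verification steps listed on this page. */
public final class OriginPolicy {

    // Configured value of org.brutusin.rpc.cors-host, or null when not set.
    private final String corsHost;

    public OriginPolicy(String corsHost) {
        this.corsHost = corsHost;
    }

    /** Returns true when the handshake passes the origin check. */
    public boolean isAllowed(Map<String, List<String>> headers) {
        String origin = first(headers, "Origin");
        if (origin == null) {
            return true; // step 1: no Origin header, validation skipped
        }
        // step 2 when cors-host is configured, step 3 (Host header) otherwise
        String expected = (corsHost != null) ? corsHost : first(headers, "Host");
        return expected != null && sameAuthority(origin, expected);
    }

    /** Case-insensitive header lookup, as HTTP header names are case-insensitive. */
    private static String first(Map<String, List<String>> headers, String name) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name)
                    && e.getValue() != null && !e.getValue().isEmpty()) {
                return e.getValue().get(0);
            }
        }
        return null;
    }

    /**
     * Compares the host[:port] part of the Origin URL with a host[:port] value.
     * Default ports are not normalised: "https://a.example" and "a.example:443"
     * are treated as different, so configure cors-host exactly as browsers send it.
     */
    private static boolean sameAuthority(String origin, String hostValue) {
        try {
            URI u = new URI(origin);
            if (u.getHost() == null) {
                return false; // covers the opaque "Origin: null" case
            }
            String authority = (u.getPort() == -1)
                    ? u.getHost()
                    : u.getHost() + ":" + u.getPort();
            return authority.equalsIgnoreCase(hostValue);
        } catch (URISyntaxException ex) {
            return false; // malformed Origin is a mismatch, never a pass
        }
    }

    /** Constructed sample handshakes to exercise each step. */
    public static void main(String[] args) {
        Map<String, List<String>> sameSite = new HashMap<>();
        sameSite.put("Origin", Arrays.asList("https://app.example.com"));
        sameSite.put("Host", Arrays.asList("app.example.com"));

        Map<String, List<String>> crossSite = new HashMap<>();
        crossSite.put("Origin", Arrays.asList("https://evil.example.net"));
        crossSite.put("Host", Arrays.asList("app.example.com"));

        Map<String, List<String>> noOrigin = new HashMap<>();
        noOrigin.put("Host", Arrays.asList("app.example.com"));

        OriginPolicy defaults = new OriginPolicy(null);
        OriginPolicy pinned = new OriginPolicy("app.example.com");

        System.out.println("same-site, default policy:  " + defaults.isAllowed(sameSite));
        System.out.println("cross-site, default policy: " + defaults.isAllowed(crossSite));
        System.out.println("no Origin header:           " + defaults.isAllowed(noOrigin));
        System.out.println("cross-site, pinned host:    " + pinned.isAllowed(crossSite));
    }
}
```

Two points worth keeping in mind when relying on this check: step 1 means a client that sends no Origin header (for example a non-browser client) is never rejected on origin grounds, so authentication via the filter chain remains the primary control, and the default case only holds when the Host header the endpoint sees is the one browsers put in Origin, which is why cors-host exists for deployments behind a proxy or load balancer that rewrites Host.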

Example

See the rpc-demo-security-jar demo project.