Category: Java

403 Forbidden on web clients against cookie-based secured REST services

You are developing your web client (AngularJS or any other) against your REST services' server, secured using cookies-based sessions and CSRF tokens sent as cookies. You've done everything by the book, followed the tutorials to make your security work, especially CORS and CSRF tokens. And yet you still get a pesky 403 when trying to login!

Read more

AngularJS web apps for Spring-based REST services security: the server side part 2 (CSRF)

Part 2 of examining a full, secure implementation of a solution for web-client, REST-based systems using AngularJS and Spring and addressing authentication, CORS and CSRF aspects. The full, working code is available on GitHub. In this part, we look at how we can prevent CSRF attacks from a server's perspective.

Read more

AngularJS web apps for Spring-based REST services security: the server side part 1

A full, secure implementation of a solution for web-client, REST-based systems using AngularJS and Spring and addressing authentication, CORS and CSRF aspects. The full, working code is available on GitHub. In this part, we setup the project and examine how CORS is configured on the server side.

Read more

Spring Security’s CSRF protection for REST services: the client side and the server side

Spring Security offers CSRF (cross-site request forgery) protection by default for Java web applications. In this post I will examine how you can make that CSRF protection work for a web client interacting with REST-based CSRF-protected services. Both the web client's code and the server application's configuration will be described.

Read more

Validating Spring REST controllers’ beans using the Bean Validation API… and writing the tests for it!

So you want to validate the data sent to your application's REST services? Nowadays you can quite easily do that using Spring and the Bean Validation API. And to help you test that validation process, how about bringing in Spring Boot to programmatically start your application and run your tests against it?

Read more