
This is my sample application. GATEWAY is the entry point for all other applications; basically it's the proxy. It's capable of CSRF protection. When I access the URL localhost:8080/login, first a CSRF token is created for GATEWAY and then the request is forwarded to the backend service (UAA).
The problem is that UAA generates its own token (_csrf), and the one generated by GATEWAY in the header as X-CSRF-TOKEN is completely different.

So how can I avoid this conflict? Is there a simple solution to share tokens between applications?

Thanks

bilak
  • I hope it makes sense that the token generated by the Gateway would be different from the token from the UAA. If the UAA just accepted any token that the Gateway created, then there is most likely a security issue. There are several different things you can do though. 1. The Gateway is assigned a token by the UAA and the gateway uses this token for every request. 2. There is an API that the Gateway can request tokens from the UAA. 3. The gateway can generate and sign its own tokens that the UAA would accept based on a shared secret. – hooknc May 26 '16 at 15:15
  • I understand that those tokens should be different. But I cannot get my head around how I can connect those applications together. I'm using a database for OAuth2 and it can also be used for session storing (using Spring Session), so I'm wondering if this can somehow help me. I don't want to use JWT for now. For me your option 2 looks promising. Can you please elaborate more on this? Thanks – bilak May 26 '16 at 15:19
  • Even in option 2, there has to be an understanding of the applications knowing about one another. The UAA has to know that some application (the Gateway) is authorized to make requests to get new tokens. How does the UAA do authentication and authorization now? – hooknc May 26 '16 at 17:02
  • Yes, authorization is based on an OAuth2 client. Currently I have a "demo" OAuth client there for this purpose. Authentication is currently only in memory; in future it will be in the DB. – bilak May 26 '16 at 17:59
  • You might have to load your memory store with the "Gateway" application. I don't see any real way around your problem besides that. Not a deal breaker really, just a bit of a pain. – hooknc May 26 '16 at 18:12
  • Wait a second... authorization (OAuth2) is in the DB and authentication (users) is in memory for current simplicity in this project (hosted on GitHub)... what do you mean by "load your memory store with the gateway"? – bilak May 26 '16 at 20:31
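The following is an added example (not code from the asker's GitHub project or from Spring) of what option 3 in the comments above could look like: the gateway mints a CSRF token signed with an HMAC over a secret it shares with the UAA, and the UAA verifies the token with the same secret instead of comparing it against its own `_csrf` value. It assumes both applications see the same session id (for instance through Spring Session backed by the shared database the question mentions) and that the secret is provisioned to both; the class name, field names and the `mint`/`verify` methods are this example's own. In a Spring Security setup, the natural place to plug such a scheme in is a custom `CsrfTokenRepository` on each side.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

/**
 * Hypothetical shared-secret CSRF token scheme (added example, not the asker's
 * project code). The gateway mints a token bound to the user's session id; the
 * UAA recomputes the HMAC with the same secret and accepts the token without
 * consulting the gateway's own token store.
 */
public final class SharedSecretCsrf {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final byte[] secret;   // assumed to be shared between gateway and UAA
    private final long ttlMillis;  // how long a minted token stays valid

    public SharedSecretCsrf(byte[] secret, long ttlMillis) {
        this.secret = secret.clone();
        this.ttlMillis = ttlMillis;
    }

    /** Gateway side: token = b64url(sessionId "." issuedAt) "." b64url(HMAC(payload)). */
    public String mint(String sessionId, long nowMillis) {
        String payload = sessionId + "." + nowMillis;
        byte[] payloadBytes = payload.getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payloadBytes) + "." + ENC.encodeToString(hmac(payloadBytes));
    }

    /** UAA side: valid only if the signature matches, the session id matches and the token is fresh. */
    public boolean verify(String token, String expectedSessionId, long nowMillis) {
        if (token == null || expectedSessionId == null) return false;
        int dot = token.indexOf('.');
        if (dot < 0 || token.indexOf('.', dot + 1) >= 0) return false; // exactly two parts
        byte[] payloadBytes;
        byte[] sig;
        try {
            payloadBytes = DEC.decode(token.substring(0, dot));
            sig = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return false; // not base64url
        }
        // Check the signature first, in constant time, before trusting any field in the payload.
        if (!MessageDigest.isEqual(hmac(payloadBytes), sig)) return false;

        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        int sep = payload.lastIndexOf('.');
        if (sep < 0) return false;
        String sessionId = payload.substring(0, sep);
        long issuedAt;
        try {
            issuedAt = Long.parseLong(payload.substring(sep + 1));
        } catch (NumberFormatException e) {
            return false;
        }
        // Bind the token to the session so a token minted for one user cannot be replayed by another.
        boolean sessionMatches = MessageDigest.isEqual(
                sessionId.getBytes(StandardCharsets.UTF_8),
                expectedSessionId.getBytes(StandardCharsets.UTF_8));
        boolean fresh = nowMillis >= issuedAt && nowMillis - issuedAt <= ttlMillis;
        return sessionMatches && fresh;
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secret, HMAC_ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo values; a real deployment loads a random secret from configuration.
        byte[] secret = "replace-with-a-random-256-bit-secret".getBytes(StandardCharsets.UTF_8);
        long ttl = 30 * 60 * 1000L;
        SharedSecretCsrf gateway = new SharedSecretCsrf(secret, ttl);
        SharedSecretCsrf uaa = new SharedSecretCsrf(secret, ttl);

        long now = 1_464_300_000_000L;
        String token = gateway.mint("session-abc", now);
        char first = token.charAt(0);
        String tampered = (first == 'A' ? 'B' : 'A') + token.substring(1);

        System.out.println("valid:         " + uaa.verify(token, "session-abc", now + 1000));
        System.out.println("other session: " + uaa.verify(token, "session-xyz", now + 1000));
        System.out.println("expired:       " + uaa.verify(token, "session-abc", now + ttl + 1));
        System.out.println("tampered:      " + uaa.verify(tampered, "session-abc", now + 1000));
    }
}
```

The `main` method exercises the four cases a verifier must distinguish: a token presented with its own session, the same token presented with a different session id, a token past its TTL, and a token whose payload was altered after signing. Signature checking happens before any payload field is parsed, and both the signature and the session id are compared with `MessageDigest.isEqual` so that comparison time does not leak which byte differed.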

0 Answers