Roger

Reputation: 21

How to secure Angular & Spring Application

We have developed one application with Angular 5 as frontend and Spring Boot as backend. The first page is the login page, which invokes a REST API to authenticate with LDAP at the backend. We are using an OAuth implementation with JWT. So when the user logs in, the credentials (username and password) are sent via POST request in the body to the REST API for auth. In the headers we are sending the clientId and secret for OAuth. The issue is that the credentials are getting exposed in the request and can be seen in the browser's developer tools. I need a way to mask/encrypt these credentials.

Upvotes: 2

Views: 5499

Answers (2)

Nicolas Gehlert

Reputation: 3253

Well, the password being exposed in the request in the network tab is quite "normal" - Your API needs to read the password after all and check if it is valid.

There are still a couple of things you can do:

  • You definitely should communicate over HTTPS and can use several additional security headers as well
  • You can hash the password on the browser side and treat the hash as if it were the user password
    • Changing the hash function in the client is nearly impossible since it requires all users to renew their password
    • You can't do any API-side password strength verification
  • You can encrypt the password on the browser side and decrypt it in the API.
    • You still should hash the password in your API, and do NOT store the encrypted password from the client (since the encryption is visible in the source code to the user)

I actually don't like the hash variant, since you lose control over password strength, and somebody theoretically can use the API and create a user with password "Test" or something similar.

The second approach sure does help you so it is not visible in the Network tab. But just be aware that if someone really cares, he can look up the encryption in your source code and still decrypt it in the request if he has access to it.

Upvotes: 0

Vipul Panth

Reputation: 5801

You can use the crypto-js library for encrypting your password from your Angular application.

Installation:

npm install crypto-js

Usage:

var AES = require("crypto-js/aes");
var SHA256 = require("crypto-js/sha256");
var MD5 = require("crypto-js/md5");
// AES is a cipher: it needs a key/passphrase, and AES.decrypt(ciphertext, key) reverses it.
// The key has to be known to the browser, so it is visible in the shipped source.
console.log(AES.encrypt("YOUR PASSWORD", "YOUR SECRET KEY").toString()); // AES ENCRYPTION
// SHA256 and MD5 are one-way hashes, not encryption; .toString() gives the hex digest.
console.log(SHA256("YOUR PASSWORD").toString()); // SHA256 HASH
console.log(MD5("YOUR PASSWORD").toString()); // MD5 HASH

Thanks hope this helps!

Upvotes: 1
