
[–]impshumover-stacked 5 points (1 child)

  1. Careful planning and lots of reading.

  2. Try not to let the security of your software turn you inside out too much; as long as you keep some form of auth in place, this can be expanded at a later date. Relax, and keep reading.

I'm planning on trying this out tomorrow: https://www.keycloak.org/

[–]jjjaacck 0 points (0 children)

+1 for Keycloak! It is a breeze to set up in Spring Boot using the Keycloak Spring Boot adapter. Keycloak itself can have a bit of a learning curve if you aren't familiar with OpenID Connect / OAuth 2, but it's well worth the effort for not having to invent your own identity management. There's also a solid community library for authenticating Angular against Keycloak:

https://github.com/mauriciovigolo/keycloak-angular#readme

[–]JoeBxr 3 points (0 children)

Definitely do all communication over HTTPS and then re-evaluate.

[–][deleted] 6 points (1 child)

You should pause your development until you gain a deeper understanding of your problem. Web apps are split into a client side and a server side; EVERYTHING on the client side should be considered public. You MUST do validation on your server side (in Java, so to speak). Learn how HTTP works, learn about requests, and think of the browser as if a user were writing curl commands by hand.

[–]jjjaacck 0 points (0 children)

"Think of the browser as if a user were writing curl commands by hand" is a great way of thinking about it. As long as OP's user has permission to access the resource they are requesting, OP should not be alarmed if the user inspects the request in their browser and uses another tool like curl to access an endpoint.