I want to protect all http endpoints with spring security annotations. Is there a way to punish developers that forget setting annotations on methods. Spring configuration? Or do I have to write my own AOP/Reflection code that does this at compile time?
just add spring security core maven dependency on your pom file , with this configuration spring will secure your all endpoints.
it will generate username as user and password will show on your console and you can also configure it manually.
Related
I have a web application NOT implemented on Spring Boot or Spring itself. It has no Spring whatsoever, it was made using RESTEasy running on Tomcat.
I'm supposed to add ADFS authentication to this web application through the use of Spring's Security SAML Extension.
I've seen a lot of projects online that implement this feature but all of them use Spring Boot or run on Spring. At the same time I've seen mentions of being able to implement Spring SAML without having a Spring project. So I'm a little confused now.
Is this feat achievable?
If so, could you guide me on how to do it?
Which Maven dependencies do I need exactly?
Which web.xml configs do I need?
Which Beans do I need to implement?
Thank you in advance.
I have to change my custom defined spring properties (defined via #ConfigurationProperties beans) during runtime of my Spring Boot application.
Is there any elegant way of doing this using Spring Cloud Config?
I don't want to use an external application.properties in a git repository (as the spring boot application gets shipped to customers and I dont' want to create a git repository for everyone of them).
I just want to access and change the local application.properties (the one in the classpath, located in src/main/resources) file in my Spring container or (if thats not possible) in the Spring Cloud Config Server, which I could embed into my Spring Boot app. Is that possible somehow?
BTW: The goal is to create a visual editor for the customers, so that they can change the application.properties during runtime in their spring boot app.
Spring Boot supports profile based application configuration. Just add application-<profile>.properties file. Then just when running the application select a profile depending on the environment making use of spring.profiles.active.
-Dspring.profiles.active=dev
This will run the application with application-dev.properties file (overriding the default application.properties, i.e you can just leave the common stuff in the default file and change the rest depending on the env)
On a side note, having a repo for configuration is not a must. You could just place them in the class path and give a search-location.
spring:
application:
name: config-server
profiles:
active: native
cloud:
config:
server:
native:
search-locations: classpath:configs/
It actually is possible and in the end quite easy to achieve. It just took me a whole day to get all the information together. Maybe this helps someone:
You basically just need Spring Actuator, but for a certain endpoint, you also need the spring cloud dependency. (to make Post requests to the /env endpoint of Spring Actuator)
To alter your config at runtime, just add the following to your application.properties:
management.endpoints.web.exposure.include: env,refresh
management.endpoint.env.post.enabled: true //this property is only available when spring cloud is added as dependency to your project
If you (like me) don't need the feature of an externalized config, then you also have to add the following (otherwise, your Spring app will not start and throw an error that some config is missing)
spring.cloud.config.enabled: false
Now, if you send a POST request to /actuator/env endpoint with an object in the HTTP body in the form of {"name":"...", "value":"..."} (name is the name of a config property), then your config gets changed. To check that, you can do a GET request to /actuator/env/[name_of_config_property] and see that your config property has changed. No need to restart your app.
Don't forget to secure the /actuator endpoint in your SecurityConfig if you use a custom one.
It seems to me that you neither need the #RefreshScope annotation at your config classes nor the /actuator/refresh endpoint to "apply" the config changes.
Maybe what your looking for could be achieved with Spring cloud config and spring cloud bus. It's explained here: https://cloud.spring.io/spring-cloud-config/reference/html/#_push_notifications_and_spring_cloud_bus
In summary, any change on configuration sent an event to the spring cloud bus and you can then reload app context or configuration with new properties.
I am in desperate need of help. So as a prerequisite I am tasked with creating a simple web application. The application requirements are to create a simple web form that collects user data and then sends an email verification to the user that just provided information. The difficult aspect of this project is CAS Integration with the Marist College CAS authentication system. A requirement of this project was that I use Spring Boot to create the project. At the moment I have already implemented Spring Security to authenticate users. I have been trying everything online to integrate CAS with my existing project. I was hoping that someone on StackOverflow may have more knowledge on how to integrate CAS with SpringSecurtiy. Also please don't be harsh on me I have never used the spring framework before this project and this is all new to me. The Url of the CAS server is "https://login.marist.edu/cas/". I have looked into https://github.com/apereo/java-cas-client spring support I just don't know how to integrate it with my current application. Thank you to anyone in advance that lends me a hand with this.
As I previously stated I would provide the solution to the problem that I experienced during the processes of integrating a spring application with the Marist CAS 2.0 Authentication System. As Stated above there is a Spring Boot AutoConfiguration that can be used. While this may not be the best method for securing your application it satisfied my needs for the project that I was working on. The Steps to configure your spring application with CAS 2.0 are bellow.
Add Maven Dependency
Maven:
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-support-springboot</artifactId>
<version>${java.cas.client.version}</version>
</dependency>
Add the following required properties in Spring Boot's application.properties or application.yml
cas.server-url-prefix=https://cashost.com/cas
cas.server-login-url=https://cashost.com/cas/login
cas.client-host-url=https://casclient.com
3)Annotate Spring Boot application (or any #Configuration class) with #EnableCasClient annotation
#SpringBootApplication
#Controller
#EnableCasClient
public class MyApplication { .. }
4)For CAS3 protocol (authentication and validation filters) - which is default if nothing is specified
cas.validation-type=CAS3
For CAS2 protocol (authentication and validation filters)
cas.validation-type=CAS
For SAML protocol (authentication and validation filters)
cas.validation-type=SAML
I am using Spring boot.
I want to check which logging implementation is printing the message - I know with Spring boot default is Logback, and I have excluded it as mentioned in this post so mostly Logback will not be printing the messages, but I want to show it as a proof that Logback implementation is not printing and probably Log4j is printing.
Basically I need an API which I can call and I can get the details of which is the logging implementation, the way we can know Java version etc.
You can enforce Spring Boot to use a certain implementation by setting this property:
org.springframework.boot.logging.LoggingSystem
with any of:
org.springframework.boot.logging.logback.LogbackLoggingSystem
org.springframework.boot.logging.log4j2.Log4J2LoggingSystem
org.springframework.boot.logging.java.JavaLoggingSystem
none (to swith off completely)
This explicit configuration would be your proof.
To check configuration you can install spring actuator framework. Through web endpoints all config params can be queried.
I'm setting up a microservice architecture using Spring Boot and Eureka. I followed several tutorials. However, the Eureka server is showing a login when trying to open the dashboard. Also, registration of a client fails (I think because of the enabled security).
How can I disable the security?
This is my configuration:
eureka.instance.hostname=localhost
eureka.client.registerWithEureka=false
eureka.client.fetchRegistry=false
eureka.environment=dev
server.port=1112
I'm using a .properties file instead of .yml. What I tried is to add the property
security.basic.enabled=false
but the result was the same. So I tried to configure Spring Boot Security by myself but this caused 404 HTTP errors because the '/login'-controller was not found (and I don't want to develop this at the moment).
You have added two starter security dependencies in your Gradle. Those are configuring basic username password security. Please remove them.
you can also exclude the SecurityAutoConfiguration in your spring application main class
#SpringBootApplication(exclude = {SecurityAutoConfiguration.class})