I'm working on a very simple REST API using the Quarkus framework. I'd like to use client authentication, but after a few tries I eventually found the what I'm trying to achieve doesn't seem possible out of the box.
The API is dockerized and published on an azure app service environment. Unfortunately, I can't get the azure load balancer to talk to my app via SSL. Azure App Services passes the client certificate as a base64 payload in a header field dubbed X-ARR-ClientCert.
Maybe I'm missing some very important piece of knowledge here. Is there any way to leverage the TrustStore and Trust / accept the client certificate straight from the header field?
Should I implement my own Security Identity Provider for doing so
extracting the Certificate from the header
create a Security Identity instance
Related
I have an app running on AWS that has got a React JS front-end hosted through S3 and Spring Boot back-end hosted on EC2 instances behind a load balancer. I got my SSL certificate for my domain and I use CloudFront to redirect HTTP requests into HTTPS.
My issue is that I can connect through HTTPS to my load balancer, however, my Spring Boot API won't accept HTTPS from the load balancer. Therefore I use HTTP and anytime I send an API call to my backend, my site changes to "Not Secured".
Is there a way to use the Amazon issued certificate in my Spring Boot API in order for it to accept HTTPS calls? I have only found tutorials using self-signed certs and was wondering if I can use my AWS certificate instead.
If there is a way, could you please provide an example of code I need to insert in my application.properties file?
Cheers
Kris
This part of your question is really confusing, since you don't provide details about what you mean:
My issue is that I can connect through HTTPS to my load balancer,
however, my spring-boot API won't accept HTTPS from the load balancer.
Your load balancer should be serving the AWS ACM SSL certificate. You should code your application so that your website makes SSL calls to your API. The load balancer should communicate with your Spring Boot backend server over HTTP, by setting the HTTP protocol and port in the load balancer target group settings.
The traffic flow should look like this:
Web Browser -> (HTTPS) API call to Load Balancer -> (HTTP) call to backend Spring Boot server
I have been asked to create an oauth2 server to access multiple webapps of our company. And I am following this github project.
I dont have nay idea about creating Oauth2 server.And stuck while Getting Access token via authorization code (followed given process in link).
When you speak about an OAuth2 server you mean the interface between user storage (f.e. LDAP) and the web aplications?
The easiest way to have an OAuth2 server would be to install WSO2 IS and configure your LDAP as a secondary user store.
I have not coded the server side of OAuth2 but Apache OLTU is a project that has been very helpfull for me. It includes libraries for the server part.
Spring Security OAuth2 provides some sample code, one of which is an Auth Server.
http://projects.spring.io/spring-security-oauth/docs/oauth2.html
By default, it supports a single user. But it could be modified to be a more fully-featured Auth Server. But it does show how to use Spring Security inside the Auth Server as well as implement the OAuth server endpoints and return JWT
I want to host REST APIs over https. REST web services will be written in java probably using spring framework.
These web services will be accessed by java clients (not web browsers), probably using org.apache.http lib.
I am not getting clear picture of working with SSL certificates.
My questions are -
What configurations will be required to host REST web services over "https"?
What configurations will be required at client side for accessing these "https" URIs?
Do I need to buy trusted SSL certificate for REST server or open java keygen will do?
Do I need the same/different certificate copy on REST client too?
No particular configuration, you just need https activated.
No particular configuration, you just need to take care to use libs that check the certificate.
If you write the client, you can use a self signed one, and customize the client to check if it's your certificate. If anybody can write a client, it's better to have a publicly trusted certificate. WARNING : the free let's encrypt certificate are NOT trusted by java !
Why do you want a certificate on your client ?
Side note: if your API is publicly accessible, I strongly advise you do NOT redirect http to HTTPS but instead makes HTTP systematically answer an error. If you don't do so, a developer that use by mistake the http will NOT see the error and that will create security risks.
I am trying to write a Web Service test and it needs to connect to a Web Service using a client certificate. I have already set up a server that accepts client certificates and it works correctly when using a .NET client application.
The client certificate works as an authentication mechanism together with spring security plugin, therefore i need a way to write a client that can use my custom certificate when performing a request.
Now i am trying to write an integration test for testing this service but i cannot find any mean to attach client certificate when performing a request. I have thried wsclient for groovy, ws-lite for groovy and even cxf for java. Still no luck.
Is there any way that i can attach my own, custom client certificate to web service client request?
You can use HttpBuilder, specifically look here: http://groovy.codehaus.org/modules/http-builder/apidocs/groovyx/net/http/AuthConfig.html
I am looking for a Java based REST server which support following authentication mechanism. Also please let me know the best resources for the REST based authentication
Token
Certificate
Kerberos
Oauth
Open Id
I am an architect from WSO2... so my reply could be biased...
You can use the open source WSO2 Application Server to deploy your RESTful services and WSO2 Identity server has the support for 2-legged OAuth...
Thanks...
Partial answer for method 2) Certificate:
If you're planning on using certificates for authentication, I must assume that the API will be consumed by a limited number of trusted client applications. I've recently developed and deployed a REST API for internal use within an organization, and we use server-client certificates for authentication. This solution delivers a really high level of security, but is very impractical to use in an externally exposed API. This post gives some information: Java HTTPS client certificate authentication.
Any Java container should support these with either:
Apache / IIS as a reverse proxy deployed for SSO (Single Sign On)
Authentication plugins