I am quite new to spring boot, And i was asked to implement post microservice endpoint to expose to other system to post some data in db(which I have handled through java code)
And I am planning to add basic auth with some client certificates (for eg: Tls).
Here the question is when I am trying to test the above Post api through postman csrf is enabled in spring boot automatically and it is blocking. Then I have added csrf.disable() in my config method and it works. But in production ready code we cannot disable using the above method I guess I think we have to handle bit different with it. Should i have to allow domain specific?? If yes how to achieve it?? Please let me know.
Related
I'm trying to use spring-authorization-server, and it seems to work very well, but as i can see it relies on servlet api which makes it not usable with spring webflux and netty. Does anyone knows how to tackle this? Or maybe correct me if my assumption is wrong.
thanks
WebFlux is not on the roadmap for Spring Authorization Server.
From the Spring Authorization Server GitHub repository:
We are strictly focusing on a Servlet implementation for the initial set of features that would qualify for a MVP version. We haven't decided whether we'll provide a WebFlux version at this point.
Quite honestly, I'm not convinced it's needed. The client and resource server(s) are the most active, whereas, the authorization server is not as active as it simply issues a token and may validate a token, which is limited activity between the many interactions that follow between a client and resource server after a token is issued.
Quote taken from this issue.
there is my application in which I am using Angular on the UI side and on the API side I have a spring boot app and for managing users- using the AWS Cognito user pool. currently, I am able to connect with my user pools in my application, which means I have manually implemented the verification, decoding, and filtering id tokens and access tokens based on role manually. but I want to use the spring oauth2 feature to do the same and want to remove manual verification and boilerplate code.
can anyone help me please to provide the steps how can I achieve it, if you know certain steps,
it will be really helpful for me.
Is it possible to forget the authentication, jwt login stuff and security for now and implement it later?
I choosed java for my restful service back-end for my game, but i'm having such a hard time setting up a simple login system with a mysql database, jwt authentication and spring boot. I followed a great tutorial, but it's only concerning Spring boot, not JWT security.
I would like to move forward and implement the security later if possible.
Right now i just gave up and i'm doing simple apis with just spring boot based on this architecture : https://github.com/djdjalas/SpringBootIn50/tree/master/src/main/java/com/yourname, i replaced the fake data with jdbc calls to the mysql database. Is it ok? Will it be hard to implement autentication later when i will have many services?
Thank you.
Spring Security itself is hard to understand and master in the way it should be done as it requires more understanding of the processes behind its configuration. Anyway, if you get familiar with it you won't have serious difficulties here. There will be no major changes to your code. You'll end up generally with one more configuration class/file and this is it.
Can't say anything about JWT but don't think it will be a problem either.
I need to make simple CRUD application with user registration and authentication using Spring boot, but I have some trouble figuring out how to do this right. I have created user table at RDMS and set up Redis for storing user sessions as explained here.
At Spring boot docs it's said that
If Spring Security is on the classpath then web applications will be
secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository intefaces and after starting my application I can GET it's data using browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked if Spring Security is on the classpath with gradlew dependencies command and it appears to be there:
Also default user password that should be displayed during application start up does not show up. So maybe I am missing something here?
Also I am not sure if that would be the best option for mobile app because it possibly uses short-living tokens. There are several other options, among which using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using approach that was used in Angular web app and finally stateless authentication with OAuth 2.0. Directly in opposite to author of Angular web app tutorial who claims
The main point to take on board here is that security is stateful. You
can’t have a secure, stateless application.
So how do we need to pass token? How long should it live? Do we need to make additional XSRF token or not? Should we use out of the box solution or implement own one? Can we make it stateless?
I am currently working on Grails Application where I have REST API using jaxr PlugIn. The scenario is that there is a Third Party who says that give us a URL and we will send you the notifications on that URL.So I created a REST API with post method. So I can send data using this post method. So,I gave this URL to that third party which now sends me notifications over that URL. And in the body of that POST method in my REST API gets the notification and do what I want to.
So, I used Spring Security Core to authenticate my other features of application. And I wasn't intended to secure this REST API that I implemented using Jaxr PlugIn. But after using that Spring Security Core plugin my Rest API stopped working as it has restricted this REST API too. I tested it on my machine too and send post requests but this plugin is not allowing me to make request due to authentication issue.
Please guide me that what I should do in this scenario? I don't want to secure my REST, can I proceed with this?
Thanks for your precious time :)
With Spring security you define urls that are secured. Specify correct url patterns and it should be ok.