Pass authentication header and add it to next request - java

I have a question that might be really simple but I have been stuck at it for a while now. I have a program that receives requests and then forwards them in the correct instance of a third-party application.
I keep on getting 401/Unauthorized and I have been told that all I need to do to make it work is that "I will get a request from the client with an authentication header and that all I need to do to get rid of the 401 response and get 200 is to add that authentication header to my request". I don't understand how I can get this header in the first place, or add it to my request.
Any pointer, link, or answer would be greatly appreciated.
Thank you
@RestController @Slf4j
@RequestMapping(Endpoints.PROVIDER.ROOT)
@PreAuthorize("#permissions.checkIfAdmin()")
public class AdminController {
    @PostMapping(Endpoints.ADMIN.ACTIONS)
    public ResponseEntity<ActionResponse> actions(@RequestBody ActionRequest actionsRequest) {

Autowire HttpServletRequest
@Autowired
HttpServletRequest request;
And fetch the header through the method request.getHeader("Authorization")
Note - Authorization is the name of the header I am trying to fetch.
Below is an example of a similar issue. I am reading the Authorization header from my current request and passing it as a header parameter to another request
public class UserDetailsService
{
    @Autowired
    WebClient.Builder webClientBuilder;
    @Autowired
    HttpServletRequest request;
    @Value("${common.serverurl}")
    private String reqUrl;
    Logger log = LoggerFactory.getLogger(UserDetailsService.class);

    public UserReturnData getCurrentUser()
    {
        log.info("Making API Call to fetch current user");
        try
        {
            // Copy the caller's Authorization header onto the outgoing request
            UserReturnData userDetails = webClientBuilder.build()
                    .get()
                    .uri(reqUrl+"user/me")
                    .header("Authorization", request.getHeader("Authorization"))
                    .retrieve()
                    .bodyToMono(UserReturnData.class)
                    .block();
            return userDetails;
        }
        catch(Exception e)
        {
            log.info("Error API Call to fetch current user " + e);
            return null;
        }
    }
}
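One way to make the header forwarding from the answer above explicit about where the credential may go, as an added example that is not part of the original post. It uses only the JDK's java.net.http API instead of WebClient; the class name, the TRUSTED_HOSTS allow-list and the sample token are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.util.Set;

public class AuthHeaderForwarder {
    // Assumption: the only hosts that may receive the caller's credential (constructed value)
    private static final Set<String> TRUSTED_HOSTS = Set.of("thirdparty.internal.example");

    /** Builds the outbound request, copying Authorization only when it is safe to do so. */
    static HttpRequest buildForwardRequest(String incomingAuthorization, URI target) {
        if (incomingAuthorization == null || incomingAuthorization.isBlank()) {
            // getHeader() returns null when the client sent no header: fail here
            // with a clear error instead of collecting a 401 from the upstream
            throw new IllegalArgumentException("incoming request has no Authorization header");
        }
        if (!"https".equalsIgnoreCase(target.getScheme())
                || !TRUSTED_HOSTS.contains(target.getHost())) {
            // Never replay a client credential over plain HTTP or to an unlisted host
            throw new IllegalArgumentException("refusing to forward credentials to " + target);
        }
        return HttpRequest.newBuilder(target)
                .header("Authorization", incomingAuthorization)
                .GET()
                .build();
    }

    /** Log-safe form: keeps the scheme ("Bearer", "Basic") and hides the secret. */
    static String redact(String authorization) {
        if (authorization == null) return "<none>";
        int space = authorization.indexOf(' ');
        return (space > 0 ? authorization.substring(0, space) : "<scheme?>") + " <redacted>";
    }

    public static void main(String[] args) {
        String incoming = "Bearer constructed.sample.token"; // constructed sample value
        HttpRequest ok = buildForwardRequest(incoming,
                URI.create("https://thirdparty.internal.example/user/me"));
        System.out.println(ok.uri() + " -> "
                + redact(ok.headers().firstValue("Authorization").orElse(null)));
        try {
            buildForwardRequest(incoming, URI.create("https://other.example/user/me"));
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```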

Related

get headers when @Valid body not satisfy and @ExceptionHandler hits

I'm new to springboot and am working on a legacy project. I've searched but didn't find an answer.
The current working project uses @Valid @RequestBody to validate the body, and @ExceptionHandler to catch the exception.
Now the new requirement is dealing with request headers, and I will use the headers (to log, for example) regardless of whether the body is valid or not.
The question is I don't know how to get the headers when @ExceptionHandler hits. A similar question is How to get the @RequestBody in an @ExceptionHandler (Spring REST) but I cannot figure out how to get headers from the injected RequestContext (I even cannot resolve the getRequestBody() method in the answer).
The minimal, working and reproducible code is pushed to github.
The Model:
public class Book {
    @NotBlank(message = "Title is mandatory")
    public String Title;
}
the Controller
@RestController
public class BooksController {
    final Log log = LogFactory.getLog(getClass());

    @PostMapping("/")
    public String add(@RequestHeader("id") String value, @Valid @RequestBody final Book book) {
        log.info(value); // want this value even when hit @ExceptionHandler
        return "added " + book.Title;
    }

    @ResponseStatus(HttpStatus.BAD_REQUEST)
    @ExceptionHandler(value = MethodArgumentNotValidException.class)
    public String handleInvalidRequest(final MethodArgumentNotValidException e) {
        //log headers; ??
        return e.getMessage();
    }
}
the Client
curl -H "id:123" -H "Content-Type: application/json" http://localhost:8080 --data '{"Title":""}'
Additional Information
jdk 11, springboot 2.5.3, intellij idea 2021.
The model's code is in a library that I cannot change, so the validation logic is unknown to me.
I guess there should be a lot of ways to solve, such as defining some customized middlewares or handles, but I'm not familiar with those and I want to see a solution with least code changes. Thanks!
Inside @ExceptionHandler you can accept HttpServletRequest to get headers
@ResponseStatus(HttpStatus.BAD_REQUEST)
@ExceptionHandler(value = MethodArgumentNotValidException.class)
public String handleInvalidRequest(final MethodArgumentNotValidException e, final HttpServletRequest req) {
    //log headers; ??
    req.getHeader("My-Header");
    return e.getMessage();
}

Get request header in spring boot

How do I get the header and body of the current request from an application which called my Springboot application? I need to extract this information. Unfortunately this does not work. I tried to get the current request with this code sample (https://stackoverflow.com/a/26323545/5762515):
public static HttpServletRequest getCurrentHttpRequest(){
    RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
    if (requestAttributes instanceof ServletRequestAttributes) {
        HttpServletRequest request = ((ServletRequestAttributes)requestAttributes).getRequest();
        return request;
    }
    throw new IllegalArgumentException("Request must not be null!");
}
And then I tried to get the body
ContentCachingRequestWrapper requestWrapper = (ContentCachingRequestWrapper) currentRequest;
String requestBody = new String(requestWrapper.getContentAsByteArray());
Can someone tell me what I'm doing wrong?
Thanks in advance
@RestController
public class SampleController {
    @PostMapping("/RestEndpoint")
    public ResponseEntity<?> sampleEndpoint(@RequestHeader Map<String, String> headers, @RequestBody Map<String,String> body) {
        //Do something with header / body
        return null;
    }
}
If the applications are communicating through a rest endpoint I believe this would be the simplest solution. In spring you can add RequestHeader and RequestBody annotations to method arguments to have them setup to be used.
Of course you can map RequestBody directly to some POJO instead of using a map but just as an example.
Let me know if this is what you were looking for !
@TryHard, you're using Spring Boot, so the following way is more preferable for you,
@RestController
public class SampleController {
    @RequestMapping("/get-header-data")
    public ResponseEntity<?> sampleEndpoint(HttpServletRequest request) {
        // request object comes with various in-built methods use as per your requirement.
        String value = request.getHeader("<key>");
        // return statement added so the method compiles
        return ResponseEntity.ok(value);
    }
}
You can get the header with your code but need to apply some changes.
// return type corrected to HttpServletRequest so the method compiles
private HttpServletRequest getRequest() throws Exception {
    RequestAttributes attribs = RequestContextHolder.getRequestAttributes();
    if (attribs != null) {
        HttpServletRequest request = ((ServletRequestAttributes) attribs).getRequest();
        return request;
    }
    throw new IllegalArgumentException("Request must not be null!");
}
Afterwards you can extract header info from the request. For example, if you want to get Accept-Encoding
String headerEncoding = getRequest().getHeader("Accept-Encoding");
Obviously, you don't use this approach if not necessary.
If you want to extract the body, do NOT use this solution

Auth0 API + Spring: How to verify user identity from successful Auth0 API response

Problem
I'm trying to create an app that uses Auth0 SPA + React on the frontend to auth users without ever having to deal with passwords. Then, I'd like to secure any endpoints I create using an Auth server that I'm required to create using the Spring Framework.
Just to clarify, the flow would be
Frontend ->
Auth through Auth0 ->
Redirect to users dashboard on frontend ->
Make HTTP request to endpoint sending JWT returned from Auth0 ->
Endpoint makes request to my Auth Server sending JWT returned from Auth0 ->
Auth server either returns 401 or user object based on JWT ->
Endpoint grabs data specific to that user from DB ->
Returns data to frontend
I've managed to get my frontend to work just fine using the Quickstart Guide that Auth0 provides but I'm having a lot of trouble figuring out how to get my Auth Service to verify the user.
I believe I've come to the conclusion that I need to create an "API" on Auth0 and grab an access token and use that to validate the JWT, which in this case is just the access token and not the JWT that my frontend contains. I've also got this part working but there doesn't seem to be a way to know who the user is. When testing this "API", after sending a valid request I am returned
{
    "iss": "https://${username}.auth0.com/",
    "sub": "${alphanumericCharacters}@clients",
    "aud": "${ApiIdentifier}",
    "iat": ${issuedAt},
    "exp": ${expiresAt},
    "azp": "${alphanumericCharacters}",
    "gty": "client-credentials"
}
While it's good to know I'm on the right track I can't seem to figure out what to do with this response to find the user.
Expected
I expect to be able to identify a specific user after validating an access_token from my Auth Service
Code
I don't have much code to show but I'll provide what I can from my Auth Service
SecurityConfiguration.java
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Value("${auth0.audience}")
    private String audience;
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests()
                .mvcMatchers("/api/validate")
                .authenticated()
                .and()
                .oauth2ResourceServer()
                .jwt();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoderJwkSupport jwtDecoder = (NimbusJwtDecoderJwkSupport)
                JwtDecoders.fromOidcIssuerLocation(issuer);
        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
        jwtDecoder.setJwtValidator(withAudience);
        return jwtDecoder;
    }
}
AudienceValidator.java
public class AudienceValidator implements OAuth2TokenValidator<Jwt> {
    private final String audience;

    public AudienceValidator(String audience) {
        this.audience = audience;
    }

    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
        if (jwt.getAudience().contains(audience)) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(error);
    }
}
ValidateController.java
@RestController
@RequestMapping("/api/validate")
public class ValidateController {
    @GetMapping
    public boolean validate() {
        return true; // only returns if successfully authed
    }
}
After reading through the docs I've found my solution.
It turns out that I don't need to create an "API" on Auth0 but instead need to use my Application's endpoint(s) from Auth0. Auth0 provides many endpoints based on your account that you can take advantage of from any of your applications (CLI, Server, Client, etc.) as long as you can:
- Make an HTTP Request
- Provide credentials
So the way to get a user's information is explained here.
Data flow
Using my project's auth/data flow it's pretty much:
1. Using @auth0/auth0-spa-js on the frontend, you can grab a user's access token after a successful auth by using the getTokenSilently() method.
2. Send up HTTP request to your Rest Service
3. Rest Service sends that token to your Auth Service
4. Auth Service sends GET request to https://myAuth0Username.auth0.com/userinfo with the Authorization: Bearer ${access_token} header. Example
   - If successfully authed from Auth0: returns your user's information such as "name", "email", etc.
   - Else: returns a 403 Forbidden HTTP Status
5. Auth Service then returns user object to Rest Service
6. Rest Service then does necessary logic for that endpoint (DB query, another HTTP request, etc.)
Example Auth Service endpoint to validate tokens and return a user
ValidateController.java
package x.SpringTodo_Auth.Controllers;

import x.SpringTodo_Auth.Models.User;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@RestController
@RequestMapping("/api/validate")
public class ValidateController {
    @GetMapping
    public Object validate() {
        // Create and set the "Authorization" header before sending HTTP request
        // Note: access_token is not declared in this snippet; it stands for the
        // token received from the Rest Service
        HttpHeaders headers = new HttpHeaders();
        headers.set("Authorization", "Bearer " + access_token);
        HttpEntity<String> entity = new HttpEntity<>("headers", headers);
        // Use the "RestTemplate" API provided by Spring to make the HTTP request
        RestTemplate restTemplate = new RestTemplate();
        Object user = restTemplate.exchange("https://myAuth0Username.auth0.com/userinfo", HttpMethod.POST, entity, User.class);
        return user;
    }
}
User.java (This is the class passed to the restTemplate.exchange(...) method as the last argument)
package x.SpringTodo_Auth.Models;

public class User {
    private String sub;
    private String given_name;
    private String family_name;
    private String nickname;
    private String name;
    private String picture;
    private String locale;
    private String updated_at;
    private String email;
    private boolean email_verified;
    // Getters/setters (or you can use Lombok)
}
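The payload in the question carries "gty": "client-credentials", which marks a machine-to-machine token with no end user behind it, so no user can be derived from it. An added example (not code from the original posts) of a validator in the style of AudienceValidator that rejects such tokens where a user identity is required; the class name UserTokenValidator and the sample claims are hypothetical, and it assumes Spring Security's OAuth2 resource-server classes are on the classpath.

```java
import java.time.Instant;
import java.util.Map;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

/** Hypothetical validator: accepts only tokens that were issued for an end user. */
public class UserTokenValidator implements OAuth2TokenValidator<Jwt> {
    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        String grantType = jwt.getClaimAsString("gty");
        String subject = jwt.getSubject();
        // Client-credentials tokens identify an application, not a person
        boolean machineToken = "client-credentials".equals(grantType)
                || (subject != null && subject.endsWith("@clients"));
        if (subject == null || machineToken) {
            return OAuth2TokenValidatorResult.failure(new OAuth2Error(
                    "invalid_token", "Token does not identify an end user", null));
        }
        return OAuth2TokenValidatorResult.success();
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        Map<String, Object> headers = Map.of("alg", "RS256");
        // Constructed claims, shaped like the client-credentials payload in the question
        Jwt machine = new Jwt("constructed-token", now, now.plusSeconds(60), headers,
                Map.of("sub", "abc123@clients", "gty", "client-credentials"));
        // Constructed claims for a token whose subject is a user id
        Jwt user = new Jwt("constructed-token", now, now.plusSeconds(60), headers,
                Map.of("sub", "auth0|constructed-user-id"));
        UserTokenValidator validator = new UserTokenValidator();
        System.out.println("machine token rejected: " + validator.validate(machine).hasErrors());
        System.out.println("user token rejected: " + validator.validate(user).hasErrors());
    }
}
```

Such a validator can be chained next to the issuer and audience validators through DelegatingOAuth2TokenValidator, in the same way the question's jwtDecoder() bean combines them.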

response.sendRedirect shows unwanted HttpStatus 302 instead of 307

I have a small test, which should return a HttpStatus with Temporary Redirect with HttpStatus Code 307.
But it always returns a 302.
@RestController
@RequestMapping(value = "/")
public class Controller {
    @ResponseStatus(HttpStatus.TEMPORARY_REDIRECT)
    @RequestMapping(value= "test", method = RequestMethod.GET)
    public void resolveUrl(HttpServletResponse response) throws IOException {
        response.setStatus(HttpServletResponse.SC_TEMPORARY_REDIRECT);
        response.sendRedirect("https://www.google.com");
    }
}
When I look into the documentation of response.sendRedirect() I can read this:
Sends a temporary redirect response to the client using the specified
redirect location URL.
and the documentation of temporary redirect is a 307:
10.3.8 307 Temporary Redirect
The requested resource resides temporarily under a different URI.
Since the redirection MAY be altered on occasion, the client SHOULD
continue to use the Request-URI for future requests. This response is
only cacheable if indicated by a Cache-Control or Expires header
field.
(I know that I don't need the @ResponseStatus(HttpStatus.TEMPORARY_REDIRECT) or the response.setStatus(HttpServletResponse.SC_TEMPORARY_REDIRECT); but I want to show that it will not work with these things too!)
But my test shows that it was a 302 and not a 307
java.lang.AssertionError: Status expected:<307> but was:<302>
Can somebody explain this?
My small test for this:
@RunWith(SpringRunner.class)
@WebMvcTest(Controller.class)
public class ControllerTest {
    @Autowired
    private MockMvc mvc;

    @Test
    public void test() throws Exception {
        MockHttpServletRequestBuilder requestBuilder = get("/test");
        mvc.perform(requestBuilder).andExpect(status().isTemporaryRedirect())
                .andExpect(redirectedUrl("https://www.google.com"));
    }
}
Complete code can be found at github
Instead of using sendRedirect, set the Location header in the response object.
response.setStatus(HttpServletResponse.SC_TEMPORARY_REDIRECT);
response.setHeader("Location","https://we.google.com");

Authenticate SOAP Header request for webservice

I need to authenticate the SOAP header and give the response accordingly in my web service. The authentication header will verify the userId and password information.
If authenticated, then the SOAP body of the request will be processed, else an Invalid Authentication message will be returned
Below is my controller
package com.ws.controller;

@Endpoint
public class MyWSEndpoint
{
    @Autowired(required=true)
    private WSService service;

    @PayloadRoot(localPart = "myWSRequest", namespace = Constants.TARGET_NAMESPACE)
    public @ResponsePayload MyWSResponse getInfo(@RequestPayload MyWSRequest request) throws Exception
    {
        MyWSResponse response = new MyWSResponse();
        response=service.getResponse();
        return response;
    }
}
I'm using Spring + SOAP
Please advise if I am doing this right or if there is a better approach to solve it.
Any working samples or projects will be much appreciated
