At the moment I am developing an authorization server using spring security + OAUTH2 and JWT, but in the examples there are many different ways, some of them are deprecated.
Tell me, please, the most current?
When creating a project, I plug dependency the Cloud OAuth2, then a dependency appears in
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
I also customize the annotating #EnableAuthorizationServer
I use this method, tell me how relevant is it?
I saw other ways where it was necessary to register and configure filters, providers, etc., this is closer to me, but I don’t understand which option is the most relevant now.
Related
I'm trying to rewrite existing OAuth2 authorization service using Spring Boot 3.0.2 and newly released Spring OAuth2 Authorization Server 1.0.0.
Faced a trouble combing objects from Reactive Security and Standard Security libraries: unable to apply default security to OAuth2AuthorizationServerConfiguration class, because it's not applicable to reactive ServerHttpSecurity.
Code part
#Bean
#Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityWebFilterChain authServerSecurityFilterChain(ServerHttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
http
.formLogin()
...;
return http.build();
}
Can't pass HttpSecurity to applyDefaultSecurity() method.
Tried to find any reactive implementations of OAuth2AuthorizationServerConfiguration class but found nothing.
Is there any way to convert ServerHttpSecurity to HttpSecurity? Or Spring OAuth2 Authorization Server is completely incompatible with reactive approach?
Main dependencies of Maven pom.xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-authorization-server</artifactId>
<version>1.0.0</version>
</dependency>
Thanks is advance.
UPD
Searched badly. Seems like it's not supported yet:
https://github.com/spring-projects/spring-authorization-server/issues/152
Or there are still some ways make it work?
Official answer:
We are strictly focusing on a Servlet implementation for the initial set of features that would qualify for a MVP version. We haven't decided whether we'll provide a WebFlux version at this point.
Quite honestly, I'm not convinced it's needed. The client and resource server(s) are the most active, whereas, the authorization server is not as active as it simply issues a token and may validate a token, which is limited activity between the many interactions that follow between a client and resource server after a token is issued.
Either way, I'm going to close this issue as WebFlux is not on the roadmap as of now.
Source - https://github.com/spring-projects/spring-authorization-server/issues/152
I'm currently working on a spring webflux project using Spring cloud sleuth dependency.
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-sleuth</artifactId>
<version>2.2.8.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
<version>2.5.1</version>
</dependency>
I'm working on a set of APIs which get a request payload that contains 3 Strings. I want to concatenate these 3 strings to use as my custom trace id. I also want to achieve the following requirement.
This custom_trace_id should be able to be added to every log. (We are getting sleuth trace id in logs by adding %X{traceId} within our log4j.xml file to print the traceId in all logs)
This custom trace id must be sent to the calls that are made by WebClient (Sleuth sets the X-B3-TraceId header to all calls made by WebClient, I want the same but using the custom_trace_id)
If possible I want to change the name of X-B3-TraceId header to a different value such as correlation-id so that if someone makes a request to our spring webflux application the sleuth should first check the correlation-id and use it as trace id. (Note: custom_trace_id = correlation-id)
Note that the spring sleuth already does the above 3 things. I want to have custom value for the trace id instead. Can someone please help or suggest something for my usecase
Spring Boot 2.5.x is not compatible with Spring Cloud Hoxton (Sleuth 2.2.x).
You need to use Spring Cloud 2020.0.x aka Ilford (Sleuth 3.0.x).
You can set spring.sleuth.propagation.type to CUSTOM and implement your own Propagation and Propagation.Factory, please see the docs: How to Change The Context Propagation Mechanism?.
This should help you achieving your goals above, however, there are some downsides. This is mostly my opinion, please feel free to ignore it and do whatever you would like to:
B3, W3C and AWS propagation types are standards with support of other projects/tooling
You are trying to create a 4th "standard" that is not supported by anything (but maybe by an internal system)
You need to add support for this custom propagation type to every new component so that they will also understand this "standard"
Sometimes it worth consider moving to a universal standard rather than using a custom one even if there is a legacy system behind it
I am in desperate need of help. So as a prerequisite I am tasked with creating a simple web application. The application requirements are to create a simple web form that collects user data and then sends an email verification to the user that just provided information. The difficult aspect of this project is CAS Integration with the Marist College CAS authentication system. A requirement of this project was that I use Spring Boot to create the project. At the moment I have already implemented Spring Security to authenticate users. I have been trying everything online to integrate CAS with my existing project. I was hoping that someone on StackOverflow may have more knowledge on how to integrate CAS with SpringSecurtiy. Also please don't be harsh on me I have never used the spring framework before this project and this is all new to me. The Url of the CAS server is "https://login.marist.edu/cas/". I have looked into https://github.com/apereo/java-cas-client spring support I just don't know how to integrate it with my current application. Thank you to anyone in advance that lends me a hand with this.
As I previously stated I would provide the solution to the problem that I experienced during the processes of integrating a spring application with the Marist CAS 2.0 Authentication System. As Stated above there is a Spring Boot AutoConfiguration that can be used. While this may not be the best method for securing your application it satisfied my needs for the project that I was working on. The Steps to configure your spring application with CAS 2.0 are bellow.
Add Maven Dependency
Maven:
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-support-springboot</artifactId>
<version>${java.cas.client.version}</version>
</dependency>
Add the following required properties in Spring Boot's application.properties or application.yml
cas.server-url-prefix=https://cashost.com/cas
cas.server-login-url=https://cashost.com/cas/login
cas.client-host-url=https://casclient.com
3)Annotate Spring Boot application (or any #Configuration class) with #EnableCasClient annotation
#SpringBootApplication
#Controller
#EnableCasClient
public class MyApplication { .. }
4)For CAS3 protocol (authentication and validation filters) - which is default if nothing is specified
cas.validation-type=CAS3
For CAS2 protocol (authentication and validation filters)
cas.validation-type=CAS
For SAML protocol (authentication and validation filters)
cas.validation-type=SAML
My Spring Boot application calls other providers and I'd like to measure the time a response takes, but also would nice to measure other stuff. Is there a clean way of doing this maybe some library or package?
I'd need something which integrates seamlessly with existing apps, and I do not need to wrap the calls with System.getCurrentTimeMillis() etc.
You can use Spring Actuator,Prometheus Server/Client and Grafana Server to monitoring your application. There are 4 types of metrics available in Prometheus, you can use according to your requirements.
Prometheus Documentation
https://prometheus.io/
Grafana Documentation
http://docs.grafana.org/
Install Prometheus and Grafana servers.
You have to add the dependencies for Prometheus Client. Also Spring Actuator dependency need to add.
<dependency>
<groupId>io.prometheus</groupId>
<artifactId>simpleclient_spring_boot</artifactId>
<version>0.0.26</version>
</dependency>
<dependency>
<groupId>io.prometheus</groupId>
<artifactId>simpleclient_hotspot</artifactId>
<version>0.0.26</version>
</dependency>
<dependency>
<groupId>io.prometheus</groupId>
<artifactId>simpleclient_servlet</artifactId>
<version>0.0.26</version>
</dependency>
In Configuration file you have to define bean for metrics.
#Bean
public ServletRegistrationBean servletRegistrationBean() {
DefaultExports.initialize();
return new ServletRegistrationBean(new MetricsServlet(), "/prometheus");
}
You can follow https://g00glen00b.be/monitoring-spring-prometheus-grafana/ for more detail.
Prometheus can monitor some metrics in the jvm.
But you may want to see the javamelody spring-boot-starter which will give metrics on the jvm and on the application and also on #Service Spring components and on RestTemplate when defined as bean to measure calls to some other providers.
I went via almost all docs and all but not able to get grip on this mysterious stuff.
so my question - Can I use my standalone spring boot app to monitor health and other metrics of my app via http jmx url? Do I need to configure something else for this?
I have added below dependency in boot app.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.jolokia</groupId>
<artifactId>jolokia-core</artifactId>
</dependency>
I have also configured below properties in my config file.
management.endpoints.web.exposure.include=*
management.endpoints.jmx.unique-names=true
management.server.port=8080
management.server.ssl.enabled=false
When I try to hit URL : http://localhost:8080/actuator/jolokia/health I am not able to see any results.
Also tried adding custom end point like below but not working.
#Endpoint(id="mypoint")
#Component
public class myPointEndPoint {
#ReadOperation
public String mypoint(){
return "Hello" ;
}
with additional property
management.endpoint.mypoint.enabled=true
The problem is the url you are trying to invoke.
First, retrieve the possible mbeans with: http://localhost:8080/actuator/jolokia/list
When you take a look at the Health mbean, you must provide the unique name and the operation (op).
In my case, it looked like: http://localhost:8080/actuator/jolokia/exec/org.springframework.boot:type=Endpoint,name=Health,identity=4200098/health
Also check the Jolokia documentation: https://jolokia.org/reference/html/index.html