I am trying to add an exception for security rules in Spring but getting 401 meaning my mapping is not recognized. The uri is /test/acc#v1=1&v2=2...
I have security configured:
http.authorizeExchange().pathMatchers("/test/acc*{v:.+}")
and
http.authorizeExchange().pathMatchers("/test/acc*")
And my controller annotation is:
#GetMapping("/test/acc{suffix:.+}")
None of it works, I keep on getting 401. Can someone help me out here?
It is a general consensus that Server does not receive the URL fragmentation details and it is applicable for all major servers java based servers like tomcat, jetty..etc please refer for more details
Related
I am working on setting up an application using Spring Boot and Auth0. We are refactoring from a legacy codebase to use Spring Boot. In the legacy code, the Auth0 URL is created manually by appending the URL parameters:
https://[removed].auth0.com/authorize?
response_type=code
&client_id=[removed]
&scope=openid email profile
&connection=[removed]
&state=[removed]
&redirect_uri=http://localhost:8081/login/oauth2/code/auth0
With the Spring Boot configuration (guide here: https://auth0.com/docs/quickstart/webapp/java-spring-boot/01-login), this is the URL that generates:
https://[removed].auth0.com/authorize?
response_type=code
&client_id=[removed]
&scope=openid email profile
&state=[removed]
&redirect_uri=http://localhost:8081/login/oauth2/code/auth0
The Spring Boot URL is giving me an error "[invalid_request] no connections enabled for the client".
I am missing the "connection" parameter with the Spring Boot setup. I have tested by manually copying the URL and adding the "connection" parameter and I get the login page. Without it, I get the error.
On Spring's configuration page (https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-boot-property-mappings), I don't see an option for Connection. I didn't see anything on the SecurityFilterChain that would allow me to change this either.
I see that Auth0.js has a function that allows a "connection" parameter (https://auth0.com/docs/libraries/auth0js). How do I add this using Spring Boot/Java?
EDIT
application.properties:
spring.security.oauth2.client.registration.auth0.client-id=[removed]
spring.security.oauth2.client.registration.auth0.client-secret=[removed]
spring.security.oauth2.client.registration.auth0.scope[0]=openid
spring.security.oauth2.client.registration.auth0.scope[1]=email
spring.security.oauth2.client.registration.auth0.scope[2]=profile
spring.security.oauth2.client.provider.auth0.issuer-uri=[removed]
EDIT 2
We were working in conjunction with Auth0 Support - they provided us the following information:
In case an Enterprise connection is the only enabled connection for an
application and the "connection" parameter is not specified on the
/authorize request, you need to enable the "show as a button" setting
on that enterprise connection, otherwise you will get "no connections
enabled for the client" error.
The "Display connection as a button" checkbox is on the "Login
Experience" tab of the connection setting page.
Weird configuration requirement - you can't go directly to the login page. You have to have a button to take you there. This did resolve the original issue; however, I marked #Codo answer below as accepted, as it did answer this question and appears it would work from initial testing.
You are looking for a way to add an additional parameter to the authorization URI. It's isn't as straightforward as one would like but doable.
Fortunately, it's described in Customizing Authorization and Token Requests with Spring Security 5.1 Client.
You probably want to implement the steps 2 and 4:
Add your own implementation of OAuth2AuthorizationRequestResolver, override both resolve() methods to call customizeAuthorizationRequest()
Implement customizeAuthorizationRequest() to add the additional connection parameter (OAuth2AuthorizationRequest already support additional parameters)
Implement a security configuration class to register CustomAuthorizationRequestResolver as the authorization request resolver
Several issues on GitHub ask for a simpler way. But the issues are still open (or closed as duplicates).
Update
Instead of clientRegistrationRepository() (at the end of step 2), you could declare clientRegistrationRepository as an injected dependency and the use it without parentheses:
#Autowired
private ClientRegistrationRepository clientRegistrationRepository;
Spring Security comes with with mostly preconfigured Auth0 module. Unless you're doing something specific, there's no need to construct URL yourself.
Have you done Spring configuration as said in the link you've posted: https://auth0.com/docs/quickstart/webapp/java-spring-boot/01-login#configure-spring-security ?
# src/main/resources/application.yml
spring:
security:
oauth2:
client:
registration:
auth0:
...
Here's another option (untested):
In application.properties, specify all URLs separately. So instead of:
spring.security.oauth2.client.provider.auth0.issuer-uri=xyz.us.auth0.com
Specify:
spring.security.oauth2.client.provider.auth0.authorization-uri=https://xyz.us.auth0.com/authorize?connection=azuread
spring.security.oauth2.client.provider.auth0.token-uri=https://xyz.us.auth0.com/oauth/token
spring.security.oauth2.client.provider.auth0.jwk-set-uri=https://xyz.us.auth0.com/=.well-known/jwks.json
spring.security.oauth2.client.provider.auth0.user-info-uri=https://xyz.us.auth0.com/userinfo
Note that the authorization URI already includes the connection parameters. All the other parameters should then be appended.
You can get all the URIs at https://xyz.us.auth0.com/.well-known/openid-configuration (just replace "xyz" and put the URL in your browser).
I am creating endpoint that is dependent on another endpoint,i have created interface and did all of that stuff but when i requested https://example.com to give me info it did not responded and request timeout exception came up.the quarkus is not supporting https request i also have added certificates kindly let me know what i am doing wrong or what i need to do.
quarkus.http.ssl.certificate.file=META-INF/dev.crt
quarkus.http.ssl.certificate.key-file=META-INF/dev.com.key
com.package.xyz/mp-rest/url=https://example.com
You need to specify some properties in your application.properties file:
quarkus.http.ssl-port=8443
quarkus.http.insecure-requests=enabled
quarkus.http.ssl.certificate.key-store-file=keystore.jks
quarkus.http.ssl.certificate.key-store-password=password
Documentation source I used for this was the Quarkus cookbook available from RedHat: https://developers.redhat.com/books/quarkus-cookbook see section 3.8
Does anyone used this Jersey SSE feature already in a Dropwizard application? I tried it with DW 0.9.1 but all I get is this Exception at startup:
[main]: /:?:?- unavailable
org.glassfish.jersey.server.model.ModelValidationException: Validation of the application resource model has failed during application initialization.
[[FATAL] No injection source found for a parameter of type public org.glassfish.jersey.media.sse.EventOutput .......
Authentication and Authorization is also done like here with SecurityContext. I tried also a very simple no authentication/authorization app and there is the same problem. Perhaps I have to register SSE, but I dont know how if this solves my problem, because Jersey documentation says that there is a automated registering since version 2.8.x.
What i tried, but does not help:
environment.jersey().register(SseFeature.class);
environment.jersey().getResourceConfig().register(SseFeature.class);
System.out.println("sse feature:" + environment.jersey().getResourceConfig().getConfiguration().isRegistered(SseFeature.class));
Output:
...
sse feature:true
WARN [2015-11-11 10:12:58,845] [main]: org.glassfish.jersey.internal.Errors:?:?- The following warnings have been detected: WARNING: Cannot create new registration for component type class org.glassfish.jersey.media.sse.SseFeature: Existing previous registration found for the type.
...
Does anyone know how to solve this problem or have any ideas?
This is a really strange problem. Dont know why it works now. Perhaps if others have the same problem, I have done this:
environment.jersey().register(new EventOutputMesssageBodyWriter());
The MsgBodyWriter does no write (writeTo method is empty), but it works. Really strange ...
I am working on a web application using the Spring framework and Hibernate. My problem is that I often receive 404 errors caused by a mistake I have made somewhere in the codebase but there are no exception messages in the console. Because of this I am struggling to find where the mistake is because the project has become very large and manually trying to find the problem is impractical. I'm assuming that Spring is causing the problem so my question is: is there some way of enabling more detailed error messages? Thanks
404 is an http error and only your web server might be knowing of it. Very likely with these failed requests, your application server or Spring container was never hit. Look for web server logs to identify the problem.
Troubleshooting 404 on IIS server
http://blogs.iis.net/tomkmvp/archive/2009/04/27/troubleshooting-a-404.aspx
Troubleshooting 404 on RAD web server
http://www-304.ibm.com/support/docview.wss?uid=swg27035752&aid=1
As a couple of people have already alluded to it, the issue here is that certain errors (like the 404 exception) get intercepted by the Servlet container, therefore never reaching Spring and whatever logging mechanisms you have may have set up. So the trick here is to change the order of importance of your Exceptions so that Spring gets a crack at it.
The best approach I have ever come across to catch, handle and adequately log all exceptions in Spring is described in this article: http://steveliles.github.io/configuring_global_exception_handling_in_spring_mvc.html
I have been implementing this setup since I came across that blog post, and it has been a lifesaver to say the least. It will give you the detailed error messages you need. The key is to basically create a custom Exception Handler by implementing Spring's HandlerExceptionResolver and Ordered interfaces, then returning the lowest possible order number, thus moving your exception handling up the totem pole:
import org.springframework.core.*;
import org.springframework.web.servlet.*
public class LoggingHandlerExceptionResolver
implements HandlerExceptionResolver, Ordered {
public int getOrder() {
return Integer.MIN_VALUE; // we're first in line, yay!
}
public ModelAndView resolveException(
HttpServletRequest aReq, HttpServletResponse aRes,
Object aHandler, Exception anExc
) {
anExc.printStackTrace(); // again, you can do better than this ;)
return null; // trigger other HandlerExceptionResolver's
}
}
The problem ended up being that there were a couple of missing annotations from one of my Hibernate entities. Following the procedure from the link below helped track it down by providing more detailed error messages:
http://www.captaindebug.com/2011/07/using-hibernate-validation-annotation.html
I also hit the problem of no console output while 404 error.
As in The Saint's answer, one of the causes of no console log:
the issue here is that certain errors (like the 404 exception) get intercepted by the Servlet container
"spring-framework-reference-3.2.3.pdf" --> 1.3 --> Logging --> Using Log4J, solved the problem in my environment.
I have a java web application that use spring security for log in users, restriction access etc. , and it is working without problems on Glassfish 2.1, Tomcat, jetty, but on glassfish v3 doesn't work, when I try to login, and press button login, I'm getting login box from glassfish server(the box "The server xxxx requires user name and password").
Has somebody got such issue? Please let me know how I can solve this.
Thanks,
Iurie
Try to comment the following fragment:
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
in ".../glassfish/domains/domain1/config/default-web.xml" file
I don't know what is causing this (and potentially it could be one of a number of things), but I suggest that you turn the logging level up to the max and see if that gives you some clues as to what is going on. (When the logging level is DEBUG or higher, SpringSecurity generates lots of logging.)
... the request is not sent to spring security, the glassfish stopped it with his basic authentication, the question is why.
I don't know what the cause of this is, but it sounds like some aspect of Glassfish authentication / authorization needs to be turned off if you want to use SpringSecurity. (Maybe you did this in your Glassfish 2.1 installation ...)
The way that SpringSecurity works, you will definitely see logging messages if a request goes to a servlet that has the SS filter chain in place. It is possible that there is a SS misconfiguration that means that you've not got the SS filter chain in place, but I suspect that the real problem is that Glassfish is doing its bit before the requests get sent to the filter chain.
Did you create a JDBC Connection pool and Resource in Glassfish server?
For ex:
User: root
Password: java
databaseName: theDatabase
serverName: localhost
portNumber: 3306
driverClass: com.mysql.jdbc.Driver
URL: jdbc:mysql://localhost:3306/dbname
The issue seems to be confusion over the /j_spring_security_check url, if you change it everything works again.
<security:form-login login-processing-url="/whatever_security_check" />
See this.