Currently in my spring boot application.properties file, I am specifying following lines to connect to MSSql server.
spring.datasource.url=jdbc:sqlserver://localhost;databaseName=springbootd
spring.datasource.username=sa
spring.datasource.password=Projects#123
Instead of giving username and password, I want to authenticate user using kerberos, what all changes I will have to make.
I tried searching in the JPA official documentation but could not find any. Leads here are appreciated.
Basically, you need to set up your krb5.conf file properly. You can verify that configuration via the following command and entering your password:
kinit <user-name>
Additionally, make sure you have a JDBC URL like:
jdbc:sqlserver://servername=server_name;integratedSecurity=true;authenticationScheme=JavaKerberos;userName=user#REALM;password=****
See Microsoft JDBC driver documentation for details.
EDIT:
Forgot to mention the startup arguments. Add the following JVM argument:
-Djava.security.krb5.conf=<PATH_TO>/krb5.conf
I believe this is not neccessary if you use the default krb5.conf but not entirely sure.
Related
I am currently creating a Java Spring application that works with the spring security JWT. Everywhere I look and read about the "secret string", it says should be changed in production. Like this line in my application.properties: security.jwt.secret="this-is-a-512-bit-key-used-for-signing-jwt-tokens-that-should-be-changed-production"
As well as in stackoverflow question that are sort-of related like this one here: How to include jwt secret in application.yaml for Java Spring.
My question is, what should that string become in production? Am I supposed to generate this somewhere in a SecurityConfig class? Or should I generate a 512 bit string and just paste that in the application.properties file?
Thanks in advance.
Secrets should not be added in your regular application.properties file because that would be checked into your version control system. There are various ways to externalize configuration but the easiest is usually to define environment variables.
In your case, you would need an environment variable called SECURITY_JWT_SECRET and Spring Boot will pick this up automatically.
One way to change properties of a spring app is using Spring Cloud Config. Basically your config is in a GitHub repo and as soon as you modify, Spring cloud config server propagates it to other applications referencing it through application.properties.
https://cloud.spring.io/spring-cloud-config/reference/html/
I will share how it has been done in our application which I think one of the standard way of storing credentials.
There may be alternate ways also.
Its not ideal to store token or credentials in properties
We can externalize the token into Vault or config server
when server starts spring application can fetch the properties
Access to vault are controlled
As we have different vault servers across environments, we can store and change the token in runtime and refresh the application.
Regarding generating the jwt token, it should have some expiry time and refreshed periodically.
Here is what I have done so far: https://github.com/jnbdz/tutorial-baeldung-spring-security-cas-sso
In here you can see my configs: https://github.com/jnbdz/tutorial-baeldung-spring-security-cas-sso/tree/main/config
I am trying to follow this tutorial: https://www.baeldung.com/spring-security-cas-sso
But it seems a bit out of date. I have re-written in my own words in the README.md file the updated tutorial. But now I am stuck.
None of the default username passwords work. And I even tried this:
cas.authn.accept.users=casuser::Mellon
But doesn't work either.
I verified the path to the jsonResourcePassword.json and it is good.
Same for the application.properties when I switch ports it changes it... So it is loading it.
I tried also adding:
cas.authn.pm.enabled=true
Like it is documented but I get an error saying it's not supported in this version of CAS.
You can also see in my repo what I have in the build.gradle.
So the question. Why isn't it loading the json file with the username password and why isn't it working with the default username password found in values.yml?
UPDATE
The setting:
cas.authn.accept.users=casuser::Mellon
Now seems to work.
I did this: sudo sysctl -w fs.inotify.max_user_instances=256
The value used to be 128.
I saw this in config-metadata.properties that I generate with: ./gradlew exportConfigMetadata
But I still cannot get he username and password in the json file to work.
So that issue still persists.
It seems like cas.authn.pm.json.location is used for password management only. You can not login with the credentials from that file.
If you want a JSON file with username/passwords to use while logging in, you need to use permissive authentication: https://apereo.github.io/cas/6.5.x/authentication/Permissive-Authentication.html
Tested on CAS 6.5.3:
Add implementation "org.apereo.cas:cas-server-support-generic" to your build.gradle.
Change cas.authn.pm.json.location to cas.authn.json.location.
Change your JSON file contents to the example given in the link above.
I have database configuration in application.properties, like the one below:
spring.database.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/deebee
spring.datasource.username=postgres
spring.datasource.password=shivendra
Somehow, directly writing the username and password seems to be a security concern to me. Is it ok to have a database configuration like the one I have now?
Also, I haven't done anything for database security in my application, does spring boot provides anything for the securing database?
I'm developing a simple web application with spring boot. In the first step, I implemented everything about the page itself and a simple login. Additionally, I implemented a database access using mysql and hibernate. My database runs on a local easyphp devserver.
In the first step, everything worked fine. However, after a reset of the database and recreating the user with the same credentials, Hibernate is not able to get a connection:
2018-02-09 21:17:11.487 ERROR 9592 --- [ restartedMain] o.a.tomcat.jdbc.pool.ConnectionPool : Unable to create initial connections of pool.
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Access denied for user ''#'localhost' to database 'db'
As I can understand, no username was configured. But in my application.properties, a username is set:
spring.datasource.url=jdbc:mysql://localhost:3306/db?userSSL=false
spring.datasource.username=user
spring.datasource.password=
The exception occurres on startup, so it has to be the configuration. At the database, the user 'user' has all priviliges at the database 'db', but no one on others.
The data source URL might be causing the issue. Is that a typo? Can you check by resetting it to the following? It has to be "useSSL" instead of "userSSL"
spring.datasource.url=jdbc:mysql://localhost:3306/db?useSSL=false
spring.datasource.username=user
spring.datasource.password=
If the above does not work, your problem might be related to permissions for the user. A question posted here relates to yours (although it is in PHP).
Hopefully this resolves it, let us know.
Ok, found the solution by myself. The real username contained a '_' like 'user_name'. Somehow this character was the problem why the username was not read.
Edit: Worked a few times, but the problem still exists...
In my J2EE 5 application I have a JDBC Realm based security with Form method. Encrypt method is MD5 as default.
The database is PostgreSQL 8.4 installed locally (or 8.3 available via lan).
My app used to work finely on GlassFish v2.1 server with PostgreSQL 8.3, but now I need to deploy it on GlassFish v3.
I am absolutely sure I have done all the same config on GFv3 like creating Connection Pool (which pings with no problem), JDBC Resource and JDBC Realm.
But on GFv3 I get login exception with "invaliduserreason" while the database schema is just created from the working database script.
I have checked the data and entered login/password thousand times and it seems that data is all right.
So where can I find the reason of unworking security? Please, advice.
NetBeans 6.8
Thanks.
I had the same issue here.
I resolved setting the security log to finest.
I saw that jaas was querying the db in lowercase even though I used a camel notation in naming my fields in postgresql table.
The only solution I found was to name all my table and fields in lowercase in Postgresql server as well.
You might want to increase the logging for the security system. Go to Logger Settings -> Log Warnings and set logger name 'javax.enterprise.system.core.security' to trace. Try again and check the logs.
Try changing database tablenames to UPPERCASE. I had the exactly same problem as you have and changing tablenames to uppercase solved the problem for me.
Setting Digest Algorithm to "none" worked for me. I am using Glassfish 3.1 with Derby. In realm config i have name of tables in lowercase and userid and groupid are columns in the same table, so these things do not cause problems on Derby.
Here is a nice article about jdbc security realm in glassfish and how to configure it: http://jugojava.blogspot.com/2011/02/jdbc-security-realm-with-glassfish-and.html
try adding database name to the property Url in your connection pool.. the sqlexception hidden here states that database name is not specified.. worked for me