I have created an OAuth module for my project.
It has the mechanism for the authorization server, Spring Security and the resource server.
I need some of the endpoints to be accessible only after authorization, so I configured the security in the resource server:
@Override
public void configure(HttpSecurity http) throws Exception {
    http.requestMatcher(new OrRequestMatcher(new AntPathRequestMatcher("/secured/**")))
        .authorizeRequests().anyRequest().authenticated();
}
So far the access-token/refresh-token calls are working fine.
Now I want to create a separate module for all the web service APIs, where I would put all the controllers and the logic for processing the requests.
Is it advisable to do it in a different module than the OAuth one?
If yes, how can I secure the calls and verify the tokens? How can I use the resource server in another module?
If the OAuth module is where your Spring Boot app is, you could add @ComponentScan("webservices API") to let it know where your API controllers are. Take a look at this question which may have your answer:
Related
Hello, I recently received a demand to migrate the LDAP authentication service to OAuth2 in a JSF project, but I have no idea where to start. From what I've been seeing in the project, I have an LDAP security domain configured in WildFly where I can make use of some features that come from FacesContext, such as:
.login(username, password)
.getUserPrincipal()
.isUserInRole(rule)
.logout()
.invalidateSession()
What I would like to know is if there is a possibility to make my own security domain the same as the configured LDAP one, where I would implement the methods above. Any content where I can start is welcome.
I made an implementation of org.jboss.security.auth.spi.UsernamePasswordLoginModule.
I've searched a little bit on the forum but I was not able to find something suitable. I recently published my Spring Boot multi-module Maven project on my server (VPS). Everything was fine, but after I secured the site over HTTPS with Let's Encrypt, the static content of the site is not being served; instead it is blocked (403).
This is my app's structure:
app
--api
--src/main/resources/static
--business
--model
--repository
Static resources are inside the src/main/resources/static folder of the api Maven module.
I'm able to reach my site homepage using (for example): https://example-app.com/index.html
JS and other resources are on the same level as index.html.
Inside my Spring Boot Security configuration I have:
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests()
        .antMatchers("/api/public/**").permitAll()
        .antMatchers("/api/**").authenticated()
        .anyRequest().permitAll();
    http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
As I said, before HTTPS I was perfectly able to run my app, but now when I access my index.html I get many 403s in the browser console (JS, images, CSS, fonts). As you can see, my security configuration is very permissive, so I don't think the problem is here.
I presume it's a misconfigured Spring Boot option.
UPDATE
After some testing I saw that the REST API calls made from within the app always end in 403, but if I try to call them outside the app context (from a URL, Postman...) they all work.
It's a bit of guesswork but let's see. httpSecurity.antMatcher("/api/public/**").permitAll() should only work for users that are already authenticated. Since you use SessionCreationPolicy.STATELESS, it is possible that the AuthenticationContext is not available when you call a resource from within your app.
If you don't mind exposing the resources to unauthenticated users, you can try doing this instead:
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/api/public/**");
    }
}
I have migrated a Spring Boot web application from 1.5.10 to 2.0.0, which is deployed on Heroku and runs over several domains. For the main domain, the first one to be set, everything is working smoothly, but for the rest none of the static resources (JavaScript, CSS, images and icons (Webjars)) are accessible.
maindomain.com/js/example.js works fine and can be directly accessed with the browser. secondarydomain.com/js/example.js can't be accessed by the browser, and running the app raises this error, I guess because instead of the .js file it is returning some text message:
Refused to execute script from '' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled
The static resources are located at:
/resources/static/css
/resources/static/js
/resources/static/images
I have set the Spring Security configuration with an extension of WebSecurityConfigurerAdapter, where I have withdrawn the annotation @EnableWebSecurity and added this code, with the intention of making sure that those resources are accessible, without success:
http
    .authorizeRequests()
    .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
There is a HandlerInterceptor, which deals with the directories accessible by each secondary domain. The main one has access all over the application.
In this other question, with a different approach to the same problem, there is an extract of the HandleInterceptor.
Spring Boot 2.0.0 & static resources with different domains for the same app
When Spring Security is on the classpath with Boot, the auto-configuration secures all endpoints by default.
However, when it comes to complex applications, we need different security policies per endpoint. We also need to configure which endpoints should be secured, what type of users should be able to access them, and which endpoints should be public.
WebSecurity allows us to configure RequestMatcher instances that Spring Security should ignore.
HttpSecurity allows us to configure the endpoints that should be secured and the endpoints that should be public.
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
            .antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/css/**", "/js/**", "/image/**").permitAll();
    }
}
Hope it helps.
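The two answers above make the same point: paths listed in WebSecurity.ignoring() never enter the security filter chain, while paths given permitAll() in HttpSecurity still pass through every filter, including a custom JWT filter that may reject requests without a token. The configuration below is an added example (not code from either question's project) that combines both for the stateless JWT setup from the earlier question; JwtAuthenticationFilter is assumed to be the asker's filter registered as a bean.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed: the asker's JwtAuthenticationFilter, available as a Spring bean.
    private final JwtAuthenticationFilter jwtAuthenticationFilter;

    public StaticResourceSecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter) {
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
    }

    // WebSecurity.ignoring(): these requests bypass the whole security filter chain,
    // so the JWT filter never sees them and cannot answer 403 for a missing token.
    // atCommonLocations() covers /css/**, /js/**, /images/**, /webjars/** and the favicon.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring()
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
            .antMatchers("/", "/index.html");
    }

    // HttpSecurity: permitAll() only skips the final authorization decision; the request
    // still runs through jwtAuthenticationFilter, so that filter must let requests
    // without a token pass through instead of rejecting them.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/api/public/**").permitAll()
                .antMatchers("/api/**").authenticated()
                // default deny: anything reachable is either listed above or ignored in WebSecurity
                .anyRequest().denyAll()
            .and()
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

Responses for ignored paths carry none of Spring Security's response headers (for example X-Content-Type-Options), which is acceptable for static assets but is why API paths should stay under HttpSecurity rather than being ignored.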
I have a Spring Boot service secured with Keycloak.
The service is working fine: http://localhost:8080/api/resource is restricted and accessible only after authentication via Keycloak.
@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http.authorizeRequests().antMatchers("/open/*").permitAll()
        .anyRequest().authenticated();
}
Now I am using Kong as a reverse proxy for the outside world. The entry for that is (for instance) https://gateway.example.com/customer, which redirects to http://localhost:8080
After calling https://gateway.example.com/customer/api/resource, something goes wrong: instead of calling https://gateway.example.com/customer/sso/login it calls https://gateway.example.com/sso/login, and so I get "404 Not Found".
It seems that the security part removes, or let's say ignores, "customer" in the location.
Is there a possibility to correct the location?
Thanks
If you're using a route matching by path and you don't want this to be stripped, you need to set strip_path to true.
Check the documentation.
I know this question is old, but just had this happen. In application.properties, try using this setting:
server.use-forward-headers=true
That will tell Spring Boot to forward requests relative to the proxy, not your app.
NOTE: My application uses the latest version of the Spring framework, 4.0.6, with 3.2.4 for security, and it uses no XML, only Java config, to configure the application.
I have a set of services which I would like to secure with roles and other business-specific authorization conditions. These services are grouped into a module (a jar) which is used by a REST application and a web application. I already have an AuthenticationProvider in the web application (the REST application is in its initial phase). I use @EnableGlobalMethodSecurity in the web application. Having said that, I now need to secure the methods in the services too. In that case, do I need to provide another authentication provider? Or is it right to move the authentication provider to the services module so that the web/REST apps use the authentication provider in the services jar? If I configure @EnableGlobalMethodSecurity in the ApplicationServiceConfig.java of the services module, I get the below exception.
com.name.mvoice.project.service.ApplicationServiceConfig: Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: An AuthenticationManager is required
How do I configure the security if the application requires double authentication, one from the RDBMS and the other from the LDAP. The condition should be that the user information should be present and be enabled in both the systems. Do I need to write this in the existing authentication manager itself or shall I provide separate auth provider for the LDAP? If so how?
WebSecurityConfig.java
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
        throws Exception {
    AuthenticationProvider dbAuthenticationProvider = new DatabaseAuthenticationProvider();
    auth.authenticationProvider(dbAuthenticationProvider);
    // is it right to do like this
    AuthenticationProvider ldapAuthenticationProvider = new LDAPAuthenticationProvider();
    auth.authenticationProvider(ldapAuthenticationProvider);
}
Though I see AuthenticationManagerBuilder.authenticationProvider adds the supplied AuthenticationProvider to a list!
No, this won't give you the desired result. The default Spring Security implementation uses only one AuthenticationProvider at a time. Your second call to auth.authenticationProvider() would force Spring Security to use just the LDAP provider.
To achieve what you want:
Step 1: Create a class of your own, say:
public class CompositeAuthenticationProvider implements AuthenticationProvider {}
Step 2: Then, inject the Database and LDAP providers into it.
Step 3: In the authenticate method of the class CompositeAuthenticationProvider, orchestrate the request between the Database and LDAP providers as you see fit. Return a response based on the results you obtain from both the providers.
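One way to write the CompositeAuthenticationProvider from steps 1 to 3 for the asker's requirement (the user must authenticate and be enabled in both the database and LDAP). This is an added example, not the answerer's code; DatabaseAuthenticationProvider and LDAPAuthenticationProvider are the asker's own classes and are only passed in as delegates.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

// Both delegates must succeed (AND semantics); a failure in either one rejects the login.
public class CompositeAuthenticationProvider implements AuthenticationProvider {

    private final AuthenticationProvider dbProvider;   // e.g. the asker's DatabaseAuthenticationProvider
    private final AuthenticationProvider ldapProvider; // e.g. the asker's LDAPAuthenticationProvider

    public CompositeAuthenticationProvider(AuthenticationProvider dbProvider,
                                           AuthenticationProvider ldapProvider) {
        this.dbProvider = dbProvider;
        this.ldapProvider = ldapProvider;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Each delegate throws (BadCredentialsException, DisabledException, ...) on its own failure,
        // so a disabled account in either system already aborts here.
        Authentication dbResult = dbProvider.authenticate(authentication);
        Authentication ldapResult = ldapProvider.authenticate(authentication);
        if (dbResult == null || ldapResult == null
                || !dbResult.isAuthenticated() || !ldapResult.isAuthenticated()) {
            // A delegate that does not support the token returns null; never accept a one-sided login.
            throw new BadCredentialsException("Authentication must succeed in both systems");
        }
        // Merge the roles from both systems so method security sees the union.
        Set<GrantedAuthority> authorities = new LinkedHashSet<>(dbResult.getAuthorities());
        authorities.addAll(ldapResult.getAuthorities());
        // Credentials are deliberately dropped from the resulting token.
        UsernamePasswordAuthenticationToken result =
                new UsernamePasswordAuthenticationToken(dbResult.getPrincipal(), null, authorities);
        result.setDetails(authentication.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return dbProvider.supports(authentication) && ldapProvider.supports(authentication);
    }
}
```

Register only the composite with auth.authenticationProvider(...) in configureGlobal; if the two delegates are also registered individually, ProviderManager could accept a login that passed just one of them.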