I am using some angular ui routing in some places, and I wanted the java server to not control some of the urls.
Perhaps it makes more sense to run the java app elsewhere? The reason I have the angularJS in the same url is because there are some authentication checks for my springboot app. So I want most URLs controlled.
But there's a few where I may want to control the authentication----but not the templating.
I think my problem is my Spring Boot code is trying to use velocity, when some of those URLs should just forward to AngularJS routing.
So a URL=/myreport/
--> goes to Java 404 error, instead of just forwarding to Angular UI Routing
--> But in some cases, Java should return 404/500/403 et al
Is there a way to do like a RestController that just forwards to AngularJS after authenticating? or to disable velocity??
This would probably be more straightforward if you limit your Spring Boot code to just doing authentication and providing an API, and implement all of your UI in the Angular app.
You can then still use Spring Security to control access to the API.
On the Angular side, you can use AuthGuards in your routes to control access to parts of your UI based on the user's role.
To get a nice, clean separation, it is helpful to use token-based authentication instead of, say, Form-Based or Basic authentication. That way, the Angular app can present the login UI, and make a REST call to the Spring Boot app to log in, and get a token back, which is used on subsequent calls.
If you use JWT, you can have the back-end produce a token that includes the users' role, and then read that in the Angular app.
I recently wrote a 2-part blog post showing how to create an Angular 2 app with a Spring Boot back-end using JWT.
See http://chariotsolutions.com/blog/post/angular-2-spring-boot-jwt-cors_part1 and http://chariotsolutions.com/blog/post/angular-2-spring-boot-jwt-cors_part2
Related
Background:
I have some APIs routes (~15 or so) that I want to authenticate. Right now, I can run the spring boot server locally (mvn spring boot run) and call all of the APIs. I can also deploy to Heroku and call the APIs from the Heroku cloud platform. This is great!
Here are the problem:
I need to provide authentication for the APIs. The idea is that when running the spring boot server, I would need to pass in a token in order for the API call to work. If not, then I should get some unauthorized error(401 or 403 I think). Additionally, I would need to be able to seperate these APIs by roles (user, admin, etc).
Ideally, I would want to build a test client(perhaps a webpage) that could call these APIs. I'm not exactly sure how authentication would work here.
I'm a bit confused because I tried working with Auth0 but that only seems to apply for 1 API? Auth0 allows for me to generate tokens but I'm not exactly sure how to integrate it with SpringBoot. It asks for an audience but I'm not sure what that should(especially since I'm running the Spring Boot server locally).
The next thing I was going to look at was Spring Security.
Setup Sprint security for your application. There is even an example form Auth0 on hwoto do this: https://auth0.com/docs/quickstart/backend/java-spring-security5/interactive
Once you have spring security running you can annotate your methods accordingly. e.g. #PreAuthorize("isAuthenticated()")
If the authorization check fails spring will respond with the error code 403 automatically.
The audience of an access token is the resource-server the token was emitted for. In your case, probably http://localhost:8080. This will change in production. This audience should be requested by clients when getting an access-token.
Resource-servers should be configured with spring-boot-starter-oauth2-resource-server. Spring default HTTP status for unauthorized request is 302 (redirect to login), but it is best practice for resource-servers to return 401, and it's an easy task:
http.exceptionHandling().authenticationEntryPoint((request, response, authException) -> {
response.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Restricted Content\"");
response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
});
For more details about resource-server configuration, you can have a look at this tutorials I wrote. It cover authorities mapping and role based access-control. It is designed for Keycloak, but switching to any other OIDC authorization-server (including Auth0) is mostly a matter of editing properties (except for the 1st tutorial where authorities converter implementation must be slightly modified to read the claim(s) you configured in Auth0 to put groups / roles).
How clients get an access token depends on the use-case: if acting on behalf of a user, authorization-code flow (with PKCE for "rich" clients) should be used, but we client is a acting in its own name (without the context of a specific authenticated user), then client-credentials should be used. For Spring clients (Thymeleaf UI as well as REST clients like WebClient, use spring-boot-starter-oauth2-client.
I strongly recommend you use JUnit instead of a client UI to test your app. Refer to the tutorials I already linked if you don't know how to mock identities and HTTP requests.
If you still want to build a client with UI to query your API, you might save quite some time by exposing OpenAPI spec (see springdoc-openapi for that) and generate a client library with openapi-generator.
Current Model
I have one Angular application that calls a Java rest service (not a spring boot application) that have multiple rest end points. Initially the login will be called using username and password to acquire a JSESSIONID and this id will be passed in Authorization header of all subsequent rest calls.
New Model
Now I need to change the login scenario using Azure AD.
Angular will call the AAD login and this is working by registering the app as a SPA in Azure. Now how to implement the Rest calls flow using the token.
Do I need to register the Rest API also in Azure?
Is there a way to validate the token in java back end manually.?
Rest application Java - most of the samples uses Spring or spring boot. Is there any samples other than spring / spring security.
I would say that the best practice is to register the API and UI as a separate application in Azure AD.
You will have to grant the web application permissions to the web API and request an access token for it. Here is a good reading (the article is about Azure AD B2C, but it is the same for Azure AD):
Configure authentication in a sample single-page application
We are designing an application which can be accessible via both mobile app and web app.
Mobile app will get data using exposed REST API (we are using CXF). For web app, we are using Spring MVC, it will also get data from REST API. In both cases, we want to show data for the authenticated users. For authentication, we are using JWT token.
My question here is we are offering two ways of accessing data via REST or web, and both need authentication. How can we reuse our security code in both components.
URL for web component
http://localhost:8080/web/resource/
URL for REST API component
http://localhost:8080/rest/resource/
URL for authentication
http://localhost:8080/auth/
Initially, we thought of having two different filters for each component, i.e. web and REST. From each of them we'll make a REST call to authentication API for validating the token. One doubt with this approach is if user going through web, then with this design we are validating token twice. So the better would be calling to the authentication API from REST API, avoiding it in web because rest api will always going to make authentication call.
Is there any other better way to do the same?
iRecently my app got hacked by using sql map.We added few filters to avoid unwanted requests but how to integrate security to the api calls, in back end my app communicates with spring controllers.
Well are you using any authentication on the requests made from the mobile?
Like JWT or a security token. You can check this ionic or auth.
Also make sure your making the api call your making it you can hide it many ways. Store it in a object and then call that object when your making the http or ng-resource request.
I have a web application that contains ui based on jsf 2.0 and a set of rest apis.
The ui side of the application is accessed from a browser and rest apis are invoked from a mobile app.
For the authentication for the UI is managed by jsf , (no form nothing, jsf manages everything). Now, I want the user to be authenticated before he/she can access the rest apis.
Can I set up the web application to have Basic authentication so that I can set the username and password in the header when calling the rest apis?
You will need to have a security filter for your web application. (this can be done with spring security - Integrating Spring security with JSF 2 )
The user will have to pass a username and password to your application.
Then, you just need to configure your rest api to work with basic authentication. Since basic authentication is a HTTP feature, every time you call the rest service, you will need to pass the username/password in the request.