I have a working standard Spring Boot/Hibernate multi-tenancy (schema) solution but am failing to intercept the OAuth token request on /oauth/token.
It seems that HandlerInterceptor instances are getting called for any request but not for those pointing to my token endpoint, which is a problem as I require multi-tenancy there.
So I need some class that gets called at the start of any request to extract the tenant information from the request, which will then be stored in some ThreadLocal. I also need a method called after the request processing to remove the tenant information from the ThreadLocal, to be safe.
I guess a WebFilter is not sufficient as it will get called only once per request. And no MVC handler/interceptor is getting called for my OAuth endpoints, which are configured by Spring Boot auto-configuration and seem to bypass the MVC invocation.
Can the OAuth resource get intercepted by MVC handlers?
Is there any other solution to my problem than using RequestContextHolder?
Any ideas or hints? Thanks in advance!
Gerrit
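One way to do what this question asks, as an added example (not the asker's code): a servlet filter runs in front of both Spring Security and MVC, so it also sees /oauth/token. The header name, the TenantContext class and the allowlist are assumptions; the javax.servlet imports match the Spring Boot 1.x/2.x generation of Spring Security OAuth.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

/** Holds the current tenant for the request thread (assumed name, not the asker's class). */
final class TenantContext {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    static void set(String tenant) { CURRENT.set(tenant); }
    static String get() { return CURRENT.get(); }
    static void clear() { CURRENT.remove(); }
}

/** Servlet filter: runs for every request, /oauth/token included, because it sits in front of MVC. */
public class TenantFilter extends OncePerRequestFilter {
    static final String TENANT_HEADER = "X-Tenant-ID";   // assumed source of the tenant id
    // Only well-formed identifiers from a known set ever reach the schema resolver.
    private static final Pattern SAFE_ID = Pattern.compile("[a-z0-9_]{1,32}");
    private final Set<String> knownTenants;

    public TenantFilter(Set<String> knownTenants) { this.knownTenants = knownTenants; }

    /** Returns the validated tenant id or null; kept separate so it can be unit-tested. */
    static String resolveTenant(String headerValue, Set<String> knownTenants) {
        if (headerValue == null || !SAFE_ID.matcher(headerValue).matches()) return null;
        return knownTenants.contains(headerValue) ? headerValue : null;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String tenant = resolveTenant(req.getHeader(TENANT_HEADER), knownTenants);
        if (tenant == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown tenant");
            return;
        }
        TenantContext.set(tenant);
        try {
            chain.doFilter(req, res);
        } finally {
            // Always clear: the container reuses threads, and a stale value would leak one
            // tenant's schema into the next request handled on the same thread.
            TenantContext.clear();
        }
    }
}
```

Register it with a FilterRegistrationBean whose order is below Spring Security's default filter order (-100), so the tenant is already set when the client credentials for the token request are looked up.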
Related
I want to use Crnk Client 3.4 to consume a JSON:API endpoint that is secured with OAuth2. I am using a client_credentials grant and Spring Security OAuth2 (with Boot) to configure the credentials.
Since the Spring team has decided to try to force everyone onto reactive WebClient, there is no out-of-the-box RestTemplate interceptor that can retrieve an access token from Spring Security OAuth2, which suggests that I'll have to do some level of integration on my own.
Is there a best practice for supplying an access token to a CrnkClient instance? The documentation mentions SecurityModule in passing, but it doesn't seem that it actually supports adding credentials. I could write a module, but it appears that to add headers I want to implement HttpAdapterListener, and modules don't provide a mechanism to register them; instead they have HttpRequestProcessor, which is not used at all by the client.
I can see two possible clean integration options; is either of these recommended or discouraged?
Write the missing ClientHttpRequestInterceptor to integrate Spring Security OAuth2. Create a RestTemplate in a bean method using RestTemplateBuilder and add the OAuth2 interceptor. Call crnkClient.setHttpAdapter(new RestTemplateAdapter(interceptedRt)).
Write a Crnk Module implementing HttpAdapterAware that is a Spring bean and contributes an HttpAdapterListener that retrieves the access token and calls HttpAdapterRequest#header.
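Option 1 above, written out as an added example rather than code from the question or from Crnk: a ClientHttpRequestInterceptor that obtains the client_credentials token from the OAuth2AuthorizedClientManager of Spring Security 5.2+ (the registration id and the principal name are assumptions).

```java
import java.io.IOException;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.web.client.RestTemplate;

/** Adds "Authorization: Bearer <token>" to every RestTemplate call; the manager fetches and
 *  refreshes the client_credentials token, so no token is cached or parsed here. */
public class ClientCredentialsInterceptor implements ClientHttpRequestInterceptor {

    private final OAuth2AuthorizedClientManager manager;
    private final String registrationId;   // assumed: spring.security.oauth2.client.registration.<id>

    public ClientCredentialsInterceptor(OAuth2AuthorizedClientManager manager, String registrationId) {
        this.manager = manager;
        this.registrationId = registrationId;
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution)
            throws IOException {
        OAuth2AuthorizeRequest authorize = OAuth2AuthorizeRequest.withClientRegistrationId(registrationId)
                .principal("crnk-client")     // any stable name: client_credentials has no end user
                .build();
        OAuth2AuthorizedClient client = manager.authorize(authorize);
        if (client == null) {
            throw new IllegalStateException("no access token for registration " + registrationId);
        }
        request.getHeaders().setBearerAuth(client.getAccessToken().getTokenValue());
        return execution.execute(request, body);
    }

    /** Builds the RestTemplate that option 1 hands to RestTemplateAdapter. */
    public static RestTemplate restTemplate(RestTemplateBuilder builder,
                                            OAuth2AuthorizedClientManager manager, String registrationId) {
        return builder.additionalInterceptors(new ClientCredentialsInterceptor(manager, registrationId)).build();
    }
}
```

Spring Boot 2.x does not auto-configure the manager: declare an AuthorizedClientServiceOAuth2AuthorizedClientManager bean with a client_credentials OAuth2AuthorizedClientProvider, then pass the returned RestTemplate to the Crnk adapter as option 1 describes.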
Small question on how to create a traceID when the app is not Spring-based, please.
My application is the first, the initiator of an HTTP call. Therefore, the app can be considered the client.
The destinations, the servers, are all Spring Boot / Spring Cloud based web applications. I would like to emphasize that while the servers are Spring-based, I, the client, am not a Spring Boot app.
While my app is a non-Spring app, I do use the Spring WebFlux WebClient in order to create the HTTP requests to those servers. To emphasize: it is not because I use the Spring WebFlux WebClient that the app becomes a Spring app!
Since I am the first of the call chain, I would like to create some kind of traceID, so the subsequent services will carry the traceID I created.
I am puzzled as to what should come inside this piece of code that I tried:
final var response = webClient.post().uri("http://some-third-party-api.com/someroute").header("X-B3-TraceId", "How to create a traceID?").body(BodyInserters.fromValue(payload)).retrieve().bodyToMono(String.class).block();
Therefore, I would like to ask: being the first, the HTTP call initiator, using a Spring WebFlux WebClient in a non-Spring app, how do I create those traceIDs so the subsequent services get the one that I created?
By default Sleuth is using OpenZipkin's tracing library called Brave. If your application is Java-based, you can use Brave; if not, you can find official implementations for other platforms in the OpenZipkin org, or official and non-official ones at https://zipkin.io/pages/tracers_instrumentation.html
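An added example (not from the question or the answer) of what the answer suggests: the non-Spring client uses Brave directly to start the root span and lets Brave's B3 propagation write X-B3-TraceId, X-B3-SpanId and X-B3-Sampled into the WebClient request, instead of hand-building the header. The service name and the 128-bit trace id setting are assumptions.

```java
import brave.Span;
import brave.Tracer;
import brave.Tracing;
import brave.propagation.TraceContext;
import org.springframework.http.HttpHeaders;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.WebClient;

/** Non-Spring client that creates the root trace with Brave and propagates it as B3 headers. */
public final class TracedClient implements AutoCloseable {
    private final Tracing tracing;
    private final Tracer tracer;
    private final TraceContext.Injector<HttpHeaders> injector;
    private final WebClient webClient;

    public TracedClient(WebClient webClient) {
        this.webClient = webClient;
        // No reporter pointing at a Zipkin server is configured: ids are generated and
        // propagated to the Sleuth services, which continue the trace on their side.
        this.tracing = Tracing.newBuilder()
                .localServiceName("my-non-spring-client")   // assumed service name
                .traceId128Bit(true)                         // 32-hex-char X-B3-TraceId, like Sleuth's default
                .build();
        this.tracer = tracing.tracer();
        // Writes X-B3-TraceId / X-B3-SpanId / X-B3-Sampled (and parent id, if any) into the headers.
        this.injector = tracing.propagation().injector(HttpHeaders::set);
    }

    /** Starts a client span, injects its context into the request and returns the response body. */
    public String post(String uri, Object payload) {
        Span span = tracer.nextSpan().name("POST " + uri).kind(Span.Kind.CLIENT).start();
        try {
            return webClient.post()
                    .uri(uri)
                    .headers(h -> injector.inject(span.context(), h))
                    .body(BodyInserters.fromValue(payload))
                    .retrieve()
                    .bodyToMono(String.class)
                    .block();
        } catch (RuntimeException e) {
            span.error(e);
            throw e;
        } finally {
            span.finish();
        }
    }

    @Override public void close() { tracing.close(); }
}
```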
I am quite new to Spring Boot, and I was asked to implement a POST microservice endpoint to expose to another system to post some data into the DB (which I have handled through Java code).
And I am planning to add basic auth with some client certificates (e.g. TLS).
Here the question is: when I am trying to test the above POST API through Postman, CSRF is enabled in Spring Boot automatically and it is blocking. Then I added csrf.disable() in my config method and it works. But in production-ready code we cannot disable it using the above method, I guess; I think we have to handle it a bit differently. Should I have to allow domain-specific? If yes, how to achieve it? Please let me know.
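An added example (not the asker's configuration) of handling this differently on Spring Security 5.x: instead of one global csrf().disable(), the POST endpoint gets its own stateless filter chain where CSRF is off, and the browser-facing chain keeps it on. The /api/** path is an assumption; client-certificate authentication would be added to the first chain with .x509(...).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/** Two filter chains: CSRF is switched off only where no cookie-based session can ever exist. */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /** Chain 1: the system-to-system POST endpoint. Credentials come with every request and no
     *  session cookie is issued, so a cross-site request from a browser has nothing stored to reuse. */
    @Configuration
    @Order(1)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")                       // assumed path of the POST endpoint
                .csrf(csrf -> csrf.disable())                // scoped to this chain only
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeRequests(a -> a.anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults());
                // .x509(...) would go here for the client-certificate part.
        }
    }

    /** Chain 2: everything else (browser-facing pages with sessions). CSRF stays on, with the
     *  token exposed in a cookie so a JavaScript front end can echo it back. */
    @Configuration
    public static class WebSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
                .authorizeRequests(a -> a.anyRequest().authenticated())
                .formLogin(Customizer.withDefaults());
        }
    }
}
```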
I am trying to intercept every request in Zuul. I tried to follow the "Interceptor not getting called when zuul.routes configured in gateway" link, but in that case they are using WebMvcConfigurerAdapter, and I am not able to use it since my application is not an MVC application. Can we have some other approach to do that?
I have a misunderstanding of security in microservices in Spring Boot (and in general). I want to build a project using the Spring framework and microservices, but I am stuck in the architecture planning. How should security in microservices work at all? In my opinion, in the whole project there should be one component through which all requests go and which spreads them to the other components. What I could find is Spring Cloud Zuul, which is an API gateway for microservices, and I got the idea to make a project which is responsible for the gateway and add security to that component as well. I mean it will be something like a project that contains the Spring Cloud Zuul, Spring Security and Spring Data JPA dependencies. What do you think, is it a good way to provide security or not? Is it possible to build something like that?
In the project I was involved, we used security at a couple of different levels:
Security at individual route level in Zuul.
Security at each internal service.
Here is the flowchart for the security model used in our Spring Cloud project:
When Zuul receives a request, it checks if a route exists for the request.
If a route exists, checks if the route is secured based on custom configuration.
If the route is secured, authenticates the request.
Once the request is authenticated at Zuul, Zuul again checks if the internal service, to which the request is to be routed, is secured based on configuration.
If the internal service is secured, creates a new Authentication header based on the user credentials (stored in the custom configuration) before routing the service to the internal service.
Once the internal service receives the request from Zuul, it checks if the request needs to be authenticated.
Once authenticated, processes the request and sends the response back.
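The flow above as a Zuul pre-filter, added here as an example (not the answer's project code); it also covers the earlier question about intercepting every request without WebMvcConfigurerAdapter, since ZuulFilter does not depend on MVC interceptors. The route configuration maps, the token validator and the "user:password" credential format are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.function.Predicate;
import javax.servlet.http.HttpServletRequest;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;

/** Pre-filter implementing the two-level model: per-route authentication at the gateway, then
 *  a gateway-owned credential for internal services that are themselves secured. */
public class RouteSecurityFilter extends ZuulFilter {
    private final Map<String, Boolean> securedRoutes;      // assumed config: routeId -> needs auth?
    private final Map<String, String> internalCredentials; // assumed config: routeId -> "user:password"
    private final Predicate<String> tokenValidator;        // assumed token check (JWT or opaque token)

    public RouteSecurityFilter(Map<String, Boolean> securedRoutes, Map<String, String> internalCredentials,
                               Predicate<String> tokenValidator) {
        this.securedRoutes = securedRoutes;
        this.internalCredentials = internalCredentials;
        this.tokenValidator = tokenValidator;
    }

    @Override public String filterType() { return FilterConstants.PRE_TYPE; }
    // Run right after PreDecorationFilter, which resolved the matching route id into the context.
    @Override public int filterOrder() { return FilterConstants.PRE_DECORATION_FILTER_ORDER + 1; }
    // Step 1: only act when a route exists for the request.
    @Override public boolean shouldFilter() { return RequestContext.getCurrentContext().containsKey(FilterConstants.PROXY_KEY); }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        String routeId = (String) ctx.get(FilterConstants.PROXY_KEY);
        HttpServletRequest req = ctx.getRequest();
        // Steps 2-3: secured route -> authenticate. Routes missing from the config default to secured.
        if (securedRoutes.getOrDefault(routeId, Boolean.TRUE)) {
            String auth = req.getHeader("Authorization");
            if (auth == null || !auth.startsWith("Bearer ") || !tokenValidator.test(auth.substring(7))) {
                ctx.setSendZuulResponse(false);   // do not forward; respond from the gateway
                ctx.setResponseStatusCode(401);
                return null;
            }
        }
        // Steps 4-5: secured internal service -> the gateway's own credential replaces the client's header.
        String creds = internalCredentials.get(routeId);
        if (creds != null) {
            String basic = Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8));
            ctx.addZuulRequestHeader("Authorization", "Basic " + basic);
        }
        return null;
    }
}
```

Spring Cloud Zuul treats Authorization as a sensitive header and drops it by default, so the route's zuul.sensitiveHeaders must leave it out for the gateway-set header to reach the internal service; registering the filter as a @Bean is enough for Zuul to pick it up.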
I think the answer here might help you; they are talking about using a firewall to limit access from outbound IPs and only allowing the Zuul gateway to access all microservices.
Don't allow direct calls to Microservices. Only allow through API Gateway
I think you can consider using OAuth.
It uses JWT (JSON Web Token), which is a token passed along with all requests/responses.
You can find detailed information here: https://nordicapis.com/api-security-oauth-openid-connect-depth/