We have a set of APIs from two different resource servers. We need to call authorize endpoint for two resource servers as we can't combine the scopes in a single call. Is it possible in spring boot oauth2 client to call multiple resource servers and get access token and store them in the spring tokenstore ?
Related
I have multiple Spring boot micro-services deployed to kubernetes. Im also using Spring Gateway & Eureka Discovery.
Those micro-services are secured with Spring Security and require JWT token for access to the endpoints. Im using #PreAuthorize methods etc.
It all works fine when I'm accessing those endpoints from frontend application that is sending JWT token in request,
but, I can't bypass that security in service-to-service communication via FeignClient.
Ideally, my micro-services wouldn't need token at all to call other micro-service's methods via FeignClient. But I still need that security when endpoints are accessed from frontend or when requests are coming from Spring Api Gateway.
Do you know some elegant solution to this problem?
I was thinking about adding another pair of endpoints that don't have security annotations (#PreAuthorize) and somehow disable access to those endpoints on Spring Api Gateway, so they cannot be accessed from outside, but only directlly by one of the micro-services.
I need some understanding on over all flow of spring security.
I have implemented oauth2 Authorization Server and a Resource server in the same Spring Boot App.Where i am able to generate JWT tokens. And sample Rest api in this app is secured and accessible only with token.
I have another spring boot app which should be secured? What should i do in this. Also i need to read the token in this service to know the role of user.
Please clarify me how to implement the step2.
You can create a module where your spring security config is implemented.
In this module is the class that is annotated with the #EnableWebSecurity annotation, where you define the open routes. I guess you already have a class like this for your sample rest API, mentioned in step 1.
Now every microseconds that has to be secured uses this module by importing it, eg as maven dependency. By this it's api is automatically secured via spring security.
Your auth service serves a jwk endpoint where every microservice can verify a token via public key.
I have two spring boot application. One is Rest and the other one is Spring boot web MVC app which consumes the Rest. The Rest has spring security configured and I want to login/logout from the client app. The client app has nothing but view and controllers to interact with the rest api.
I am using rest template to interact with the api now.
If the client app is not secured so any other anonymous app may do the same, and this is not security, it's a sieve ...
If you want to create a custom authorization/authentication, you can create own protocol and use tokens/JWT (possibly, OpenID or other global technology) and exchange information between applications.
But there is technology to do it all centrally and reliably - OAuth2, and Spring has it 'from the box' - authorization server, resource server, client. The most advantage - multiple applications (clients), one authorization - you create one user and can authenticate it on any client with the same credentials. You can customize it with JWT, and use any data in the access token and as a consequence get any information about principle/authorization.
We are using Spring Boot Actuator Endpoints with our services.
We want to secure certain endpoints which are to be accessed only by the admin/support team for troubleshooting issues.
For example, /logfile,/env,/shutdown,/restart.
As per Spring Boot Actuator documentation, sensitive endpoints are secured by ACTUATOR role. We can also enable basic authentication and provide username and password in application.yml by adding Spring Security as a dependency.
My query is this works fine for basic authentication, but we want to use Token Based authentication.
We want the Admin Support team to first obtain a Token from a custom Token Service and then pass the token while the sensitive endpoints like /logfile and so on.
I am not sure how I can securely access these endpoint because they will be accessed via browser and not using a REST client. With REST client I see there are options supported for securing the same.
If someone has secured these endpoints with tokens and accessed them via browser can you please help me on the same.
I have an api running on spring boot along with spring security.
The app manages state with JWTs. The initial call issues a fresh JWT and all subsequent calls need to have it to get through spring security.
There is a new requirement for a couple of new endpoints (with uniquely identifiable resource paths)that are secured through basic auth. There would be no need for JWTs in this context.
So my question is, is it even possible to get both JWTs & Basic auth going in a single boot application ? Is it valid to think that I could direct auth requests to different auth filters/providers using an antMatcher on the resource path ?