I'm trying to make use of http headers to audit my Spring Repository, as mentioned here https://docs.spring.io/spring-data/commons/docs/current/reference/html/#auditing.reactive-auditor-aware
But the challenge I face is that I don't use Spring Security, my userId comes in as plain text in http header.
I got as far as working out that in WebFlux case I need to use Reactor Context, and if I understand it correctly there already is a filter that does it: https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/filter/reactive/ServerWebExchangeContextFilter.html, but I struggle to write the code to extract it.
Does any one know of any articles/blogs/snippets that could point me in the right direction?
Related
I am currently migrating the authorization server from old Spring Security OAuth2 to the new Spring Authorization Server.
It seems that the new Spring Authorization Server generates JWT tokens by default.
What if I dont want to use JWT and Opaque.
Is it possible to generate tokens same as the old Spring Security OAuth2?
By the way, I also dont have idea what type of token the old Spring Security OAuth2 generates...i am a noob here...any idea is appreciated.
Thanks.
You can generate any type of token you want, using OAuth2TokenGenerator, though it sounds like you don't have another type in mind.
Spring Authorization Server supports OAuth2TokenFormat.SELF_CONTAINED and OAuth2TokenFormat.REFERENCE as types, which are high level categories that map concretely to JWT and Opaque respectively. If you aren't interested in using a JWT, then I suggest using Opaque. It is quite simple to configure and use.
If you want to use another self-contained format, there are many areas of the framework you will need to customize and get right, which might be difficult without a spec. I don't remember off hand what formats were supported by the old project, but it was likely one or both of these.
I am working on to store request data and response data if there any exceptions encountered while sending response back to client I need to store the exception also.
My DB table will ID,RequestData,ResponseData,Exception,TimeTakenToRespond
lets say I have endpoint called /athenticateUser so my input data would be
RequestData :{"username":"mate","password":"swamy"}
ResponseData :{"FirstName":"mate","LastName":"swamy","Email":"manteswamy#gmail.com"}
Like the above way I need to store all the request data and response data if any exception while sending response back to client that also we need store and the web service time taken respond.
As I am beginner to spring boot please guide step by step
Though you can write Interceptors, Filters etc for this. But don't do it.
Please try to use Spring Boot feature Actuator for tracing. It provides HTTP request logging out of the box.
There's an endpoint mapped to /trace or /actuator/httptrace which will show you last 100 HTTP requests. You can customize it to log each request, or write to a DB.
You will need spring-boot-starter-actuator dependency.
You can also whitelist endpoints.
For the guide step by step, you can check this actuator tutorial.
You can do it by using spring boot actuator httptrace..
add below dependency:
implementation('org.springframework.boot:spring-boot-starter-actuator')
Look at this step by step guide..
The Spring-boot actuator doesn't support getting the request/response bodies, they even removed some mechanisms to do it.
Here's a blog post on how to do it with a Filter.
I got a Spring boot REST based proxy server application with standard REST End point exposed(GET, POST,PUT and DELETE) to outside world.
Any requests coming from external world then will be routed to actual functionality internally.
Now the requirement is to expose all the API supported by my REST proxy server. As I mentioned I do not have static controller path in my code for individual APIs. So would like to get your input how to create swagger support for all the internal APIs that my proxy server support. Is there are a way I can generate swagger schema manually to mimics the controller path? Or is there any other way to solve this problem?
Thanks in advance.
I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization is much simpler manner.
Spring Security would require you an implementation that looks at request headers and performs the log-in operation programmatically.
Refer the accepted answer here.. I had followed the same and implemented the security layer in front of my rest services ( which were build using RestEasy )
RESTful Authentication via Spring
There is an alternate method as well..
Refer
http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable the session creation by declaring the stateless authentication in spring security, this would help you improve the performance considerably when large volume of hits are made to the state-less REST services..
I'm trying to figure out what the correct way to configure SpringSecurity is to receive, respond to json based authentication requests.
There appear to be two ways to do this :
Use the spring security configuration to route authentication requests to a Controller...see http://raibledesigns.com/rd/entry/implementing_ajax_authentication_using_jquery
Create a new AuthenticationFilter, AuthenticationSuccessHandler, AuthenticationFailureHandler...see https://github.com/loiane/spring-security-extjs-login
It looks like the AuthenticationFilter method fits into the framework better, and ensures that filters that come afterward in the chain execute.
Anyone know what the pros/cons of either approach are?