backbase services configuration - Client-side private key - backbase

Does the application's encrypted private key need to be exposed on the client side? This is about backbaseservices
poc

Related

Change the AssertionConsumerServiceURL on SAML

Currently our Cloudera Manager on AWS uses the internal IP for the Consumer service.
Is there a way to change the AssertionConsumerServiceURL so that the redirect login can be on a public IP/DNS instead of on a private IP/DNS, so that the Keycloak feature can be used for public-facing website SSO?
Below is the image of the SAML tracer.

Custom KeyManager and TrustManager for Spring Boot

I have decided to rebrand my question: I am looking for a way to provide a custom KeyManager and TrustManager for my Spring Boot application.
Basically I have an application that provides users with custom URLs, for example:
https://user1.mydomain.com https://user2.mydomain.com etc. These URLs are forwarded to my Spring Boot application, and as each user connects to his/her custom URL a different SSL certificate is presented. So I want to make sure I serve a different SSL certificate for each connection; the backend store for the certificates should be a database or LDAP.
Any ideas?

Spring Cloud Security JWT: Distribute Public Key using Config Server / Key Rotation

How do you manage your Private / Public Keys for signing / validating JWTs in Spring Cloud environment?
The "problem":
At the moment I generate a Key Pair. Then copy Private + Public Key to my auth-server application. And also copy the Public Key to each and every Resource Server.
When I now want to implement "Key Rotation" I have to somehow populate the new keys to every service.
The idea:
Maybe I could use the spring-cloud-config-server to store and distribute the Key Pairs?
The config server already provides database login credentials. So why not store even more sensitive information there?
Question(s):
If this is the way to go: How would you implement the key pair distribution with spring-cloud-config-server?
Do you have any security concerns?
How did you solve this problem? I guess there are better solutions.
EDIT:
Maybe there's some solution using Spring Oauth's security.oauth2.resource.jwt.keyUri property for JWKs?
First of all, I would add a gateway to hide the JWT mechanism. It will allow you to revoke tokens from the gateway. If a user knows his token, you can't revoke it without revoking the public key. It will look like this:
It's easy to implement with Zuul's filters and session-scoped beans.
Secondly, as you said in the comments, you can simply create a new private key to generate new tokens. But all your resource servers must be able to read all the previously generated tokens. So you need to have a list of public keys on each resource server, and each time you receive a request, you must try to verify it with each public key. Maybe you can add a public key id (and put the id in each generated token) to avoid a dumb lookup for this task.
For key distribution, using Spring Cloud Bus and RabbitMQ seems right to me.
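As an added example (not code from the answer above), the "public key id on each token" idea in plain JDK code: the resource server keeps a map from kid to public key, picks the key named in the token header, and rejects unknown or retired kids and any algorithm other than RS256. The key ids, key pairs and the token in main() are generated inline for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;

// Added example: resource-server verification that selects the public key by the
// "kid" header, so old and new keys can both be live during rotation.
public class KidJwtVerifier {
    private final Map<String, PublicKey> keysById; // kid -> public key
    KidJwtVerifier(Map<String, PublicKey> keysById) { this.keysById = keysById; }

    // Returns the payload JSON if the token was signed by a known key, else empty.
    Optional<String> verify(String jwt) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return Optional.empty();
        Base64.Decoder b64 = Base64.getUrlDecoder();
        String header = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
        // Accept only RS256: never let the token choose "none" or an HMAC alg.
        if (!header.contains("\"alg\":\"RS256\"")) return Optional.empty();
        Matcher m = Pattern.compile("\"kid\"\\s*:\\s*\"([^\"]+)\"").matcher(header);
        if (!m.find()) return Optional.empty();
        PublicKey key = keysById.get(m.group(1)); // unknown or retired kid -> reject
        if (key == null) return Optional.empty();
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(b64.decode(parts[2]))) return Optional.empty();
        return Optional.of(new String(b64.decode(parts[1]), StandardCharsets.UTF_8));
    }

    // Auth-server side: sign with the current key and stamp its kid into the header.
    static String sign(String kid, PrivateKey priv, String payloadJson) throws GeneralSecurityException {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = b64.encodeToString(("{\"alg\":\"RS256\",\"kid\":\"" + kid + "\"}").getBytes(StandardCharsets.UTF_8));
        String payload = b64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(priv);
        sig.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        return header + "." + payload + "." + b64.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); gen.initialize(2048);
        KeyPair oldKey = gen.generateKeyPair(), newKey = gen.generateKeyPair();
        Map<String, PublicKey> live = new HashMap<>();
        live.put("key-2019-01", oldKey.getPublic());
        live.put("key-2019-02", newKey.getPublic()); // rotation: both keys accepted
        KidJwtVerifier verifier = new KidJwtVerifier(live);
        String old = sign("key-2019-01", oldKey.getPrivate(), "{\"sub\":\"alice\"}");
        System.out.println("old-key token accepted: " + verifier.verify(old).isPresent());
        live.remove("key-2019-01"); // retire the old key: its tokens stop validating
        System.out.println("after retirement accepted: " + verifier.verify(old).isPresent());
    }
}
```

The map of live keys is what a config server, Consul watch or Cloud Bus refresh would update; in production the kid lookup would also be served from a JWK set rather than a hand-built map.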
You should consider the use of Spring Cloud Consul Config instead:
Consul provides a Key/Value Store for storing configuration and other metadata. Spring Cloud Consul Config is an alternative to the Config Server and Client. Configuration is loaded into the Spring Environment during the special "bootstrap" phase. Configuration is stored in the /config folder by default. Multiple PropertySource instances are created based on the application's name and the active profiles that mimics the Spring Cloud Config order of resolving properties.
You can POST to /refresh to update your key, or watch for changes:
The Consul Config Watch takes advantage of the ability of Consul to watch a key prefix. The Config Watch makes a blocking Consul HTTP API call to determine if any relevant configuration data has changed for the current application. If there is new configuration data a Refresh Event is published.

Store tokens to access other applications on Spring Boot

I have a rest application in Spring Boot, with security configured and JWT tokens implemented for the services it exposes. But this application also connects to other 3rd party applications, also secured with JWT and with different tokens per application.
My question is: what is the best strategy to store these 3rd party tokens? Is there something like SecurityContextHolder, but for storing the tokens that the application uses to authenticate on other services?
While configuring your OAuth2RestOperations restTemplate, you can persist the token in the client:

    import java.util.Arrays;
    import org.springframework.security.oauth2.client.*;
    import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
    import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider;

    public OAuth2RestOperations restTemplate() {
        OAuth2RestTemplate template = new OAuth2RestTemplate(resource(),
                new DefaultOAuth2ClientContext(accessTokenRequest));
        // Obtain tokens via the authorization code grant and persist them
        // through ClientTokenServices (e.g. JdbcClientTokenServices).
        AccessTokenProviderChain provider = new AccessTokenProviderChain(
                Arrays.asList(new AuthorizationCodeAccessTokenProvider()));
        provider.setClientTokenServices(clientTokenServices());
        template.setAccessTokenProvider(provider); // otherwise the provider is never used
        return template;
    }

As described in the Spring Security OAuth docs here:
Persisting Tokens in a Client
A client does not need to persist tokens, but it can be nice for users to not be required to approve a new token grant every time the client app is restarted. The ClientTokenServices interface defines the operations that are necessary to persist OAuth 2.0 tokens for specific users. There is a JDBC implementation provided, but you can, if you prefer, implement your own service for storing the access tokens and associated authentication instances in a persistent database. If you want to use this feature you need to provide a specially configured TokenProvider to the OAuth2RestTemplate.

Access Https Rest Service using Spring RestTemplate (2 way SSL between client and server)

Can anybody provide me with a code sample to access a REST service URL secured with HTTPS using Spring RestTemplate?
I have the certificate (.pfx format) and password, and send the client-side certificate to the server; the server side uses the client-side certificate and establishes the connection.
I want to create a Spring Boot application that works with 2-way SSL between client and server.
Thanks.
I created a sample Spring Boot application that demonstrates how to create a RestTemplate that is configured for SSL client authentication. The sample application acts as the server as well which requires SSL mutual authentication (to demonstrate usage via the test case). In practice, the RestTemplate bean would interact with an external service. Hope this helps.
https://github.com/steve-oakey/spring-boot-sample-clientauth
I should note that the most important part of the example is creating the SSLContext. There are plenty of ways to create the SSLContext, I chose a method that uses the SSLContextBuilder from the org.apache.httpcomponents:httpclient library. Other methods such as using the Java API directly, or setting the javax.net.ssl.* JVM properties would also work.
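As an added example (not the linked sample's own code), the SSLContext step the answer singles out, done with httpclient's SSLContextBuilder: the client certificate and private key come from the .pfx (PKCS#12) file, the server is checked against a separate trust store rather than a trust-all strategy, and the default hostname verifier stays on. The file paths and passwords are placeholders to substitute.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

// Added example: a RestTemplate that presents the client certificate from a .pfx
// file and trusts only the CA certificates in a dedicated trust store.
public class MutualTlsRestTemplate {
    static SSLContext sslContext(String pfxPath, char[] pfxPassword,
                                 String trustStorePath, char[] trustStorePassword) throws Exception {
        // Client certificate + private key (PKCS#12 normally uses one password for both).
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(pfxPath))) {
            clientKeys.load(in, pfxPassword);
        }
        // CA certificates the server must chain to; keep this separate from the JVM default.
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trusted.load(in, trustStorePassword);
        }
        return SSLContexts.custom()
                .loadKeyMaterial(clientKeys, pfxPassword)  // what we present to the server
                .loadTrustMaterial(trusted, null)          // null strategy = strict chain validation
                .build();
    }

    static RestTemplate restTemplate(SSLContext ctx) {
        // Default hostname verifier keeps the server name check; never pass NoopHostnameVerifier.
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                ctx, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(
                HttpClients.custom().setSSLSocketFactory(sf).build()));
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths/passwords; substitute your own.
        SSLContext ctx = sslContext("/path/to/client.pfx", "pfx-password".toCharArray(),
                "/path/to/truststore.jks", "truststore-password".toCharArray());
        RestTemplate rt = restTemplate(ctx);
        System.out.println(rt.getForObject("https://api.example.com/health", String.class));
    }
}
```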
