When authRoles not specified why is unauthenticated access to endpoints permitted - spring-boot

I have been experimenting with the Baeldung Keycloak tutorial here and did not specify the property
keycloak.security-constraints[0].authRoles[0] in the application.properties file, e.g. the application.properties file looks like this:
server.port=8081
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration
keycloak.auth-server-url=http://<keycloak_server>
keycloak.realm=SpringBootKeycloak
keycloak.resource=login-app
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/customers/*
I have NOT included the spring-boot-starter-security dependency for this so all keycloak settings are via application.properties
The application starts up fine but surprisingly (to me at least) it allows access to the /customers/* endpoint even though I have specified a pattern for it in the security-constraints. In my mind I would have expected the endpoint to either:
Reject ALL requests because no roles had been specified, or
Accept any and ONLY authorised requests because no roles have been specified, or
At least log to the console that no roles have been specified
Is there a reason for the behaviour I observed as it seems a little insecure to me particularly if something is mis-configured or a typo?
Also is it possible to NOT specify any roles and accept any authorised request?
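Why the adapter behaves this way, and a guard against it, as an added example that is not part of the question above: the Keycloak Spring Boot adapter hands each keycloak.security-constraints[n] entry to the embedded Tomcat as a servlet security constraint, and under the Servlet specification a constraint that has URL patterns but no auth-constraint (no roles) tells the container to accept those requests without requiring authentication. It does not mean "deny all", and the container logs nothing about it. The wildcard role ** is the specification's way of saying "any authenticated user, regardless of role", so keycloak.security-constraints[0].authRoles[0]=** gives the "accept any authenticated request" behaviour asked about in the last sentence. The class below fails startup whenever a constraint has patterns but no roles, which is the typo case the question worries about. It assumes the adapter starter is on the classpath (which registers KeycloakSpringBootProperties as a configuration-properties bean) and uses that class's nested SecurityConstraint and SecurityCollection property types; the package name is hypothetical.

```java
// Added example, not from the question or from Keycloak's own code.
// Fails application startup when a keycloak.security-constraints entry has URL
// patterns but no authRoles, because such a constraint is unrestricted, not denied.
// Assumes the Keycloak Spring Boot adapter starter is present; package name is hypothetical.
package com.example.security;

import java.util.ArrayList;
import java.util.List;

import org.keycloak.adapters.springboot.KeycloakSpringBootProperties;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeycloakConstraintGuard {

    @Bean
    InitializingBean rejectUnrestrictedKeycloakConstraints(KeycloakSpringBootProperties props) {
        // InitializingBean is a functional interface; afterPropertiesSet() runs during
        // context refresh, i.e. before the embedded Tomcat starts accepting requests.
        return () -> {
            List<String> unrestricted = new ArrayList<>();
            int index = 0;
            for (KeycloakSpringBootProperties.SecurityConstraint constraint : props.getSecurityConstraints()) {
                boolean hasRoles = constraint.getAuthRoles() != null && !constraint.getAuthRoles().isEmpty();
                if (!hasRoles) {
                    // No authRoles => no auth-constraint => Tomcat serves these patterns to anyone.
                    for (KeycloakSpringBootProperties.SecurityCollection collection : constraint.getSecurityCollections()) {
                        for (String pattern : collection.getPatterns()) {
                            unrestricted.add("security-constraints[" + index + "] pattern " + pattern);
                        }
                    }
                }
                index++;
            }
            if (!unrestricted.isEmpty()) {
                throw new IllegalStateException(
                        "Keycloak security constraints without authRoles are unrestricted, not denied: "
                        + unrestricted
                        + ". Set keycloak.security-constraints[n].authRoles[0]=** to require any "
                        + "authenticated user, or name a realm/client role to require that role.");
            }
        };
    }
}
```

With this bean in place, the properties shown in the question abort startup with the pattern /customers/* listed in the message; adding keycloak.security-constraints[0].authRoles[0]=** (any authenticated user) or authRoles[0]=user (a specific role) makes it start, and the constraint is then enforced by the container on every request matching the pattern.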

Related

Spring Boot Keycloak Adapter extract roles from custom field in JWT token

I'm using Spring Boot Keycloak Adapter in my backend application.
It has properties for extracting roles from JWT token:
keycloak:
use-resource-roles-mapping: true
If this option is set to true, then the roles of the user will be extracted from the token field resource_access.roles[]
If this option is set to false, then the roles of the user will be extracted from the token field realm_access.roles[]
But I have roles in my token in another field, roles[] are placed in root directly, without wrappers resource_access or realm_access
As I see, Keycloak adapter does not allow to customize the behaviour of extracting roles from token.
So, the question is, how do I override this behaviour to extract roles from the token field I want?
Actually, client roles are held in resource_access.{client-id}.roles, (not resource_access.roles).
Keycloak adapters were deprecated a year ago and are not compatible with spring-boot 3. Just don't use it.
You can refer to the accepted answer to "Use Keycloak Spring Adapter with Spring Boot 3" for alternatives. The solution exposed there works for spring-boot pulling versions of spring-security with SecurityFilterChain (boot 2.4 or so) with almost no modification (just a few configuration methods have been renamed in spring-security 6 (boot 3) to align reactive and servlet DSLs).
You should read the part of the answer with "my" starters, which make it possible to configure role mapping from application.properties (or yaml): source claims (not just one claim at a time, but as many as you need), prefix and case transformation. All that for each issuer (possible to accept identities from as many realms, Keycloak instances or even other OIDC authorization servers than Keycloak).

Spring security is interfering with actuator endpoint

I am using spring security in my microservice application, I also have actuator endpoint in place. Whenever I try to deploy my microservice and access the /actuator/prometheus URL it shows me the dialog box to enter Username and password. I want to remove this.
As described in the documentation (section named "Security")
If you deploy applications behind a firewall, you may prefer that all
your actuator endpoints can be accessed without requiring
authentication. You can do so by changing the
management.endpoints.web.exposure.include property, as follows:
management.endpoints.web.exposure.include=*
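The exposure property decides which endpoints exist under /actuator; whether a request to them needs credentials is decided by the Spring Security filter chain, and once spring-boot-starter-security is on the classpath the auto-configured chain asks for a username and password on everything except /actuator/health (older Boot 2 versions also exempted /actuator/info). The configuration below, added here as an example and not part of the answer above, keeps the scrape targets open while leaving the rest of the actuator (env, heapdump, loggers and so on, which can leak secrets) behind a role. It assumes Spring Boot 3 / Spring Security 6 API names; the package name and the ACTUATOR_ADMIN role are hypothetical.

```java
// Added example, not from the answer above or from Spring's own code.
// Permits unauthenticated access to /actuator/prometheus and /actuator/health only;
// every other actuator endpoint needs a role and every other request needs authentication.
// Assumes Spring Boot 3 / Spring Security 6; package and role name are hypothetical.
package com.example.security;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Scrape targets: no credentials, so restrict their network reachability instead.
                .requestMatchers(EndpointRequest.to("prometheus", "health")).permitAll()
                // Everything else under /actuator stays behind a role; do not permitAll here.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
                // Application endpoints keep the previous behaviour.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Defining your own SecurityFilterChain replaces the auto-configured one, so the ordering above is the whole policy. The endpoints must still be exposed separately, e.g. management.endpoints.web.exposure.include=health,prometheus; exposing everything with * and then relying on a firewall is the trade-off the quoted documentation describes, and it is only acceptable if the actuator port really is unreachable from untrusted networks.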

logback.xml from spring-cloud-config server with Vault and git backend

I have a config server using git and vault backends and several clients that access the config server, everything is working fine so far. Now I want to centralize the logging configuration as well (as they will all log to logstash) and have added the logback.xml to the repository.
Now I'm faced with a basic problem that has always existed but was never a problem: The config server only accepts requests that have the "X-Config-Token" header, otherwise it just rejects the request. The header value itself doesn't matter, it just has to be present. Is there a way around this limitation? I've put
logging:
config: ${spring.cloud.config.uri}/${spring.application.name}/${spring.profiles.active}/master/logback.xml
in my bootstrap.yml which obviously can't send any headers. It actually baffles me that requests without a token are rejected and that Spring doesn't just serve from git and ignores Vault when no token is present.
Thanks for any help!
This is a bug within Spring, see https://github.com/spring-cloud/spring-cloud-config/issues/1512

Disable unneeded OAuth endpoints spring boot

I have an authorization server and resource server contained under one single spring boot application. I only want to enable the password flow.
I believe that would mean I only need the /oauth/token endpoint, however my swagger UI is configured to autofind all endpoints and shows:
authorization-endpoint(/oauth/authorize)
check-token-endpoint (/oauth/check_token)
token-endpoint (/oauth/token)
whitelabel-approval-endpoint (/oauth/confirm_access)
whitelabel-error-endpoint (/oauth/error)
As per the spring-security-oauth2-boot src code:
Spring Security access rule for the check token endpoint (e.g. a SpEL expression like "isAuthenticated()") . Default is empty, which is interpreted as "denyAll()" (no access).
This is the same for the token key endpoint.
If all access is denied to this endpoint by default and I am not changing them, should I turn them off completely, and is there a way to do so? Also, if I cannot disable them, can I disable them in the swagger docs auto configure to reduce clutter?

Encryption in Spring Cloud Config

We use spring cloud config as configuration tool. We store passwords and other sensitive things in the config git repository. We encrypt the config using Spring /encrypt endpoint and put the values in config.
There is an endpoint /env which returns all the properties. The problem here is, the values which are encrypted returned as plain text. Is there way, we make the endpoint to return encrypted value instead of plain text.
Disable server-side decryption by setting the following property:
spring.cloud.config.server.encrypt.enabled: false
The /env endpoint is an actuator endpoint added by Spring Cloud Config. You should take the usual steps to secure the actuator endpoints so as not to allow unwanted access.
You can set endpoints.configprops.keys-to-sanitize to whatever pattern you need. The default is password,secret,key,token,.*credentials.*,vcap_services Keys can be simple strings that the property ends with or regex expressions.
Refer: this
