I have Jax-RS REST API with Jetty Server in my Java 8 application. I am new to securing the REST API.
I have .pem file (certificate) in some path.
I want to use this certificate to validate the incoming request API.
Can someone point me a working example that how to validate APIs with ssl certificate?
Is there any way that I can validate only single API and not all.
SSL/TLS based authentication of a client certificate occurs very early in the connections/conversation with an HTTP server.
In Java it happens entirely within the JVM's SSLEngine layer.
Basically like this (simplified):
1. Client connects to port 443
2. Jetty accepts the connection
3. Jetty tests to see what kind of traffic it is
4. Jetty sees that it's encrypted and sends the traffic through the JVM SSLEngine layer.
5. TLS negotiates encryption (JVM code)
6. TLS negotiates client certificate (JVM code)
7. Connection is established (JVM code)
8. Jetty reads the decrypted traffic on the connection and starts to parse the request
9. Jetty creates the request object and dispatches to the web app.
10. Web app (your REST layer) now handles the request and produces a response.
By the time the request reaches your API the client certificate has already been verified / validated by the TLS layer.
You will only ever receive requests that satisfy that layer.
You have the optional feature SecureRequestCustomizer that will include Request attributes that contain information from the TLS layer, by way of the JVM's post-negotiated TLS layer.
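The flow above, as an added example that is not part of the original answer: an embedded Jetty server (assumed Jetty 9.4 API with the javax.servlet namespace) that requires a client certificate at the TLS layer and uses SecureRequestCustomizer so the servlet can read the already-verified chain. Keystore paths and passwords are placeholders.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class MutualTlsJettyExample {

    // Placeholder paths: a PKCS12 keystore with the server's own key/cert, and a
    // truststore holding the CA (or leaf) certificate that client certs must chain to.
    static final String SERVER_KEYSTORE = "/path/to/server-keystore.p12";
    static final String CLIENT_TRUSTSTORE = "/path/to/client-truststore.p12";

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(SERVER_KEYSTORE);
        ssl.setKeyStorePassword("changeit");   // placeholder
        ssl.setTrustStorePath(CLIENT_TRUSTSTORE);
        ssl.setTrustStorePassword("changeit"); // placeholder
        // Require a client certificate on every handshake: a client with no certificate,
        // or one that does not chain to the truststore, is rejected before any HTTP is
        // parsed. Programmatic equivalent of NeedClientAuth=true in jetty-ssl-config.xml.
        ssl.setNeedClientAuth(true);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        // Copies negotiated TLS details (client chain, cipher suite, key size) into
        // the standard javax.servlet.request.* attributes for the web app.
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(8443);
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new WhoAmIServlet()), "/api/whoami");
        server.setHandler(context);

        server.start();
        server.join();
    }

    /** Reads the client certificate that the TLS layer already verified. */
    public static class WhoAmIServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            X509Certificate[] chain =
                    (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            if (chain == null || chain.length == 0) {
                // Unreachable with setNeedClientAuth(true). If you switch the factory to
                // setWantClientAuth(true), this per-path check is how you require a
                // certificate for one API while leaving the others open.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("client subject: " + chain[0].getSubjectX500Principal().getName());
            resp.getWriter().println("cipher: " + req.getAttribute("javax.servlet.request.cipher_suite"));
        }
    }
}
```

A .pem certificate cannot be passed to the SslContextFactory directly; import it into a truststore first, for example with `keytool -importcert -alias client-ca -file cert.pem -keystore client-truststore.p12 -storetype PKCS12`. Note that the truststore decides which client certificates are accepted, so it should contain only the issuing CA (or the specific leaf certificate) you intend to trust, not a general-purpose bundle.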
I am currently working on a project where each micro-service has its own TLS certificate.
I am thinking of using spring gateway to address a cross concerns like csrf (using the double submit pattern).
I would like the gateway to validate the csrf before proxying to micro-services and to create a new csrf value after each response of micro-service and mutate the response to include new csrf values.
Since each micro-service (that the gateway is proxying to) has its own TLS certificate, is it possible to read and mutate the request before and after sending it to the micro-services?
I guess I am a little confused on how the gateway would work if it does not have the certificate to read the request.
The gateway will establish its own TLS connection. After that the gateway will apply its filters, then proxy to a micro-service, establishing another TLS connection. In this scenario we will have 2 different TLS connections (from client browser to gateway, from gateway to service).
In my scenario, I had micro-services with self-signed certificates. The gateway settings will need to include the public keys for each service to establish a TLS connection (since it will not be able to validate the certificate from a certificate authority). Spring gateway allows us to do this within the application properties file:
```yaml
spring:
  cloud:
    gateway:
      httpclient:
        ssl:
          trustedX509Certificates:
            - cert1.pem
            - cert2.pem
```
Lastly, I was able to validate csrf value within the gateway before proxying to micro-services by creating a filter to do this. I have decided against changing the csrf value every request. For my use case I only needed to generate the csrf once for the user's session (I generated the csrf once after the user signs in).
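The CSRF check described above, as an added example that is not part of the original answer or of Spring Cloud Gateway itself: a GlobalFilter implementing the double-submit pattern, which rejects state-changing requests unless the CSRF cookie value matches the CSRF header value. It assumes the token was issued once at login (as the answer says) and that the cookie and header names below are the ones your login flow uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpCookie;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Component
public class CsrfDoubleSubmitFilter implements GlobalFilter, Ordered {

    // Names assumed for illustration; match them to whatever sets the token at login.
    static final String COOKIE_NAME = "XSRF-TOKEN";
    static final String HEADER_NAME = "X-XSRF-TOKEN";

    // Safe methods (RFC 7231) change no state and pass through unchecked.
    static final Set<HttpMethod> SAFE_METHODS = new HashSet<>(Arrays.asList(
            HttpMethod.GET, HttpMethod.HEAD, HttpMethod.OPTIONS, HttpMethod.TRACE));

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        HttpMethod method = exchange.getRequest().getMethod();
        if (method != null && SAFE_METHODS.contains(method)) {
            return chain.filter(exchange);
        }
        HttpCookie cookie = exchange.getRequest().getCookies().getFirst(COOKIE_NAME);
        String headerValue = exchange.getRequest().getHeaders().getFirst(HEADER_NAME);
        if (!tokensMatch(cookie == null ? null : cookie.getValue(), headerValue)) {
            // Reject before anything is proxied to the micro-service.
            exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
            return exchange.getResponse().setComplete();
        }
        return chain.filter(exchange);
    }

    /** Both values must be present and equal; compared in constant time. */
    static boolean tokensMatch(String cookieValue, String headerValue) {
        if (cookieValue == null || headerValue == null || cookieValue.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(cookieValue.getBytes(StandardCharsets.UTF_8),
                                     headerValue.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public int getOrder() {
        // Run ahead of the routing filters so unauthenticated writes never reach a backend.
        return Ordered.HIGHEST_PRECEDENCE + 1;
    }
}
```

Two properties of the double-submit pattern are worth keeping in mind when wiring this up: the cookie must be readable by the browser-side code that copies it into the header (so it cannot be HttpOnly), and the pattern only holds if an attacker cannot set cookies for your domain, which is why the token should be bound to the session rather than accepted on its own.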
Can anybody provide me with a code sample to access rest service url secured with https using spring rest template.
I have the certificate (.pfx format) password and send the client side certificate to the server. The server side is used on the client side certificate and established the connection.
I want to create a Spring Boot application that works as 2-way SSL between client and server.
Thanks.
I created a sample Spring Boot application that demonstrates how to create a RestTemplate that is configured for SSL client authentication. The sample application acts as the server as well which requires SSL mutual authentication (to demonstrate usage via the test case). In practice, the RestTemplate bean would interact with an external service. Hope this helps.
https://github.com/steve-oakey/spring-boot-sample-clientauth
I should note that the most important part of the example is creating the SSLContext. There are plenty of ways to create the SSLContext, I chose a method that uses the SSLContextBuilder from the org.apache.httpcomponents:httpclient library. Other methods such as using the Java API directly, or setting the javax.net.ssl.* JVM properties would also work.
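The SSLContextBuilder approach described above, as an added example that is not the linked sample's code: it loads the .pfx (PKCS12) client keystore and a truststore, builds an SSLContext with the Apache httpclient 4.x SSLContextBuilder, and wires it into a RestTemplate. File paths, passwords and the target URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public class MutualTlsRestTemplate {

    public static RestTemplate build(String pfxPath, char[] pfxPassword,
                                     String trustStorePath, char[] trustStorePassword) throws Exception {
        // The .pfx holds the client's private key and certificate chain.
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfxPath)) {
            clientStore.load(in, pfxPassword);
        }
        // The truststore holds the CA that issued the server's certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        SSLContext sslContext = SSLContextBuilder.create()
                // Presents the client certificate during the handshake (the .pfx key
                // password is usually the same as its store password).
                .loadKeyMaterial(clientStore, pfxPassword)
                // A null TrustStrategy keeps strict chain validation against the truststore.
                .loadTrustMaterial(trustStore, null)
                .build();
        // The default hostname verifier is kept, so the server cert must match the URL host.
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
        CloseableHttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));
    }

    public static void main(String[] args) throws Exception {
        RestTemplate restTemplate = build(
                "/path/to/client.pfx", "pfx-password".toCharArray(),
                "/path/to/truststore.jks", "changeit".toCharArray());
        // Placeholder URL for a service that requires mutual TLS.
        String body = restTemplate.getForObject("https://service.example/api/health", String.class);
        System.out.println(body);
    }
}
```

Resist the temptation to pass a permissive TrustStrategy (one that trusts everything) to loadTrustMaterial to get past certificate errors during development; it disables server authentication entirely, and the fix for a self-signed service certificate is to import that certificate into the truststore instead.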
I have a structure where my REST service (SP) is built using Spring Boot + Spring SAML for authentication, and the UI uses Nginx as a reverse proxy.
If I call the service by return/rewrite with the direct URL everything works fine: it calls the IDP, gets authenticated and returns the response.
But if I call the same service using proxy_pass it fails with "InResponseToField of the Response doesn't correspond to sent message".
I have a structure where the UI uses Nginx as the web server and calls the SP through Nginx.
The SP has multiple instances behind an LB. I used SAMLContextProviderLB as the context provider.
How can I make this call through Nginx?
I suspect that your Nginx isn't configured to use sticky sessions. This causes the response from the IDP to land on a server which isn't aware of the request that was originally sent from the other server, and therefore fails to validate it. The Spring SAML manual says:
"Make sure that your reverse-proxy or load-balancer is configured to use sticky sessions."
There are multiple possible solutions:
- enable sticky sessions on the Nginx, so the response goes to the same server which sent it
- disable validation of InResponseTo fields (see manual for details)
- enable HTTP session replication, so the HttpSession which contains the sent request is distributed to all servers - for doing this see e.g. spring-session
We are using a Jetty server along with the Spring Security framework. The server should accept requests only from a known client (which is also a server). We want to configure client certificates so that Jetty accepts only requests with the known client certificate.
How can we configure the server?
All we need to do is set NeedClientAuth in jetty-ssl-config.xml to true. No change is needed in Spring config.
I need to implement https support for <int-http:outbound-gateway>.
Following is the scenario:
There is <int-http:inbound-gateway> which accepts inbound url to Spring integration. The reply-channel of <int-http:inbound-gateway> and <int-http:outbound-gateway> are same. Based on the HeaderValueRouter, the inbound request is forwarded from request-channel of <int-http:inbound-gateway> to request channel of <int-http:inbound-gateway> . Now response is received from the outbound url and put in the reply-channel.
The url-expression of <int-http:outbound-gateway> is built from the MessageHeader "http_requestUrl" attribute.
Now if I host the external app on https, what configuration do I need to make in <int-http:inbound-gateway> to get the response in the reply-channel?
Actually there is nothing to do with Spring Integration for SSL. It is the responsibility of the underlying HTTP engine. And, to be honest, it doesn't even depend on the ClientHttpRequestFactory implementation for the RestTemplate.
You just need to have the server SSL certificate and place it in the trustStore. That is, if your target service requires only trusting - one-way SSL.
If you need mutual SSL, you need to generate the key and store it in the keyStore for your Java, and share the public part - the certificate - with the server.
You can find more info in the Java SSL documentation.
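The one-way versus mutual distinction above, as an added example that is not part of the original answer or of Spring Integration: a ClientHttpRequestFactory built with the JDK's own JSSE API (KeyManagerFactory/TrustManagerFactory rather than the Apache builder), with a truststore-only variant for one-way TLS and a keystore-plus-truststore variant for mutual TLS. It assumes both stores are PKCS12 files and that the bean is referenced from the gateway's request-factory attribute; paths and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.http.client.SimpleClientHttpRequestFactory;

/** Request factory whose HTTPS connections use an explicitly built SSLContext. */
public class JsseRequestFactory extends SimpleClientHttpRequestFactory {

    private final SSLContext sslContext;

    private JsseRequestFactory(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    /** One-way TLS: we only verify the server, so a truststore is all that is needed. */
    public static JsseRequestFactory oneWay(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        return new JsseRequestFactory(buildContext(null, null, trustStorePath, trustStorePassword));
    }

    /** Mutual TLS: additionally present our own key and certificate from a keystore. */
    public static JsseRequestFactory mutual(String keyStorePath, char[] keyStorePassword,
                                            String trustStorePath, char[] trustStorePassword)
            throws Exception {
        return new JsseRequestFactory(
                buildContext(keyStorePath, keyStorePassword, trustStorePath, trustStorePassword));
    }

    static SSLContext buildContext(String keyStorePath, char[] keyStorePassword,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        // Trust managers decide which server certificates are accepted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadPkcs12(trustStorePath, trustStorePassword));

        // Key managers are only needed when the server asks us for a certificate.
        KeyManager[] keyManagers = null;
        if (keyStorePath != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadPkcs12(keyStorePath, keyStorePassword), keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    @Override
    protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
        if (connection instanceof HttpsURLConnection) {
            // Hostname verification is left at the JDK default: the server's certificate
            // must match the host in http_requestUrl, or the handshake fails.
            ((HttpsURLConnection) connection).setSSLSocketFactory(sslContext.getSocketFactory());
        }
        super.prepareConnection(connection, httpMethod);
    }
}
```

Declare the factory as a bean (for example `JsseRequestFactory.oneWay("/path/to/truststore.p12", "changeit".toCharArray())`) and reference it with the `request-factory` attribute of `<int-http:outbound-gateway>`; the rest of the Spring Integration flow is unchanged, which is the point the answer makes. To populate the truststore from the external service's certificate, `keytool -importcert -alias service -file server.pem -keystore truststore.p12 -storetype PKCS12` is sufficient.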