Nifi cluster Untrusted proxy CN=server2.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR problem - cluster-computing

I am trying to build a 3-node cluster where 2 of the nodes are clones of the currently active standalone NiFi node. First I wanted to build a cluster with the 2 clone nodes and then, if everything is OK, add the original node as well, but I have some problems and I couldn't find what is wrong with the configurations.
My authorizers.xml file:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">CN=server2.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
<property name="Initial User Identity 2">CN=server3.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
</userGroupProvider>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN">CN=mnguser,CN=Users,DC=ABC,DC=gov,DC=tr</property>
<property name="Manager Password">mngpwd</property>
<property name="TLS - Keystore">./conf/nifitest2keystore.jks</property>
<property name="TLS - Keystore Password">nifitest2</property>
<property name="TLS - Keystore Type">JKS</property>
<property name="TLS - Truststore">./conf/nifitest2truststore.jks</property>
<property name="TLS - Truststore Password">nifitest2</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">WANT</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">true</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://ldaps.abc.tr:636</property>
<property name="Page Size">500</property>
<property name="Sync Interval">30 mins</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>
<property name="User Search Base">CN=Users,DC=ABC,DC=gov,DC=tr</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Search Filter">(cn=*)</property>
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute">memberOf</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">CN=Users,DC=ABC,DC=gov,DC=tr</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">(cn=*)</property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">ldap-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">mnguser</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">CN=server2.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
<property name="Node Identity 2">CN=server3.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
<property name="Node Group"></property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>
My authorizations.xml file (I had to add the /proxy lines; I don't know why they were not created automatically):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="0005d80d-a6e9-33a9-b9c2-b76af02a0b77" resource="/data/process-groups/9860c729-017c-1000-a6ce-771f96f0e174" action="R">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="c9813a3f-eb39-30f7-a509-5fc2022ce53e" resource="/data/process-groups/9860c729-017c-1000-a6ce-771f96f0e174" action="W">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="5cd4342d-4988-37d0-b37e-d223e3fd46aa" resource="/process-groups/9860c729-017c-1000-a6ce-771f96f0e174" action="R">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="1c18b17c-1596-3bd1-92c7-7b5025cbdfb3" resource="/process-groups/9860c729-017c-1000-a6ce-771f96f0e174" action="W">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="efeb048a-a6ce-3e7d-89c2-9fd2417b8059" resource="/proxy" action="R">
<user identifier="adec56c1-29ed-30f0-af36-10c513b1d843"/>
<user identifier="b2f95239-353c-3a12-80ab-2b2112da1b98"/>
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
<policy identifier="20a75180-0463-393f-9bc6-b6dee87c174f" resource="/proxy" action="W">
<user identifier="adec56c1-29ed-30f0-af36-10c513b1d843"/>
<user identifier="b2f95239-353c-3a12-80ab-2b2112da1b98"/>
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
</policy>
</policies>
</authorizations>
My users.xml file:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555" identity="k016416"/>
<user identifier="adec56c1-29ed-30f0-af36-10c513b1d843"
identity="CN=server2.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR"/>
<user identifier="b2f95239-353c-3a12-80ab-2b2112da1b98"
identity="CN=server3.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR"/>
</users>
</tenants>
I also created a keystore and a truststore per node, with the certificates
CN=server2.abc.tr, O=ABC,L=Ankara, ST=Ankara, C=TR / CN=server3.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR.
When I tried to start NiFi, here are some of my logs. The original standalone node was connected to NiFi Registry, so these clones had some errors about that too, but in my opinion that is not the real issue.
nifi-user.log
2022-04-28 14:40:57,861 WARN [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.255.1.213 GET https://server2.abc.tr:8443/nifi-api/flow/current-user [Untrusted proxy CN=server2.abc.tr, O=TCMB, L=Ankara, ST=Ankara, C=TR]
Lastly my browser UI:
Thanks for your help in advance.

Related

Apache NIFI SSL cluster on separate VMs. Autorization issue(I guess)

I need help with Apache NiFi cluster configuration.
I configured a standalone NiFi and a cluster with no SSL, but while configuring a NiFi cluster with SSL I faced some problems.
I guess the problem is somewhere between the certificate generation and the authorizers.xml file.
Error in ./logs/nifi-user.log:
2020-03-13 17:22:47,365 WARN [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=myhost, OU=NIFI
Error in web UI:
Insufficient Permissions
Untrusted proxy CN=myhost, OU=NIFI
Here is my authorizers.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">ANONYMOUS</property>
<property name="Manager DN"></property>
<property name="Manager Password"></property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://myldap.org:389</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>
<property name="User Search Base">ou=People,dc=mydomain,dc=org</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute">uid</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">ou=Group,dc=mydomain,dc=org</property>
<property name="Group Object Class">posixGroup</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter"></property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">memberUid</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">ldap-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">iamadmin</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
<property name="Node Group"></property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>
I created certificates using this command:
./bin/tls-toolkit.sh standalone -n myhost1,myhost2,myhost3 --subjectAlternativeNames myhost1,myhost2,myhost3 -o ../standalonecerts/
Any help will be much appreciated.
P.S.: Does anybody have an example of a secured cluster configuration in containers? A docker-compose file or something.
UPD2:
I did exactly as you said, and now that part of the config looks like this on all hosts:
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">ldap-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">iamadmin</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">myhost1</property>
<property name="Node Identity 2">myhost2</property>
<property name="Node Identity 3">myhost3</property>
<property name="Node Group"></property>
</accessPolicyProvider>
But now NiFi does not start at all.
Error myhost1:
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate node CN=myhost1, OU=NIFI to seed policies.
Error myhost2:
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate node CN=myhost2, OU=NIFI to seed policies.
UPD3:
OK, so I went to the guide
NIFI Admin Guide
, and here is my new authorizers.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">CN=myhost1, OU=NIFI</property>
<property name="Initial User Identity 2">CN=myhost2, OU=NIFI</property>
</userGroupProvider>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">ANONYMOUS</property>
<property name="Manager DN"></property>
<property name="Manager Password"></property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://myldap:389</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>
<property name="User Search Base">ou=People,dc=mydomain,dc=org</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute">uid</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">ou=Group,dc=mydomain,dc=org</property>
<property name="Group Object Class">posixGroup</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter"></property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">memberUid</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<userGroupProvider>
<identifier>composite-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">composite-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">iamadmin</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">CN=myhost1, OU=NIFI</property>
<property name="Node Identity 2">CN=myhost2, OU=NIFI</property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>
But I still have the error:
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate node CN=myhost2, OU=NIFI to seed policies.
Please, can you tell me what I am doing wrong?
You need to specify the node identities in authorizers.xml so that the correct proxy policy is created for each node:
<property name="Node Identity 1"></property>
Since you have already started the application once, you will need to stop the application, delete users.xml and authorizations.xml, then edit authorizers.xml to add the node identities, then start.
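Both threads above come down to the same requirement: the DN that NiFi extracts from a node's certificate must appear, as an exact string, as a user that the access policy provider can resolve and as a member of the write policy on /proxy. The script below is an added example (not NiFi code, and not from either poster) that cross-checks the three files the way a reviewer would by hand: it follows the accessPolicyProvider's "User Group Provider" through composite providers to see whether the file provider holding the node identities is reachable, compares each "Node Identity N" against users.xml and the /proxy policy, and flags identities that differ only in the whitespace after commas, since NiFi compares the raw string (assumption: no identity mappings are configured in nifi.properties; with them, the mapped identity is what must match). The embedded XML is constructed to mirror the first post's files, trimmed to the relevant elements; the log line is copied from that post, and because its DN carries O=TCMB while the configs carry O=ABC, the script reports it as a proxy identity with no /proxy policy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the first post's files (trimmed to what matters).
AUTHORIZERS_XML = """<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<property name="Initial User Identity 1">CN=server2.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
</userGroupProvider>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
</userGroupProvider>
<userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<property name="User Group Provider">ldap-user-group-provider</property>
<property name="Node Identity 1">CN=server2.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
</accessPolicyProvider>
</authorizers>"""
USERS_XML = """<tenants><groups/><users>
<user identifier="dbd82ce3" identity="k016416"/>
<user identifier="adec56c1" identity="CN=server2.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR"/>
</users></tenants>"""
AUTHORIZATIONS_XML = """<authorizations><policies>
<policy identifier="20a75180" resource="/proxy" action="W"><user identifier="adec56c1"/></policy>
</policies></authorizations>"""
# Copied from the first post's nifi-user.log.
LOG_LINE = ("2022-04-28 14:40:57,861 WARN [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter "
            "Authentication Failed 10.255.1.213 GET https://server2.abc.tr:8443/nifi-api/flow/current-user "
            "[Untrusted proxy CN=server2.abc.tr, O=TCMB, L=Ankara, ST=Ankara, C=TR]")


def _props(elem):
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}


def node_identities(authorizers_xml):
    """Every non-empty 'Node Identity N' on the accessPolicyProvider."""
    root = ET.fromstring(authorizers_xml)
    return [v for apv in root.findall("accessPolicyProvider")
            for k, v in _props(apv).items() if re.fullmatch(r"Node Identity \d+", k) and v]


def resolvable_providers(authorizers_xml):
    """User-group providers the access policy provider can see, following composite
    providers transitively.  Node identities live in the file provider, so it must
    be in this set or they cannot be seeded into policies."""
    root = ET.fromstring(authorizers_xml)
    ugps = {u.findtext("identifier"): _props(u) for u in root.findall("userGroupProvider")}
    stack = [_props(root.find("accessPolicyProvider")).get("User Group Provider")]
    seen = set()
    while stack:
        ident = stack.pop()
        if ident in seen or ident not in ugps:
            continue
        seen.add(ident)
        stack += [v for k, v in ugps[ident].items()
                  if k == "Configurable User Group Provider" or re.fullmatch(r"User Group Provider \d+", k)]
    return seen


def file_users(users_xml):
    return {u.get("identifier"): u.get("identity") for u in ET.fromstring(users_xml).iter("user")}


def proxy_writers(users_xml, authorizations_xml):
    """Identities granted W on /proxy, i.e. allowed to proxy user requests."""
    ids = file_users(users_xml)
    return {ids.get(u.get("identifier"), u.get("identifier"))
            for pol in ET.fromstring(authorizations_xml).iter("policy")
            if pol.get("resource") == "/proxy" and pol.get("action") == "W"
            for u in pol.findall("user")}


def untrusted_proxy_identity(log_line):
    m = re.search(r"Untrusted proxy (.+?)\]\s*$", log_line)
    return m.group(1) if m else None


def _canon(dn):
    # Only used to spot near-misses; NiFi itself compares the raw string.
    return re.sub(r"\s*,\s*", ",", dn.strip())


def check(authorizers_xml, users_xml, authorizations_xml, log_line=None):
    """Return a list of finding codes; an empty list means the node identities are consistent."""
    findings = []
    if "file-user-group-provider" not in resolvable_providers(authorizers_xml):
        findings.append("POLICY_PROVIDER_CANNOT_SEE_FILE_USERS")
    identities = set(file_users(users_xml).values())
    writers = proxy_writers(users_xml, authorizations_xml)
    for node in node_identities(authorizers_xml):
        if node in identities and node in writers:
            continue
        if any(_canon(i) == _canon(node) and i != node for i in identities):
            findings.append(f"NODE_WHITESPACE_MISMATCH:{node}")
        elif node not in identities:
            findings.append(f"NODE_NOT_IN_USERS:{node}")
        else:
            findings.append(f"NODE_NOT_PROXY_WRITER:{node}")
    if log_line:
        who = untrusted_proxy_identity(log_line)
        if who and who not in writers:
            findings.append(f"LOG_PROXY_NOT_WRITER:{who}")
    return findings


if __name__ == "__main__":
    for finding in check(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML, LOG_LINE):
        print(finding)
```

Run against the real files by loading them with open(...).read() in place of the constants. On the constructed sample it reports that the access policy provider is wired to the LDAP provider only (the same wiring the UPD3 config above corrects by pointing it at the composite provider), that the node identity in authorizers.xml differs from the users.xml entry only by the spaces after the commas, and that the DN NiFi actually logged holds no /proxy policy. Pointing the policy provider at the composite provider and writing the node identity exactly as NiFi logs it makes the check return an empty list.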

Obtaining OAuth token with Basic Authentication

Background
I have a Spring application with OAuth2 security.
I can easily obtain an OAuth Bearer token with the following request:
POST {{...}}/oauth/token
?grant_type=password
&client_id={{client_id}}
&username={{username}}
&password={{password}}
This returns a 200 OK response with my access_token in the body.
Problem
My problem is that one of my clients doesn't like the idea of sending plain-text passwords as a query parameter, and they want to get the OAuth Bearer token using Basic Authentication.
However I can't make it work the following way:
POST {{...}}/oauth/token
Authorization: Basic base64encoded(username:password)
Content-Type: application/x-www-form-urlencoded
Request Body:
{
"grant_type": "password",
"client_id": {{client_id}}
}
It returns 401 Unauthorized, and
{
"error": "unauthorized",
"error_description": "Bad credentials"
}
My applicationContext.xml file looks like this:
<beans>
...
<!-- Definition of the Authentication Service -->
<security:http
pattern="/oauth/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:anonymous enabled="false"/>
<security:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
<security:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler"/>
</security:http>
<!-- Protected resources -->
<security:http
pattern="/v3/**"
create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager">
<security:anonymous enabled="false"/>
<security:intercept-url pattern="/v3/**" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler"/>
</security:http>
<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="typeName" value="Basic"/>
</bean>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"/>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager"/>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
<bean class="org.springframework.security.access.vote.RoleVoter"/>
<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</list>
</constructor-arg>
</bean>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientDetailsUserService"/>
</security:authentication-manager>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails"/>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="myAuthProvider"/>
</security:authentication-manager>
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="accessTokenValiditySeconds" value="86400"/>
<property name="tokenStore" ref="tokenStore"/>
<property name="supportRefreshToken" value="true"/>
<property name="clientDetailsService" ref="clientDetails"/>
</bean>
<bean id="oAuth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg ref="clientDetails"/>
</bean>
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:authorization-code/>
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:password/>
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter" token-services-ref="tokenServices"/>
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="web-console"
authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"
scope="read,write,trust"
access-token-validity="86400"
refresh-token-validity="86400"/>
</oauth:client-details-service>
...
</beans>
Question
Ideally I should be able to call the /oauth/token endpoint with an Authorization: Basic xxxxxxxxxxxxxxx header and obtain the OAuth bearer token.

Spring OAuth2 ClientId passed in as username for password grant type

I am attempting a very basic implementation of the Spring OAuth2 library; however, when I send a request off to the server I receive the following error:
{
"error": "invalid_client",
"error_description": "Bad client credentials"
}
When doing further debugging, I notice that for some reason the clientId is being passed in as the username within the resource owner flow.
I have included my XML configuration and am curious if anyone could tell me if anything seems inherently wrong or if anyone has any suggestions.
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetailsService" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test/client" />
<property name="typeName" value="Basic" />
</bean>
<security:http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="authenticationManager">
<security:intercept-url pattern="/oauth/token" access="isAuthenticated()" />
<security:anonymous enabled="false" />
<security:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters -->
<security:custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<authorization-server client-details-service-ref="clientDetailsService"
xmlns="http://www.springframework.org/schema/security/oauth2" token-services-ref="tokenServices" >
<authorization-code />
<implicit />
<refresh-token />
<client-credentials />
<password authentication-manager-ref="authenticationManager" />
</authorization-server>
<oauth:resource-server id="resourceFilter" token-services-ref="tokenServices" authentication-manager-ref="authenticationManager" />
<security:authentication-manager id="authenticationManager">
<security:authentication-provider>
<security:user-service id="userDetailsService">
<security:user name="user" password="password" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<client-details-service id="clientDetailsService"
xmlns="http://www.springframework.org/schema/security/oauth2">
<oauth:client client-id="my-trusted-client"
authorized-grant-types="password,authorization_code,refresh_token,implicit"
scope="read,write,trust" resource-ids="oauth2-resource"
access-token-validity="60" authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT"
redirect-uri="http://anywhere" />
<oauth:client client-id="my-client-with-registered-redirect"
authorized-grant-types="authorization_code" scope="read,trust"
resource-ids="oauth2-resource" authorities="ROLE_CLIENT"
redirect-uri="http://anywhere?key=value" />
<oauth:client client-id="my-client-with-secret" secret="secret"
authorized-grant-types="password,client_credentials" scope="read"
resource-ids="oauth2-resource" access-token-validity="60"
authorities="ROLE_CLIENT" />
</client-details-service>
Below is also the request that I am sending to the server; it is encoded as 'x-www-form-urlencoded':
grant_type:password
client_id:my-client-with-secret
client_secret:secret
username:user
password:password
scope:read write
The problem arises from here:
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
I am passing the user authentication manager rather than a client-details authentication manager. I had to create an additional bean of type ClientDetailsAuthenticationManager and pass that within the ref.
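The two Spring OAuth2 posts above are two sides of one mechanism: on /oauth/token the http-basic filter and the ClientCredentialsTokenEndpointFilter authenticate the client against the client-details service, and only afterwards does the password grant check username and password from the form parameters against the user authentication manager. The toy endpoint below is an added example, written for this page rather than taken from Spring or from either poster, that models those two stages with stdlib only. The client and user registries are constructed from the clients and users declared in the posted XML; the error bodies are copied from the two posts, and a `client_registry` parameter stands in for whatever authentication manager the client filter is wired to, so passing the user store reproduces the third post's misconfiguration. Everything else (hostname, token format, the "no client credentials" wording) is invented for the model.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed registries standing in for the posts' <oauth:client-details-service>
# and <security:user-service>.  A secret of None models a public client such as
# "web-console", which the second post declares without one.
CLIENTS = {"web-console": None, "my-client-with-secret": "secret"}
USERS = {"user": "password"}


def parse_basic(headers):
    """Decode 'Authorization: Basic base64(id:secret)'; None if absent or malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    ident, sep, secret = raw.partition(":")
    return (ident, secret) if sep else None


def basic_header(ident, secret):
    """The header a confidential client should send: its own id and secret, never the user's login."""
    token = base64.b64encode(f"{ident}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token,
            "Content-Type": "application/x-www-form-urlencoded"}


def authenticate_client(headers, form, registry):
    """Stage 1: authenticate the CLIENT.  Basic auth is tried first (the http-basic
    filter), then client_id/client_secret form fields (ClientCredentialsTokenEndpointFilter).
    `registry` is whatever the client authentication manager is wired to; the third post
    wired it to the user store, which is reproduced by passing USERS.  Returns (client_id, error)."""
    creds, via_filter = parse_basic(headers), False
    if creds is None and "client_id" in form:
        creds, via_filter = (form["client_id"][0], form.get("client_secret", [""])[0]), True
    if creds is None:
        return None, {"error": "unauthorized", "error_description": "no client credentials"}  # invented wording
    cid, secret = creds
    if cid in registry and registry[cid] in (None, secret):
        return cid, None
    if via_filter:  # wording copied from the third post
        return None, {"error": "invalid_client", "error_description": "Bad client credentials"}
    return None, {"error": "unauthorized", "error_description": "Bad credentials"}  # second post


def token_endpoint(method, url, headers, body="", client_registry=CLIENTS):
    """Toy /oauth/token for the password grant.  Like Spring's TokenEndpoint it reads
    request parameters, so the query string and the form body are merged."""
    if method != "POST":
        return 405, {"error": "method_not_allowed"}
    form = parse_qs(urlsplit(url).query)
    form.update(parse_qs(body))
    client, err = authenticate_client(headers, form, client_registry)
    if err:
        return 401, err
    if form.get("grant_type", [None])[0] != "password":
        return 400, {"error": "unsupported_grant_type"}
    # Stage 2: authenticate the RESOURCE OWNER from the form fields only.
    username = form.get("username", [None])[0]
    password = form.get("password", [None])[0]
    if username not in USERS or USERS[username] != password:
        return 400, {"error": "invalid_grant", "error_description": "Bad credentials"}
    return 200, {"access_token": f"tok.{client}.{username}", "token_type": "bearer"}


if __name__ == "__main__":
    url = "https://api.example/oauth/token"  # hostname invented for the example
    print(token_endpoint("POST", url, basic_header("user", "password"), "grant_type=password&client_id=web-console"))
    print(token_endpoint("POST", url, basic_header("my-client-with-secret", "secret"),
                         "grant_type=password&username=user&password=password"))
```

The second post's failing request puts the user's login in the Basic header, so stage 1 looks "user" up as a client and stops with the 401 shown in the post; the request that works keeps client_id:client_secret in the header and username/password in the form body, which also answers the client's objection, since form-body credentials do not land in access logs, proxy logs or browser history the way query-string parameters do (TLS is still required to keep them off the wire). Wiring the client filter to the user store, as in the third post, does the reverse: registered clients are rejected with invalid_client, while a user's login is accepted as if it were a client.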

How do I automatically delete expired Oauth access tokens from our database using Spring and its JdbcTokenStore class?

I'm using Spring 4.3.8.RELEASE. I set up an OAuth application (to allow client applications to access certain functions via the client_credentials grant type) using the Spring org.springframework.security.oauth2.provider.token.store.JdbcTokenStore class to manage access tokens. We're using a MySQL 5 database. This is the table definition for those access tokens ...
CREATE TABLE `oauth_access_token` (
`token_id` varchar(255) COLLATE utf8_bin DEFAULT NULL,
`token` mediumblob,
`authentication_id` varchar(255) COLLATE utf8_bin NOT NULL,
`user_name` varchar(255) COLLATE utf8_bin DEFAULT NULL,
`client_id` varchar(255) COLLATE utf8_bin DEFAULT NULL,
`authentication` mediumblob,
`refresh_token` varchar(255) COLLATE utf8_bin DEFAULT NULL,
PRIMARY KEY (`authentication_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
Here is the relevant portion of our Spring OAuth configuration
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<user-service id="userDetailsService">
<user name="marissa" password="koala" authorities="ROLE_USER" />
<user name="paul" password="emu" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
<constructor-arg ref="dataSource" />
<property name="authenticationKeyGenerator">
<bean class="org.springframework.security.oauth2.UniqueAuthenticationKeyGenerator" />
</property>
</bean>
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<!-- <property name="accessTokenValiditySeconds" value="30" /> -->
<property name="tokenStore" ref="tokenStore" />
<property name="tokenEnhancer" ref="tokenEnhancer" />
<property name="supportRefreshToken" value="false" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="tokenEnhancer"
class="org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter" />
<bean id="requestFactory"
class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="approvalStore"
class="org.springframework.security.oauth2.provider.approval.TokenApprovalStore">
<property name="tokenStore" ref="tokenStore" />
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:client-credentials />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter" entry-point-ref="entry"
resource-id="myclientAssignment" token-services-ref="tokenServices" />
<bean id="entry" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<constructor-arg value="/myresource" />
</bean>
<context:property-placeholder location="classpath:application.properties"/>
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="${myclient.client.id}"
access-token-validity="30"
authorized-grant-types="client_credentials" authorities="ROLE_CLIENT"
scope="read,write" secret="${myclient.client.secret}" />
</oauth:client-details-service>
<mvc:default-servlet-handler />
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<http pattern="/api/**"
create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<custom-filter ref="resourceServerFilter"
before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
My question is, once a token expires, what's the easiest way to set things up so that the row is deleted from the table? We would like to remove old data.

Spring Security: Access is denied

I have security-context.xml:
<security:http auto-config="true" >
<security:intercept-url pattern="/user*" access="hasRole('REGISTERED_USER')"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service id="userDetailsService">
<security:user password="password" name="user" authorities="REGISTERED_USER" />
<security:user password="password" name="manager" authorities="BOOKING_MANAGER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
As expected, I am redirected to the login page when I try to access /user.
But I expect access to be granted after I log in as user/password. It doesn't happen, and I get:
HTTP Status 403 - Access is denied.
What am I getting wrong?
1st option: you have to add the prefix ROLE_:
<security:user password="password" name="user" authorities="ROLE_REGISTERED_USER" />
http://websystique.com/spring-security/spring-security-4-secure-view-layer-using-taglibs/
2nd option: you can redefine the RoleVoter bean and make it work without the prefix:
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg name="decisionVoters">
<list>
<bean class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value=""/>
</bean>
</list>
</constructor-arg>
</bean>
