Currently our cloudera manager on AWS uses the internal IP for Consumer service.
Is there a way to change the AssertionConsumerServiceURL so that the redirect login can be on a public IP/DNS instead on private IP/DNS so that keycloak feature can be used in public facing website SSO?
Below is the image of the SAML tracer
Related
I have a spring boot application which runs on Azure Kubernetes Service and it exposes a private IP, using this IP I have configured this API on Azure API Manager. All the traffic will be coming to this spring boot application via API manager. Client to APIM connection is secured with SSL certificate coming from azure API manager. But from API manager to back end API application is not secured it is plain http. Is there any security issues for this architecture?
For your situation, since you already use SSL certificate to protect your APIM, I think the architecture is no problem even though there isn't any security configuration between APIM and backend api. APIM will not expose your backend, so others can't get your backend IP or backend url according to the APIM. So I think you do not need to add any other security configuration for your architecture.
For the comment about Azure AD mentioned by Tiny, you can also use Azure AD to protect your api or APIM, but I think it is unnecessary.
My spring boot application is running in a docker environment. It is managed by docker swarm.
I am trying to restrict some of the api to certain apis but the spring security is receiving private ip address instead of public.
I want the application to recieve the public address for the request so that I can use spring security to restrict access apis to certain apis.
If this is not possbile is there another solution to this?
I'm trying to implement a Zuul reverse proxy with #EnableOAuth2Sso so I can relay the access tokens obtained from the authentication server to my resource server.
The question is how do I configure the Zuul proxy to forward the username and password to the authentication server, since I am using the password grant flow to obtain the tokens.
If the question is still relevant...
I had a task to configure Authorization and Resource servers behind Zuul using password grant type.
This article and example on github helped me a lot, but mostly I've used debug to configure the environment.
Please check my example of configuration OAuth2 Password Grant Type behind Zuul.
To run the example, inside every service folder run mnv spring-boot:run
In browser go to http://localhost:8765, credentials user/user, admin/admin
http://localhost:8761/ - eureka
I have not used #EnableOAuth2Sso, but instead #EnableOAuth2Client and configure only ResourceOwnerPasswordAccessTokenProvider (more details here).
#EnableOAuth2Sso is configured all token providers, but I need only password provider.
Example uses JwtTokens.
I'm working with the Spring OAuth2 sparklr and toner examples. I've broken up sparklr into two applications to separate the Resource server and Authentication server. They're both running on Spring Boot and Java Config.
The Resource server (API) has a /account resource I would like to expose to the Authentication server (MVC) so that the Auth server can create accounts, but of course the resource is protected.
How can I grant the Authentication server access to the /account on the Resource server?
If your /account resource is an oauth protected resource then your auth server is now a client. I don't see any in principle problem with that (copy the client side config from tonr and use an OAuth2RestTemplate like it was a vanilla RestTemplate). You haven't really provided enough information to know what kind of client and grant type should be used (maybe client_credentials?).
I had recently been able to secure my web application and authenticate the user by using basic authentication. An added requirement was to check against user's ip address from request parameter and I leveraged use of Custom authentication details source and override of BASIC_AUTH_FILTER. (see:http://stackoverflow.com/questions/9854592/accessing-httpservletrequest-during-daoauthenticationprovider-authenticate-in-sp)
Now I have a Spring Web Service that uses SimplePasswordValidationCallbackHandler and the same AuthenticationManager / Provider configuration as above (except for the http namespace configuration which has all my custom filter logic).
I would like to do a similar activity to authenticate a user completely only if their ip addresses match when authenticating in a Web Service.
I pass the username and password in the SOAP headers and authentication happens without any issues.
Any thoughts if i can reuse my existing configuration here for the AuthenticationDetailsSource and Custom filter. Is this even achievable or am I on a completely different track here?
Thanks.
I added a RequestContext Listener to my web.xml and got access to the HttpServletRequest using a RequestContextHolder during my authentication process in a custom DAOProvider.
Anyone with a better solution, let me know !