I have a Spring MVC application where interceptors are added and it is working fine.
Example:
For https://example.com/some.action is been intercepted and serve.action is been served
I have recently seen request https://example.com/.;/some.action is serving serve.action but not passing through interceptor.
Please help me understand what happens when '/.;/' is passed and why interception doesn't work in that case.
Related
I have created a sample SOAP Web Service project (spring boot) and trying to integrate Okta as a resource server for authentication.
I am able to deploy the application to WebLogic, but when testing the service using SOAP UI, it gives the response even when there is no Token included in the header.
When I access WSDL from a browser using my wsdl url, http://myhost:port/appservice/app.wsdl I see the 401 error, so I think it is picking up the Security config changes. But it is not working for SOAP requests, I would get response even with out Okta token.
Is it because for SOAP requests, do I need to include any interceptors on top of Security Config java file. Or am I taking a wrong path for security with SOAP. Can someone let me know what am I missing or point me to right direction. Is token validation part of WS-Security? or the authentication manager in Okta resource server enough for this?
I followed this documentation to create it.
I have read most of the SO questions related to this and spring documentation, but could not connect the missing dots. Please help me with this. After spending lot of time, I felt like I was moving in circles.
UPDATE:
I have enabled spring security debug logs by doing below
#EnableWebSecurity(debug=true)
logging.level.org.springframework.security.web.FilterChainProxy=DEBUG
UPDATE2:
I haven't made any big changes to my configuration, but when I ran the project on embedded tomcat locally, it started working. To run on Tomcat, I changed packaging from war to jar, excluded Tomcat in my POM and in my Main class, I had to remove the SpringBootServletInitializer and WebApplicationInitializer. That's it. I tested SOAP UI with the Okta bearer token and it gave me response. With out the token it did not give me response.
Spring Security not working only in case of WebLogic12c. I don't know what I am missing to include for that to work in WebLogic. when deployed through Tomcat, request is passed through all the beans in Security Filter Chain {
WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter,
LogoutFilter,
BearerTokenAuthenticationFilter,
RequestCacheAwareFilter,
SecurityContextHolderAwareRequestFilter,
AnonymousAuthenticationFilter,
SessionManagementFilter,
ExceptionTranslationFilter,
FilterSecurityInterceptor}
But on WebLogic, the request is passed only through first four beans in Security Filter Chain {WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter}
I just wanted to update the alternate solution I found for this problem, for completeness.
Spring Security Filter chain was not working for Weblogic, where as same was working in Tomcat, even for Weblogic version 12.2.1.4.
I had followed this example, and implemented Okta filter as spring boot version was not working in Weblogic 12.2.1.4.
Thanks to #Toerktumlare, I have implemented logging with logback-spring.xml
I am having trouble as I have a sample app working with spring-boot and primefaces but can't manage to build a rest endpoint. I know there must be a configuration thing to be done between DispatcherServlet and FacesServlet but I still can't discover it. Can someone provide an example ?. I understand I could set each servlet to start working on a different path but its like being a turkish in the fog...
I am writing an Angular4 app with Spring Boot backend. I am using a SessionScoped bean to store the logged in user (I know this is not RESTful and stuff and I am ok with it for now) and RestControllers for the endpoints.
Logging in and querying data with Postman works nicely, but it does not work from my angular app, so I debugged it a little and saw that I get jsessionid-s in the response-headers, but they are not appended in the requests.
What might be the problem? How can I use Angular with Spring Boot and session scoped beans?
It depends on how your are calling the backend.
If you are using angular-cli and the proxying the calls to spring boot it should work out of the box since same domain requests always pass cookies.
This is the preferred way because usually this is how you then deploy it live using a nginx location block to get all /api/ calls go to spring and everything else to angular.
https://github.com/angular/angular-cli/blob/master/docs/documentation/stories/proxy.md
If you have the api on a different host you will need to pass withCredentials: true to all requests going to the backend to force the request to include the cookies.
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
this.http.post('http://localhost:3000/api/thing', { withCredentials: true }).subscribe()
I have a Spring MVC application that uses Spring Security to handle user login authentication, which works fine.
Now I want to add some Ember.js and Angular.js code to the HTML pages that accesses the Spring RESTful web services (which just return JSON data).
How do I bind the user login authentication to the authentication for the RESTful web services? In other words, I want to make it so that the RESTful web services can only be accessed once a user has logged in. That way, the Angular.js and Ember.js libraries can access these RESTful web services securely from my user pages only without anyone else being able to directly call them.
I read on one other post that Spring Security was never meant to be used with a full Ajax framework, is that true? I hope this is not the case. I'd imagine that this type of thing must be pretty common now as there are so many AJAX client side frameworks that work based off accessing a JSON/RESTful API.
It is certainly not true that Spring Security was never meant to be or cannot be used in AJAX applications. I have two applications in production that use Spring Security as well as AJAX and more applications under development with the same mix.
If you are going to use EmberJS or AngularJS in an existing web application with Spring Security working, you should not face too many problems if you simply add the JavaScript library to your project. This is because once your users are authenticated, any normal HTTP requests will be treated as authenticated as well because the browser will ensure that session information is passed back and forth using cookies or URL parameters, as appropriate. You can see one of my working examples on Github for Spring Security and EmberJS integration.
The only thing you may need to worry about is CSRF tokens for form submissions using AJAX. The latest Spring Security documentation has a small section dedicated to this so you should not face too many problems getting that to work either. However, I would like to clarify that this particular issue is not specific to Spring Security. CSRF protection typically involves including a secure, randomly generated token with every HTTP POST request. The challenge arises from making existing JavaScript libraries aware of this token and how it should be included in HTTP POST requests. This would be a challenge in any application, not just those using Spring Security.
If however you will work with stateless clients, such as, mobile devices, you will be unable to rely on the default Spring Security mechanism of storing the user credentials in HTTP Session because HTTP requests will not have information to tie them to a session. This again is not specific to a Spring or Spring Security application because the constraint is imposed by the nature of the client and the client-server communication rather than any server-side technology. In such circumstances you will need to pass some authentication token in the HTTP headers for the application to maintain security state on the server side. I have a working example for this as well. If you need more details, there are articles on the web that explain how to do something like this with Spring Security.
I have a restful web service written using Spring WebMVC that will mostly be used to orchestrate other services. In some cases these services are on the same server, in some cases they are not. I have a few requests (GET and POST) that will be direct pass throughs to another service. Is there a way to blindly forward all GET and POST data from a request for certain URLs without knowing anything about the data in the request?
Ideally, I would like to be able to say all requests for http://server1/myService/user/... should forward to http://server2/user/... with all of the GET and POST parameters forwarded with it.
For the services on the same server, if they're being served by the same Spring MVC application, you could use RedirectViews and/or the "redirect:" prefix.
For those on another server, the best thing I can think of would be to use a servlet filter, similar to the approach suggested by this post: spring mvc redirect path and all children to another domain