I have upgraded some micro services that talk to each other from Spring Boot 1.5.3 to 2.3.5.
Now when my micro service A calls micro service B, the call fails with the following status
on the network tab of chrome's developer tools (blocked:mixed-content)
I am not sure what has changed that I start getting this error.
In browser's console I get the below error:
Mixed Content: The page at 'https://gateway-url/my-endpoint' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://micro-service-b-url/login'. This request has been blocked; the content must be served over HTTPS.
The strange thing is that there is no end-point /login in my entire codebase.
I am unable to understand this behavior after springboot upgrade.
Any guidance on how spring boot upgrade led to this error and possible resolution is appreciated.
Note: I found some answers that suggest using the below code to resolve this
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
but looks like it doesn't work with all browsers and I am not sure if its safe to use this solution in terms of security.
Understood the issue and found the solution.
Looks like the security hooks used in SpringBoot 1 are deprecated in SpringBoot 2.
So in my micro-service B the below config in properties file wasn't working after upgrade
security.basic.enable: false
security.ignored=/**
as a result SpringBoot 2 was enforcing default security config on micro-service B and calls to micro-service B through gateway were being redirected to web-sso login which resulted in the mysterious /login endpoint being called.
The solution was to disable default security. I did the below steps:
1. Removed deprecated hooks from properties file:
security.basic.enable: false
security.ignored=/**
2. Disabled default security using below config
#SpringBootApplication(exclude = { SecurityAutoConfiguration.class,
ManagementWebSecurityAutoConfiguration.class })
public class MyApplication extends WebMvcConfigurerAdapter{
Note: I had to exclude ManagementWebSecurityAutoConfiguration.class because the micro-service was using SpringBoot actuator
Related
I have created a sample SOAP Web Service project (spring boot) and trying to integrate Okta as a resource server for authentication.
I am able to deploy the application to WebLogic, but when testing the service using SOAP UI, it gives the response even when there is no Token included in the header.
When I access WSDL from a browser using my wsdl url, http://myhost:port/appservice/app.wsdl I see the 401 error, so I think it is picking up the Security config changes. But it is not working for SOAP requests, I would get response even with out Okta token.
Is it because for SOAP requests, do I need to include any interceptors on top of Security Config java file. Or am I taking a wrong path for security with SOAP. Can someone let me know what am I missing or point me to right direction. Is token validation part of WS-Security? or the authentication manager in Okta resource server enough for this?
I followed this documentation to create it.
I have read most of the SO questions related to this and spring documentation, but could not connect the missing dots. Please help me with this. After spending lot of time, I felt like I was moving in circles.
UPDATE:
I have enabled spring security debug logs by doing below
#EnableWebSecurity(debug=true)
logging.level.org.springframework.security.web.FilterChainProxy=DEBUG
UPDATE2:
I haven't made any big changes to my configuration, but when I ran the project on embedded tomcat locally, it started working. To run on Tomcat, I changed packaging from war to jar, excluded Tomcat in my POM and in my Main class, I had to remove the SpringBootServletInitializer and WebApplicationInitializer. That's it. I tested SOAP UI with the Okta bearer token and it gave me response. With out the token it did not give me response.
Spring Security not working only in case of WebLogic12c. I don't know what I am missing to include for that to work in WebLogic. when deployed through Tomcat, request is passed through all the beans in Security Filter Chain {
WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter,
LogoutFilter,
BearerTokenAuthenticationFilter,
RequestCacheAwareFilter,
SecurityContextHolderAwareRequestFilter,
AnonymousAuthenticationFilter,
SessionManagementFilter,
ExceptionTranslationFilter,
FilterSecurityInterceptor}
But on WebLogic, the request is passed only through first four beans in Security Filter Chain {WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter}
I just wanted to update the alternate solution I found for this problem, for completeness.
Spring Security Filter chain was not working for Weblogic, where as same was working in Tomcat, even for Weblogic version 12.2.1.4.
I had followed this example, and implemented Okta filter as spring boot version was not working in Weblogic 12.2.1.4.
Thanks to #Toerktumlare, I have implemented logging with logback-spring.xml
A pretty basic API initialized with Spring Boot + Tomcat which serves multiple (4) endpoints. This API is exposed to public and receives requests in those endpoints only.
None of those are for File uploading. We are monitoring the API and noticed the following message:
"Creating the temporary upload location [C:\Users[user]\AppData\Local\Temp\tomcat.443.338388046123984973\work\Tomcat\localhost\ROOT] as it is required by the servlet [dispatcherServlet]". I was wondering if someone tried to upload a file as an exploit because we noticed some exploits attempts before (log4j, random-requests to other non-existing endpoints, etc)
Should I be worried? How I can disable it?
You can disable mutlipart/form with the following spring property
spring.servlet.multipart.enabled = false
I have attempted to take advice offered for similar problems; to no avail. Can someone please explain a resolution for this problem, as if I were six?
I've upgraded my version of spring boot to 2.5. All tests in my suite still pass, except for this #Springboot test:
#Test
void readActuatorInfo_success() throws Exception {
mockMvc.perform(
get("/actuator/info")
.header("Authorization", "Basic dXNlcjpwYXNzd29yZA=="))
.andExpect(status().isOk());
}
It fails because the response is 404. Now, I know that springboot does not, by default, expose the endpoints, that they must be explicitly configured. For example, the following yaml should do it, but no. Any tips?
application:
endpoint:
info:
enabled: true
To be clear, this test passed for Springboot 2.3
From 2.5 onwards the Info endpoint is no longer exposed by default,
The /info actuator endpoint is no longer exposed over the web by default. Additionally, if Spring Security is on the classpath and your application doesn’t have a custom security configuration, the endpoint requires authenticated access by default.
Refer to the documentation on exposing and securing actuator endpoints to change these new defaults.
https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.5-Release-Notes#secure-info-endpoint
management:
endpoint:
web:
exposure: "health,info"
Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:
Web application - React based front-send that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.
Server 2 Server coomunication - A server that need to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.
There are few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is a "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?
As for using the Spring Bood adapter, the only configuration necessary is the following:
keycloak:
bearer-only: true
auth-server-url: your-url
realm: your-realm
resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints but it's a bit more flexible to either use httpSecurity or #EnableGlobalMethodSecurity which we're doing with e. g. #Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc.: Some of certified OpenID client libs even propose features to ensure user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has same features.
Keycloak adapters for Spring are now deprecated. You can refer to this tutorials for various resource-server security configuration options. It covers uses cases from most simple RBAC to building DSL like: #PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
I'm trying to adapt Vaadin Spring Boot QuickTickets Dashboard example with my project needs. Everything is working fine except I'm unable to access another (not Vaadin UI) URLs. For example, I have Spring Boot Actuator endpoint - http://localhost:8080/actuator/health but when I try to access it, the application wrongly redirects me to http://localhost:8080/actuator/health#!dashboard. Pretty much the same behavior with my custom login page(not Vaadin UI) - http://localhost:8080/login. I also unable to access it.
How to correctly setup Vaadin to be able to access Spring Boot Actuator endpoints and my custom login page also?
You need to map the servlet to a different path. I think the problem is that the Vaadin-Servlet is mapped to / an is processing all requests.
Adding the following to you application.properties should do the trick.
vaadin.servlet.urlMapping = /myapp/*
Of course the URL of the app changes accordingly.