I have a REST API which calls another REST API using the Feign client. Between the two calls I have a reverse proxy which adds a Cookie to the response headers.
In my next calls the Cookie is still present in the header although I only add the Bearer using a Spring interceptor.
I don't understand how this can happen because my Feign client is a singleton managed by Spring.
I have to secure a REST API service made with Spring.
My goal is to:
Decide which controller methods will be secured. I like the annotation approach, so I can annotate only the required methods.
Read a bearer token from the HTTP header and verify it with an external service. This service will reply with some authentication information.
Use the authentication data retrieved from the external authorization service inside my controller. I would like to use a custom parameter object in my controller methods and use it in the business logic.
I underline that I don't need to implement the authentication; the bearer token will be sent by the client and I just need to verify it.
I tried to follow some tutorials about Spring Security but most of them are MVC implementations with authentication. Probably my case is more like a JWT usage with the @Secured annotation; however, it is not fully clear to me how I can define an external service and how I can inherit the authentication data inside my controller.
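An added example, not code from the question or from any answer on this page, of one way to meet the three requirements with Spring Security 6 (Spring Boot 3, Java 17): a filter that extracts the bearer token, verifies it against an external service over RestTemplate, and stores the verifier's reply as the principal; a controller method that is protected only because it is annotated and receives that reply through @AuthenticationPrincipal. The VerifiedUser shape, the https://auth.internal/verify URL and the ROLE_ prefix mapping are assumptions.

```java
import java.io.IOException;
import java.util.List;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

// Assumed shape of the external verifier's JSON reply.
record VerifiedUser(String userId, List<String> roles) {}

// Authentication whose principal is the verifier's reply; the raw token is deliberately not kept.
class ExternalTokenAuthentication extends AbstractAuthenticationToken {
    private final VerifiedUser user;

    ExternalTokenAuthentication(VerifiedUser user) {
        super(user.roles().stream().map(r -> new SimpleGrantedAuthority("ROLE_" + r)).toList());
        this.user = user;
        setAuthenticated(true);
    }

    @Override public Object getCredentials() { return ""; }
    @Override public Object getPrincipal() { return user; }
}

// Reads "Authorization: Bearer <token>", asks the external service whether it is valid and fills the
// SecurityContext on success. On any failure the request continues unauthenticated: annotated
// methods are then denied, unannotated ones stay open.
class ExternalTokenFilter extends OncePerRequestFilter {
    private final RestTemplate rest;
    private final String verifyUrl;   // assumed: GET with the bearer token returns a VerifiedUser

    ExternalTokenFilter(RestTemplate rest, String verifyUrl) {
        this.rest = rest;
        this.verifyUrl = verifyUrl;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            HttpHeaders h = new HttpHeaders();
            h.setBearerAuth(header.substring(7).trim());   // forwarded only to the verifier, never logged
            try {
                VerifiedUser user = rest.exchange(verifyUrl, HttpMethod.GET, new HttpEntity<>(h),
                        VerifiedUser.class).getBody();
                if (user != null) {
                    SecurityContextHolder.getContext().setAuthentication(new ExternalTokenAuthentication(user));
                }
            } catch (RestClientException e) {
                // verifier rejected the token (4xx) or is unreachable: stay unauthenticated
            }
        }
        chain.doFilter(req, res);
    }
}

@Configuration
@EnableMethodSecurity
class SecurityConfig {
    @Bean
    SecurityFilterChain chain(HttpSecurity http) throws Exception {
        http.csrf(c -> c.disable())   // bearer-token API without cookies
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(new ExternalTokenFilter(new RestTemplate(), "https://auth.internal/verify"),
                             AnonymousAuthenticationFilter.class);
        return http.build();
    }
}

@RestController
class OrdersController {
    // Secured only because it is annotated; the parameter is the verifier's reply.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/orders")
    public VerifiedUser orders(@AuthenticationPrincipal VerifiedUser user) {
        return user;
    }
}
```

The filter is constructed inline rather than exposed as a @Bean on purpose: Spring Boot registers any Filter bean with the servlet container as well, so it would run twice. Verifier responses are not cached here; if the external service becomes a bottleneck, cache by token hash with a TTL no longer than the token's own lifetime.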
I have a Keycloak instance in which I created an EventListener (Provider & ProviderFactory) that responds to register events.
But now I want this EventListener to call an endpoint in my Spring Boot app which is secured by this Keycloak instance (as client).
For this I can simply send an HTTP request from inside the EventListenerProvider. However, I am wondering how I can secure the endpoint so that only this Keycloak event listener can access it.
Can Keycloak authenticate itself to a client endpoint?
Maybe you guys have an idea.
It's just like other apps that call each other using a token they got from Keycloak. You can define a client for your event listener in the Keycloak realm (or for your Keycloak as a whole, in case it may want to call other endpoints in future). Then, before making a call to your Spring endpoint, you get a token from Keycloak via the client-id/client-secret (by calling the /token endpoint of your realm) and put it as the Authorization header in your request.
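The flow this answer describes, as an added example that is not code from the post, from Keycloak or from Spring: the listener obtains a token with the client credentials grant from the realm's token endpoint, caches it until shortly before it expires and sends it as a Bearer header; the Spring side validates the JWT as an OAuth2 resource server and additionally checks the token's azp (authorized party) claim, because a valid realm token alone would let any client of the realm call the endpoint. The realm and endpoint URLs, the client id keycloak-event-listener, the use of Jackson for the token response and Java 11+ java.net.http are assumptions.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// ---- Keycloak side: used from the EventListenerProvider's onEvent(...) ----
final class SpringEventForwarder {
    private static final String TOKEN_URL =
            "https://keycloak.example/realms/myrealm/protocol/openid-connect/token";       // assumed realm
    private static final String TARGET_URL = "https://app.example/internal/keycloak-events"; // assumed endpoint

    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper json = new ObjectMapper();
    private final String clientId;
    private final String clientSecret;   // read from SPI config or the environment, never hard-coded
    private String cachedToken;
    private Instant expiresAt = Instant.EPOCH;

    SpringEventForwarder(String clientId, String clientSecret) {
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    // Client credentials grant against the realm token endpoint; reuse until 30 s before expiry.
    synchronized String bearerToken() throws Exception {
        if (cachedToken != null && Instant.now().plusSeconds(30).isBefore(expiresAt)) {
            return cachedToken;
        }
        String form = "grant_type=client_credentials"
                + "&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                + "&client_secret=" + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_URL))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IllegalStateException("token endpoint returned " + resp.statusCode());
        }
        JsonNode body = json.readTree(resp.body());
        cachedToken = body.get("access_token").asText();
        expiresAt = Instant.now().plusSeconds(body.get("expires_in").asLong());
        return cachedToken;
    }

    // Sends one event; returns the HTTP status so the caller can log 401/403 as a misconfiguration.
    int forward(String eventJson) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(TARGET_URL))
                .header("Authorization", "Bearer " + bearerToken())
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(eventJson))
                .build();
        return http.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
    }
}

// ---- Spring side: resource server for the realm (issuer set through
// spring.security.oauth2.resourceserver.jwt.issuer-uri), plus an azp check ----
@Configuration
@EnableMethodSecurity
class ResourceServerConfig {
    @Bean
    SecurityFilterChain chain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

@RestController
class KeycloakEventController {
    // Signature and issuer checks accept any token from the realm; the azp (authorized party)
    // claim narrows it to the listener's own client.
    @PreAuthorize("authentication.token.claims['azp'] == 'keycloak-event-listener'")
    @PostMapping("/internal/keycloak-events")
    public void onRegisterEvent(@RequestBody String eventJson) {
        // process the registration event
    }
}
```

The two halves live in different deployments (the forwarder inside the Keycloak provider JAR, the config and controller in the Spring Boot app); they are shown together only so the claim check can be read next to the token request that produces it. Keep both sides on TLS, since the client secret and the bearer token travel in clear otherwise.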
We have a few Spring microservices which communicate with each other via REST (Spring's RestTemplate). OAuth2 authorization is applied in all of them, and the JWT token is extended with a few custom fields (i.e. userRole, userId etc.).
My problem is the following:
When we call a service which also calls another microservice via RestTemplate, the original bearer token (OAuth2) is not forwarded when the microservices are communicating with each other. We can't get a response from the other services, because we are unauthorized. I can't find a neat solution.
Note that we do not want to acquire a new token for the second call, because that would affect our performance. That is what OAuth2RestTemplate is doing, but we just want to pass the original bearer token.
As I researched on Stack Overflow, one solution would be to manually add "Bearer " + token as an Authorization header and use .exchange(), but I think there should be a configuration in Spring which will make RestTemplate pass on the original Authorization header, or something similar.
I had the same issue while testing locally. The below configuration in my application.yml file fixed it. The token gets passed from one service call to another.
hystrix:
  command:
    default:
      execution:
        isolation:
          strategy: SEMAPHORE
          thread:
            timeoutInMilliseconds: 5000
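The answer above shows the setting but not the mechanism it depends on, so here is an added example (not code from the post) of the usual carrier: a ClientHttpRequestInterceptor that copies the Authorization header of the request currently being served, looked up through RequestContextHolder, onto the outbound RestTemplate call. RequestContextHolder is a ThreadLocal. With Hystrix SEMAPHORE isolation the wrapped call runs on the caller's thread and the lookup succeeds; with THREAD isolation it runs on a Hystrix pool thread, the lookup returns null and no header is sent, which is the unauthorized result the question describes. The host allow-list and the host names are assumptions added so that a user's token is never relayed to an arbitrary host; Java 17 is assumed for the instanceof pattern.

```java
import java.io.IOException;
import java.util.Set;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Relays the caller's bearer token to other services in the same trust domain.
public class BearerTokenRelayInterceptor implements ClientHttpRequestInterceptor {
    // Hosts allowed to receive the user's token; any other destination gets no Authorization header.
    private final Set<String> trustedHosts;

    public BearerTokenRelayInterceptor(Set<String> trustedHosts) {
        this.trustedHosts = trustedHosts;
    }

    // The incoming Authorization header, or null when no servlet request is bound to this thread.
    static String incomingAuthorization() {
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();   // ThreadLocal lookup
        if (!(attrs instanceof ServletRequestAttributes servletAttrs)) {
            return null;   // e.g. on a Hystrix THREAD-isolation pool thread or a scheduler thread
        }
        String header = servletAttrs.getRequest().getHeader(HttpHeaders.AUTHORIZATION);
        return header != null && header.regionMatches(true, 0, "Bearer ", 0, 7) ? header : null;
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution)
            throws IOException {
        String auth = incomingAuthorization();
        if (auth != null
                && trustedHosts.contains(request.getURI().getHost())
                && !request.getHeaders().containsKey(HttpHeaders.AUTHORIZATION)) {   // never override an explicit header
            request.getHeaders().set(HttpHeaders.AUTHORIZATION, auth);
        }
        return execution.execute(request, body);
    }

    // Wiring: a RestTemplate dedicated to service-to-service calls.
    public static RestTemplate serviceRestTemplate() {
        RestTemplate template = new RestTemplate();
        template.getInterceptors().add(
                new BearerTokenRelayInterceptor(Set.of("orders.internal", "users.internal")));   // assumed hosts
        return template;
    }
}
```

Relaying the user's token means the downstream service acts with the user's full authority; if the JWT carries an aud claim, the downstream service should be listed in it, otherwise a strict resource server will reject the relayed token.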
I have a REST web service that is implemented using spring-boot-starter-web. This service acts as a client to another application that requires authentication for calls made to it.
Calls made from the client to the server use org.springframework.web.client.RestTemplate.
Is there a way to add authentication headers to outbound requests at one single point before they are sent out?
I don't want to add headers to each of the requests separately.
Javadoc for RestTemplate says:
This template uses a SimpleClientHttpRequestFactory and a DefaultResponseErrorHandler as default strategies for creating HTTP connections or handling HTTP errors, respectively. These defaults can be overridden through HttpAccessor.setRequestFactory(org.springframework.http.client.ClientHttpRequestFactory)
So I would take SimpleClientHttpRequestFactory and override its prepareConnection(..) method.
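What that override looks like, as an added example that is not code from the answer: a SimpleClientHttpRequestFactory subclass whose prepareConnection(HttpURLConnection, String) sets the Authorization request property after the superclass has applied its own settings, installed on a RestTemplate reserved for that one upstream. The method name forUpstream and the Bearer scheme are assumptions; the answer does not say which credential type the upstream expects.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

// Request factory that stamps one credential on every connection it creates.
public class AuthenticatingRequestFactory extends SimpleClientHttpRequestFactory {
    private final String authorizationValue;

    public AuthenticatingRequestFactory(String authorizationValue) {
        this.authorizationValue = authorizationValue;
    }

    @Override
    protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
        super.prepareConnection(connection, httpMethod);   // keeps timeouts, method and doOutput handling
        connection.setRequestProperty("Authorization", authorizationValue);
    }

    // One RestTemplate bound to one upstream: every URL given to this template carries the header,
    // so it must not be shared with calls to other hosts.
    public static RestTemplate forUpstream(String bearerToken) {
        return new RestTemplate(new AuthenticatingRequestFactory("Bearer " + bearerToken));
    }
}
```

The override is tied to the JDK HttpURLConnection factory; switching the template to HttpComponentsClientHttpRequestFactory silently drops it. A ClientHttpRequestInterceptor registered through RestTemplate.getInterceptors() achieves the same single insertion point independently of the factory.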
I am integrating an existing Spring MVC web application with Spring WebSockets. I was successfully able to integrate it by following the instructions in
https://spring.io/guides/gs/messaging-stomp-websocket/
The existing web application has a filter which sets a few attributes. I have a requirement to access the attributes set by the filter in the controller, i.e. in the @MessageMapping method.
Could someone tell me how we can access the request object in the @MessageMapping method?
When a STOMP client connects to the application, it first has to request a protocol upgrade to switch to WebSocket. Once it is using that WebSocket connection, the messages sent/received don't go through your regular Servlet filter; only the first HTTP request (the "handshake") did.
Depending on your use case, there are several ways to achieve this.
If it's related to authentication, then there are existing features for this in the Spring Framework, but also in Spring Security.
If it's related to the HTTP session, you can easily ask for all HTTP session attributes to be copied into the WebSocket session, or even customize the handshake for your own needs (see the reference doc). Once done, you can inject the WebSocket scope in a @MessageMapping controller method and get those attributes (see the reference doc).
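Both routes from this answer, as an added example that is not code from the post or from the linked guide: HttpSessionHandshakeInterceptor copies HTTP session attributes, and a custom HandshakeInterceptor copies a request attribute that the servlet filter set on the handshake request (the only request the filter ever sees) into the WebSocket session's attribute map, which every later @MessageMapping call reads through SimpMessageHeaderAccessor. The attribute name tenantId, the endpoint path and the greeting controller are assumptions; Java 17 is assumed for the instanceof pattern.

```java
import java.util.Map;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.messaging.handler.annotation.MessageMapping;
import org.springframework.messaging.handler.annotation.SendTo;
import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.stereotype.Controller;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.server.HandshakeInterceptor;
import org.springframework.web.socket.server.support.HttpSessionHandshakeInterceptor;

// Copies a request attribute set by the servlet filter during the handshake into the
// WebSocket session attributes, where every later STOMP message on that session can read it.
class FilterAttributeHandshakeInterceptor implements HandshakeInterceptor {
    static final String TENANT_ATTR = "tenantId";   // assumed name of the attribute the filter sets

    @Override
    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
                                   WebSocketHandler wsHandler, Map<String, Object> attributes) {
        if (request instanceof ServletServerHttpRequest servletRequest) {
            Object tenant = servletRequest.getServletRequest().getAttribute(TENANT_ATTR);
            if (tenant == null) {
                return false;   // refuse the upgrade rather than open a session with unknown context
            }
            attributes.put(TENANT_ATTR, tenant);
        }
        return true;
    }

    @Override
    public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response,
                               WebSocketHandler wsHandler, Exception exception) {
    }
}

@Configuration
@EnableWebSocketMessageBroker
class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        config.enableSimpleBroker("/topic");
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/gs-guide-websocket")
                .addInterceptors(new HttpSessionHandshakeInterceptor(),       // HTTP session attributes
                                 new FilterAttributeHandshakeInterceptor());  // the filter's request attribute
    }
}

@Controller
class GreetingController {
    // Attributes captured at handshake time are present on every message of this session.
    @MessageMapping("/hello")
    @SendTo("/topic/greetings")
    public String greeting(String name, SimpMessageHeaderAccessor headers) {
        Map<String, Object> session = headers.getSessionAttributes();
        Object tenant = session == null ? null : session.get(FilterAttributeHandshakeInterceptor.TENANT_ATTR);
        return "Hello, " + name + " (tenant " + tenant + ")";
    }
}
```

Whatever is copied at the handshake is frozen for the life of the connection: if the filter's attributes encode authorization (tenant, role), a long-lived session keeps using them after they change server-side, so re-check them before sensitive operations or bound the session lifetime.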