I'm trying to use a Websocket on a Spring boot server.
I'd like to set the allowedOrigins to allow connections from everywhere like this :
#Configuration #EnableWebSocketclass WSConfig : WebSocketConfigurer {
override fun registerWebSocketHandlers(registry: WebSocketHandlerRegistry) {
registry.addHandler(ChatHandler(), "/chat").setAllowedOrigins("*").withSockJS()
}
}
But I get this error message :
When allowCredentials is true, allowedOrigins cannot contain the special value "*" since that cannot be set on the "Access-Control-Allow-Origin" response header.
To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.] with root cause
The thing is that there isn't a method to set allowedOriginPatterns on WebSocketConfigurer. So I don't understand how I should manage this. Same for "Access-Control-Allow-Origin".
I think there is something that I misunderstood but I don't get what.
If you could help me understand ! Any help is appreciated :)
Somebody already answered this question. I guess you are using a newer version of Spring Boot (>5.3). They changed something in their code and you have to use
registry.addHandler(ChatHandler(), "/chat").setAllowedOriginPatterns("*").withSockJS();
Simply change from .setAllowedOrigins("*") to .setAllowedOriginPatterns("*") and you should be fine.
According to this thread:
How to handle CORS origins with Stomp and SockJS in Spring 5.3 and newer?
Related
Im using spring boot 2.3.2.RELEASE with spring-cloud-config-server 2.2.4.RELEASE. Im trying to implement the spring-doc-openapi (1.4.3) in a existing project. If i add #EnableConfigServer in one the configuration class file, the swagger-ui.html endpoint returns a weird json:
"name":"swagger-ui",
"profiles":[
"index.html"
],
"label":null,
"version":null,
"state":null,
"propertySources":[
]
}
and not the the swagger ui as expected. Im not sure if its a bug, but would appreciate any kind of help.
Not sure if its relevant to add the springdoc dependency on spring cloud config server, unless you need to explore some APIs on the config server it self.
Here is the link of a fully working example using springdoc with config server:
https://github.com/springdoc/springdoc-openapi-demos/tree/master/sample-springdoc-openapi-microservices
And this is the link of a blog which explains the natural usage with microservies and spring cloud modules:
https://piotrminkowski.com/2020/02/20/microservices-api-documentation-with-springdoc-openapi/
Answer from #brianbro seems not to be working anymore...
Verified on: springdoc-openapi v1.6.6 and org.springframework.cloud:spring-cloud-config-server:v2.2.4.RELEASE
Here is how I solved it:
List item spring.cloud.config.server.prefix=config-server - please note that any request to config server will require to add prefix!
Add following bean (sample implementation in Kotlin)
#Bean fun configServerApi(): GroupedOpenApi =
GroupedOpenApi.builder()
.group("Config server")
.pathsToMatch(
"/config-server/**"
)
.build()
Now you should be able to reach swagger ui :)
I am new to Spring Boot and my current project is a REST API developed in Spring Webflux. The goal is to have an endpoint which has an optional JWT Token, allowing you ti create things anonymously or not. But all the starter guides to Spring Security are really complicated and use Spring MVC, as far as I can tell.
Now my idea was to create a HandlerFilterFunction looking like
class AuthenticationFilter : HandlerFilterFunction<ServerResponse, ServerResponse> {
override fun filter(request: ServerRequest, next: HandlerFunction<ServerResponse>): Mono<ServerResponse> {
val authHeader = request.headers().header("Authorization").firstOrNull()
// get user from database
request.attributes()["user"] = user
return next.handle(request)
}
}
and adding it to the router {...} bean.
Is this a good idea, or should I go another router? If so, can somebody point me towards a JWT tutorial for Spring Webflux.
The Spring Security docs point to a JWT-Based WebFlux Resource Server sample in the codebase.
It's not Kotlin-based, so I also posted a sample of my own just now; hopefully, it helps get you started.
As for your question, yes, you can create a filter of your own, though Spring Security ships with a BearerTokenAuthenticationFilter that already does what your filter would likely do. The first linked sample adds this filter manually while the second sample lets Spring Boot add it.
While updating my Spring Boot application to the latest build snapshot and I am seeing that none of the actuator endpoints are enabled by default. If I specify them to be enabled in application.properties, they show up.
1) Is this behavior intended? I tried searching for an issue to explain it but couldn't find one. Could somebody link me to the issue / documentation?
2) Is there a way to enable all the actuator endpoints? I often find myself using them during development and would rather not maintain a list of them inside my properties file.
Two parts to this answer:
"Is there a way to enable all the actuator endpoints?"
Add this property endpoints.enabled=true rather than enabling them individually with endpoints.info.enabled=true, endpoints.beans.enabled=true etc
Update: for Spring Boot 2.x the relevant property is:
endpoints.default.web.enabled=true
"Is this behavior intended?"
Probably not. Sounds like you might have spotted an issue with the latest milestone. If you have a reproducible issue with a Spring Boot milestone then Spring's advice is ...
Reporting Issues
Spring Boot uses GitHub’s integrated issue tracking system to record bugs and feature requests. If you want to raise an issue, please follow the recommendations below:
Before you log a bug, please search the issue tracker to see if someone has already reported the problem.
If the issue doesn’t already exist, create a new issue.
Even if we enable all the actuator endpoints as below
management.endpoints.web.exposure.include=* (In case of YAML the star character should be surrounded by double quotes as "*" because star is one of the special characters in YAML syntax)
The httptrace actuator endpoint will still not be enabled in web by default. HttpTraceRepository interface need to be implemented to enable httptrace (See Actuator default endpoints, Actuator endpoints, Actuator httptrace).
#Component
public class CustomHttpTraceRepository implements HttpTraceRepository {
AtomicReference<HttpTrace> lastTrace = new AtomicReference<>();
#Override
public List<HttpTrace> findAll() {
return Collections.singletonList(lastTrace.get());
}
#Override
public void add(HttpTrace trace) {
if ("GET".equals(trace.getRequest().getMethod())) {
lastTrace.set(trace);
}
}
}
Now the endpoints can be accessed using the url,
http://localhost:port/actuator/respective-actuator-endpoint
(Example http://localhost:8081/actuator/httptrace)
If there is a management.servlet.context-path value present in properties file then the URL will be,
http://localhost:port/<servlet-context-path>/respective-actuator-endpoint
(Example http://localhost:8081/management-servlet-context-path-value/httptrace)
UPDATE: use this only in dev environment, not in production!
Is there a way to enable all the actuator endpoints?
Using Spring Boot 2.2.2 Release, this worked for me:
On the file src/main/resources/application.properties add this:
management.endpoints.web.exposure.include=*
To check enabled endpoints go to http://localhost:8080/actuator
Source: docs.spring.io
I am developing a Spring Boot REST API. It uses #ControllerAdvice and #ExceptionHandler in a class that extends ResponseEntityExceptionHandler to catch exceptions. To get this to work, we added these two fields to the config:
spring.mvc.throw-exception-if-no-handler-found: true
spring.resources.add-mapping: false
The problem is I am also trying to host static documents that I would like spring to map. I added this to my config:
spring.resources.static-locations: classpath:/static/html5/,classpath:/public/html5/
It seems I cant set mapping to false and map static resources. If I dont set add-mapping to false, I can't catch 404s.
Is there a spring way to solve this? If not, I am going to try to define an endpoint for each static resource and find the files in the jar, which seems like a hack.
Thanks in advance for any suggestions!
Before I explain the issue I should say that we only need Apache Shiro for authorization and athentication is already enabled with OAuth2.
So my code to enable Shiro is exactly as the code in this link here.
I have also checked this issue. But for me if I enable LifecycleBeanPostProcessor almost most beans will be null. I made that create method in config class static as it suggests in the second link but no luck.
So my question is, is there any way to only enable authorization without registering shiro filter? If not, how to get around this issue? Because it seems ShiroFilterFactoryBean requires LifecycleBeanPostProcessor and that breaks the whole application.
We are using latest version of Spring Boot and Shiro 1.2.4
As outlined in an issue in the comments, you would need to set an already authenticated identity in the subject, which can be done with the Subject.Builder() (I'm using version 1.5.2 here).
Subject user = new Subject.Builder()
.principals(new SimplePrincipalCollection("bud", "myRealm"))
.authenticated(true)
.buildSubject();
if (user.hasRole("admin")) {
// do some authorized stuff
}
When implementing a custom realm the authentication ability can be disabled by returning false from the Realm’s supports method as described here .