I have following security configs in
Server application.yml
management:
security:
enabled: false
server:
port: 8888
spring:
cloud:
config:
server:
jdbc:
order: 1
sql: SELECT prop_key,value FROM xlabs.properties where application=?
and profile=? and label=?
datasource:
password: XXXXX
url: jdbc:postgresql://localhost:8000/finos?currentSchema=xlabs
username: XXXXX
profiles:
active: jdbc
security:
user:
name: mufg
password: mufg
In Client side.
client application.properties
server:
port: 8082
spring:
application:
name: config-server
cloud:
config:
label: latest
profile: development
uri: http://localhost:8888
username: mufg
password: mufg
With this settings
Config server security works fine I can access properties via http://localhost:8888/config-server/development/latest after entering username and passwords. But when I try to up client it says property not resolved. Any issue here?
Thanks.
After some times I am able to find out the answer. In Config server with only that configs the client side will be blocked. So have to disable csrf and allow any request like as follows.
just add sever side.
#Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/encrypt/**").authenticated()
.antMatchers("/decrypt/**").authenticated();
}
}
But Here default security will be disabled. Here problem is if username or password changed from client side authentication happens.
Related
I have Spring cloud project which has below information:
Controller of address-service-1:
#RestController
#RequestMapping("/api/address")
#Slf4j
#RefreshScope
public class AddressController {
#Value("${scope-refresh-testing}")
private String message;
#RequestMapping("/scope-refresh-testing-message")
String getMessage() {
return this.message;
}
}
bootstrap.yml of address-service-1:
spring:
application:
name: address-service-1
# register to config server
cloud:
config:
discovery:
enabled: true
service-id: config-server-1
profile: default
management:
endpoints:
web:
exposure:
include:
- refresh
Properties of config-server-1:
server:
port: 8888
spring:
application:
name: config-server-1
cloud:
config:
server:
git:
default-label: master
uri: file:///E:/workspace/Spring-boot-microservices-config-server-study/
Properties which I stored in file:///E:/workspace/Spring-boot-microservices-config-server-study/ (address-service-1.yml):
scope-refresh-testing: testDefault
If I change scope-refresh-testing: testDefault222 then run url actuator/refresh, the properties file will rollback to scope-refresh-testing: testDefault
Did I miss something in configuration?
Thanks
My Spring Boot app giving me an error as 404 after redirecting from the Okta server.
May I have some help to solve this. My configurations are as below.
This is my Okta server redirect
https://dev-40483106.okta.com/oauth2/default/v1/authorize?response_type=code&client_id=0oa3p7a86ycJ7olpP5d7&scope=openid%20email&state=xVpkZIPGaGqAQCZIMXZgTrbmKmHJbcKbtM95KO9RwVU%3D&redirect_uri=http://localhost:8082/mms-sso/auth&nonce=cPdNAYT4tQ9mAjhj4HUiynBEQVAnJHnBTIezqquOpJM
This is my Redirect URI where I am getting a 404 error
http://localhost:8082/mms-sso/auth?code=rOh9u2fwBTB7gasIMUgtjIDMs5_Sydqz-0O_jG5Qhj0&state=xVpkZIPGaGqAQCZIMXZgTrbmKmHJbcKbtM95KO9RwVU%3D
Below is the screenshot
[![error-404][1]][1]
spring:
security:
oauth2:
client:
registration:
okta:
client-id: clientId
client-secret: secret
scope: openid, email
authorization-grant-type: authorization_code
redirect-uri: http://localhost:8082/mms-sso/auth
provider:
okta:
issuer-uri: https://dev-40483106.okta.com/oauth2/default
authorization-uri: https://dev-40483106.okta.com/oauth2/default/v1/authorize
resource:
server: http://localhost:8081
server:
port: 8082
servlet:
context-path: /ui-one
security config
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/login**", "/auth/**",
"/auth?**").permitAll().anyRequest().authenticated().and()
.oauth2Login();
Okta config
Sign-in redirect URIs - http://localhost:8082/mms-sso/auth
Sign out redirect URI - http://localhost:8082/mms-sso/, http://localhost:8082/mms-sso/logout
Controller for redirect
#GetMapping("/auth")
String home(#AuthenticationPrincipal OidcUser user) {
return "Welcome to MMS SSO";
}
Your controller mapping is for /auth but in redirect you specify it as /mmo-sso/auth.
I am trying to get my microservices configuration from a config server connected to 2 sources : git and vault (for secrets). I have the config bellow:
in the config-server:
server:
port: 8888
spring:
profiles:
active: git, vault
cloud:
config:
server:
vault:
port: 8200
host: 127.0.0.1
kvVersion: 2
git:
order: 2
uri: git#gitlab.git
and in the client side in the bootstrap.yml:
spring:
application:
name: my-service-name
cloud:
config:
uri: http://localhost:8888
token: //token
label: dev
But in my vault i have the path like this :
secret/cad
|--my-service-name
When i make my secret directly in /secret/my-service-name i can access my secrets, but how can i configure acces to secrets in : /secret/cad/my-service-name
Thank you.
You can create your Custom configuration Class that implements VaultConfigurer where you can override to your custom path
#Configuration
Public class CustomVaultConfiguraton implements VaultConfigurer {
#override
public void addSecretsBackends(SecretBackendConfigurer configures){
configures.add("customPath");
}
}
add above configuration class in spring.factories
org.springframework.cloud.bootstrap.BootstrapConfiguration=\packagename.CustomVaultConfiguration
Is possible to config Spring Booot application to have some url with non-secure (non-https) ex: /actuator/info, /actuator/prometheous While All other enpoint forced to be secure?
Enable SSL like this:
server.ssl.enabled=true
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=xxxx
I was try to set:
management.server.port=8762
management.server.ssl.enabled=false
and
#Override
protected void configure(HttpSecurity http) throws Exception {
http.requiresChannel().antMatchers("/actuator").requiresInsecure();
http.requiresChannel().anyRequest().requiresSecure();
// accept only IP in range to access metric
http.csrf().disable().authorizeRequests().antMatchers("/actuator/**")
.access("hasIpAddress('" + ipRangeMain + "') or hasIpAddress('" + ipRangeSecond + "')");
}
But it's still not working
When I try to access /actuator/info, it show error:
Bad Request
This combination of host and port requires TLS.
"/actuator/info" endpoint need to accessed by Load Balancer and "/actuator/prometheous" to Monitoring, But now it not work.
In case anybody stumbles over this as well. I solved it using 2 Ports like #user3611168 suggested:
applycation.yml:
server:
port: 10000
ssl:
key-store-type: ...
key-store: ...
key-store-password: ...
key-alias: ...
management:
server:
port: 8080
ssl:
enabled: false
Port 10000 with SSL. Port for Prometheus 8080 without SSL
I understand that a Spring Cloud Config Server can be protected using an user name and password , which has to be provided by the accessing clients.
How can i prevent the clients from storing these user name and
password as clear text in the bootstrap.yml files in the client
application/services ?
The very basic "basic authentication" (from here https://github.com/spring-cloud-samples/configserver)
You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g. via spring-boot-starter-security). The user name is "user" and the password is printed on the console on startup (standard Spring Boot approach). If using maven (pom.xml):
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
If you want custom user/password pairs, you need indicate in server configuration file
security:
basic:
enabled: false
and add this minimal Class in your code (BasicSecurityConfiguration.java):
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
#Configuration
//#EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {
#Value("#{'${qa.admin.password:admin}'}") //property with default value
String admin_password;
#Value("#{'${qa.user.password:user}'}") //property with default value
String user_password;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password(user_password).roles("USER")
.and()
.withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/encrypt/**").authenticated()
.antMatchers("/decrypt/**").authenticated()
//.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
//.antMatchers("/qa/**").permitAll()
;
}
}
#Value("#{'${qa.admin.password:admin}'}") allow passwords to be defined in property configuration file, environment variables or command line.
For example (application.yml):
server:
port: 8888
security:
basic:
enabled: false
qa:
admin:
password: adminadmin
user:
password: useruser
management:
port: 8888
context-path: /admin
logging:
level:
org.springframework.cloud: 'DEBUG'
spring:
cloud:
config:
server:
git:
ignoreLocalSshSettings: true
uri: ssh://git#gitlab.server.corp/repo/configuration.git
This works for me.
Edit: Instead of the Class, you can put basic user configuration directly in application.yaml:
security:
basic:
enabled: true
path: /**
ignored: /health**,/info**,/metrics**,/trace**
user:
name: admin
password: tupassword
For Spring Boot 2 the configuration in application.yml are now under spring.security.* (https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties)
spring.security:
basic:
enabled: true
path: /**
ignored: /health**,/info**,/metrics**,/trace**
user:
name: admin
password: tupassword
Basic authentication configuration that works for me.
Server-side:
Needed depedency: org.springframework.boot:spring-boot-starter-security
bootstrap.yml
server:
port: 8888
spring:
cloud:
config:
server:
git:
uri: git#bitbucket.org:someRepo/repoName.git
hostKeyAlgorithm: ssh-rsa
hostKey: "general hostKey for bitbucket.org"
security:
user:
name: yourUser
password: yourPassword
Client-side:
bootstrap.yml
spring:
application:
name: config
profiles:
active: dev
cloud:
config:
uri: http://localhost:8888
username: yourUser
password: yourPassword
management:
security:
enabled: false
Sources: Spring doc security feautres, Spring cloud config client security
encrypted text can be placed in bootstrap.yml.
Check -> http://projects.spring.io/spring-cloud/spring-cloud.html#_encryption_and_decryption