Develop Reference

Spring boot config server does not refresh if I update local

I have Spring cloud project which has below information:
Controller of address-service-1:
#RestController
#RequestMapping("/api/address")
#Slf4j
#RefreshScope
public class AddressController {
#Value("${scope-refresh-testing}")
private String message;
#RequestMapping("/scope-refresh-testing-message")
String getMessage() {
return this.message;
}
}
bootstrap.yml of address-service-1:
spring:
application:
name: address-service-1
# register to config server
cloud:
config:
discovery:
enabled: true
service-id: config-server-1
profile: default
management:
endpoints:
web:
exposure:
include:
- refresh
Properties of config-server-1:
server:
port: 8888
spring:
application:
name: config-server-1
cloud:
config:
server:
git:
default-label: master
uri: file:///E:/workspace/Spring-boot-microservices-config-server-study/
Properties which I stored in file:///E:/workspace/Spring-boot-microservices-config-server-study/ (address-service-1.yml):
scope-refresh-testing: testDefault
If I change scope-refresh-testing: testDefault222 then run url actuator/refresh, the properties file will rollback to scope-refresh-testing: testDefault
Did I miss something in configuration?
Thanks

spring boot Oauth Okta 404 on redirect

My Spring Boot app giving me an error as 404 after redirecting from the Okta server.
May I have some help to solve this. My configurations are as below.
This is my Okta server redirect
https://dev-40483106.okta.com/oauth2/default/v1/authorize?response_type=code&client_id=0oa3p7a86ycJ7olpP5d7&scope=openid%20email&state=xVpkZIPGaGqAQCZIMXZgTrbmKmHJbcKbtM95KO9RwVU%3D&redirect_uri=http://localhost:8082/mms-sso/auth&nonce=cPdNAYT4tQ9mAjhj4HUiynBEQVAnJHnBTIezqquOpJM
This is my Redirect URI where I am getting a 404 error
http://localhost:8082/mms-sso/auth?code=rOh9u2fwBTB7gasIMUgtjIDMs5_Sydqz-0O_jG5Qhj0&state=xVpkZIPGaGqAQCZIMXZgTrbmKmHJbcKbtM95KO9RwVU%3D
Below is the screenshot
[![error-404][1]][1]
spring:
security:
oauth2:
client:
registration:
okta:
client-id: clientId
client-secret: secret
scope: openid, email
authorization-grant-type: authorization_code
redirect-uri: http://localhost:8082/mms-sso/auth
provider:
okta:
issuer-uri: https://dev-40483106.okta.com/oauth2/default
authorization-uri: https://dev-40483106.okta.com/oauth2/default/v1/authorize
resource:
server: http://localhost:8081
server:
port: 8082
servlet:
context-path: /ui-one
security config
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/login**", "/auth/**",
"/auth?**").permitAll().anyRequest().authenticated().and()
.oauth2Login();
Okta config
Sign-in redirect URIs - http://localhost:8082/mms-sso/auth
Sign out redirect URI - http://localhost:8082/mms-sso/, http://localhost:8082/mms-sso/logout
Controller for redirect
#GetMapping("/auth")
String home(#AuthenticationPrincipal OidcUser user) {
return "Welcome to MMS SSO";
}

Your controller mapping is for /auth but in redirect you specify it as /mmo-sso/auth.

Spring Config Server : get secrets from vault with specific path

I am trying to get my microservices configuration from a config server connected to 2 sources : git and vault (for secrets). I have the config bellow:
in the config-server:
server:
port: 8888
spring:
profiles:
active: git, vault
cloud:
config:
server:
vault:
port: 8200
host: 127.0.0.1
kvVersion: 2
git:
order: 2
uri: git#gitlab.git
and in the client side in the bootstrap.yml:
spring:
application:
name: my-service-name
cloud:
config:
uri: http://localhost:8888
token: //token
label: dev
But in my vault i have the path like this :
secret/cad
|--my-service-name
When i make my secret directly in /secret/my-service-name i can access my secrets, but how can i configure acces to secrets in : /secret/cad/my-service-name
Thank you.

You can create your Custom configuration Class that implements VaultConfigurer where you can override to your custom path
#Configuration
Public class CustomVaultConfiguraton implements VaultConfigurer {
#override
public void addSecretsBackends(SecretBackendConfigurer configures){
configures.add("customPath");
}
}
add above configuration class in spring.factories
org.springframework.cloud.bootstrap.BootstrapConfiguration=\packagename.CustomVaultConfiguration

Spring Boot: disable https for actuator endpoint

Is possible to config Spring Booot application to have some url with non-secure (non-https) ex: /actuator/info, /actuator/prometheous While All other enpoint forced to be secure?
Enable SSL like this:
server.ssl.enabled=true
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=xxxx
I was try to set:
management.server.port=8762
management.server.ssl.enabled=false
and
#Override
protected void configure(HttpSecurity http) throws Exception {
http.requiresChannel().antMatchers("/actuator").requiresInsecure();
http.requiresChannel().anyRequest().requiresSecure();
// accept only IP in range to access metric
http.csrf().disable().authorizeRequests().antMatchers("/actuator/**")
.access("hasIpAddress('" + ipRangeMain + "') or hasIpAddress('" + ipRangeSecond + "')");
}
But it's still not working
When I try to access /actuator/info, it show error:
Bad Request
This combination of host and port requires TLS.
"/actuator/info" endpoint need to accessed by Load Balancer and "/actuator/prometheous" to Monitoring, But now it not work.

In case anybody stumbles over this as well. I solved it using 2 Ports like #user3611168 suggested:
applycation.yml:
server:
port: 10000
ssl:
key-store-type: ...
key-store: ...
key-store-password: ...
key-alias: ...
management:
server:
port: 8080
ssl:
enabled: false
Port 10000 with SSL. Port for Prometheus 8080 without SSL

How to Secure Spring Cloud Config Server

I understand that a Spring Cloud Config Server can be protected using an user name and password , which has to be provided by the accessing clients.
How can i prevent the clients from storing these user name and
password as clear text in the bootstrap.yml files in the client
application/services ?

The very basic "basic authentication" (from here https://github.com/spring-cloud-samples/configserver)
You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g. via spring-boot-starter-security). The user name is "user" and the password is printed on the console on startup (standard Spring Boot approach). If using maven (pom.xml):
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
If you want custom user/password pairs, you need indicate in server configuration file
security:
basic:
enabled: false
and add this minimal Class in your code (BasicSecurityConfiguration.java):
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
#Configuration
//#EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {
#Value("#{'${qa.admin.password:admin}'}") //property with default value
String admin_password;
#Value("#{'${qa.user.password:user}'}") //property with default value
String user_password;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password(user_password).roles("USER")
.and()
.withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/encrypt/**").authenticated()
.antMatchers("/decrypt/**").authenticated()
//.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
//.antMatchers("/qa/**").permitAll()
;
}
}
#Value("#{'${qa.admin.password:admin}'}") allow passwords to be defined in property configuration file, environment variables or command line.
For example (application.yml):
server:
port: 8888
security:
basic:
enabled: false
qa:
admin:
password: adminadmin
user:
password: useruser
management:
port: 8888
context-path: /admin
logging:
level:
org.springframework.cloud: 'DEBUG'
spring:
cloud:
config:
server:
git:
ignoreLocalSshSettings: true
uri: ssh://git#gitlab.server.corp/repo/configuration.git
This works for me.
Edit: Instead of the Class, you can put basic user configuration directly in application.yaml:
security:
basic:
enabled: true
path: /**
ignored: /health**,/info**,/metrics**,/trace**
user:
name: admin
password: tupassword
For Spring Boot 2 the configuration in application.yml are now under spring.security.* (https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties)
spring.security:
basic:
enabled: true
path: /**
ignored: /health**,/info**,/metrics**,/trace**
user:
name: admin
password: tupassword

Basic authentication configuration that works for me.
Server-side:
Needed depedency: org.springframework.boot:spring-boot-starter-security
bootstrap.yml
server:
port: 8888
spring:
cloud:
config:
server:
git:
uri: git#bitbucket.org:someRepo/repoName.git
hostKeyAlgorithm: ssh-rsa
hostKey: "general hostKey for bitbucket.org"
security:
user:
name: yourUser
password: yourPassword
Client-side:
bootstrap.yml
spring:
application:
name: config
profiles:
active: dev
cloud:
config:
uri: http://localhost:8888
username: yourUser
password: yourPassword
management:
security:
enabled: false
Sources: Spring doc security feautres, Spring cloud config client security

encrypted text can be placed in bootstrap.yml.
Check -> http://projects.spring.io/spring-cloud/spring-cloud.html#_encryption_and_decryption