Reset all sessions in Spring Boot app (JSESSIONID)? - spring-boot

I'm troubleshooting authentication/registration flow and need a quick way to reset all sessions server side (no curl or other client side logout magic!).
Is there a Spring Actuator or JMX-ready endpoint to invalidate all sessions?
We use Tomcat as an embedded server, if it helps...

Seems there is a dedicated Spring Actuator Endpoint:
https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints
sessions - Allows retrieval and deletion of user sessions from a Spring Session-backed session store. Requires a Servlet-based web application using Spring Session.
https://docs.spring.io/spring-boot/docs/current/actuator-api/html/#sessions-retrieving
21.2. Retrieving a Single Session
curl 'http://localhost:8080/actuator/sessions/4db5efcc-99cb-4d05' -i -X GET
curl 'http://localhost:8080/actuator/sessions/4db5efcc-99cb-4d05' -i -X DELETE
Extra step to enable Actuator endpoints:
management.endpoints.web.exposure.include:
- env
- health
- info
- sessions
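The actuator endpoint above only deletes one session id at a time and needs Spring Session. For the plain embedded-Tomcat case in the question, here is an added example (not from the question or the answer) that does a server-side "expire everything" through Spring Security's SessionRegistry, which tracks every authenticated HttpSession in this JVM. It assumes Spring Boot 3 / Spring Security 6; the /admin/sessions path and the ADMIN role are hypothetical.

```java
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
class SessionRegistryConfig {
    // Shared registry bean so the controller below sees the same instance.
    @Bean
    SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); }

    // Forwards HttpSession destroy events so the registry drops stale ids.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() { return new HttpSessionEventPublisher(); }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")   // hypothetical role
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // -1 = no concurrent-session limit; the goal is only a populated registry.
            // Configuring maximumSessions also installs ConcurrentSessionFilter.
            .sessionManagement(sm -> sm.maximumSessions(-1).sessionRegistry(registry));
        return http.build();
    }
}

@RestController
class SessionResetController {
    private final SessionRegistry registry;
    SessionResetController(SessionRegistry registry) { this.registry = registry; }

    // DELETE /admin/sessions (hypothetical path) marks every tracked session expired,
    // including the caller's own; the next request carrying such a JSESSIONID is
    // rejected by ConcurrentSessionFilter, which also invalidates the HttpSession.
    @DeleteMapping("/admin/sessions")
    Map<String, Integer> expireAll() {
        int expired = 0;
        for (Object principal : registry.getAllPrincipals()) {
            List<SessionInformation> sessions = registry.getAllSessions(principal, false);
            sessions.forEach(SessionInformation::expireNow);
            expired += sessions.size();
        }
        return Map.of("expired", expired);
    }
}
```

SessionRegistryImpl is in-memory, so behind a load balancer each node only expires the sessions it created itself; for a cluster-wide reset the Spring Session store plus the actuator endpoint from the answer is the right tool.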

Related

Keycloak SSO Session Idle timeout does not trigger while user session is idle for that configured time

Our application is created by JHipster, which comprises Spring Boot, Keycloak and a Postgres DB. I have set the "SSO Session Idle" time to 1 minute in the Keycloak realm settings.
The expectation is that Keycloak should send a logout event if the user is idle for 1 minute or more. But nothing is happening (not even a log entry in Keycloak) and the session is still alive. I am able to call other REST APIs without any issue.
While logging in through Keycloak I am able to see the following log entry in Keycloak. Not sure whether this is creating the problem.
03:57:20,717 WARN [org.keycloak.events] (default task-64) type=REFRESH_TOKEN_ERROR, realmId=google, clientId=youtube, userId=8299cea8-8ebf-45df-8685-b37445620255, ipAddress=10.198.140.148, error=invalid_token, grant_type=refresh_token, refresh_token_type=Offline, refresh_token_id=2b031b6d-5ff4-4967-a300-42b930dfc04b, client_auth_method=client-secret
Is there anything specific I have to configure in application.yaml or application_prod.yaml for getting the session-expired event in a Spring Boot JHipster application?
I have been stuck for many days. Any help would be much appreciated.
I am expecting that, with the session idle time set in Keycloak, Keycloak should send a session timeout or logout event, and the JHipster Spring Boot application should be able to log out.

Spring Keycloak authentication - serves both web application and web service

Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and service flows:
Web application - React based front-end that should get a redirect 302 from the "resource-service" and send the user / browser to log in on the Keycloak site and then return to get the requested resource.
Server 2 Server communication - A server that needs to use the "resource-service" APIs should get a 401 in case of authentication issues and not a redirection / login page.
There are a few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is an "autodetect-bearer-only" option in the Keycloak documentation that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what the best way to go is for a new Spring Boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and, in my opinion, if you are using Spring Boot, use the corresponding adapter; use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach, as you basically have to do everything on your own; why would anyone not use the first two methods?
As for using the Spring Boot adapter, the only configuration necessary is the following:
keycloak:
  bearer-only: true
  auth-server-url: your-url
  realm: your-realm
  resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints, but it's a bit more flexible to use either httpSecurity or @EnableGlobalMethodSecurity, which we're doing with e.g. @Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc. Some of the certified OpenID client libs even propose features to ensure the user has a valid access token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has the same features.
Keycloak adapters for Spring are now deprecated. You can refer to these tutorials for various resource-server security configuration options. They cover use cases from the most simple RBAC to building a DSL like: @PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
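Since the answers disagree on 302-versus-401 and the Keycloak adapters are deprecated, here is an added example (not from either answer) of how plain Spring Security serves both flows from the question: API callers under /api/** get a 401 for a missing or invalid bearer token, browsers get a 302 to Keycloak. It assumes Spring Boot 3 / Spring Security 6 and that Keycloak is registered through the usual spring.security.oauth2.client.* and spring.security.oauth2.resourceserver.jwt.issuer-uri properties; the /api/** prefix is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
class DualFlowSecurityConfig {

    // Chain 1 (evaluated first): server-to-server traffic under /api/** (hypothetical
    // prefix). Resource-server mode validates the JWT against the Keycloak issuer and
    // answers 401 with a WWW-Authenticate header when the token is missing or invalid;
    // it never redirects.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // No session is created for API calls, so an old JSESSIONID cannot
            // authenticate a machine client by accident.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Browsers never attach Authorization: Bearer headers on their own, so the
            // stateless API is not CSRF-exposed and the token check can be disabled here.
            .csrf(csrf -> csrf.disable())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: everything else is browser traffic for the React front-end. An
    // unauthenticated request receives a 302 to Keycloak's login page via the
    // authorization-code flow, and the result is kept in the servlet session.
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```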

Spring Cloud Zuul + Undertow + OAuth2: Cannot log in to Zuul

We are using Spring Boot v2.0.4 + Spring Cloud (Finchley release).
We have deployed Zuul, Auth Server, Eureka, and Config Server, each in their own separate applications / processes. We have half a dozen of our own services deployed. We are using OAuth2 authentication for all services. We are using the embedded undertow container for all apps.
When Zuul uses the embedded Undertow container, we cannot log in - the login page is redisplayed even though the credentials are correct. When Zuul is switched to use the embedded Tomcat container, everything works correctly - logging in brings the user to the correct page. (All other apps use Undertow in both cases.)
When we debug the requests coming through Zuul for Tomcat vs Undertow, we see that the SPRING_SECURITY_CONTEXT session attribute is being set for Tomcat but is not being set for Undertow. I assume this means that the user will be redirected back to the login page, which is why we are seeing that behavior.
We know that it is an issue with Zuul + Tomcat vs. Undertow, since the configuration of all other apps remains exactly the same.
Any ideas? We are really scratching our heads over this one.
It turned out this was caused by a JSESSIONID cookie name conflict between Zuul and the Auth Server. Because the Tomcat container handles multiple Set-Cookie headers of the same name (which is in violation of RFC6265) differently from Wildfly, we are only seeing it now.
I should have mentioned that we configured auth server to be behind the Zuul proxy, hence the multiple JSESSIONID cookies.
We fixed this for now by renaming the JSESSIONID cookie name on all back-end servers. We will investigate the best way to do this for production deployment going forward, perhaps by using Spring Session. Any suggestions welcome.

Spring webflux session management

I am using Spring Boot 2 with Spring WebFlux running on Netty.
I would like to add session management without needing to have a backing database or redis server (so Spring Session doesn't seem to be a solution here).
I could use WebSession in my controllers, but then I would need to enable sticky sessions on my load balancer, which I would prefer to avoid.
What I would like is one of the following:
Client side session like in Play framework (session is stored as a cookie and added onto each subsequent request)
Hazelcast session replication, but this only works with servlet containers
Has anyone experienced the same thing and found a viable solution?
Spring Session has plans for providing Hazelcast implementation of ReactiveSessionRepository. The current plan is to wait for Hazelcast 4.0, which will move to Java 8 as baseline and use CompletableFuture instead of their own ICompletableFuture. You can track gh-831 for progress on this topic.
In the meantime you could try and use ReactiveMapSessionRepository, passing in Hazelcast's IMap.
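The wiring the answer suggests, as an added example that is not part of the answer: an embedded Hazelcast member (so no external database or Redis, as the question requires) whose IMap backs Spring Session's ReactiveMapSessionRepository for WebFlux. It assumes Spring Session 2.x or 3.x and Hazelcast 4+; the cluster and map names are hypothetical.

```java
import com.hazelcast.config.Config;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;
import com.hazelcast.map.IMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.MapSession;
import org.springframework.session.ReactiveMapSessionRepository;
import org.springframework.session.ReactiveSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;

@Configuration
@EnableSpringWebSession   // replaces the default in-memory WebSessionStore
class HazelcastWebSessionConfig {

    private static final String SESSION_MAP = "spring:session:sessions"; // hypothetical name

    // Embedded member: every app instance joins the same cluster, so a session
    // created on one node is readable on the others without sticky sessions.
    @Bean(destroyMethod = "shutdown")
    HazelcastInstance hazelcastInstance() {
        Config config = new Config();
        config.setClusterName("webflux-sessions");   // hypothetical cluster name
        // ReactiveMapSessionRepository only deletes an expired session when it is
        // looked up again, so let Hazelcast evict abandoned entries itself. Each
        // save() re-puts the entry, which resets the TTL, so idle time is what counts.
        config.getMapConfig(SESSION_MAP).setTimeToLiveSeconds(30 * 60);
        return Hazelcast.newHazelcastInstance(config);
    }

    // IMap is a ConcurrentMap, which is all ReactiveMapSessionRepository needs.
    // MapSession is Serializable; every session attribute stored in it must be too.
    @Bean
    ReactiveSessionRepository<MapSession> sessionRepository(HazelcastInstance hazelcast) {
        IMap<String, Session> sessions = hazelcast.getMap(SESSION_MAP);
        return new ReactiveMapSessionRepository(sessions);
    }
}
```

Each save() writes the whole serialized MapSession to the map, so keep sessions small; it is a stop-gap until the native Hazelcast ReactiveSessionRepository the answer mentions is available.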

How to configure spring boot admin client when authentication is enabled?

I'm trying to set up a sample application using spring boot admin (both server + client side) and have run into an issue with authentication.
When spring security is enabled on the management/actuator endpoints on the client side the spring-boot-admin server does not seem able to communicate with the client -- logging in to the Admin interface via a Web browser results in a continuous loop of authentication windows popping up and prompting for usernames/passwords. Hitting cancel will display an HTTP 401 error on the page.
Here's a configuration that works on the client side:
management.security.enabled=false
security.basic.enabled=true
security.user.name=test
security.user.password=test
spring.boot.admin.url=http://localhost:9081/admin
spring.boot.admin.username=admin
spring.boot.admin.password=admin
This will:
Disable security for spring-boot's management/actuator resource
Enable security for all other resources (HTTP basic auth - user: test, password: test)
Register the spring-admin client on startup using the url http://localhost:9081/admin (HTTP basic auth - user: admin, password: admin)
I'm guessing the spring boot admin app doesn't support communication with secured clients because I don't see any configuration properties that would allow the information to be passed in upon client registration.
Has anyone got around this limitation and if so, how? I'd rather not leave the actuator endpoints "open to the public" so-to-speak, even though they are actually just exposed on the company's internal network.
There is no security feature included since the various solutions look very different. But I've put up some examples: https://github.com/joshiste/spring-boot-admin-samples