Using Spring Cloud HOXTON.SR6, with Spring boot 2.3.2
When initiating the service, I get 403 errors trying to access "/secret/application" and "/secret/application/{profile}". The "application" in those paths should be replaced by my application name.
Error:
[RequestedSecret [path='secret/application/{profile}’, mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Status 403 Forbidden [secret/application/{profile}]: 1 error occurred: * permission denied ; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]} ] org.springframework.vault.VaultException: Status 403 Forbidden [secret/application/{profile}]: 1 error occurred: * permission denied ; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]} ]
The replacement works correctly and the errors are gone if I set spring.cloud.vault.generic.enabled = false.
The problem is that this property is set for deprecation. Then what would be the way around it?
The errors are present with:
spring:
  cloud:
    vault:
      authentication: approle
      app-role:
        role-id: <<role-id>>
        secret-id: <<secret-id>>
      kv:
        enabled: true
        backend: secret
        application-name: <<application-name>>
        default-context: <<application-name>>
      host: <<vault-host>>
But not anymore with:
spring:
  cloud:
    vault:
      authentication: approle
      app-role:
        role-id: <<role-id>>
        secret-id: <<secret-id>>
      kv:
        enabled: true
        backend: secret
        application-name: <<application-name>>
        default-context: <<application-name>>
      generic:
        enabled: false
      host: <<vault-host>>
Should I be using this differently?
I had kind of a similar problem, and here's what I did:
I removed bootstrap.properties (if any ... as it's deprecated), and moved all the Vault-related props into application.properties
I declared the property spring.config.import: vault:// in application.properties
I removed spring.cloud.vault.generic.enabled (as no longer needed).
One last thing ... if you're using env. variables, you have to make sure they're really exported ... if not, use the source command (or reboot the OS)
As you said, setting generic to false solves the problem, so my recommendation is to keep that until they remove it
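To see where the secret/application requests behind the 403 come from, here is an added example (not from the question or either answer) that reproduces the context paths Spring Cloud Vault requests for the deprecated generic backend and for the kv backend, then checks them against an AppRole policy's path list so the denied paths can be predicted before the service starts. The path layout and the Vault policy-glob matching are my reading of the docs and are assumptions; the policy and application name are constructed.

```python
import re
from typing import List

# Added example, not from the original question or answers. It reproduces the
# secret paths Spring Cloud Vault requests for the deprecated "generic" backend
# and for the "kv" backend, then checks them against an AppRole policy. The path
# layout follows the Spring Cloud Vault docs as I understand them (assumption).

def context_paths(backend: str, default_context: str,
                  app_name: str, profiles: List[str]) -> List[str]:
    """Paths in request order: default context, then each application name,
    each followed by its per-profile variant."""
    names = [default_context] + [n.strip() for n in app_name.split(",")
                                 if n.strip() and n.strip() != default_context]
    paths = []
    for name in names:
        paths.append(f"{backend}/{name}")
        paths.extend(f"{backend}/{name}/{p}" for p in profiles)
    return paths

def generic_paths(app_name: str, profiles: List[str],
                  backend: str = "secret") -> List[str]:
    # The generic backend ignores kv.default-context and always uses
    # "application": this is where the secret/application requests come from.
    return context_paths(backend, "application", app_name, profiles)

def kv_paths(app_name: str, profiles: List[str], backend: str = "secret",
             default_context: str = "application", kv_version: int = 2) -> List[str]:
    # KV v2 is addressed through its /data/ API path; v1 uses the mount directly.
    api_backend = f"{backend}/data" if kv_version == 2 else backend
    return context_paths(api_backend, default_context, app_name, profiles)

def _policy_matches(pattern: str, path: str) -> bool:
    # Vault policy path syntax: literal, "+" matches one segment, trailing "*" glob.
    regex = re.escape(pattern).replace(r"\+", "[^/]+")
    if regex.endswith(r"\*"):
        regex = regex[:-2] + ".*"
    return re.fullmatch(regex, path) is not None

def uncovered(requested: List[str], policy_paths: List[str]) -> List[str]:
    """Requested paths no policy path grants: these are the ones that return 403."""
    return [p for p in requested
            if not any(_policy_matches(pat, p) for pat in policy_paths)]

if __name__ == "__main__":
    # Constructed values: an AppRole policy scoped only to the app's own paths.
    policy = ["secret/myapp", "secret/myapp/*"]
    for path in uncovered(generic_paths("myapp", ["prod"]), policy):
        print("would be denied:", path)   # secret/application, secret/application/prod
```

With generic disabled only the kv paths remain, so a policy scoped to the application's own prefix is enough and the default "application" context no longer needs a grant.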
Related
If I'm trying to connect to my Vault Engine, I get an Error 503 Service Unavailable. If I'm sending the call to a local WireMock which redirects the call with fewer headers to the same address, it works. Spring Cloud Version is 3.1.1
Cannot enhance VaultToken to a LoginToken: Token self-lookup failed: 503 <html><body><h1>503 Service Unavailable</h1>
The bootstrap config looks like this
spring:
  cloud:
    vault:
      scheme: https
      host: <uri-to-the-vault>
      port: 443
      uri: <uri-to-the-vault>
      authentication: token
      token: "TOKEN"
      enabled: true
      kv:
        enabled: true
        backend: <backend-name>
        profiles: <profile-name>
        application-name: <application-name>
I tried to set up a connection through WireMock to look if the call is incorrect. I tried to redirect the call. WireMock takes the call and sends it just to the same base URL written above but only with the token as a header, and it works. Postman takes the same call and it works as well.
I am at the learning stage of Spring Cloud, using spring version 2.4.3 and spring-cloud-version 2020.0.1, and I created two property files
application.yml
spring:
  application:
    name: cloud-server
server:
  port: 8888
bootstrap.yml
spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/************/insurance-config-server
          default-label: main
but still I got the following error
***************************
APPLICATION FAILED TO START
***************************
Description:
Invalid config server configuration.
Action:
If you are using the git profile, you need to set a Git URI in your configuration. If you are using a native profile and have spring.cloud.config.server.bootstrap=true, you need to use a composite configuration.
How to solve this kind of error?
Did you have a bootstrap.yml file?
I had the same problem. My project did not have a bootstrap.yml, but I specified a dev activity file in the IDEA startup configuration, which caused the same error as you had. The error was that bootstrap.yml could not be found on startup. After deleting dev in the IDEA startup configuration, it can start normally.
If you are following the example in the book you referenced then I will suggest you move this
spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/************/insurance-config-server
          default-label: main
to application.yml
That is what I did and it worked for me
I’m trying to solve an awkward problem with Spring Cloud Config Server via Bitbucket.
My config repo is on Bitbucket Cloud Server. The bootstrap.yaml file looks like below.
server:
  port: 9101
spring:
  application:
    name: config-server
  cloud:
    config:
      server:
        git:
          uri: https://****@bitbucket.org/****/config-repo.git
          username: ***
          password: ****
          skip-ssl-validation: true
          clone-on-start: true
          force-pull: true
          basedir: /tmp
eureka:
  client:
    service-url:
      defaultZone: ${EUREKA_SERVER_ADDRESS}
    register-with-eureka: true
The config-server fetched all properties from Bitbucket and wrote them to /tmp after the app started.
There is no exception or no warning. Everything is fine.
A few hours later I'm getting an error like the one below, when the app tries to fetch from Bitbucket to update all properties.
2020-12-22 12:08:55.865 INFO 1 --- [nio-9101-exec-5] o.s.c.c.s.e.NativeEnvironmentRepository : Adding property source: file:/tmp/salesart-spm-prod.properties
2020-12-22 12:08:56.936 WARN 1 --- [nio-9101-exec-7] .c.s.e.MultipleJGitEnvironmentRepository : Could not fetch remote for master remote: https://****@bitbucket.org/***/config-repo.git
I guess the problem is about the Bitbucket session. Why did I think this?
Because after successfully logging in to the Bitbucket server via username and password, the app fetches all properties.
Then, a few hours later, I'm getting the same error.
Do you have any idea to solve this problem?
I have a problem:
WWW-Authenticate Bearer realm="test", error="invalid_token", error_description="Invalid token issuer. Expected 'http://keycloak:8080/auth/realms/test', but was 'http://localhost:8080/auth/realms/test'"
My settings:
application.yml
keycloak:
  realm: test
  resource: api
  auth-server-url: http://keycloak:8080/auth
  ssl-required: external
  autodetect-bearer-only: true
  cors: true
  principal-attribute: preferred_username
  credentials:
    secret: 2b553733-8d5f-4276-8ace-17112ac7ac20
docker-compose.yml
keycloak:
  image: jboss/keycloak:10.0.0
  environment:
    - KEYCLOAK_USER=admin
    - KEYCLOAK_PASSWORD=admin
  ports:
    - "8080:8080"
  networks:
    - net
Auth url: http://localhost:8080/auth/realms/test/protocol/openid-connect/auth
Token url: http://localhost:8080/auth/realms/test/protocol/openid-connect/token
I understand why the problem exists, but I don't understand how to fix it.
Keycloak's Default Hostname Provider (https://www.keycloak.org/docs/latest/server_installation/#default-provider) has a property called frontendURL which should be set as the public URL on which Keycloak is exposed.
Setting frontendURL ensures that all front-channel URLs, like issuer, authorization_endpoint use the configured value as hostname in the URLs and back-channel URLs keep using hostname in the request.
I added 127.0.0.1 keycloak in hosts file and used http://keycloak:8080/auth/realms/*** url to get the token. Now the JWT token contained the issuer as keycloak instead of localhost. I verified the token using jwt.io website. This resolved the mismatch in token issuer.
I’m trying to migrate JHipster from using Zuul to Spring Cloud Gateway. JHipster uses Eureka to look up routes and I believe I’ve configured Spring Cloud Gateway correctly to look up routes and propagate the access token to them. Here’s my config:
spring:
  cloud:
    gateway:
      default-filters:
        - TokenRelay
      discovery:
        locator:
          enabled: true
          lower-case-service-id: true
          route-id-prefix: /services/
      httpclient:
        pool:
          max-connections: 1000
The problem I’m experiencing is the access token is not sending an Authorization header to the downstream services.
Here's how things were configured with Zuul in my application.yml:
zuul: # those values must be configured depending on the application specific needs
  sensitive-headers: Cookie,Set-Cookie #see https://github.com/spring-cloud/spring-cloud-netflix/issues/3126
  host:
    max-total-connections: 1000
    max-per-route-connections: 100
  prefix: /services
  semaphore:
    max-semaphores: 500
I created a pull request to show what's changed after integrating Spring Cloud Gateway.
https://github.com/mraible/jhipster-reactive-microservices-oauth2/pull/4
Steps to reproduce the issue:
git clone -b reactive git@github.com:mraible/jhipster-reactive-microservices-oauth2.git
Start JHipster Registry, Keycloak, and the gateway app:
cd jhipster-reactive-microservices-oauth2/gateway
docker-compose -f src/main/docker/jhipster-registry.yml up -d
docker-compose -f src/main/docker/keycloak.yml up -d
./mvnw
Start MongoDB and the blog app:
cd ../blog
docker-compose -f src/main/docker/mongodb.yml up -d
./mvnw
Navigate to http://localhost:8080 in your browser, log in with admin/admin, and try to go to Entities > Blog. You will get a 403 access denied error. If you look in Chrome Developer Tools at the network traffic, you'll see the access token isn't included in any headers.
I was able to solve this using this answer.
spring:
  cloud:
    gateway:
      discovery:
        locator:
          enabled: true
          predicates:
            - name: Path
              args:
                pattern: "'/services/'+serviceId.toLowerCase()+'/**'"
          filters:
            - name: RewritePath
              args:
                regexp: "'/services/' + serviceId.toLowerCase() + '/(?<remaining>.*)'"
                replacement: "'/${remaining}'"
I also had to add .pathMatchers("/services/**").authenticated() to my security config, which wasn't needed for Zuul. You can see my commit here.