Spring boot admin not showing secured endpoints of spring boot client - spring-boot

Installed spring boot admin and server.
All client endpoints are visible in spring boot admin but after adding security dependency in client secured endpoints are not visible in admin.
Provided credentials of admin and client in application.yaml of client.

Had the same problem. Firstly, you need to share user and password from admin-client, this can be configured in yml file:
spring.boot.admin.client:
url: http://localhost:8080
instance:
metadata:
user.name: ${spring.security.user.name}
user.password: ${spring.security.user.password}
Also you need to enable http basic in security config, because SBA server then uses this metadata to make http calls.
source: https://codecentric.github.io/spring-boot-admin/2.2.3/#_securing_client_actuator_endpoints

Related

Spring boot admin server configuration on Cloud run

We have a few cloud run services deployed on Cloud run with Ingress control set to "All" and Authentication set to "IAM". These are REST APIs created using Spring boot framework. We have one more Cloud Run service which is deployed as Spring boot admin server with Ingress control set to "All" and Authentication set to "Allow Unauthenticated Invocations".
Now the backend team have configured the Cloud run REST API services with the following cloud run endpoints in application.properties to communicate with Spring boot admin server:-
spring.boot.admin.client.url=${sm://cloud_run_rest_api_endpoint}
spring.boot.admin.client.instance.service-url=${sm://spring_boot_admin_server_cloud_run_endpoint}
This obviously fails on cloud run with 403 Unauthorized as the endpoints (Eg: /health, /metrics, /trace etc) required by Spring boot admin server from its clients need an Authorization Bearer token.
Is it possible to pass JWT token when accessing those endpoints ? Has anyone had success in setting up the same ? Or is there any possibility to have some of our cloud run service endpoints to be public on which we can later apply some security provided by spring ?
We are in the middle of setting up free API monitoring tool for our all APIs. Any recommendations are much appreciated.

How can I configure endpoints for RBAC in Spring Boot via Cloud Config Server?

I want to add the ability to microservices to allow configuring endpoints and permissions for RBAC via Cloud Config Server. So if there is a service called mordor, then if I add following properties in its application.yml at Cloud Config Server's repo
rbac:
- endpoint: /v1/test1
method: GET
scopes: ["rest-write:all", "read-write:product"]
- endpoint: /v1/test2
method: POST
scopes: ["read-write:product"]
the endpoints mentioned above should be configured for RBAC. As of now, I am passing the scopes and permissions via Auth0 JWT and using it for authentication. But with this, I will be able to add RBAC also based on the permissions I configure in Auth0's dashboard.
What is the best way to proceed with this?
I am able to get the rbac endpoints from Cloud Config Server but the problem is how to add them to Spring Security. I already have a class OAuth2SecurityConfiguerer where httpSecurity is configured but I haven't been able to add endpoints to Spring Security because it might require iterating over the endpoints obtained from Cloud Config Server

Spring OAuth2.0 : Authorization and Resource server in 1 Spring Boot app

The old spring security oauth can do this by spring-security-oauth2-autoconfigure
How can it be implemented using the latest spring security 5.7.x?
It seems that you have to create separate authorization server, resource server, and client...unlike the previous, you just have to enable configuration for authorization and resource server
But I am curious if there is a way to do libe the old way?
I discover this on my own.
Both the authorization and resource server can be in 1 springboot app and both can use same port.
It is the security configuration filter chain that you have to restrict both the "/login", "/oauth2/authorize"
Authorization server configuration is configured the basic way and so is the Resource server.

Spring Cloud Gateway Proxy Host issue

I am running Spring Cloud Gateway with Spring Boot version 2.5.8 and Spring Cloud version 2020.0.5.
I am trying to configure Spring Cloud Gateway to validate JWT access tokens using Spring Security and thus the gateway needs to connect to the OAuth2 Authorization server external to my company's network. As per company standard, I am using a proxy host to connect to the external Authorization server and I have set the http.proxy* and https.proxy* environment variables ie
-Dhttp.proxyHost=my-proxy.com -Dhttp.proxyPort=3328 -Dhttps.proxyHost=my-proxy..com -Dhttps.proxyPort=3328 -Dhttp.proxySet=true -Dhttps.proxySet=true
and well as the properties in application.yml. ie
spring:
cloud:
httpclient:
proxy:
host: my-proxy.com
port: 3328
But I am getting timeout error when connecting to the external Authorization Server. The proxy host and port are correct and are working for other Spring Boot projects using Spring MVC. I saw this question/answer
spring-boot app as spring-cloud-gateway has to use a proxy: JVM arguments not used NOR spring.cloud.gateway.httpclient.proxy.****
But my entries in application.yml is not working. Would appreciate if someone can provide some advice on resolving the issue.
Thanks

How to configure spring boot admin client when authentication is enabled?

I'm trying to set up a sample application using spring boot admin (both server + client side) and have run into an issue with authentication.
When spring security is enabled on the management/actuator endpoints on the client side the spring-boot-admin server does not seem able to communicate with the client -- logging in to the Admin interface via a Web browser results in a continuous loop of authentication windows popping up and prompting for usernames/passwords. Hitting cancel will display an HTTP 401 error on the page.
Here's a configuration that works on the client side:
management.security.enabled=false
security.basic.enabled=true
security.user.name=test
security.user.password=test
spring.boot.admin.url=http://localhost:9081/admin
spring.boot.admin.username=admin
spring.boot.admin.password=admin
This will:
Disable security for spring-boot's management/actuator resource
Enable security for all other resources (HTTP basic auth - user: test, password: test)
Register the spring-admin client on startup using the url http://localhost:9081/admin (HTTP basic auth - user: admin, password:admin)
I'm guessing the spring boot admin app doesn't support communication with secured clients because I don't see any configuration properties that would allow the information to be passed in upon client registration.
Has anyone got around this limitation and if so, how? I'd rather not leave the actuator endpoints "open to the public" so-to-speak, even though they are actually just exposed on the company's internal network.
There is no security feature included since the various solutions look very different. But I've put up some examples: https://github.com/joshiste/spring-boot-admin-samples

Resources