I am trying to set up a test JHipster web app with Okta as per this guide.
I am able to log in to my JHipster web app with Okta, and I should be ROLE_ADMIN, but after getting redirected back to the web app menu, any attempt to navigate to an entity results in a not authorized/access denied page.
The IDE is IntelliJ and the build tool is Gradle. I am using Java SDK 11.
Okta has ROLE_ADMIN and ROLE_USER groups:
I have added the claim:
The console logs:
Enter: add() with argument[s] = [AuditEvent [timestamp=2020-04-25T19:50:39.747921400Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]]
Exit: add() with result = null
WARN 16660 --- [ XNIO-1 task-52] o.z.problem.spring.common.AdviceTraits : Unauthorized: Full authentication is required to access this resource
WARN 16660 --- [ XNIO-1 task-52] .m.m.a.ExceptionHandlerExceptionResolver : Resolved [org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource]
In trying to fix the error I have added both users and groups to the assignments under the application:
But the problem persists.
What is the fix to be authorized as ADMIN?
Change your groups claim to use a filter of "Matches regex" and it should fix your problem.
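The answer works because the application only grants an authority for each value it actually receives in the groups claim: when the claim filter does not match the Okta group names, the claim arrives empty and the logged-in user holds no ROLE_ authority at all, which is exactly what the audit event above records. The mapper below is an added example (not JHipster's generated code) that shows this claim-to-authority step; the claim name "groups" and the registration call in the comment are assumptions.

```java
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapper.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

/**
 * Turns the identity provider's "groups" claim into Spring Security authorities.
 * Added example, not JHipster's code. Assumed registration:
 * http.oauth2Login().userInfoEndpoint().userAuthoritiesMapper(new GroupsClaimAuthoritiesMapper()).
 */
public class GroupsClaimAuthoritiesMapper implements GrantedAuthoritiesMapper {
    static final String GROUPS_CLAIM = "groups"; // assumed claim name, as configured in Okta

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new HashSet<>();
        for (GrantedAuthority authority : authorities) {
            Map<String, Object> claims = new HashMap<>();
            if (authority instanceof OidcUserAuthority) {
                OidcUserAuthority oidc = (OidcUserAuthority) authority;
                claims.putAll(oidc.getIdToken().getClaims());           // ID token claims
                if (oidc.getUserInfo() != null) {
                    claims.putAll(oidc.getUserInfo().getClaims());     // userinfo claims override on conflict
                }
            } else if (authority instanceof OAuth2UserAuthority) {
                claims.putAll(((OAuth2UserAuthority) authority).getAttributes());
            }
            mapped.addAll(authoritiesFromGroups(claims.get(GROUPS_CLAIM)));
        }
        return mapped;
    }

    /** An absent or empty claim yields no authorities: the user is logged in but holds no ROLE_*. */
    static List<GrantedAuthority> authoritiesFromGroups(Object groupsClaim) {
        List<GrantedAuthority> result = new ArrayList<>();
        if (groupsClaim instanceof Collection) {
            for (Object group : (Collection<?>) groupsClaim) {
                String name = String.valueOf(group);
                if (name.startsWith("ROLE_")) {                       // only group names that are Spring roles
                    result.add(new SimpleGrantedAuthority(name));
                }
            }
        }
        return result;
    }
}
```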
I see issues in the Spring Cloud Config Server (Spring Boot) logs when connecting to the repo where the configs are stored. I'm not sure if it's unable to clone because of credentials or something else (git-upload-pack not permitted). Any pointers would be great.
2021-10-06 22:52:51.763 INFO 1 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-10-06 22:52:51.764 INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2021-10-06 22:52:51.765 INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 1 ms
2021-10-06 22:52:54.769 WARN 1 --- [nio-8080-exec-1] .c.s.e.MultipleJGitEnvironmentRepository : Error occured cloning to base directory.
org.eclipse.jgit.api.errors.TransportException: https://github.asdf.asdf.asdf.com/asdfad/sdasdf: git-upload-pack not permitted on 'https://github.asdf.asdf.adsf.com/sdfdf/asdfsad-configs/'
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:254) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:306) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:200) ~[org.eclipse.jgit-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.cloneToBasedir(JGitEnvironmentRepository.java:612) [spring-cloud-config-server-3.0.4.jar!/:3.0.4]
at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.copyRepository(JGitEnvironmentRepository.java:587) [spring-cloud-config-server-3.0.4.jar!/:3.0.4]
at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.createGitClient(JGitEnvironmentRepository.java:570) [spring-cloud-config-server-3.0.4.jar!/:3.0.4]
at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.refresh(JGitEnvironmentRepository.java:267) [spring-cloud-config-server-3.0.4.jar!/:3.0.4]
at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.getLocations(JGitEnvironmentRepository.java:245) [spring-cloud-config-server-3.0.4.jar!/:3.0.4]
at org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentRepository.getLocations(MultipleJGitEnvironmentRepository.java:139) [spring-cloud-config-server-3.0.4.jar!/:3.0.4]
The Spring Boot app.properties for the config server app looks like this:
spring.cloud.config.server.git.uri=https://github.sdf.sdasdf.asdf.com/asdf/asdf-configs
spring.cloud.config.server.git.username=github-token
spring.cloud.config.server.git.password={github_token}
The endpoint returns the response below:
{"status":"DOWN","components":{"clientConfigServer":{"status":"UNKNOWN","details":{"error":"no property sources located"}},"configServer":{"status":"DOWN","details":{"repository":{"application":"app","profiles":"default"},"error":"org.springframework.cloud.config.server.environment.NoSuchRepositoryException: Cannot clone or checkout repository: https://github-token#github.sdf.sdf.dsfs.com/sdf/sdfsd-configs"}},"discoveryComposite":{"description":"Discovery Client not initialized","status":"UNKNOWN","components":{"discoveryClient":{"description":"Discovery Client not initialized","status":"UNKNOWN"}}},"diskSpace":{"status":"UP","details":{"total":103880232960,"free":24558080000,"threshold":10485760,"exists":true}},"livenessState":{"status":"UP"},"ping":{"status":"UP"},"readinessState":{"status":"UP"},"refreshScope":{"status":"UP"}},"groups":["liveness","readiness"]}
The GitHub token needs to be passed as the username; I was configuring it against the password property for the Spring Boot app. The password property needs to be left empty and the GitHub token needs to be assigned to the username like below:
spring.cloud.config.server.git.username=asdfasdxxxxxxxyssssysysyssysy
spring.cloud.config.server.git.password=
Token authentication requirements are necessary for Git operations; see this link for more info:
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
Try adding .git at the end of the URI in app.properties:
spring.cloud.config.server.git.uri=https://github.sdf.sdasdf.asdf.com/asdf/asdf-configs.git
I have a user with the role manager in JHipster, and this role should have the authority to create users.
I have implemented all front-end functionality to allow this user to create users in user management. In admin.route.ts I provided the ROLE_MANAGER authority, and in the canActivate method in user-management.component I gave the authority ROLE_MANAGER. I have also given permission with .hasAnyAuthority() for both admin and manager roles on the /management/** APIs in the SecurityConfiguration class.
However, when I try to open the user-management page, even though it opens, I see a message on top which says you are not authorized to see this page. Then when I create the user, I get the error:
Enter: io.xiges.asbestos.adm.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2019-03-11T21:40:58.263Z, principal=user, type=AUTHORIZATION_FAILURE, data={type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]]
2019-03-12 08:40:58.267 DEBUG 25632 --- [ XNIO-2 task-24] i.x.a.adm.aop.logging.LoggingAspect : Exit: io.xiges.asbestos.adm.repository.CustomAuditEventRepository.add() with result = null
2019-03-12 08:40:58.269 WARN 25632 --- [ XNIO-2 task-24] o.z.p.spring.web.advice.AdviceTrait : Forbidden: Access is denied
2019-03-12 08:40:58.272 WARN 25632 --- [ XNIO-2 task-24] .m.m.a.ExceptionHandlerExceptionResolver : Resolved exception caused by Handler execution: org.springframework.security.access.AccessDeniedException: Access is denied.
In my application, I want to give all users in the role manager, the authority to create users. What am I missing here?
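The URL rules in SecurityConfiguration are only the first gate. In a JHipster backend the user-management REST endpoints typically carry their own method-level @PreAuthorize annotations restricted to the ADMIN authority, and an audit event with principal=user and AccessDeniedException on a create call is what a denial at that second layer looks like. The sketch below is an added example, not the project's generated code: it places the two layers side by side with the method-level check widened to the manager role. AuthoritiesConstants.MANAGER and the /api/users path are assumptions.

```java
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Assumed constants in the style of JHipster's AuthoritiesConstants
final class AuthoritiesConstants {
    static final String ADMIN = "ROLE_ADMIN";
    static final String MANAGER = "ROLE_MANAGER"; // assumption: the manager role's authority name
    private AuthoritiesConstants() {}
}

@RestController
class UserResource {

    // Layer 2: the method-level rule. Even when the URL rule admits ROLE_MANAGER,
    // an ADMIN-only expression here still raises AccessDeniedException.
    // Before (typical generated code):
    //   @PreAuthorize("hasAuthority(\"" + AuthoritiesConstants.ADMIN + "\")")
    // After: both authorities may create users.
    @PreAuthorize("hasAnyAuthority(\"" + AuthoritiesConstants.ADMIN + "\", \"" + AuthoritiesConstants.MANAGER + "\")")
    @PostMapping("/api/users")
    public ResponseEntity<String> createUser(@RequestBody String userDto) {
        return ResponseEntity.ok("created " + userDto);
    }
}

// Layer 1: URL-level rules, as written in SecurityConfiguration.configure(HttpSecurity).
final class SecurityRules {
    static void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/api/users/**").hasAnyAuthority(AuthoritiesConstants.ADMIN, AuthoritiesConstants.MANAGER)
            .antMatchers("/management/**").hasAnyAuthority(AuthoritiesConstants.ADMIN, AuthoritiesConstants.MANAGER)
            .antMatchers("/api/**").authenticated();
    }
}
```

Both layers must admit the authority; the more restrictive one decides, and the audit log records which one denied.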
I am working on a project that reuses https://github.com/vdenotaris/spring-boot-security-saml-sample to integrate with Azure AD as the IdP.
The integration went pretty smoothly. The only thing I couldn't fix was the metadata trust check.
According to https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/chapter-idp-guide.html
it's recommended to set metadataTrustCheck to false to skip signature validation.
However, I'd like to ask if it's possible to use the metadata trust check with Azure.
To recreate, set the IDP metadata URL to
https://login.microsoftonline.com/sample.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
set metadataTrustCheck to true for WebSecurityConfig#extendedMetadataProvider,
and import the login.microsoftonline.com SSL cert into samlKeystore.jks:
2018-01-23 09:58:05.450 DEBUG 9924 --- [localhost-startStop-1] o.o.xml.signature.SignatureValidator : Signature validated with key from supplied credential
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Signature validation using candidate credential was successful
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Successfully verified signature using KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Attempting to establish trust of KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.x.s.x.BasicX509CredentialNameEvaluator : Supplied trusted names are null or empty, skipping name evaluation
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Attempting PKIX path validation on untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
2018-01-23 09:58:05.458 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Building certificate path using default security provider
2018-01-23 09:58:05.466 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : PKIX path construction failed for untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:1.8.0_161]
at java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator.validate(CertPathPKIXTrustEvaluator.java:85) ~[spring-security-saml2-core-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]
The issue doesn't happen with ssocircle metadata https://idp.ssocircle.com/idp-meta.xml
The certificate used to sign your metadata seems different from the one at login.microsoftonline.com which you imported.
See Signature trust establishment failed for SAML metadata entry
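The PKIX failure in the log says which certificate metadataTrustCheck is really evaluating: the one in the metadata's ds:Signature, with subject CN=accounts.accesscontrol.windows.net, not the TLS certificate of login.microsoftonline.com that was imported. A direct way to see this is to pull the signing certificate out of the metadata and compare its fingerprint with the keystore entries. This is an added example, not code from the sample project; the two file names are assumptions, and it assumes the signer's certificate is carried inline in ds:KeyInfo, as Azure AD's federation metadata does.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class MetadataSignerCheck {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Certificates carried in ds:Signature/ds:KeyInfo of the metadata: the signer PKIX has to trust. */
    static List<X509Certificate> signingCertificates(InputStream metadataXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // untrusted XML: no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(metadataXml);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        NodeList signatures = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        for (int i = 0; i < signatures.getLength(); i++) {
            NodeList x509 = ((Element) signatures.item(i)).getElementsByTagNameNS(DSIG_NS, "X509Certificate");
            for (int j = 0; j < x509.getLength(); j++) {
                byte[] der = Base64.getMimeDecoder().decode(x509.item(j).getTextContent().trim());
                certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
            }
        }
        return certs;
    }

    static String sha256(Certificate cert) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: the downloaded FederationMetadata.xml and the sample's samlKeystore.jks.
        // A null password reads the JKS certificates without the integrity check, so no secret is needed here.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("samlKeystore.jks")) { ks.load(in, null); }
        Set<String> trusted = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) if (ks.getCertificate(alias) != null) trusted.add(sha256(ks.getCertificate(alias)));
        try (InputStream in = new FileInputStream("FederationMetadata.xml")) {
            for (X509Certificate c : signingCertificates(in)) {
                System.out.printf("signer=%s sha256=%s inKeystore=%s%n", c.getSubjectX500Principal(), sha256(c), trusted.contains(sha256(c)));
            }
        }
    }
}
```

When inKeystore prints false, the imported TLS certificate is not the trust anchor PKIX is looking for; the metadata signer itself (self-signed, and rotated by Azure AD over time) has to be the entry in samlKeystore.jks.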
I am new to Spring Boot and Spring OAuth2, and after googling I somehow got examples using Spring Boot 1.2.4 with MongoDB. The following is the setup:
Spring boot 1.2.4 and Spring oauth2 2.0.7 for Authorization Server
Spring boot 1.5.4 and spring oauth2 2.0.7 for Resource Server
The controller code snippet for Resource Server is as below :
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

    @RequestMapping("/hello")
    @ResponseBody
    @PreAuthorize("hasRole('Dev')")
    //@PreAuthorize("hasRole('Dev')")
    public String helloWorld() {
        return "Hello World.";
    }
When both the resource and authorization servers were Spring Boot 1.2.4, authorization was working FINE, but with different versions it seems to be incompatible, as it throws an error:
{
"error": "access_denied",
"error_description": "Access is denied"
}
When I turned on logging in 1.5.4, this is the log result:
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public java.lang.String st.malike.auth.client.http.DemoController.helloWorld(); target is of class [st.malike.auth.client.http.DemoController]; Attributes: [[authorize: '#oauth2.throwOnError(hasRole('Dev'))', filter: 'null', filterTarget: 'null']]
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@1c32aba2: Principal: null; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: Dev
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@6d6b90, returned: -1
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@1deeabb9, returned: 0
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@1c3cd0b, returned: 0
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.w.s.m.m.a.ExceptionHandlerExceptionResolver - Resolving exception from handler [public java.lang.String st.malike.auth.client.http.DemoController.helloWorld()]: org.springframework.security.access.AccessDeniedException: Access is denied
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.w.s.m.a.ResponseStatusExceptionResolver - Resolving exception from handler [public java.lang.String st.malike.auth.client.http.DemoController.helloWorld()]: org.springframework.security.access.AccessDeniedException: Access is denied
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.w.s.m.s.DefaultHandlerExceptionResolver - Resolving exception from handler [public java.lang.String st.malike.auth.client.http.DemoController.helloWorld()]: org.springframework.security.access.AccessDeniedException: Access is denied
2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - Could not complete request
org.springframework.security.access.AccessDeniedException: Access is denied
Now I know this line is causing trouble in Spring Boot 1.5.3:
o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@6d6b90, returned: -1
Please help with how to make authorization work with the above setup.
I changed the spring-security version to 3.2.10.RELEASE in the Resource Server with spring-boot 1.5.3, and everything works fine. It seems that the spring-security logic in 4.x has changed and is not compatible.
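The voter that returned -1 is the one evaluating hasRole('Dev'). Spring Security 4.x changed hasRole() to prepend ROLE_ automatically, so the expression now looks for ROLE_Dev, while the token only carries the bare authority Dev (the log line "Granted Authorities: Dev"); Spring Security 3.2 added no prefix, which is why the downgrade works, at the price of pinning a library line that no longer receives security fixes. The example below is added here and is not the original resource server's code (the DemoController name comes from the log): it shows the denied expression next to the two ways of fixing it on Spring Security 4.2, of which the first alone is sufficient.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
class DemoController {

    // Spring Security 4.x evaluates hasRole('Dev') as hasAuthority('ROLE_Dev').
    // The token only carries the bare authority "Dev" (see "Granted Authorities: Dev"
    // in the log), so PreInvocationAuthorizationAdviceVoter returns -1 here.
    @RequestMapping("/hello-denied")
    @ResponseBody
    @PreAuthorize("hasRole('Dev')")
    public String helloDenied() {
        return "not reached with authority Dev";
    }

    // Fix 1: match the authority exactly as the authorization server issued it.
    @RequestMapping("/hello")
    @ResponseBody
    @PreAuthorize("hasAuthority('Dev')")
    public String helloWorld() {
        return "Hello World.";
    }
}

// Fix 2: keep hasRole('Dev') in the annotations but switch off the automatic ROLE_ prefix.
// This is global: every hasRole() expression in the application then compares the raw name.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        OAuth2MethodSecurityExpressionHandler handler = new OAuth2MethodSecurityExpressionHandler(); // keeps #oauth2.* expressions
        handler.setDefaultRolePrefix("");
        return handler;
    }
}
```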
I am using Spring Security and Active Directory for authentication. Below is my configuration:
registry
    .ldapAuthentication()
    .ldapAuthoritiesPopulator(customLdapAuthoritiesPopulator)
    .userDnPatterns("cn={0},cn=Users")
    .contextSource()
        .managerDn("cn=Administrator,cn=Users,cn=COMPANY,cn=COM,cn=TN")
        .managerPassword("xxxxxxx")
        .url("ldap://xxx.xxx.xxx.xxxx:389/cn=COMPANY,cn=COM,cn=TN");
When I try to connect with a valid user, I get this log:
23:30:49.321 [http-bio-8080-exec-8] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
23:30:49.322 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.LdapAuthenticationProvider - Processing authentication request for user: ben
23:30:49.344 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.BindAuthenticator - Attempting to bind as cn=ben,cn=Users,cn=COMPANY,cn=COM,cn=TN
23:30:49.345 [http-bio-8080-exec-8] DEBUG o.s.s.l.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=ben,cn=Users,cn=COMPANY,cn=COM,cn=TN
23:30:52.371 [http-bio-8080-exec-8] DEBUG o.s.s.l.a.BindAuthenticator - Failed to bind as cn=ben,cn=Users: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580
Sorry, it was a stupid mistake: I used CN instead of DC.