I've been struggling with this one for a while and can't figure out what I'm doing wrong.
I'm supposed to add basic authentication to my SOAP web service in Spring. I made the security config pretty simple (maybe too simple) so it concentrates on basic auth only (see below).
When I'm accessing the base URL from the browser, the authentication seems to be working, it asks for the credentials and if I provide them correctly, it accepts them.
However, when I want to send the SOAP request that contains the basic auth header to my web service endpoint, Spring Security sends back 401 to me. I tried sending the request with SOAPUI, Postman and from Windows Powershell via Invoke-WebRequest, and the result is the same whereas if I catch the request with Wireshark, the right header is there.
I'm using Spring Boot 2.1.8 for this project (same version with Spring Web Services and Security).
The security config class:
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("foo")
.password(passwordEncoder().encode("bar"))
.roles("USER");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic();
}
#Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
To my understanding, there is nothing specific I have to add to the web service config itself so all related basic auth settings can be done in the security config class. Or am I wrong?
Appreciate your help.
Update
Here is the request/response pair:
REQUEST:
POST /foo/endpoint/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://foo.bar"
Authorization: Basic Zm9vOmJhcg==
Content-Length: 9688
Host: localhost:1502
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:foo="http://foobar.com/">
<soapenv:Header/>
<soapenv:Body>
// body omitted
</soapenv:Body>
</soapenv:Envelope>
RESPONSE
HTTP/1.1 401
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
WWW-Authenticate: Basic realm="Realm"
Content-Length: 0
Date: Thu, 13 Aug 2020 14:22:29 GMT
configure(HttpSecurity http) needs some modifications to enable the http basic authentication in your code.
authorizeRequests() is used for authorization purposes. Once after a user successfully logged in, what all the resources(endpoints) should be accessible to logged-in user, is defined by authorizeRequests(). I also recommend, while authorizing the endpoints, you better use the antMatchers. For Example: I have modified the above code as
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("foo")
.password(passwordEncoder().encode("bar"))
.roles("USER");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and()
.authorizeRequests()
.antMatchers("/simple/**").hasRole("USER");
}
#Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
I hope this would work for you. Try & let me know.
NOTE: In Spring boot, just by adding the spring-boot-starter-security dependency, security gets enabled, without any configurations. So now, you trying to re-configure the basic auto-configuration. By extending, WebSecurityConfigurerAdapter class. That's correct.
POSTMAN: use authorization header
I want to access /registration/createUser URL without any restriction or before login. However after adding httpBasic() in security configuration it is giving 401 error code. but if I use formlogin() instead of httpBasic() then it is working as expected. but login functionality is not working .
for below code login functionality is working but permitall() functionality not working
SecurityConfiguration.java
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors();
http.httpBasic()
.and().authorizeRequests()
.antMatchers("/registration/createUser").permitAll()
.antMatchers("/rpa/api/v1/**").authenticated()
.antMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
;
for below code permitall() functionality is working but login functionality is not working
SecurityConfiguration.java
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors();
http.authorizeRequests()
.antMatchers("/registration/createUser").permitAll()
.antMatchers("/rpa/api/v1/**").authenticated()
.antMatchers("/admin/**").hasRole("ADMIN")
.and().formLogin()
.permitAll();
}
RegistrationController.java
#CrossOrigin(origins = "*")
#RestController
#RequestMapping("/registration")
public class RegistrationController {
#Autowired
private UserRepository userRepository;
#Autowired()
PasswordEncoder bCryptPasswordEncoder;
#RequestMapping(value = "/createUser",method = RequestMethod.POST)
#ResponseBody
public String createNewRegistration(#RequestBody USerDto uSerDto) throws Exception {
Optional<User> existingUser=userRepository.findByUserName(uSerDto.getUserName());
if(existingUser.isPresent()){
throw new Exception();
}else{
String plainText=uSerDto.getPassword();
String encrypt= bCryptPasswordEncoder.encode(plainText);
User user = new User();
user.setUserName(uSerDto.getUserName());
user.setEmail(uSerDto.getEmail());
user.setPassword(encrypt);
user.setPlainTextPSW(plainText);
HashSet hashSet= new HashSet();
Role role= new Role();
role.setRole(uSerDto.getRole());
role.setDescription(uSerDto.getPassword());
hashSet.add(role);
user.setRoles(hashSet);
userRepository.save(user);
return "USer Added successfully";
}
}
loginController.java
#CrossOrigin(origins = "*")
#RestController
#RequestMapping("/")
public class loginController {
#RequestMapping(value = "/login",method = RequestMethod.GET)
#ResponseBody
public String login() throws Exception {
return "success";
}
}
loginservice.ts
login(username:string,password:string){
const headers = new HttpHeaders({ Authorization: 'Basic ' + btoa(username + ':' + password) });
return this.httpClient.get("http://localhost:8888/login",{headers,responseType: 'text' as 'json'})
}
registration.ts
saveUser(userName,email,password, role) {
const headers = new HttpHeaders({ Authorization: 'Basic ' +
btoa(userName + ':' + password +email + ':' + role) });
return this.http.post<any>('http://localhost:8888/registration/createUser',
{
userName:userName,
password:password,
email:email,
role:role,
},{headers}). pipe( share(),
catchError(this.errorHandle));
below text is a request for /createuser . which is permitAll().but it throwing 401 even if there is no authentication.
Request URL: http://localhost:8888/registration/createUser
Request Method: POST
Status Code: 401
Remote Address: [::1]:8888
Referrer Policy: no-referrer-when-downgrade
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Thu, 26 Mar 2020 05:53:13 GMT
Expires: 0
Pragma: no-cache
Transfer-Encoding: chunked
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Authorization: Basic cm46YXdlcnJ1YXNlQGdtYWlsLmNvbTp1c2Vy
Connection: keep-alive
Content-Length: 75
Content-Type: application/json
Host: localhost:8888
Origin: http://localhost:4200
Referer: http://localhost:4200/login
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
{userName: "rn", password: "awer", email: "ruase#gmail.com", role: "user"}
userName: "rn"
password: "awer"
email: "ruase#gmail.com"
role: "user"
response
{"timestamp":"2020-03-26T05:53:13.578+0000","status":401,"error":"Unauthorized","message":"Unauthorized","path":"/registration/createUser"}
so how to achieve both when I am trying to access from my angular UI.
While debugging a CORS issue I am experiencing I've found the following behaviour. Chrome makes the following OPTIONS preflight request (rewritten in CURL by Chrome itself):
curl -v 'https://www.example.com/api/v1/users' -X OPTIONS -H 'Access-Control-Request-Method: POST' -H 'Origin: http://example.com' -H 'Accept-Encoding: gzip,deflate,sdch' -H 'Accept-Language: es-ES,es;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36' -H 'Accept: */*' -H 'Referer: http://example.com/users/new' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: accept, x-api-key, content-type'
The response from the server to this request if the following:
< HTTP/1.1 403 Forbidden
< Date: Thu, 21 Jul 2016 14:16:56 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-Frame-Options: SAMEORIGIN
< Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
< Content-Length: 20
< Keep-Alive: timeout=5, max=100
< Connection: Keep-Alive
being the body of the response 'Invalid CORS request'. If I repeat the request removing the header 'Access-Control-Request-Method' (and only that header) the OPTIONS requests succeeds with the following reponse:
< HTTP/1.1 200 OK
< Date: Thu, 21 Jul 2016 14:21:27 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-Frame-Options: SAMEORIGIN
< Access-Control-Allow-Headers: origin, content-type, accept, x-requested-with, x-api-key
< Access-Control-Max-Age: 60
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Origin: *
< Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
< Content-Length: 0
< Keep-Alive: timeout=5, max=100
< Connection: Keep-Alive
However, the offending header is a CORS spec standard header so it should not prevent the request from succeeding, right? Why is this header causing such behaviour?
And how can I tweak the access control headers sent by my server to make the request work when made with Chrome?
By the way, I am using Chrome 36.0, and the server is using Spring Boot, with the CORS headers being managed by Spring.
When the request is made by Firefox (v47.0) the behaviour is different but with an analogue result. Firefox does not even send the preflight request, it directly sends the POST request, which receives as response a 403 Forbidden. However, if I copy the request with the 'Copy as cURL' option, and repeat it from a terminal window, It succeeds and sends the correct CORS headers in the response.
Any idea?
Update: Firefox does send the preflight OPTIONS request (as shown by the Live HTTP headers plugin), but Firebug masks it, so the behaviour in both browsers it exactly the same. In both browsers is the 'Access-control-request-method' header the difference that makes the request fail.
After a lot of struggling, I finally found the problem. I configured a request mapping in Spring to handle OPTIONS traffic, like this:
#RequestMapping(value= "/api/**", method=RequestMethod.OPTIONS)
public void corsHeaders(HttpServletResponse response) {
response.addHeader("Access-Control-Allow-Origin", "*");
response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.addHeader("Access-Control-Allow-Headers", "origin, content-type, accept, x-requested-with");
response.addHeader("Access-Control-Max-Age", "3600");
}
I did not know that by default Spring uses a default CORS processor, and it seems it was interfering with my request mapping. Deleting my request mapping and adding the #CrossOrigin annotation to the appropriate request mappings solved the problem.
i also faced the same issue and find solution for enabling global cors issue in spring boot
#Configuration
#EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
#Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**").allowedMethods("GET", "POST", "PUT", "DELETE").allowedOrigins("*")
.allowedHeaders("*");
}
}
after this , we need to enable CORS in spring security level also, so for this
add cors() in your SecurityConfiguration class which extent WebSecurityConfigurerAdapter
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.cors()
.and()
.csrf().disable()
.authorizeRequests()..
}
I had the same issue. I've resolve it by adding 'OPTIONS' to allowed CORS methods in my Spring MVC configuration.
#Configuration
#EnableWebMvc
#ComponentScan
public class RestApiServletConfig extends WebMvcConfigurerAdapter {
#Override
public void addCorsMappings(CorsRegistry registry) {
super.addCorsMappings(registry);
registry.addMapping("/**")
.allowedOrigins("http://localhost:3000", "http://localhost:8080")
.allowedMethods("GET", "PUT", "POST", "DELETE", "OPTIONS");
}
}
For me I have added #crossorigin annotation in each of controller api call.
#CrossOrigin
#PostMapping(path = "/getListOfIndividuals", produces = { "application/json" }, consumes = { "application/json" })
public ResponseEntity<String> test(#RequestBody String viewIndividualModel)
throws Exception {
String individualDetails = globalService.getIndividualDetails(viewIndividualModel);
finalString = discSpecAssmentService.getViewFormForDisciplineEvaluation( viewIndividualModel);
return new ResponseEntity<String>(finalString, HttpStatus.OK);
}
Edit: Enable CORS in security configuration and make sure options requests bypass security
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.cors()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
// More security configuration here
}
I added this as an answer because I couldn't format it well for the top voted answer.
I found this post helpful as well: How to handle HTTP OPTIONS with Spring MVC?
DispatchServlet must be configured to pass along options request, or else it never reaches the mapped request:
...
<servlet>
<servlet-name>yourServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>dispatchOptionsRequest</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
...
I came across this really while testing the CORS on our endpoints using test-cors.org website and it exhibits the exact same behavior that is described above.
The approach that I did was to use the Global CORS filter instead of using the #CrossOrigin annotation.
#Configuration
class CorsConfig : WebMvcConfigurer {
override fun addCorsMappings(registry: CorsRegistry) {
registry.addMapping("/**")
.allowCredentials(true)
.allowedHeaders("*")
.allowedMethods("*")
.allowedOrigins("*")
.maxAge(3600)
}
}
Note that you should not use #EnableWebMvc unless you want to take control Spring Boot Auto-configuration as noted here...which will probably cause some "issues" as noted here and here
This next custom configuration is also needed (solution partially lifted from here) or else you will get that particular CORS pre-flight issue:
#Configuration
class CustomWebSecurityConfigurerAdapter : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http.cors().and().csrf().disable()
}
}
I'm trying it set up a proof of concept using Spring Boot and OAuth2. I've set up some project very similar to the ones outlined here:
https://spring.io/guides/tutorials/spring-boot-oauth2/
and here: https://spring.io/guides/tutorials/spring-security-and-angular-js/
The main difference with mine is I've left out all the AngularJS stuff.
I have the following services:
Authorization server
Resource server (as protected OAuth2 client)
UI server (as protected OAuth2 client)
All that I want to happen is this:
Hit the UI server
Get redirected to auth server and get prompted for credentials
UI server will then fetch some text from resource server and display them
I can get this all to work fine with Basic authentication on the auth server. However I want to be able to replace the basic authentication with that from Active Directory.
I have a couple of other Spring Boot projects that can do the AD authentication and it works, however whenever I try and drop it into this things go wrong. I think it's to do with the security around the auth server endpoints, but I'm not sure what.
Also, it's not clear to me which endpoints should be secured by what protocol (OAuth2 v. Basic) in a production environment? The docs recommend some endpoints should be secured with Basic. Should all 'OAuth2 clients' somehow include these credentials in their requests?
Here's my auth server application (with bits for Active Directory added):
#EnableResourceServer
#EnableAuthorizationServer
#SpringBootApplication
#RestController
public class AuthServerLdapApplication {
public static void main(String[] args) {
SpringApplication.run(AuthServerLdapApplication.class, args);
}
#RequestMapping("/user")
public Principal user(Principal user) {
return user;
}
#Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
#Configuration
protected static class ActiveDirectoryConfig extends WebSecurityConfigurerAdapter {
#Value("${activedirectory.url}")
private String activeDirectoryUrl;
#Value("${activedirectory.domain}")
private String getActiveDirectoryDomain;
#Autowired private AuthenticationManager authenticationManager;
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(getActiveDirectoryDomain,
activeDirectoryUrl);
provider.setConvertSubErrorCodesToExceptions(true);
provider.setUseAuthenticationRequestCredentials(true);
auth.authenticationProvider(provider);
auth.parentAuthenticationManager(authenticationManager);
}
}
}
Basically what then happens is that I get this when I hit the UI server:
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
If I do this against the authorization server:
curl -v http://localhost:9004/uaa/login
* Trying ::1...
* Connected to localhost (::1) port 9004 (#0)
> GET /uaa/login HTTP/1.1
> Host: localhost:9004
> User-Agent: curl/7.44.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Cache-Control: no-store
< Pragma: no-cache
< WWW-Authenticate: Bearer realm="null", error="unauthorized", error_description="Full authentication is required to access this resource"
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Tue, 01 Dec 2015 12:38:53 GMT
<
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}* Connection #0 to host localhost left intact
It looks like the login endpoint now expects a bearer token? I'm not sure how to proceed now...
Any help/advice would be appreciated...
You #EnableResourceServer but you haven't provided any rules for the resources you want to protect so it's trying to protect everything. You need to add a #Bean of type ResourceServerConfigurerAdapter and set the request matchers (as well as whatever other rules you want).
I want to disable the Trace verb on the serve so that endpoints are untraceable.
My endpoints are created using Spring MVC and there is a option endpoints.trace.enabled=false.
Pain is how to test this, if trace is disabled or not. I tried chrome plug-ins live HTTP Headers but it for generic site. I want to check my endpoint.
For example:
curl --insecure -v -X TRACE -H http://localhost:8080/toy/49f6a7d3-eb20-3ab2-be3b-8399e7f28abf
HTTP/1.1 200 OK
< Date: Sat, 21 Mar 2015 04:34:03 GMT
< Content-Type: message/http; charset=UTF-8
< Content-Length: 270
<
TRACE /toy/49f6a7d3-eb20-3ab2-be3b-8399e7f28abf HTTP/1.1
User-Agent: curl/7.37.1
Host: localhost:8080
Accept: */*
* Connection #0 to host localhost left intact
I tried below but now it denies all the request.
#Configuration
#EnableWebMvcSecurity
#EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled = true, jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.TRACE, "/**").denyAll();
}
}
AFAIK TRACE is disabled by default on Tomcat, as well as Jetty 6,
You can use curl to make sure:
curl -v -X TRACE http://www.example.com
You want to see 405 method not allowed in the response.