Is it possible to inject an HTTP request in a SecurityIdentityAugmentor with Quarkus, so that I can use some HTTP header params to build the augmented identity ?
Related
I am looking for the solution to intercept
AbstractWebClientReactiveOAuth2AccessTokenResponseClient while using spring reactive Oauth2 with authorization grant type client_credentials? I am using hmac-auth-webclient provided here but this example only intercept the ClientRequest sent by webclient created in the configuration. While
ServerOAuth2AuthorizedClientExchangeFilterFunction using its own webclient instance to send the token request which doesnt get intercepted with the filters specified in the configuration. How can I force every webclient initiated in the application should use certain headers in the request such as Digest & signature headers?
I am expecting way to intercept webclient instance used AbstractWebClientReactiveOAuth2AccessTokenResponseClient to send some more custom headers with /token request.
We are using spring boot 2.4.5 with webflux and calling a service with client credentials grant type. What we noticed is that webclient is not following redirects.
How can we enable webclient to follow redirects where it can continue passing access token until it get the http 200?
Adding following code snippet does not pass the access token to redirected url and it is returning 401.
WebClient.builder()
.clientConnector(new ReactorClientHttpConnector(
HttpClient.create().followRedirect(true)
))
The sensitive headers like the Authorization are removed from the initialized request when redirecting to a different domain.
You can use the following variant of followRedirect(boolean):
followRedirect(boolean followRedirect, Consumer<HttpClientRequest> redirectRequestConsumer)
In order to re-add the Authorization header using redirectRequestConsumer.
For more details see the Javadoc here and Reactor Netty documentation here.
Basic Spring Security is great as it comes with WebSecurity (preventing malformed URLs) along with setting up authentication and authorization.
As part of authenticating my web request, the digest of the request body needs to be verified against the digest value passed in the http header. Setting up the Spring Security filter, forces my auth filter to process a firewalled request. The firewalled request doesn't seem to expose the request body to the filter.
What is the correct way to set up the Spring Security filter so that I can inspect the request body?
Thanks!
In Spring Security there are many filter classes built in for to be extended and used for specific purposes. As in my experience most of (or all of them) have methods with overloads which have access to,
HttpServletRequest request, HttpServletResponse response
as method arguments, so that those can be used inside the method.
When the filter class is met with any request, these variables are then populated with related data thus the code inside the methods output as expected.
Has sprint integration http outbound gateway has any configuration property to add interceptor into org.springframework.web.client.RestTemplate ?
I want to intercept the httpRequest for adding some security information in request (like interceptor property in ws-ouboundgatewy) ,But I could not see any interceptor configuration option in http outbound gateway?.
Do we have any other option to achieve this functionality ?
You can inject to the <int-http:outbound-gateway> any custom RestTemplate bean using rest-template attribute on the first one.
But from other side I don't see any mentions for interceptor logic in the RestTemplate...
Can I add custom cookies over websocket in Spring SockJS implementation? The way we can add it with http request/ response?
Forget to mention that I see way to read cookie from headers :: HttpHeaders headers= session.getHandshakeHeaders(); -But I do not see a way to set headers. With headers I can read the cookies -but how to set it?
This is all work-in-progress still, but at this time you can configure a HandshakeInterceptor on the DefaultSockJsService. That gives you access to the request and response before and after the handshake.