springfox swagger api: Can't get OAuth 2.0 working - spring-boot

I'm using Spring Security OAuth 2.0 authorization in a Spring Boot REST API. It works as expected in Postman tests, but I don't succeed in making it work from Swagger "Try it out". I'm using this post here: How to configure oAuth2 with password flow with Swagger ui in spring boot rest application. This is supposed to work, but it doesn't in my case. I just need some clarification on the following method:
```java
// Springfox: applies the OAuth security references only to operations matching /user/**
private SecurityContext securityContext() {
    return SecurityContext.builder()
        .securityReferences(defaultAuth())
        .forPaths(PathSelectors.ant("/user/**"))
        .build();
}
```
What does the /user/** URL stand for? Does it mean that the defined security context should apply to all URLs matching the pattern? Or does it mean that this URL shall be called to get the user details?
My code is exactly the same as the one in the post; however, after I fill in the dialog box with the user credentials, scopes, etc., I get "Auth ErrorTypeError: Failed to fetch", and whatever I do I can't get any useful log message.
It might have something to do with CORS, as the HTTP filters, which are called when I'm doing Postman tests, aren't called in this case.
Any suggestion please?
Many thanks in advance.
Kind regards,
Nicolas
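For reference, this is a complete springfox configuration of the kind the linked post describes: the security scheme declares the password grant, and the SecurityContext binds that scheme to every operation whose path matches /user/**, so Swagger UI attaches the obtained bearer token only to those operations. This is an added example, not the original poster's code; it assumes springfox 2.9 and a placeholder token endpoint, scheme name and scopes.

```java
import java.util.Arrays;
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import springfox.documentation.builders.OAuthBuilder;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.*;  // AuthorizationScope, GrantType, SecurityReference, SecurityScheme, ...
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

@Configuration
@EnableSwagger2
public class SwaggerOAuthConfig {
    // Assumed token endpoint of the authorization server (placeholder host and path).
    private static final String TOKEN_URL = "http://localhost:8080/oauth/token";
    private static final String SCHEME_NAME = "spring_oauth";   // assumed scheme name

    @Bean
    public Docket api() {
        return new Docket(DocumentationType.SWAGGER_2)
            .select().apis(RequestHandlerSelectors.any()).paths(PathSelectors.any()).build()
            .securitySchemes(Collections.singletonList(securityScheme()))
            .securityContexts(Collections.singletonList(securityContext()));
    }

    // Password (resource-owner) grant: the Swagger UI "Authorize" dialog posts the typed
    // credentials to TOKEN_URL; a wrong URL or a missing CORS header shows up as "Failed to fetch".
    private SecurityScheme securityScheme() {
        GrantType grant = new ResourceOwnerPasswordCredentialsGrant(TOKEN_URL);
        return new OAuthBuilder().name(SCHEME_NAME)
            .grantTypes(Collections.singletonList(grant))
            .scopes(Arrays.asList(scopes())).build();
    }

    // /user/** is a path pattern, not an endpoint that is called: every documented operation
    // whose path matches it gets the scheme, so Swagger UI sends "Authorization: Bearer <token>"
    // on those operations and on nothing else.
    private SecurityContext securityContext() {
        return SecurityContext.builder()
            .securityReferences(Collections.singletonList(new SecurityReference(SCHEME_NAME, scopes())))
            .forPaths(PathSelectors.ant("/user/**")).build();
    }

    private AuthorizationScope[] scopes() {   // constructed sample scopes
        return new AuthorizationScope[] {
            new AuthorizationScope("read", "read access"), new AuthorizationScope("write", "write access") };
    }
}
```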

I confirm that the code mentioned in the article works as expected. I was mistaken while performing tests with wrong URLs, etc. Sorry for the smalltalk.
Kind regards,
Nicolas

Related

OAuth2 Login Spring Security use HTTP Post for Authorization Endpoint Request

I've been creating an OAuth2 Login application with Spring Security and have been making good progress. The Identity Provider I am working with requires that their /authorization endpoint be triggered with an HTTP POST.
I've been doing some testing and it seems that Spring Security triggers the /authorization endpoint by a GET request.
From looking at the OAuth RFC documentation, I see the following.
https://www.rfc-editor.org/rfc/rfc6749#section-3.1
The authorization server MUST support the use of the HTTP "GET"
method [RFC2616] for the authorization endpoint and MAY support the
use of the "POST" method as well.
So before I implement anything custom to trigger a POST request to the authorization server I am integrating with, I was just curious if anyone knew of a way to get Spring Security to trigger a POST for /authorization instead of a GET.
Curious if I'm missing where that functionality is supported, if at all.
Thanks for your time.
You can use Spring Security and an OAuth2 server to configure your login model, and log in through this interface:
POST:
http://your_ip:port/auth/oauth/token?grant_type=password&username=username&password=password&client_id=yourclientid&client_secret=yoursecret

PostMan client Authorization parameters are not picked up by Spring Security

I am testing my Spring Security application using the Postman client. When I change the password, update the request and fire the request, I am not getting a 401 error. Spring Security does not call the UserDetailsService. Only when I change the username to some wrong username is the UserDetailsService called and I start seeing the expected results. This might be a security issue. Is there something I am missing here?
I was able to solve the error. Setting the sessionCreationPolicy to STATELESS resolved the issue. This link talks about the issue - Link

Spring Boot Authorization Only With Spring Security JWT

I am working on securing a REST API, here is the basic set up (Happy Path) I am working with:
1) The UI will request to authenticate with another service, and this service will return a JWT to the UI.
2) Once a user of the UI is done with their work, they will make a request to the REST API that I am tasked with securing, using the JWT that is passed to me.
3) I will then ensure the JWT is legit, get the user's roles and then determine if the user is authorized to access that endpoint (perform the requested function).
I am sure this is possible, but my past experience with Spring Security wasn't dealing with JWT or authorization only.
Would it be a correct approach to implement authentication and authorization, get that working and then back out the authentication part?
Thank you for your kind help!
I suggest that you take a look at the Spring Security OAuth2 project. It makes this kind of thing fairly easy.
In particular, have a look at this section about using JWT.

Secure REST Controller through the Roles/Authorities

I don't really understand the logic of the roles/authorities in Spring Security using Spring Boot (despite the documentation).
I would like to authorise the mapped controller requests according to the logged-in user.
Could someone help me?
Thank you in advance!
The general idea is very easy: you have roles in your application, and you have users. Users have a collection of roles (which may be empty). Also, all endpoints of your application (controller methods, service methods) can be allowed to be reached only by some set of these roles (see the @RolesAllowed annotation). If you try to reach such a method (via an HTTP request, for example) and you (as a user) don't have these roles, you will be banned from getting a valid response; instead you will receive a 403 error.
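The following added example (not code from any of the answers above) puts the two points from the threads above into one configuration: sessionCreationPolicy(STATELESS), the fix reported in the Postman thread, and @RolesAllowed on controller methods, which yields 403 for a caller lacking the role. It assumes Spring Boot 2.x / Spring Security 5.x with the WebSecurityConfigurerAdapter style, HTTP Basic as the credential carrier, and two constructed in-memory users.

```java
import javax.annotation.security.RolesAllowed;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(jsr250Enabled = true)   // enables @RolesAllowed on controller methods
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()   // no cookie-based session below, so CSRF tokens add nothing here
            // STATELESS: no HTTP session is created, so every request is authenticated on its own
            // credentials and a session cookie from an earlier login cannot vouch for a later request.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeRequests()
                .antMatchers("/user/**").authenticated()
                .anyRequest().denyAll()
            .and().httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed in-memory users for the example; a real app plugs in its own UserDetailsService.
        auth.inMemoryAuthentication().passwordEncoder(encoder())
            .withUser("alice").password(encoder().encode("alice-pw")).roles("USER")
            .and().withUser("admin").password(encoder().encode("admin-pw")).roles("USER", "ADMIN");
    }

    @Bean
    public PasswordEncoder encoder() { return new BCryptPasswordEncoder(); }
}

@RestController
class UserController {
    @GetMapping("/user/me")
    @RolesAllowed("USER")     // Spring prepends ROLE_, so this matches roles("USER")
    public String me() { return "any authenticated user"; }

    @GetMapping("/user/admin")
    @RolesAllowed("ADMIN")    // alice (USER only) gets 403 Forbidden here; admin gets 200
    public String admin() { return "admins only"; }
}
```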
I used the following as a reference to add Spring Security to a REST-based application. I hope this helps others as well.
http://www.baeldung.com/securing-a-restful-web-service-with-spring-security
There is a link with sample code to take inspiration from.
The idea is that in REST we don't redirect, so we disable these redirections for login and provide alternative HTTP responses instead.

Need for RestApi authentication

Developed a REST API using Java/Spring MVC.
Can we provide authentication for a REST API? If yes, how?
Now I am struggling with authentication for the REST API. Can anyone send some examples regarding the same?
Accessing the REST API through AJAX requests.
Since you are already using Spring, you can use Spring Security to provide security-related functionality. This can give you a one-stop solution for your security needs. Common security mechanisms for REST APIs (basic, digest) and features are supported out of the box, and it's very easy to add your custom security too. For a starting tutorial you can have a look here