I am developing an application consisting of RESTful services communicating over HTTP. Spring Boot is providing the underlying support.
As part of my investigations, I am currently working with a known working example of a RESTful client and server that uses HTTPS/SSL/TLS ( https://github.com/indrabasak/spring-tls-example ). I have managed to successfully build, run the example and verify that it works.
Part of the client security configuration code involves setting up basic authorization on a org.springframework.boot.web.client.RestTemplateBuilder.
I am under the impression (perhaps incorrect) that authentication is not required. Am I right or wrong in this assumption?
I have been experimenting with trying to remove the authentication and when I run the example, the server emits output indicating that the action is "Unauthorized". On the client side, I get a 201 response (for a POST), but the JSON data does not contain the data I expect.
Related
I'm writing a custom client for an existing framework but in a different language than the supported client. Now I would like to intercept the traffic of the existing client-server connection to get a better grasp of the API intrinsics, which is always quite tedious if you have to extract it from the code alone. I had a look at postman but it doesn't seem to allow interception of websocket messages (https appears to be possible thorugh postman interceptor. Is there a similar tool for websockets?
Basically what I'm looking for is just a relay that forwards every request as-is to the server and vice-versa for the response.
There is a Spring Boot app running on a host, it exposes number of REST endpoints. One of these endpoints is providing sensitive information.
On the same host resides a client app, over which I have no control.
1 - Is there any way using Spring Security to limit access to the endpoint in question, based on client's port?
I cannot change anything in the client app, since it is a 3rd party app.
2 - is there any other way to limit access based on ports, like iptables rules?
No, it seems like it is not possible to limit access to endpoint based on the port of the caller, only using Spring Security.
Spring Security Doc
1 - However, using Spring Security one can limit access, based on the IP that the request is made - here.
2 - Also one can get the HttpServletRequest request object in the controller method and get the port that the request is made from, like:
request.getRemotePort();
//IP is also available
//request.getRemoteAddr();
=> in the end what I need is doable.
I'm working on a PoC of a system where a mobile app client needs to be connected on a server with communications going both ways : either for updating the server or being updated by it. There is no client-to-client communications for the moment.
The client logs in the server via an HTTPS/POST method and gets back a token if the credentials are OK. This token is to be used by any further communication in order to authenticate the user. The reason why I'm using HTTPS for logging in is that there also is a web interface for other purposes.
I could not find a tutorial or documentation that explains how to implement this use case with channels based on websocket transport. All I found so far are either partial and focus on some specific aspects (eg authentication, setting SSL/TLS, etc) and assume the reader already knows the rest or are the over simplified implementations of the chat app. I'm sure I'm not looking at the right place...
My questions are:
What would be the list of callback to implement this use case on
either side
On the server: how does a process send notifications to the
client
NB: I'm using Elixir 1.5.1 and Phoenix 1.3
From the Phoenix guide:
Each Channel will implement one or more clauses of each of these four callback functions — join/3, terminate/2, handle_in/3, and handle_out/3.
The page I linked contains also an MCVE of sockets running on Phoenix. In the bottom there are examples of how the server-client communication is done.
The only thing to apply this to your use-case would be to use one of authentication libraries (e.g. Überauth that comes with great examples) to handle token on each subsequent connection request.
I am working on a distributed web application using Spring Microservices design pattern where individual services are running on different ports like -
Product Management - domain:8500
User Management - domain:8501
Now If the user calls User Management by opening the URL "domain:8501/some_url" which internally calls Product Management i.e. "domain:8500/some_other_url" and also assume that certificate is self-signed i.e. for the browser, the CA is unknown and hence the exception needs to be manually added in the browser.
In this case, while Chrome works fine, Firefox and IE also probably adds the exception for domain with port and hence for internal call as well it waits internally for the security exception to be added.
As a result, my API calling is failed. Is this a Firefox behaviour or I am doing something wrong?
AJ
Try either using an API gateway or a proxy. You can use Zuul for a proxy. Please go through Zuul starter.
You can even do some more interesting things by having a proxy. Like:
Implementing Security: Implement Validation & Verification as security check over the proxy and can avoid the same over other microservices.
Response Handling: You can alter a generic response from your microservices in proxy for the client(Web/Mobile Browser/Mobile App)
Hope this helps.
Is there any way in spring where I can POST the requests to another domain from My controller? I have parameters which I need to pass in POST from the controller to another third party domain, is this possible?
What you probably want is for your server to act like a HTTP client and send some data via HTTP POST to a third server:
Your web app client ---> Your web server ---> Another web server
If that is indeed what you need, yes, it is possible. The fact that your application is a web server itself isn't important, although it can be confusing - it's easier to think about it as if you wanted to post the data from an ordinary command-line Java application.
One of the many tools that can help you is Apache HttpClient.