Sending JKS file from open app to another using Spring Stack - spring

I'm looking for the Spring project which is providing some secure capability to sending JKS file between two Spring apps. I found a Spring Cloud Config project (currently I'm using it in my apps) and I found topics with same question in internet but no one answer it. Is there any feature that can I use from this project or maybe someone know another project with this features?

There is no project that provides such capability AFAIK. You could serve the JKS file as a resource which is exposed at a certain web endpoint. Add Spring Security to your project so the other application can request the JKS file over HTTPS, and maybe add basic authentication for that specific web endpoint so others can't download it too.
Hope that helps!

Related

Is there any way to decrypt encrypted properties in Spring Cloud config Server in other projects?

Is there any way to decrypt encrypted properties in Spring Cloud config Server in other projects?
For example, I want to decrypt "test" = "{chip}asdasdasd" without using the crypto endpoint of the spring cloud server.
Thank you in advance for your reply.
If you are using Spring Boot application as a client, it's easy, just add
encrypt:
key: your_key
to bootsrap.yaml and Spring will handle everything else.
Problems appear when you have other clients.
Then you can try to find some libraries or create your own: Example for TypeScript

Spring Boot 2 Authorization Server for public clients (PKCE)

is possible create authorization server for PKCE authentication in current version of spring security?
I did research and I found out this authorization server project https://github.com/spring-projects-experimental/spring-authorization-server but there is no usable sample for that project.
I also find out that spring recommends Keycloak as authorization server, but it is not fit for my case.
We need be able fetch and verify user against remote service, and then use authorization server only for generating and verifying jwt tokens. In my knowledge Keycloak should holds also users right? So the best solution would be custom spring standalone authorization server. Is it possible in some way? Thank you!
You may have a look to this project: CloudFoundry User Account and Authentication (UAA) Server.
UAA is a (Spring MVC) component of Cloud Foundry but it could be used as a stand alone OAuth2 server. It can support external authentication service. And there is a Pull Request that implements PKCE: https://github.com/cloudfoundry/uaa/pull/939 (not yet merged, but under review).
You can find an example on how to use UAA on baeldung.com.
As far as I know, Spring framework has one more implementation of the authorization server. It is a part of spring-security-oauth project. But this project was moved into maintenance mode.
According to this migration guide, the new authorization server project (that you have already found) will be created to change the legacy solution.
From my point of view now there are several possible options:
Using old legacy spring-security-oauth. More examples with old auth server
Using external services like Keycloak, Auth0, Okta and etc

How to generate csr for a spring boot application

Problem description
I've faced a problem with setting up ssl. I need to send a csr to namecheap for registering ssl.
I went to namecheap guidline for generating csr and I found no information about spring-boot applications.
Question
Is there any way to generate it for spring-boot?
Supposed solution
As I know spring-boot uses tomcat as an application server, so probably I need to use guide for tomcat. But I'm not sure in that.
Just use the guide for Tomcat. There is nothing specific about Spring Boot that you need to worry about for an SSL certificate.

securing spring boot app with mTLS - running on Swisscom App Cloud

I have a spring boot app deployed to Swisscom App Cloud that should to be secured with mTLS.
Obviously there's spring security... Specific to Swisscom App Cloud I read about securing traffic on https://docs.developer.swisscom.com/adminguide/securing-traffic.html.
It is unclear to me how the two play together...
If I enable mTLS via spring security, would that work as is or would I need additional configuration for the Swisscom App Cloud? (I came across HTTP routing which mentions passing client certificates for mTLS https://docs.developer.swisscom.com/concepts/http-routing.html)
Is the configuration of mTLS on Swisscom App Cloud a replacement for what I would otherwise enable with spring security or would I still need to configure something within my application?
Securing traffic mentions deployment manifest and BOSH manifest, is the latter (and maybe additional) configuration needed to enable mTLS on Swisscom App Cloud (i.e. would I need to have access to configs besides the deployment manifest) ?
Update
My use case that I have a REST API that will be consumed by a client outside of Swisscom App Cloud. It was decided that it shall be secured using mTLS.
The admin guide you're referring to is meant for platform operators (i.e. Swisscom), so it's not a resource that can be leveraged by end users.
What is your use case? If it's only a security requirement to check off a list, be aware that the platform itself will be using mTLS internally soon, so the whole path up until the app container is secured. That might be enough for your auditor.
If you really need to validate client certificates by yourself, CF's way of doing so is leveraging X-Forwarded-Client-Cert (https://docs.cloudfoundry.org/concepts/http-routing.html#-forward-client-certificate-to-applications).
However, we've currently not enabled this (there was no need for it up until now), but we can do so.
Update:
According to this explanation, insertion of X-Forwarded-Client-Cert is actually done transparently by the platform. So if you add the client application's certificate to the server application's truststore, it will verify the client certificate.
Update 2:
As you can see in the discussions below, it looks like there is currently conceptually no easy way to allow apps to do proper mTLS using X-Forwarded-Client-Cert. The only option currently is using tcp routes, which is something you can request with your Appcloud support team.

Spring WS security-accessing keystore that is not on the class path

I am new to spring web services and am currently trying to implement spring-ws security for secure transport and encryption/decryption of incoming and outgoing SOAP messages. We have a keystore on our server that is installed in the conf directory under Tomcat. How do I reference that keystore in my spring web app? I'd like to avoid having to move the keystore since it will be utilized by other applications in the future. I've searched for answers most of yesterday, but all the examples I've come across put the keystore file on the class path.
I am assuming you are using WSS4J with Spring-WS, you can put any valid resource to refer to the certificate location.
eg.
<property name="keyStoreLocation" value="file://C:/tomcat/.."/>

Resources