I would like to create a simple console spring boot application which should read an URL from terminal then print its data then again read another URL and print its data and so on till pressing CTRL + C. The grant type to be used should be client credentials; the client credentials should be the same for every URL and should be conveyed to the application at startup using the spring boot Externalized Configuration capabilities. After 1th URL read the access token used in the process should be reused for the subsequent URLs; when expired/invalidated the access token should be transparently renewed/re-generated (using the refresh token if provided by the authorisation server in the 1th place or again the client credentials grant type).
The 6.6 OAuth 2.0 Client with e.g. 12.5 WebClient for Servlet Environments seems to fit the need but require to configure HttpSecurity (see 6.6 OAuth 2.0 Client) which I don't need because I'm not creating a web application but kind of a curl utility.
How would one benefit the features provided by those without having to configure HttpSecurity?
you can consider postman is a console application without http security config. I think you need to create your own login to store the token and then put it into the header for each restful call.
Related
I'm developing an app.
Front/bff/api.
I'm using an open id provider that allows to check token remotely.
The bff intercepts the front requests and sends them to the API with the jwt token in the header.
The api should ask the open ip provider if the token is correct (but remotely, not using the offline mode with the public key ).
The api is a spring boot 3.0.1 project.
How to configure security in spring boot 3.0.1 to do that check?
Thank you in advance.
You do that with access-token introspection. In spring-security conf, that means using opaqueToken() instead of jwt() (the first configures a resource-server with introspection and the second with a JWT decoder).
Be aware that token introspection is far less efficient than using a JWT decoder as a request is sent to the authorization-server for each and every request to a resource-server. Tutorial there.
I have a Spring boot application in which users can log in and their credentials would then be used to perform an AWS ADFS login.
A preconfigured role will be assumed and we'll get an access key, secret key, and session token in return. These will then be used to create the S3 client to perform file upload/download operations.
My issue is how can we perform the AWS ADFS login from the java spring boot code? Is there a library that supports it out of the box?
Also, I understand the session obtained this way is short-lived. Is there a way to refresh the session so that these tokens do not expire? Or should the whole AWS authentication, s3 client creation be done every time an upload/download request comes in?
I have a legacy desktop application that communicates with a Spring Boot server (latest version 2.2.2.RELEASE). I'm using OAuth2 for authentication (provided by spring-boot-starter-oauth2-client). I want to avoid changing the client because is a legacy application. It is capable of collecting the credentials and start the session via HTTP Basic Authentication, and then keep the cookies for the session in the following requests.
Given this scenario, I think best option is to make use the OAuth2 Resource Owner Password Credentials grant. With this, we can exchange the collected credentials by the OAuth2 Tokens. We have two options:
Option 1:
Modify the client application to use the access tokens via the Authorization header. This will require to make an initial call to the Authorization Provider to exchange the collected credentials by the tokens.
Option 2:
Keep using the Spring session and store the information about the OAuth client in the server.
I found this project ALMOST does that: https://github.com/jgrandja/spring-security-oauth-5-2-migrate. It has a client (messaging-client-password) defined with authorization-grant-type: password which will activate the OAuth2 Resource Owner Password Credentials grant in Spring Boot.
It creates an OAuth2 client and stores its information in the session, then Spring is able to use that client in further requests. The problem with this project is it seems to only work as when the OAuth client is used to make HTTP requests (e. g. an endpoint that makes a call to another service) and not provide authentication to the controller. You can find more information about this in here:
Spring Security 5.2 Password Flow
Github related issues: link1, link2, link3
Exception thrown when we try to use the password client as authentication
The natural idea to overcome this is to implement a proxy and use the OAuth2 client in the requests. Well, Spring already offers a proxy solution, the Spring Cloud Gateway. But I don't know to accomplish that with this setup.
Any insights? Am I thinking correctly or should I follow a different approach?
I have two spring boot application. One is Rest and the other one is Spring boot web MVC app which consumes the Rest. The Rest has spring security configured and I want to login/logout from the client app. The client app has nothing but view and controllers to interact with the rest api.
I am using rest template to interact with the api now.
If the client app is not secured so any other anonymous app may do the same, and this is not security, it's a sieve ...
If you want to create a custom authorization/authentication, you can create own protocol and use tokens/JWT (possibly, OpenID or other global technology) and exchange information between applications.
But there is technology to do it all centrally and reliably - OAuth2, and Spring has it 'from the box' - authorization server, resource server, client. The most advantage - multiple applications (clients), one authorization - you create one user and can authenticate it on any client with the same credentials. You can customize it with JWT, and use any data in the access token and as a consequence get any information about principle/authorization.
I am currently usingstruts, spring and hibernate in my application. I'm using CAS for authentication. The table containing the user name and password fields are mentioned in the deploymentConfigContext.xml of the CAS war file.
Using spring security how can I implement the same in my application for web services?
How is the username and password given from a client invoking my web services?
Your WS is protected by some sort of CAS filter, that is perhaps provided by Spring Security. When a request comes in, the filter intercepts and redirects to CAS login. User logs in, and they go back to the WS. Filter intercepts the request again, validates the ticket and moves onto the WS