I configured a service with oauth2Login.
User is redirected to Authorization Endpoint - /oauth2/authorization/{registrationId} when he/she is not authorized.
I would like to customize redirection in a way that it takes into account path prefix, since application is accessible trough prefix /api/myapp/.
From the source code I can see that there is OAuth2AuthorizationRequestRedirectWebFilter during Spring Security setup and this filter is using DefaultServerRedirectStrategy which decides if location is relative or not. Moreover it uses a contextPath which is hard to set when using Spring Boot.
Unfortunately I don't know how to override default behavior to make redirect relative.
I don't need to modify contextPath. Instead I've registered ForwardedHeaderTransformer as a bean.
This transformer is able to retrieve headers set by proxy (X-Forwarded-Prefix) and sets context path for request correctly.
Related
I have am application that has a context-root set (property: quarkus.http.root-path).
Using quarkus-resteasy-reactive-jackson, a resource was created with a #Path annotation.
Now I want to generate OpenAPI documentation for my resource.
As I want to deploy this into a API gateway, I require a server property with a context root in the swagger.
I added a server entry using the mp.openapi.servers property.
The problem now appears that when there is a root-path property, the generated swagger resource path includes this root path, e.g.
quarkus.http.root-path=/sample
mp.openapi.servers=http://localhost:8080/sample
Resource annotated with #Path("resource")
It seems that the resource path includes the root-path.
So importing this swagger into the API gateway (or just clicking on the Try button), results in a url of http://localhost:8080/sample/sample/resource being attempted which ofc does not exist.
Is there a way to not to add the root-path to the resource endpoint in swagger? (I tried using mp.openapi.extensions.application-path.disable=true, but this had no effect)
I managed to get past this by doing the following:
dont set quarkus.http.root-path
quarkus.rest.path=/sample
quarkus.http.non-application-root-path=/sample/q
mp.openapi.servers=https://localhost:8080/sample
So just want to know if anyone know of a better way of doing this?
I have an issue integrating swagger-ui (swagger2) into my spring-boot application. It seems as though the default location for swagger-ui being on the root is conflicting with an endpoint.
For example, my base path is foobar (full url: locahost:8080/foobar/). One of my endpoints has a path variable that can be any number (making the endpoint url: localhost:8080/foobar/{number} or localhost:8080/foobar/123 as an example). This seems to conflict with swagger-ui.html, as when I then try to hit locahost:8080/foobar/swagger-ui.html, spring complains, thinking 'swagger-ui.html' is the path variable for that endpoint.
I was curious if there was a way to define an explicit mapping for swagger-ui, so that spring won't think that I'm just inputting a path variable to the other endpoint? I ideally don't want to modify the foobar/{number} path at all, and would like to either make an explicit mapping for swagger-ui, or change the path for swagger-ui itself. Any help is appreciated. Thanks!
What is the purpose of having
security.basic.path=/any-secured-path/**
this setting in application.properties?
It seems that Basic Auth is not kicking in automatically accessing this url (or suburls).
The security.basic.path starts after context path. So no matter what the context path is, just set the protected path after that. For example, the full url is /mycontextpath/pathA/pathB, if you want to have /pathB to be protected, just set security.basic.path=/pathA/pathB. If context path is / only, you should still set security.basic.path=/pathA/pathB.
I'm using a Filter in a Spring Boot web application to log all my user requests to a database. One of the things I'd like to log is the username, but when I try to get the current user using:
SecurityUtils.getSubject().getPrincipal()
I get the following error:
No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
What do I need to do so that my Filter is able to retrieve the current user?
You need to have at least one url defined for your filter mapping:
https://github.com/apache/shiro/blob/1.4.x/samples/spring-boot-web/src/main/java/org/apache/shiro/examples/WebApp.java#L96-L101
And of course the Shiro servlet filter configured (which I'm guessing you already have)
Take a look at the above example.
we have existing web application built with Spring security 3.1 ,Wink(for rest)
we now need to add oauth2 (client_credentials flow) for several resources, i looked into many examples and all of them using the Http namespace configuration along with spring dispatcher servlet (which we didn't have till now)
problem is that http namespace is creating a springSecurityFilterChain which we already had in the application , so first thing i renamed the existing filter so the default could co-exist with the old one.
but this does not work, its either the existing chain working for requests or the new one.
i have tried the following already
1. disabled dispatcher servlet context by giving empty config location (in web.xml)
2. tried to have the oauth configuration in application-context.xml (right to the existing FilterChainProxy)
3. Allow the /oauth/token in existing chain by setting its filter to none (so the new can take over)
4. tried to declare the oauth filters in the existing chain but there was a problem with its not getting the right clientAuthentication
i really don't know what else to try - so the question is : is it possible to have both declared in the same webapp ? or is it possible to declare oauth2 configuration in the old fashion.
thanks
Shlomi
I managed to do that eventually, having the API (protected with oauth) completey separated url from the rest of the application.
so the Http namespace is creating the springSecurityFilterChain bean and the others just have different bean names. everyone is delegated through the DelegatingProxy in web.xml
i needed to puth the API URL prefix in other chains and allow all requests through , leaving the oauth security chanin to deal with security.
(i.e filter-chain pattern="/api/**" filters="none)
regarding the spring oauth2 bounded to spring MVC so tight i think is not a good implementation.
the mapping of the dispatcher servlet cannot be for /* but have to be something like /auth/*
so a special filter inherit from ClientCredentialsTokenEndpointFilter with special path like super("/auth/oauth/token") was needed.
it also cannot be /api/* since this is the real API URI mapped by our rest framework (wink RestServlet)
so we have something like this
http://server:port/context/auth/oauth/token
http://server:port/context/api/someresource (protected with oauth2)
http://server:port/context/rest/someresource (old rest for application)
Shlomi