Securing a Spring boot api rest service - spring

I have a spring boot api secured with spring basic security. I call the api from another application. So I currently have the password in plain text in the application.yml files of my api and also the application.yml file from which I am calling the service.
How can I avoid having it in plain text in the yml? Is there a way to have an encrypted password in both yml files?

I ended up using Jasypt (Java Simplified Encryption). This was very helpful

Related

Is there any way to decrypt encrypted properties in Spring Cloud config Server in other projects?

For example, I want to decrypt "test" = "{cipher}asdasdasd" without using the crypto endpoint of the Spring Cloud server.
Thank you in advance for your reply.
If you are using a Spring Boot application as a client, it's easy, just add
encrypt:
  key: your_key
to bootstrap.yaml and Spring will handle everything else.
Problems appear when you have other clients.
Then you can try to find some libraries or create your own: Example for TypeScript
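An added example, not from the post or from Spring Cloud, of resolving a {cipher} value on the client side without calling the server's decrypt endpoint. It assumes the server uses its default symmetric scheme, Spring Security's Encryptors.text with the same encrypt.key and the default encrypt.salt of deadbeef (not the "strong" GCM mode); the class and method names are this example's own.

```java
// Added example: decrypt "{cipher}<hex>" values from Spring Cloud Config outside the server.
// Assumption: default symmetric scheme = Encryptors.text(key, salt) (AES-256-CBC, PBKDF2-derived key,
// hex output with the random IV prepended), same encrypt.key, default encrypt.salt "deadbeef".
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;

public final class CipherPropertyDecryptor {
    static final String PREFIX = "{cipher}";
    private final TextEncryptor encryptor;

    CipherPropertyDecryptor(String key, String saltHex) {
        // Same construction the Spring config client uses for a symmetric key (see assumption above).
        this.encryptor = Encryptors.text(key, saltHex);
    }

    // Returns plaintext for "{cipher}..." values; anything else passes through unchanged,
    // mirroring how Spring only decrypts prefixed properties.
    String resolve(String rawValue) {
        if (rawValue == null || !rawValue.startsWith(PREFIX)) {
            return rawValue;
        }
        return encryptor.decrypt(rawValue.substring(PREFIX.length()));
    }

    public static void main(String[] args) {
        // The key comes from the environment, never from a committed file.
        String key = System.getenv("ENCRYPT_KEY");
        if (key == null || key.isEmpty()) {
            throw new IllegalStateException("ENCRYPT_KEY must be set in the environment");
        }
        CipherPropertyDecryptor decryptor = new CipherPropertyDecryptor(key, "deadbeef");

        // Constructed sample: produce a value the way the server's /encrypt endpoint would.
        String stored = PREFIX + Encryptors.text(key, "deadbeef").encrypt("db-password-123");
        System.out.println("stored in repo : " + stored);
        System.out.println("resolved value : " + decryptor.resolve(stored));
        System.out.println("plain passthru : " + decryptor.resolve("not-encrypted"));
    }
}
```

Each run produces a different ciphertext because the IV is random, so compare decrypted values rather than ciphertext strings.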

Separate spring authenticator server from resource

I'm new to Spring Security.
I want to know if it's possible to have a JWT authentication server separate from the resource server.
If possible, I need a working example.
Thanks!
You could find an example with Oauth2 and Spring Boot 2.1.9.RELEASE here:
https://github.com/buddhiprab/springboot-oauth2-separating-authorization_server-and-resource_server
All the explanation of this example is here: https://medium.com/#buddhiprabhath/spring-boot-oauth-2-0-separating-authorization-service-and-resource-service-1641ebced1f0
This is done with the client-credentials flow from OAuth2.
Here is another example using password flow:
https://www.javainuse.com/spring/springboot-oauth2-password-grant
Here's an example that shows a separate auth and resource server. This is from Joe Grandja, who is one of the primary authors of Spring Security:
Old way; Spring Security version 5.1 or earlier with separate spring-security-oauth library: https://github.com/jgrandja/spring-security-oauth-2-4-migrate
New way; Spring Security 5.2+: https://github.com/jgrandja/spring-security-oauth-5-2-migrate
Thanks everyone! I'm starting to understand how it works! I want to integrate JWT now!

Spring Boot & JAAS

I have an existing legacy SOAP webservice that runs on Tomcat and uses JAAS(Java authentication & authorization service) for user authentication. I would like to convert this to a SOAP service which runs on Spring boot. I also want to continue with the JAAS configuration for security. How can I integrate JAAS with Spring boot?
Any pointers are appreciated.

I would like to integrate Keycloak with Spring Boot 2 and Swagger

Now, I use Spring Boot version 2.0.0.RELEASE and Swagger version 3.1.6 and Keycloak from JBoss. I would like to know how to configure application.yml so that Swagger can get an access_token from Keycloak.
Thanks for your help
An initial decision to make is whether to say that the user accessing the swagger page needs to have an access token (i.e. the url pattern for swagger is secured and the user has to log in to get to swagger) or you exclude the swagger URLs from keycloak so that its UI can be accessed without needing a token.
If you're using the keycloak spring boot adapter then the URL patterns to secure (and which roles are required to access them) are configured in the application.yml or application.properties file as security-constraints. As properties an example is:
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/customers/*
This could be translated to yaml as:
keycloak:
  security-constraints:
    - authRoles:
        - user
      securityCollections:
        - patterns:
            - /customers/*
(Real yml example at https://github.com/codemonkeybr/skip/blob/master/skip-cart/src/main/resources/application.yml#L29 )
Anything not covered by security-constraints is not restricted. There's a similar way of doing this with Spring Security if you're not using the official Keycloak adapter - normally then you do it in a SecurityConfiguration java class.
Then you face decisions based on your chosen oauth2 flow and whether you use the 'try it out' feature. You can display descriptions without necessarily needing a token but 'try it out' does need a token. That yaml example above also has a way of telling swagger the token issuer url:
swagger:
  auth:
    token-url: ${keycloak.auth-server-url}/realms/${keycloak.realm}/protocol/openid-connect/token/
    client-id: skip-local
That config is read by a java swagger configuration class and is part of a whole example that you could run. This specific question of how to configure swagger to work with an oauth2 token is not specific to keycloak and is general swagger-oauth2 configuration for which there is a guide at baeldung and there's an example using a different mode in Keycloak integration in Swagger

how to encrypt application.properties in spring boot

Spring uses application.properties as the configuration file, and I have created a new app which is all working well except for the spring.database.password, which does not meet the security requirements in my company. Is there any way to encrypt the password? Is there any example for me?
You could use jasypt to handle the encryption and then use Jasypt's Spring integration or this Jasypt Spring Boot Starter to wire it into Spring.
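An added example, not from either answer or from the Jasypt project, covering both the first question (basic-auth password in two yml files) and this one (spring.database.password): it round-trips a secret through Jasypt so the yml holds ENC(...) and only the master password lives in the environment. It assumes jasypt 1.9.3 on the classpath and the algorithm and IV settings jasypt-spring-boot-starter 3.x uses by default; the class and method names are this example's own.

```java
// Added example: produce and consume ENC(...) values for application.yml with Jasypt.
// Assumptions: jasypt 1.9.3; algorithm and IV generator as in jasypt-spring-boot-starter 3.x defaults.
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

public final class JasyptPropertyTool {

    static StandardPBEStringEncryptor encryptor(String masterPassword) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(masterPassword);                 // the one secret that stays out of yml
        enc.setAlgorithm("PBEWITHHMACSHA512ANDAES_256"); // starter 3.x default
        enc.setIvGenerator(new RandomIvGenerator());     // required for the AES-based PBE algorithms
        return enc;
    }

    // Produces the value to paste into application.yml, e.g.
    //   spring:
    //     datasource:
    //       password: ENC(base64...)
    static String encryptForYaml(String masterPassword, String plaintext) {
        return "ENC(" + encryptor(masterPassword).encrypt(plaintext) + ")";
    }

    // What the starter does at startup for every ENC(...) property; other values pass through.
    static String decryptFromYaml(String masterPassword, String value) {
        if (value == null || !value.startsWith("ENC(") || !value.endsWith(")")) {
            return value;
        }
        return encryptor(masterPassword).decrypt(value.substring(4, value.length() - 1));
    }

    public static void main(String[] args) {
        // Master password via JASYPT_ENCRYPTOR_PASSWORD (relaxed binding of jasypt.encryptor.password),
        // which the starter also reads; each app (the API and its caller) gets its own from the environment.
        String master = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (master == null || master.isEmpty()) {
            throw new IllegalStateException("JASYPT_ENCRYPTOR_PASSWORD is not set");
        }
        String wrapped = encryptForYaml(master, "db-password-123"); // constructed sample secret
        System.out.println("put in yml : " + wrapped);
        System.out.println("decrypts to: " + decryptFromYaml(master, wrapped));
    }
}
```

The ciphertext changes on every run because salt and IV are random; that is expected and does not affect decryption.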
