First Question :
Spring Security OAuth2 Implemented in a single project having Authorization and Resource Server, getting access token on postman successfully, I already have implemented zuul as a seperate microservice and able to access different different microservice with the same port number. But What I am trying to implement, How will I Make use of Zuul Proxy in context to Spring Security OAuth2 ? How will I integrate Zuul Proxy with Spring Securtity OAuth2 ?
Second Question :
How to create a custom controller in Spring Security OAuth2 ? Please give your valuable suggestions ? Thanks in Advance
Related
I have multiple Spring boot micro-services deployed to kubernetes. Im also using Spring Gateway & Eureka Discovery.
Those micro-services are secured with Spring Security and require JWT token for access to the endpoints. Im using #PreAuthorize methods etc.
It all works fine when I'm accessing those endpoints from frontend application that is sending JWT token in request,
but, I can't bypass that security in service-to-service communication via FeignClient.
Ideally, my micro-services wouldn't need token at all to call other micro-service's methods via FeignClient. But I still need that security when endpoints are accessed from frontend or when requests are coming from Spring Api Gateway.
Do you know some elegant solution to this problem?
I was thinking about adding another pair of endpoints that don't have security annotations (#PreAuthorize) and somehow disable access to those endpoints on Spring Api Gateway, so they cannot be accessed from outside, but only directlly by one of the micro-services.
I have the below microservice architecture(spring boot ,java). I want to implement OAUTH2 JWT security at ZUUL gateway only and not replicate the security code in microservices .
let say Microservice 1 has rest end point http://localhost:8080/microservice-1/get/person then i should not have any security code in Microservice 1 but still at the same time no one should be able to access the Microservice 1 rest end point directly without passing JWT tokens but it should only be accessible via ZUUL.
You can use WebSecurityConfigurerAdapter class in your Zuul gateway and configure the security for each route.
This is an excellent example for you
https://medium.com/#bharatrajmeriyala/spring-cloud-security-with-netflix-zuul-2ef04a1dcfb
Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:
Web application - React based front-send that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.
Server 2 Server coomunication - A server that need to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.
There are few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is a "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?
As for using the Spring Bood adapter, the only configuration necessary is the following:
keycloak:
bearer-only: true
auth-server-url: your-url
realm: your-realm
resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints but it's a bit more flexible to either use httpSecurity or #EnableGlobalMethodSecurity which we're doing with e. g. #Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc.: Some of certified OpenID client libs even propose features to ensure user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has same features.
Keycloak adapters for Spring are now deprecated. You can refer to this tutorials for various resource-server security configuration options. It covers uses cases from most simple RBAC to building DSL like: #PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
I want to secure different Spring boot rest APIs using OAuth2 authorization server.
What is the best solution to achieve this?
I can build REST services with spring-security-oauth2
I can build website security with spring-security
And as you know, oauth2 has oauth-server, resource and client side. But I cannot put them together. I want to know how to build oauth2 website that I can login(session) with browser and I can use it as secure REST services(with access token). Any help? Thanks very much.
I'm not expert in Spring, but Spring security examples link has some examples how to implement OAuth2.0 servers and resource servers.