We already have security configuration present in our application and we would like to use the same for security Activiti's rest services as well. I have tried to search around the internet but couldn't find a direct way to disable activiti's authentication configuration.
Spring version: 4.x
Aciviti version: 5.x
web.xml config:
<listener>
<listener-class>org.activiti.rest.servlet.WebConfigurer</listener-class>
</listener>`
You can disable Activit REST API basic authentication by adding below code to any configuration class:
#EnableAutoConfiguration(exclude = {
org.activiti.spring.boot.RestApiAutoConfiguration.class,
org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
org.activiti.spring.boot.SecurityAutoConfiguration.class,
org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class
})
If you are not using Spring boot, you can follow this blog.
Related
With a Spring Boot client configured in the DMZ and Spring Security OAuth configured using:
issuer-uri: https://authentication_server/auth/realms/my-realm
I get this error from Spring Security:
The Issuer "https://external_url/auth/realms/my-realm" provided in the configuration metadata did not match the requested issuer "https://authentication_server/auth/realms/my-realm
From this post I have learned that I need to specify authorization-uri, token-uri and jwk-set-uri instead of issuer-uri, and then it also works.
authorization-uri: https://external_url/auth/realms/my-realm/protocol/openid-connect/auth
token-uri: https://authentication_server/auth/realms/my-realm/protocol/openid-connect/token
jwk-set-uri: https://authentication_server/auth/realms/my-realm/protocol/openid-connect/certs
(I do not get why Spring Security cannot auto-configure with the same values from the issuer-uri when it works setting the values individually)
Now the problem is that logout stops working. When using issuer-uri the OAuth is auto-configured and end_session_endpoint is fetched from the answer, but when specifying each setting there is no way to specify the end_session_endpoint.
Is this an outstanding issue in Spring Security OAuth, or do I need to configure it differently?
I had to make a work around for this. With little time I started by copying the existing OidcClientInitiatedLogoutSuccessHandler which I already were using in configuring LogoutRedirectUri.
I simply copied the class and changed the implementation of the method endSessionEndpoint() to return the URI which is returned by our OAuth server as end_session_endpoint.
This issue is tracked in spring-security GitHub.
Probable fix will be allowing to add "Additional attributes for ClientRegistration and ProviderDetails".
I've got a Spring Boot Admin application which uses a Kubernetes Service Discovery to get the Spring Boot client applications.
spring:
cloud:
kubernetes:
discovery:
all-namespaces: true
service-labels:
springbootadmin: true
reload:
enabled: true
period: 60s
strategy: refresh
Without secured actuator endpoints this works fine.
But as soon as the client actuator endpoints are protected by basic auth this does not work any more. The Spring Boot Admin Documentation describes how to add the authentication data to the Spring Boot Admin Server bit it does not describe how to provide this when the services are discovered via Kubernetes.
I've tried these configurations. But they don't work:
Spring Boot Admin Docs: spring.boot.admin.instance-auth.default-user-name + password
Spring Boot Admin Tutorial spring.boot.admin.client.instance.metadata.user.name + password
I also found an answer which describes how to configure the credentials in the Kubernetes annotations. This works but I would prefer to configure the credentials in the Spring Boot Admin configuration (where I can use Secrets) and not separately for each service in the Kubernetes configuration as an unsecure label.
I think I have to inject the credentials in the Service Discovery metadata. But how?
EDIT
I've examined the service discovery and found no auth configuration options which could be provided:
class KubernetesDiscoveryProperties.Metadata
class de.codecentric.boot.admin.server.cloud.discovery.DefaultServiceInstanceConverter
It might be an option to add a custom header to the requests that are sent by SBA to the clients:
#Bean
public HttpHeadersProvider customHttpHeadersProvider() {
return (instance) -> {
HttpHeaders httpHeaders = new HttpHeaders();
httpHeaders.add("Authorization", "Basic bXlTcGVjaWFsVXNlcm5hbWU6bXlTcGVjaWFsUGFzc3dvcmQ=");
return httpHeaders;
};
}
The authentication can be set by these settings:
spring:
boot:
admin:
instance-auth:
default-user-name: user
default-password: pw
These settings are read by the Configuration Class AdminServerInstanceWebClientConfiguration which instantiates a bean basicAuthHttpHeadersProvider.
Im using spring boot 2.3.2.RELEASE with spring-cloud-config-server 2.2.4.RELEASE. Im trying to implement the spring-doc-openapi (1.4.3) in a existing project. If i add #EnableConfigServer in one the configuration class file, the swagger-ui.html endpoint returns a weird json:
"name":"swagger-ui",
"profiles":[
"index.html"
],
"label":null,
"version":null,
"state":null,
"propertySources":[
]
}
and not the the swagger ui as expected. Im not sure if its a bug, but would appreciate any kind of help.
Not sure if its relevant to add the springdoc dependency on spring cloud config server, unless you need to explore some APIs on the config server it self.
Here is the link of a fully working example using springdoc with config server:
https://github.com/springdoc/springdoc-openapi-demos/tree/master/sample-springdoc-openapi-microservices
And this is the link of a blog which explains the natural usage with microservies and spring cloud modules:
https://piotrminkowski.com/2020/02/20/microservices-api-documentation-with-springdoc-openapi/
Answer from #brianbro seems not to be working anymore...
Verified on: springdoc-openapi v1.6.6 and org.springframework.cloud:spring-cloud-config-server:v2.2.4.RELEASE
Here is how I solved it:
List item spring.cloud.config.server.prefix=config-server - please note that any request to config server will require to add prefix!
Add following bean (sample implementation in Kotlin)
#Bean fun configServerApi(): GroupedOpenApi =
GroupedOpenApi.builder()
.group("Config server")
.pathsToMatch(
"/config-server/**"
)
.build()
Now you should be able to reach swagger ui :)
While updating my Spring Boot application to the latest build snapshot and I am seeing that none of the actuator endpoints are enabled by default. If I specify them to be enabled in application.properties, they show up.
1) Is this behavior intended? I tried searching for an issue to explain it but couldn't find one. Could somebody link me to the issue / documentation?
2) Is there a way to enable all the actuator endpoints? I often find myself using them during development and would rather not maintain a list of them inside my properties file.
Two parts to this answer:
"Is there a way to enable all the actuator endpoints?"
Add this property endpoints.enabled=true rather than enabling them individually with endpoints.info.enabled=true, endpoints.beans.enabled=true etc
Update: for Spring Boot 2.x the relevant property is:
endpoints.default.web.enabled=true
"Is this behavior intended?"
Probably not. Sounds like you might have spotted an issue with the latest milestone. If you have a reproducible issue with a Spring Boot milestone then Spring's advice is ...
Reporting Issues
Spring Boot uses GitHub’s integrated issue tracking system to record bugs and feature requests. If you want to raise an issue, please follow the recommendations below:
Before you log a bug, please search the issue tracker to see if someone has already reported the problem.
If the issue doesn’t already exist, create a new issue.
Even if we enable all the actuator endpoints as below
management.endpoints.web.exposure.include=* (In case of YAML the star character should be surrounded by double quotes as "*" because star is one of the special characters in YAML syntax)
The httptrace actuator endpoint will still not be enabled in web by default. HttpTraceRepository interface need to be implemented to enable httptrace (See Actuator default endpoints, Actuator endpoints, Actuator httptrace).
#Component
public class CustomHttpTraceRepository implements HttpTraceRepository {
AtomicReference<HttpTrace> lastTrace = new AtomicReference<>();
#Override
public List<HttpTrace> findAll() {
return Collections.singletonList(lastTrace.get());
}
#Override
public void add(HttpTrace trace) {
if ("GET".equals(trace.getRequest().getMethod())) {
lastTrace.set(trace);
}
}
}
Now the endpoints can be accessed using the url,
http://localhost:port/actuator/respective-actuator-endpoint
(Example http://localhost:8081/actuator/httptrace)
If there is a management.servlet.context-path value present in properties file then the URL will be,
http://localhost:port/<servlet-context-path>/respective-actuator-endpoint
(Example http://localhost:8081/management-servlet-context-path-value/httptrace)
UPDATE: use this only in dev environment, not in production!
Is there a way to enable all the actuator endpoints?
Using Spring Boot 2.2.2 Release, this worked for me:
On the file src/main/resources/application.properties add this:
management.endpoints.web.exposure.include=*
To check enabled endpoints go to http://localhost:8080/actuator
Source: docs.spring.io
My Spring Boot application works on Spring Security 3.2.7.RELEASE.
Now, I'd like to update it to 4.0.2.RELEASE.
After hours of debug I have found that Spring Security 4.0.2.RELEASE uses defaultRolePrefix="ROLE_"
in
org.springframework.security.access.expression.SecurityExpressionRoot.hasAnyAuthorityName(String prefix, String... roles) method
In my application I use roles without this prefix and accordingly I get AccessDeniedException.
How to configure Spring Boot in order to use SecurityExpressionRoot.defaultRolePrefix="" ?
I found the solution how to fix it. I need to change hasRole to hasAuthority, for example:
#PreAuthorize("hasAuthority('PERMISSION_CREATE_NODE')")
In the other hand you can remove role prefix ass described here. In this cas you are free to use other annotations.