I have created a sample SOAP Web Service project (spring boot) and trying to integrate Okta as a resource server for authentication.
I am able to deploy the application to WebLogic, but when testing the service using SOAP UI, it gives the response even when there is no Token included in the header.
When I access WSDL from a browser using my wsdl url, http://myhost:port/appservice/app.wsdl I see the 401 error, so I think it is picking up the Security config changes. But it is not working for SOAP requests, I would get response even with out Okta token.
Is it because for SOAP requests, do I need to include any interceptors on top of Security Config java file. Or am I taking a wrong path for security with SOAP. Can someone let me know what am I missing or point me to right direction. Is token validation part of WS-Security? or the authentication manager in Okta resource server enough for this?
I followed this documentation to create it.
I have read most of the SO questions related to this and spring documentation, but could not connect the missing dots. Please help me with this. After spending lot of time, I felt like I was moving in circles.
UPDATE:
I have enabled spring security debug logs by doing below
#EnableWebSecurity(debug=true)
logging.level.org.springframework.security.web.FilterChainProxy=DEBUG
UPDATE2:
I haven't made any big changes to my configuration, but when I ran the project on embedded tomcat locally, it started working. To run on Tomcat, I changed packaging from war to jar, excluded Tomcat in my POM and in my Main class, I had to remove the SpringBootServletInitializer and WebApplicationInitializer. That's it. I tested SOAP UI with the Okta bearer token and it gave me response. With out the token it did not give me response.
Spring Security not working only in case of WebLogic12c. I don't know what I am missing to include for that to work in WebLogic. when deployed through Tomcat, request is passed through all the beans in Security Filter Chain {
WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter,
LogoutFilter,
BearerTokenAuthenticationFilter,
RequestCacheAwareFilter,
SecurityContextHolderAwareRequestFilter,
AnonymousAuthenticationFilter,
SessionManagementFilter,
ExceptionTranslationFilter,
FilterSecurityInterceptor}
But on WebLogic, the request is passed only through first four beans in Security Filter Chain {WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter}
I just wanted to update the alternate solution I found for this problem, for completeness.
Spring Security Filter chain was not working for Weblogic, where as same was working in Tomcat, even for Weblogic version 12.2.1.4.
I had followed this example, and implemented Okta filter as spring boot version was not working in Weblogic 12.2.1.4.
Thanks to #Toerktumlare, I have implemented logging with logback-spring.xml
I am having trouble as I have a sample app working with spring-boot and primefaces but can't manage to build a rest endpoint. I know there must be a configuration thing to be done between DispatcherServlet and FacesServlet but I still can't discover it. Can someone provide an example ?. I understand I could set each servlet to start working on a different path but its like being a turkish in the fog...
I have upgraded some micro services that talk to each other from Spring Boot 1.5.3 to 2.3.5.
Now when my micro service A calls micro service B, the call fails with the following status
on the network tab of chrome's developer tools (blocked:mixed-content)
I am not sure what has changed that I start getting this error.
In browser's console I get the below error:
Mixed Content: The page at 'https://gateway-url/my-endpoint' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://micro-service-b-url/login'. This request has been blocked; the content must be served over HTTPS.
The strange thing is that there is no end-point /login in my entire codebase.
I am unable to understand this behavior after springboot upgrade.
Any guidance on how spring boot upgrade led to this error and possible resolution is appreciated.
Note: I found some answers that suggest using the below code to resolve this
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
but looks like it doesn't work with all browsers and I am not sure if its safe to use this solution in terms of security.
Understood the issue and found the solution.
Looks like the security hooks used in SpringBoot 1 are deprecated in SpringBoot 2.
So in my micro-service B the below config in properties file wasn't working after upgrade
security.basic.enable: false
security.ignored=/**
as a result SpringBoot 2 was enforcing default security config on micro-service B and calls to micro-service B through gateway were being redirected to web-sso login which resulted in the mysterious /login endpoint being called.
The solution was to disable default security. I did the below steps:
1. Removed deprecated hooks from properties file:
security.basic.enable: false
security.ignored=/**
2. Disabled default security using below config
#SpringBootApplication(exclude = { SecurityAutoConfiguration.class,
ManagementWebSecurityAutoConfiguration.class })
public class MyApplication extends WebMvcConfigurerAdapter{
Note: I had to exclude ManagementWebSecurityAutoConfiguration.class because the micro-service was using SpringBoot actuator
I have a spring boot rest application working fine on Tomcat.
My goal was to deploy the same on weblogic. I have followed the steps mentioned on spring site here
I don't have a web.xml file in the project.
After deployment I ran into this error.
java.lang.IllegalStateException: No thread-bound request found:
Are you referring to request attributes outside of an actual web request,
or processing a request outside of the originally receiving thread? If you are actually operating with
in a web request and still receive this message, your code is probably running outside
of DispatcherServlet/DispatcherPortlet: In this case, use RequestContextListener
or RequestContextFilter to expose the current request.
at org.springframework.web.context.request.RequestContextHolder.currentR
equestAttributes(RequestContextHolder.java:131) ~[spring-web-4.3.13.RELEASE.jar:
4.3.13.RELEASE]
The same requests work fine in tomcat. I am not sure if I need to include a web.xml file with ContextLoaderListener. But I wonder how it's not a problem in tomcat container.
I have a simple web app running BlazeDS 4 running on JBoss AS 7.1. I'm trying to add resteasy but there seems to be issues connecting when creating a rest call. I think that BlazeDS is somehow blocking rest from being used. When I create a separate project with rest it works as expected, but when added to my existing project the following error is shown in the logs.
(with blazeds)
13:48:12,459 ERROR [org.springframework.flex.servlet.MessageBrokerHandlerAdapter] (http-localhost-127.0.0.1-8080-1) Received invalid request for endpoint path '/rest/hello'.
This is what appears when the call is successful (w/o blazeds)
13:52:00,914 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (http-localhost-127.0.0.1-8080-1) Deploying javax.ws.rs.core.Application: class rest.JaxRsActivator
For reference here is the example I followed
RestEasy Jax-RS in Jboss 7.1 doesn't work
Any help would be appreciated
I found that by creating a mvc with spring I am able to create rest calls.
I followed the testdrive tutorial that comes prepackaged when downloading spring.
Here is the documentation
http://static.springsource.org/spring/docs/3.0.0.M3/reference/html/ch18s02.html