We use Spring Cloud Config as our configuration tool. We store passwords and other sensitive things in the config Git repository. We encrypt the config using Spring's /encrypt endpoint and put the values in the config.
There is an endpoint /env which returns all the properties. The problem here is that the encrypted values are returned as plain text. Is there a way to make the endpoint return the encrypted value instead of plain text?
Disable server-side decryption by setting the following property:
spring.cloud.config.server.encrypt.enabled: false
The /env endpoint is an actuator endpoint added by Spring Cloud Config. You should take the usual steps to secure the actuator endpoints so as not to allow unwanted access.
You can set endpoints.configprops.keys-to-sanitize to whatever pattern you need. The default is password,secret,key,token,.*credentials.*,vcap_services. Keys can be simple strings that the property ends with, or regex expressions.
Refer: this
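To see what the keys-to-sanitize rule does and does not cover, here is an added Python emulation of that key-matching rule; it is not Spring's code and not part of the answer above. The default pattern list is the one quoted in the answer. The rule that a plain word becomes a case-insensitive suffix match while anything containing `*`, `$`, `^` or `+` is used as a regex is my reading of Spring Boot's sanitizer, and the property source is constructed sample data. The point it shows is that sanitization is driven by the property name, not the value: a secret that the config server has already decrypted and that lives under a neutral key such as message goes out of /env in the clear.

```python
import re

# Default keys-to-sanitize list as quoted in the answer above.
DEFAULT_KEYS_TO_SANITIZE = ["password", "secret", "key", "token", ".*credentials.*", "vcap_services"]
MASK = "******"
# Assumption: these characters are what marks an entry as a regex rather than a plain suffix.
_REGEX_MARKERS = ("*", "$", "^", "+")


def compile_pattern(spec):
    """Plain word -> case-insensitive suffix match (.*word$); regex-looking entry -> used as-is."""
    if any(marker in spec for marker in _REGEX_MARKERS):
        return re.compile(spec, re.IGNORECASE)
    # Deliberately not escaped, mirroring the ".*" + value + "$" concatenation.
    return re.compile(".*" + spec + "$", re.IGNORECASE)


def sanitize(properties, keys_to_sanitize=DEFAULT_KEYS_TO_SANITIZE):
    """Return a copy of the property map with matching keys masked, as /env would render it."""
    patterns = [compile_pattern(spec) for spec in keys_to_sanitize]
    masked = {}
    for key, value in properties.items():
        # Java's Matcher.matches() is a full match, hence fullmatch() here.
        if value is not None and any(p.fullmatch(key) for p in patterns):
            masked[key] = MASK
        else:
            masked[key] = value
    return masked


def leaked_keys(properties, keys_to_sanitize=DEFAULT_KEYS_TO_SANITIZE):
    """Keys whose values /env would return in clear under the given pattern list."""
    masked = sanitize(properties, keys_to_sanitize)
    return sorted(key for key, value in masked.items() if value != MASK)


# Constructed sample: what a client's environment looks like after the config server
# has decrypted the {cipher} values stored in Git.
DECRYPTED_ENV = {
    "spring.datasource.password": "s3cr3t",           # masked: ends with "password"
    "my.api.token": "tok-123",                        # masked: ends with "token"
    "cloud.aws.credentials.accessKey": "AKIAEXAMPLE", # masked: matches .*credentials.*
    "db.passwordFile": "/run/secrets/db",             # NOT masked: "password" is not the suffix
    "message": "hello-from-the-vault",                # NOT masked: stored under a neutral key
}

if __name__ == "__main__":
    print(leaked_keys(DECRYPTED_ENV))
    # Extend the list with the neutral key and a broader regex to close both gaps.
    hardened = DEFAULT_KEYS_TO_SANITIZE + ["message", ".*password.*"]
    print(leaked_keys(DECRYPTED_ENV, hardened))
```

Because matching is by key, the practical habit is to name every property that carries a secret so that it ends in one of the default words (or to add your own patterns), and still to keep /env behind authentication as the answer says, since masking is a display rule and not an access control.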
I have an authorization server and resource server contained under one single spring boot application. I only want to enable the password flow.
I believe that would mean I only need the /oauth/token endpoint, however my swagger UI is configured to autofind all endpoints and shows:
authorization-endpoint(/oauth/authorize)
check-token-endpoint (/oauth/check_token)
token-endpoint (/oauth/token)
whitelabel-approval-endpoint (/oauth/confirm_access)
whitelabel-error-endpoint (/oauth/error)
As per the spring-security-oauth2-boot src code:
Spring Security access rule for the check token endpoint (e.g. a SpEL expression like "isAuthenticated()") . Default is empty, which is interpreted as "denyAll()" (no access).
This is the same for the token key endpoint.
If all access is denied to this endpoint by default and I am not changing them, should I turn them off completely? Is there a way? Also, if I cannot disable them, can I disable them in the Swagger docs auto-configuration to reduce clutter?
I create a Spring Cloud Config server. I put security in my application.properties file
security.basic.enabled=false
security.user.name=1user
security.user.password=123
When I try to log to the application with the name and password, I always get
Bad credentials
I tried setting enabled to true but got the same result. I saw in the command line that Spring generated a random password like
69dfeb52-6320-4085-bcd1-22ee7a3676a2
If I use it with the username user, I can connect.
Hi Robert Trudel
If you are using Spring Boot 2.x, then you need to prefix these properties with spring
as shown below:
spring.security.user.name=1user
spring.security.user.password=123
Also, you do not need this security.basic.enabled=false.
Hope this helps!
I'm trying to use the encrypt feature of Spring Cloud Config Server. I've generated a keystore and set the required config in application.properties.
I'm able to use the /encrypt and /decrypt endpoints to encrypt and decrypt values.
However, encrypted values are not decrypted by the config server before sending them to the client!
encrypt.key-store.location=classpath:/config-server.jks
encrypt.key-store.alias=config-server-key
encrypt.key-store.password=changeit
encrypt.key-store.secret=changeit
In my .yml file I have
message: '{cipher}AgAAeBKZOOQ3aM...'
What am I missing?
I was able to fix my issue: instead of putting the config properties in application.properties, I had to set them in bootstrap.properties.
encrypt.key-store.location=classpath:/config-server.jks
encrypt.key-store.alias=config-server-key
encrypt.key-store.password=changeit
encrypt.key-store.secret=changeit
In a Spring Boot app I set e.g. server.context-path=/mymodule. This is convenient because I don't need to repeat the /mymodule prefix over and over again in @RequestMapping.
Further, I want to have the actuator endpoints grouped together on URLs with a common prefix, so I set management.context-path=/actuator.
Now the actuator endpoints are mapped to /mymodule/actuator.
From a security perspective I want the actuator endpoints mapped to /actuator. A simple config on the reverse proxy, https://mydomain/api/mymodule -> http://oneofmyserver:port/mymodule, then ensures that end users are not able to access the actuator.
Is it possible to map the actuator endpoints to /actuator?
A probably better solution from a security perspective is to expose the actuator on a totally different port. To do that, just add this property:
management.port=9080
You can also just change the context-path of the actuator endpoints by using
management.context-path=/actuator
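The separate-port layout described in this answer, written out as an added application.properties example with the weak shared-port setup beside the hardened one. This is not configuration from the question or the answer; the key names are the Spring Boot 1.x ones used elsewhere on this page, and the ops user, the ACTUATOR role and the ACTUATOR_PASSWORD environment variable are placeholders I chose.

```properties
# Weak: actuator shares the application port and sits under the app context,
# so it ends up at /mymodule/actuator behind the same reverse-proxy route as the API,
# and management security is switched off.
server.context-path=/mymodule
management.context-path=/actuator
management.security.enabled=false

# Hardened: actuator on its own port, bound to loopback so only the host
# (or a local scrape agent) reaches it, and protected by its own role.
# On a separate port the management child context no longer sits under
# server.context-path, so the endpoints are at http://127.0.0.1:9080/actuator.
server.context-path=/mymodule
management.port=9080
management.address=127.0.0.1
management.context-path=/actuator
management.security.enabled=true
management.security.roles=ACTUATOR
# Placeholder operator account; the password comes from the environment, not from Git.
security.user.name=ops
security.user.password=${ACTUATOR_PASSWORD}
security.user.role=ACTUATOR
# Keep the default masking for /env and /configprops explicit so it is not lost by accident.
endpoints.env.keys-to-sanitize=password,secret,key,token,.*credentials.*,vcap_services
endpoints.configprops.keys-to-sanitize=password,secret,key,token,.*credentials.*,vcap_services
```

The reverse proxy then only ever forwards to the application port, and the actuator port is never exposed through it. On Spring Boot 2.x the equivalent keys are management.server.port, management.server.address and management.endpoints.web.base-path, and the security.user.* keys move under spring.security.user.* as another answer on this page notes.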
You can use the management.endpoints.web.base-path property to change the prefix for your management endpoints. Reference: the Spring Boot documentation.
The following example remaps /actuator/health to /healthcheck:
management.endpoints.web.base-path=/
management.endpoints.web.path-mapping.health=healthcheck
In case you aren't able to use different ports and you have, for example, Eureka in your environment, you can use the following:
Configure additional metadata that you send to Eureka, simply by adding a parameter there with the value of your context-path (see the Spring docs).
Configure Prometheus to use Eureka.
After that you will get access to your custom metadata.
Finally, you can use these new parameters in a relabeling step.
I have a Spring Boot app that is using Spring Cloud Config, but I would like to encrypt the Spring Cloud Config password in the Spring Boot app's bootstrap.yml file. Is there a way to do this? Below is an example.
Spring Boot app bootstrap.yml
spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: user
      password: '{cipher}encryptedpassword'
A couple things I've discovered related to this.
If you use bootstrap.yml (or application.yml), the cipher text must be enclosed within single quotes:
security.user.password: '{cipher}56e611ce4a99ffd99908d2c9aa1461d831722812e4370a5b6900b7ea680ae914'
If you use bootstrap.properties (or application.properties), the cipher text must NOT be enclosed:
security.user.password= {cipher}56e611ce4a99ffd99908d2c9aa1461d831722812e4370a5b6900b7ea680ae914
The [reference docs][1] show the yml without the quotes, which I never got to work. SnakeYaml always reported an error:
"expected <block end>, but found Scalar"
There is support for encrypted properties in the config client (as described in the user guide). Obviously if you do it that way you have to provide a key to decrypt the properties at runtime, so actually I don't always see the benefit (I suppose the config file is a bit like a keystore with a special format, so you only have one secret to protect instead of many). Example (application.yml):
integration:
  stores:
    test: '{cipher}316f8cdbb776c23e679bf209014788a6eab7522f48f97114328c2c9388e6b3c1'
and the key (in bootstrap.yml):
encrypt:
  key: ${ENCRYPT_KEY:} # deadbeef
You can use the Spring CLI to encrypt the secrets: spring encrypt password --key 'SECRET_KEY'
https://cloud.spring.io/spring-cloud-cli/