Can someone guide me how can I connect my secured client with the spring boot admin application?
Scenario: I have a spring boot application (client) with spring security and spring-actuator enabled. The actuator endpoints are secured and for this I have the following (working) configuration in my web security config:
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth, UserDetailsService userDetailsService) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
auth.inMemoryAuthentication().withUser("Test-Actuator").password("Test-Baby").roles("ADMIN", "ACTUATOR");
}
Now I want to integrate the Spring Boot Admin Application in our environment. I set up a simple application with spring-boot-admin-server and spring-boot-admin-server-ui enabled. In the application.properties file I provide the following properties:
spring.boot.admin.username=test
spring.boot.admin.password=test
these are for the server admin, right?
spring.boot.admin.client.metadata.user.name=Test-Actuator
spring.boot.admin.client.metadata.user.password=Test-Baby
these are for the client, right?
Now when I run the applications I get the following error from the client: Failed to register application as Application [...] at spring-boot-admin ([...]) 401 null
I call the spring boot admin page and get a HttpBasic Authentication Pop Up. No credentials from above work for this Pop Up.
Note: If I disable the security in the client application.properties file it works but (like expected) the client doesn't work anymore.
Related
In a single machine named mbc the React app at port 3000 running using pm2, the backend Spring boot application demo.war file deployed on Tomcat 9 at port 8099. In the same machine with firefox browser it is working as expected.
But I am facing the problem when from another machine with the firefox browser http://mbc:3000 the UI opens and the fetch call to the backend Spring boot App the sent option call
ends in the CORS blocked. The OPTIONS request returns with CORS blocked. I am not using any Security such as Spring Security. The application is simple proof of concept application using Spring boot and JPA. Kindly guide me how to sort it out. Is this indicates network issue or any other settings to be done at backend server
(1) at each controller #CrossOrigin annotation
(2) at the spring boot application file
#Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurerAdapter() {
#Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**");
}
};
(3) I am not using spring security
(4) In my windows machine at the etc file in the host file added the entry for ipaddress mbc. Here the mbc is the name of the host.
I've got a Spring Boot Admin application which uses a Kubernetes Service Discovery to get the Spring Boot client applications.
spring:
cloud:
kubernetes:
discovery:
all-namespaces: true
service-labels:
springbootadmin: true
reload:
enabled: true
period: 60s
strategy: refresh
Without secured actuator endpoints this works fine.
But as soon as the client actuator endpoints are protected by basic auth this does not work any more. The Spring Boot Admin Documentation describes how to add the authentication data to the Spring Boot Admin Server bit it does not describe how to provide this when the services are discovered via Kubernetes.
I've tried these configurations. But they don't work:
Spring Boot Admin Docs: spring.boot.admin.instance-auth.default-user-name + password
Spring Boot Admin Tutorial spring.boot.admin.client.instance.metadata.user.name + password
I also found an answer which describes how to configure the credentials in the Kubernetes annotations. This works but I would prefer to configure the credentials in the Spring Boot Admin configuration (where I can use Secrets) and not separately for each service in the Kubernetes configuration as an unsecure label.
I think I have to inject the credentials in the Service Discovery metadata. But how?
EDIT
I've examined the service discovery and found no auth configuration options which could be provided:
class KubernetesDiscoveryProperties.Metadata
class de.codecentric.boot.admin.server.cloud.discovery.DefaultServiceInstanceConverter
It might be an option to add a custom header to the requests that are sent by SBA to the clients:
#Bean
public HttpHeadersProvider customHttpHeadersProvider() {
return (instance) -> {
HttpHeaders httpHeaders = new HttpHeaders();
httpHeaders.add("Authorization", "Basic bXlTcGVjaWFsVXNlcm5hbWU6bXlTcGVjaWFsUGFzc3dvcmQ=");
return httpHeaders;
};
}
The authentication can be set by these settings:
spring:
boot:
admin:
instance-auth:
default-user-name: user
default-password: pw
These settings are read by the Configuration Class AdminServerInstanceWebClientConfiguration which instantiates a bean basicAuthHttpHeadersProvider.
We have Spring Boot Admin Version-2.0.3 and corresponding Client Version.
Our spring boot instances are deployed to Pivotal Cloud Foundry.
Everything works great, until we deploy a new version of a spring boot instance. A new internal url is generated for the instance, and get registered to admin. But it didn't deregister the removed instance from the admin.
So it leaves spring boot admin in an inconsistent state. such as:
how can I make the registered instance deregister itself when it gets destryed.
I have tried setting:
spring.boot.admin.client.auto-deregistration = true
But it doesn't work as hoped.
The setting auto-deregistration=true causes your client application to send a http delete call to the server on endpoint /instances/{id}. Csrf checking must be disabled for this endpoint as well on the server. This configuration was missing in the sample securityconfiguration in the spring boot admin documentation. ( See https://github.com/codecentric/spring-boot-admin/issues/1251 )
To fix this, replace
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**");
With
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringRequestMatchers(
new AntPathRequestMatcher(adminContextPath + "/instances", HttpMethod.POST.toString()),
new AntPathRequestMatcher(adminContextPath + "/instances/*", HttpMethod.DELETE.toString()),
new AntPathRequestMatcher(adminContextPath + "/actuator/**")
);
we are using netflix oss for reverse proxying and security of microservices, we are following the jhipster pattern mentioned here https://www.jhipster.tech/microservices-architecture/, where request from UI application goes to gateway which is Api Gateway and it proxies the request to our backend microservices , we are using jwt for authentication, we wanted a dashboard to monitor our microservices and api gateway which registers with eureka server , we started a separate spring boot admin server so that it registers with eureka server and poll microservices and gateway for metrics endpoint but we are getting exception
Full authentication is required to access this resource
which is thrown by filters which are filtering for jwts at both api gateway and microservices level,
we also tried disabled
management.security.enabled: false
but still no luck ,can some one please help to guide what changes i need to make to enable spring boot admin to successfully poll the microservices and api gateway?
I tried the following approach
firstly i enabled web.ignoring().antMatchers("/actuator/**"), so that actuator endpoints are ignored by spring security but this approach will risk my api's
Second idea:
if i enable 2 filters in spring security , the first filter would be for spring boot admin with basic authentication for actuator endpoints and second filter will be of my jwt authentication for rest all api's and downstream api's not sure will it be feasible?
i enabled the 2 filters one filter for actuator end points and 1 filter for api's but these filters are working perfectly but not able to connect to SBA
public class SpringSecurityAdminFilter extends WebSecurityConfigurerAdapter {
#Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
String password = passwordEncoder().encode("xxxx");
auth.inMemoryAuthentication().passwordEncoder(passwordEncoder()).withUser("sam").password(password).roles("ADMIN");
}
#Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/actuator/**").hasRole("ADMIN")
.and().httpBasic()
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);//We don't need sessions to be created.
}
}
i enabled basic authentication for spring boot admin server added the property in microservices
eureka.instance.metadata-map.user.name:
eureka.instance.metadata-map.user.password:
now actuator endpoints are protected by basic authentication
I have had a similar issue. On my spring boot application we had a cors filter to block Http Head requests. So head requests cannot be accepted from spring boot admin.
Check maybe filter is blocking HEAD Http requests .
Setting management.security.enabled=false in the application.properties also necessary.
I am developing a Spring Boot REST application that has a custom token authentication system. The token holds the roles for the user as claims.
A Zuul proxy routes the traffic to multiple spring boot microservices and I would like to add a filter to the Zuul so that it extracts the roles from the token (stored as claims) and sets them in the Spring security environment (which I don't know the internals) so that I can configure the access in the micro services using the standard Spring security approach, using for example a WebSecurityConfigurerAdapter:
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("user1").password("secret1")
.roles("USER").and().withUser("admin1").password("secret1")
.roles("USER", "ADMIN");
}
So, to rephrase... how can I include those roles from my custom token using a pre-filter in Zuul so they are part of the AuthenticationManagerBuilder object?