I have two spring boot server applications (Spring boot 1.5.2), the first one is the resource server and the second is the authorisation server (oAuth2), I have added Spring boot actuator to both servers and configured both with the following properties:
management.security.roles=ROLE_MYADMINROLE
management.context-path=/myactuator
In the resource server, I can access the actuator endpoints using a token obtained from the authorisation server for a user who hold the role ROLE_MYADMINROLE.
But in the authorisation server itself, I could not get the token working at the first place (Http Basic was working), to use the tokens, I have added a resource server configuration to it, and set the filter order at 3 after reading Spring boot documentation
security.oauth2.resource.filter-order=3
OAuth2 resources are protected by a filter chain with order security.oauth2.resource.filter-order and the default is after the filter protecting the actuator endpoints by default (so actuator endpoints will stay on HTTP Basic unless you change the order).
In Spring boot release notes we have this regarding this filter order:
OAuth 2 Resource Filter
The default order of the OAuth2 resource filter has changed from 3 to
SecurityProperties.ACCESS_OVERRIDE_ORDER - 1. This places it after the
actuator endpoints but before the basic authentication filter chain.
The default can be restored by setting
security.oauth2.resource.filter-order = 3
Now my actuator endpoint in the authorisation server accepts tokens issued from the same server, the question is why the default is Http Basic for the actuator endpoints? I assume oAuth2 is more secure than Http Basic? why I had to change the filter order in the authorisation server but not in the resource server? Here I am looking for an explanation for this rather than a solution as I have got this working as I want already.
Related
The old spring security oauth can do this by spring-security-oauth2-autoconfigure
How can it be implemented using the latest spring security 5.7.x?
It seems that you have to create separate authorization server, resource server, and client...unlike the previous, you just have to enable configuration for authorization and resource server
But I am curious if there is a way to do libe the old way?
I discover this on my own.
Both the authorization and resource server can be in 1 springboot app and both can use same port.
It is the security configuration filter chain that you have to restrict both the "/login", "/oauth2/authorize"
Authorization server configuration is configured the basic way and so is the Resource server.
Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:
Web application - React based front-send that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.
Server 2 Server coomunication - A server that need to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.
There are few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is a "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?
As for using the Spring Bood adapter, the only configuration necessary is the following:
keycloak:
bearer-only: true
auth-server-url: your-url
realm: your-realm
resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints but it's a bit more flexible to either use httpSecurity or #EnableGlobalMethodSecurity which we're doing with e. g. #Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc.: Some of certified OpenID client libs even propose features to ensure user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has same features.
Keycloak adapters for Spring are now deprecated. You can refer to this tutorials for various resource-server security configuration options. It covers uses cases from most simple RBAC to building DSL like: #PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
I have an authorization server and resource server contained under one single spring boot application. I only want to enable the password flow.
I believe that would mean I only need the /oauth/token endpoint, however my swagger UI is configured to autofind all endpoints and shows:
authorization-endpoint(/oauth/authorize)
check-token-endpoint (/oauth/check_token)
token-endpoint (/oauth/token)
whitelabel-approval-endpoint (/oauth/confirm_access)
whitelabel-error-endpoint (/oauth/error)
As per the spring-security-oauth2-boot src code:
Spring Security access rule for the check token endpoint (e.g. a SpEL expression like "isAuthenticated()") . Default is empty, which is interpreted as "denyAll()" (no access).
This is the same for the token key endpoint.
If all access is denied to this endpoint by default and I am not changing them, should I turn them off completely/is there a way. Also, if i cannot disable them, can i disable them in the swagger docs auto configure to reduce clutter?
I have a complex situation where I need to implement a security for web app on tomcat 8 that serve both static html and rest services. the app is spring mvc application (no spring boot)
the authntication ( sso ) process will go as follow:
if user jwt not exist in http header then authonticate with ldap, getting user authorities from db and create jwt back to user.
if jwt exist in header, skip ldap filtering , extract the user authorities from token.
I was thinking of first servlet filter that uses spnego library and get the windows domain name (user name to use in ldap) that filter will also check to see if ldap authontication is needed ( if token not provided) and pass it back to spring filter chine through http params..
I'm struggling to implement he ideal.
please help.
thanks
As I know, there is support for LDAP in spring security, might be it will help you.
Other than that, if you want to write your own filters then you have to add those in spring security filter chain.
We are using Spring Boot Actuator Endpoints with our services.
We want to secure certain endpoints which are to be accessed only by the admin/support team for troubleshooting issues.
For example, /logfile,/env,/shutdown,/restart.
As per Spring Boot Actuator documentation, sensitive endpoints are secured by ACTUATOR role. We can also enable basic authentication and provide username and password in application.yml by adding Spring Security as a dependency.
My query is this works fine for basic authentication, but we want to use Token Based authentication.
We want the Admin Support team to first obtain a Token from a custom Token Service and then pass the token while the sensitive endpoints like /logfile and so on.
I am not sure how I can securely access these endpoint because they will be accessed via browser and not using a REST client. With REST client I see there are options supported for securing the same.
If someone has secured these endpoints with tokens and accessed them via browser can you please help me on the same.