I have a Front end application that runs on http:// localhost:5555, with angular 2
On the other hand, I have a Back end application running with spring boot on http:// localhost:8080/, that provide a REST Api for my angular 2 application.
Sending requests from http://localhost:5555/ to http://localhost:8080/ works as well.
what is the best way to authenticate users ,I read so many articles, but I couldn't find a solution.
you need to creating cross-origin with #CrossOrigin(origins = "http://localhost:5555") in controller file
Related
I am trying to connect from my javascript front to the REST API of my camunda orchestration which is deployed as part of a spring boot application.
the called url is :
GET http://localhost:8081/oms-orchestrator-ms/api/engine/engine/default/history/process-instance
i get an 401 error for non authenticated queries which is normal
First question : is it the right way to query the Engine Rest API for process definition/ instances and history?
In order to make it work , i add the JSESSIONID cookie as header to my requests,
how can i use the basic auth to query the orchestrator api instead of using the cookie?
Thanks for your Help
the /api path is part of the cockpits REST backend which is secured by the same rules as the cockpit webapp.
You can additionally deploy the rest api (camunda-bpm-spring-boot-starter-rest if you are using spring boot). This will add an almost identical REST api for the engine under the path /rest. This one is open by default and can be secured manually if required (and advised for prod environments).
I'm trying to secure my single page Angular 5 application that has a spring boot backend with firebase authentication.
Is the following a good way to implement this.
All requests that do not start with /api are forwarded to index.html with forward:/index.html. The AuthGuard in my Angular app will then handle whether the user has access or needs to login.
All requests going to /api/** have to be authenticated. Here the firebase user token will be set in the header of the request by Angular and my custom Spring authentication filter and authentication provider vill handle it.
Are there any tutorials, specifically for the spring part of the implementation, that I can look at. I haven't found any thing similar and I want to be sure that the security implementation is done correctly.
I am writing an Angular4 app with Spring Boot backend. I am using a SessionScoped bean to store the logged in user (I know this is not RESTful and stuff and I am ok with it for now) and RestControllers for the endpoints.
Logging in and querying data with Postman works nicely, but it does not work from my angular app, so I debugged it a little and saw that I get jsessionid-s in the response-headers, but they are not appended in the requests.
What might be the problem? How can I use Angular with Spring Boot and session scoped beans?
It depends on how your are calling the backend.
If you are using angular-cli and the proxying the calls to spring boot it should work out of the box since same domain requests always pass cookies.
This is the preferred way because usually this is how you then deploy it live using a nginx location block to get all /api/ calls go to spring and everything else to angular.
https://github.com/angular/angular-cli/blob/master/docs/documentation/stories/proxy.md
If you have the api on a different host you will need to pass withCredentials: true to all requests going to the backend to force the request to include the cookies.
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
this.http.post('http://localhost:3000/api/thing', { withCredentials: true }).subscribe()
We are currently developing a microservice application using Spring Boot 1.4 and Keycloak 2.5.0 (configured as openid-connect service) using the Keycloak Spring Adapter (not the Spring Boot adapter).
All of our microservices are put behind a load balancer and an additional reverse proxy as the application will be hosted on an existing domain behind a context root (so the root of our application is http://foo.bar/foobar/ and the rest services are http://foo.bar/foobar/rest/).
We are facing a couple of problems with Keycloak in this given scenario:
Keycloak forward to /sso/login if a sign-in is needed. This is in our case unwanted behaviour because http://foo.bar/sso/login will not exist. I have found a way to change the forward but there is no way to make Keycloak listen to the same url; we end up with a 404 in this case.
After signing in, Keycloak redirects back to the /sso/login url with the correct tokens, but if this is not the same server, the request fails and it redirects us to http://foo.bar/. Since every microservice exposes /sso/login, this can be in fact a completely different server.
If keycloak is hosted on the same domain, we end up in a redirect loop. We would also like to have Keycloak hosted on the same domain and on the context root http://foo.bar/foobar/auth/ .
We've already tried using the "token-store": "cookie" but this did not resolve the problem.
Is there a way to resolve these problems or is Keycloak maybe not the correct solution for our use-case ?
Update 05/05/2017:
Move my answer from here to an answer
We are now up and running with Keycloak so I'll briefly explain what we did. The front-end of our application runs Angular2 and we created a custom login page in the Angular application itself (so it's not a theme for Keycloak) which will directly query the Keycloak API for an OAuth2 Bearer token. The front-end will send this token on each request in the Authorization header (as per the OAuth standards).
On the service side we have configured keycloak as a bearer-only solution (bearer-only: true in the keycloak.json), this way the application just returns a 401 or a 403 instead of forwarding to the login page.
Using this configuration the user will never see anything from the /sso/login page and there is also no redirect issue anymore.
TLDR; the use-case I described was also not realistic, calling a REST URL and then forwarding to a login page is kind of bad stuff :)
I have a Front end application that runs on http:// localhost:4200, with angular 2 (I've used angular-cli for generating the project).
The application runs without any problems (I can get and post info from/to database using Angular 2 Http service:
getList () {
return this._http.get("http:// localhost:8080/").map(res => res.json());
}
On the other hand, I have a Back end application running with spring boot on http:// localhost:8080/ (note the ports), that provide a REST Api for my angular 2 application.
Sending requests from http://localhost:4200/ to http://localhost:8080/ works as expected.
Before I've programmed an application with spring framework & angularJS 1, spring security took care of login and security in the same app (maven project).
Now I have two separate applications that are communicating via http (RESTful Api with spring boot , and front end Api with angular 2)
How can I set my login form and where to put it, and how to configure spring security with my angular 2 application?
When you spin up the Angular Application with Angular CLI, your Angular Pages are served by NodeJs in the backend.
You have a couple of options here.
The login can be handled at NodeJS server which can in turn invoke
Spring Boot application to Authenticate and Authorize.(I think, you might need to do some tweaks like using express server instead of lite server. take a look here https://stackoverflow.com/a/37561973/6785908)
After initial development, you can copy over your AngularJS
resources to a Spring MVC (Spring Boot) server and use it to serve
your pages (as well as the rest APIs), just as you were doing
before.
Make the Angular App invoke the spring boot Service (I guess , you
are using the $http.post to submit the form, if that's the case you
can just change the URL so that it can hit spring boot app instead.)
For the production deployment, use nginx/httpd to serve the static
files (AngularJS/CSS etc) and route/proxy all the dynamic request to
the spring boot app.
I would strongly suggest the 3rd option.