I have a Spring Boot app that normally runs on tomcat (as a normal WAR), and for some URL patterns I have Spring-Security setup to force it to be HTTPS. All the HTTPS/certificates stuff is done outside of my application, so all this step (at least appears) to be doing is redirecting to the HTTPS address (and port).
My security configuration:
http.requiresChannel().requestMatchers( "/**" ) .requiresSecure()
It all works as expected on tomcat, and I get redirected correctly.
Now I want to write some Spring #IntegrationTests, but am not able to get it to make requests to the HTTPS URL - I suspect I am missing something fairly obvious, but not having any joy with my attempts.
My basic test case:
#RunWith( SpringJUnit4ClassRunner )
#SpringApplicationConfiguration( classes = Application )
#WebAppConfiguration
#IntegrationTest( [ "server.port:0" ] )
class MultipleUserAuthenticationTest {
#Value('${local.server.port}') private int port
private URL base
private RestTemplate template
#Before public void setUp() throws Exception {
this.base = new URL("https://localhost:" + port + "/api")
template = new RestTemplate()
}
#Test public void apiRequest() throws Exception {
HttpHeaders headers = //set custom headers
HttpEntity<String> entity = new HttpEntity<String>( headers )
ResponseEntity<String> exchange = template.exchange( base.toString(), HttpMethod.GET, entity, String )
}
I have tried the approach outlined here https://stackoverflow.com/a/34411279/258813 and https://stackoverflow.com/a/24491820/258813
But no joy - It still seems to be failing because the port it is attempting to access is the HTTP port, so I basically get:
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://localhost:52002/api":Unrecognized SSL message, plaintext connection?; nested exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Am I missing something obvious? Is there another way to get the HTTPS port (or tell spring to use one)?
Related
I am trying to have my STOMP client connect to a Websocket server over a Spring Gateway server.
My STOMP client can connect directly to the Websocket Server just fine, but i am having trouble using the gateway.
But it does not work.
I am using spring-cloud-gateway-mvc for the proxy.
Here my general purpose controller-method that does the proxying:
private final GatewayAssistant gatewayAssistant;
#RequestMapping(value = "/{service}/**")
public ResponseEntity<?> proxy(ProxyExchange<Object> proxy, #PathVariable String service, HttpServletRequest request, HttpServletResponse response) {
//Assistant method to get the correct path to the Websocket server
String path = gatewayAssistant.getUrl(proxy, service);
proxy.uri(path);
if(request.getHeader("Upgrade") != null){
path = path.replace("http", "ws"); //a temporary hack
}
//Assistant method to call the correct method, e.G if request.getMethod() is GET, it will call proxy.get()
final ResponseEntity<?> call = gatewayAssistant.call(proxy, RequestMethod.valueOf(request.getMethod()));
return call;
}
Here the Assistant class:
#Component
#RequiredArgsConstructor
public class GatewayAssistant {
private final ApplicationProperties applicationProperties;
public String getUrl(ProxyExchange<Object> proxy, String service) {
final String urlBase = applicationProperties.getGatewayPaths().get(service);
if(Objects.isNull(urlBase)) {
throw new ApplicationManagementException("No service '".concat(service).concat("' available"), HttpStatus.BAD_REQUEST);
}
final String path = proxy.path("/api/".concat(service));
return urlBase.concat(path);
}
public ResponseEntity<?> call(ProxyExchange<Object> proxy, RequestMethod method) {
return switch(method) {
case OPTIONS -> proxy.options();
case GET -> proxy.get();
case PUT -> proxy.put();
case HEAD -> proxy.head();
case POST -> proxy.post();
case PATCH -> proxy.patch();
case DELETE -> proxy.delete();
case TRACE -> throw new ApplicationManagementException("Cannot handle TRACE calls", HttpStatus.BAD_REQUEST);
};
}
}
I use simple Javascript to connect to the websocket:
let sock = new SockJS("http://my-proxy:8100/api/communication/stomp");
When i connect, then the first call gets proxied just fine, but the second call that has the "ws:" schema does not get proxied. In the WebSocket serer i get the message "Handshake failed due to invalid Upgrade header: null".
UPDATE
I get the error because use the "ws" schema. But now that i fixed that, i get no exceptions in both server, in debug logging i see no errors, yes, the front-end browser client gets "failed: Error during WebSocket handshake: Unexpected response code: 500"
I am writing an integrationtest for a resource (Jax-rs with resteasy) which invokes a thirdparty request to the Trustpilot Api to get a review link for a product.
In my tests I wanted to mock this call by using Wiremock and invoke the request by using resteasy Dispatcher.
The code below shows my Setup (names etc are changed).
#RunWith(SpringJUnit4ClassRunner.class)
#ContextConfiguration(classes = { MyResourceTestContext.class })
public class MyResourceIntegrationTest {
#Rule
public WireMockRule wireMockRule = new WireMockRule(wireMockConfig().dynamicPort().dynamicHttpsPort());
#Autowired
private MyResource myResource;
private Dispatcher dispatcher;
private MockHttpResponse response;
#Before
public void setUp() throws Exception {
dispatcher = MockDispatcherFactory.createDispatcher();
dispatcher.getRegistry().addSingletonResource(myResource);
response = new MockHttpResponse();
}
#Test
public void testResourceShouldReturnRedirectToTrustpilotreview() throws Exception {
URI apiRequestURI = UriBuilder
.fromUri("https://api.trustpilot.com/v1/private/product-reviews/business-units"
+ "/{businessUnitId}}/invitation-links")
.build(BUSINESS_UNIT_ID);
URI expectedRedirectURI = UriBuilder.fromUri("https://products.trustpilot.com/#evaluate/{reviewLinkId}")
.build(REVIEW_LINK_ID);
stubFor(post(apiRequestURI.toString())
.willReturn(okJson("{\"reviewLinkId\":\"" + REVIEW_LINK_ID + "\","
+ "\"reviewUrl\":\"" + expectedRedirectURI.toString() + "\"}")));
MockHttpRequest request = MockHttpRequest.get("/myResource");
dispatcher.invoke(request, response);
WireMock.verify(1, postRequestedFor(urlEqualTo(apiRequestURI.toString())));
Assert.assertEquals(HttpStatus.TEMPORARY_REDIRECT.value(), response.getStatus());
Assert.assertEquals(expectedRedirectURI.toString(), response.getOutputHeaders().getFirst("Location"));
}
But what I'm getting is (with my actual bid in the url):
com.github.tomakehurst.wiremock.client.VerificationException: Expected at least one request matching: {
"url" : "https://api.trustpilot.com/v1/private/product-reviews/business-units/<bid>/invitation-links",
"method" : "POST"
}
Requests received: [ ]
Stepping into the request with the Debugger I can say this request and other requests are actually executed successfully. But they are not recognized/mocked by Wiremock.
Is there something wrong with my Wiremock setup? Any Ideas? Thank you!
There are a couple of reasons why this isn't sending anything to WireMock at the moment:
WireMock only accepts relative URLs when stubbing so passing the full URL including protocol and domain won't work. Try something equivalent to stubFor(post(urlPathEqualTo("/v1/private/product-reviews/business-units/<bid>/invitation-links") instead.
There doesn't seem to be any way for your class under test to know which host/port WireMock is running on and no forward proxying set up so the code is presumably still trying to call the real Trustpilot API.
To solve 2. you have a couple of options:
Set up your class/code under test to use localhost as the destination host and the result of wireMockRule.port() as the port number, or wireMockRule.httpsPort() if you're on HTTPS.
Use the new auto JVM proxy setup feature to proxy your app's calls through WireMock. This assumes you're on WireMock 2.31.0+ and that your app's HTTP client respects the JVM proxy system properties.
i am using java library client for web application authentication, i produce authorization url using client secret and client id,also i provided a redirect url within google api console,but i don't know if it is necessary for me to create this server to receive refresh token?
i mean in production i should provide a separate server to receive the refresh token?(redirect url comes to this server)
the main problem is user should paste the produced url on browser by himself but i want to open browser authmaticly , the second one is about reciving the refresh token i am not sure about creating another server to recieve refreshcode and i can't use service accounts i am going with web flow authentication.
UserAuthorizer userAuthorizer =
UserAuthorizer.newBuilder()
.setClientId(ClientId.of(clientId, clientSecret))
.setScopes(SCOPES)
.setCallbackUri(URI.create(OAUTH2_CALLBACK_URL_CONFIGURED_AT_GOOGLE_CONSOLE))
.build();
baseUri = URI.create("http://localhost:" + simpleCallbackServer.getLocalPort());
System.out.printf(
"Paste this url in your browser:%n%s%n",
userAuthorizer.getAuthorizationUrl(loginEmailAddressHint, state, baseUri));
and this is local server to receive refresh token:
private static class SimpleCallbackServer extends ServerSocket {
private AuthorizationResponse authorizationResponse;
SimpleCallbackServer() throws IOException {
// Passes a port # of zero so that a port will be automatically allocated.
super(0);
}
/**
* Blocks until a connection is made to this server. After this method completes, the
* authorizationResponse of this server will be set, provided the request line is in the
* expected format.
*/
#Override
public Socket accept() throws IOException {
Socket socket = super.accept();
}
}
for those who struggling to get authorized using google oauth2.0 with spring boot
you cant redirect user to authorization url(which google authorization server gives to using your client id and client secret) use a controller to redirect user:
#GetMapping(value = "/redirect-user")
public ResponseEntity<Object> redirectToExternalUrl() throws URISyntaxException {
String url=gs.createUserAuthorizationUrl();
URI authorizationUrl = new URI(url);
HttpHeaders httpHeaders = new HttpHeaders();
httpHeaders.setLocation(authorizationUrl);
return new ResponseEntity<>(httpHeaders, HttpStatus.FOUND);
}
at service layer createUserAuthorizationUrl() method is like below:
public String createUserAuthorizationUrl() {
clientId = "client-id";
clientSecret = "client-secret-code";
userAuthorizer =
UserAuthorizer.newBuilder()
.setClientId(ClientId.of(clientId, clientSecret))
.setScopes(SCOPES)
.setCallbackUri(URI.create("/oauth2callback"))
.build();
baseUri = URI.create("your-app-redirect-url-configured-at-google-console" + "your-spring-boot-server-port"); //giving redirect url
String redirectURL = userAuthorizer.getAuthorizationUrl(loginEmailAddressHint, state, baseUri).toString();
return redirectURL;
}
and let's create a controller to support the get request comming from google authorization server with an code. we are going to use that code to get access token from google.i get state and code by #RequestParam
and i also want to redirect user to my application.
#GetMapping(value = "/oauth2callback")
public ResponseEntity<Object> proceedeTOServer(#RequestParam String state,
#RequestParam String code) throws URISyntaxException {
String url="my-application-url-to-redirect-user";
URI dashboardURL = new URI(url);
HttpHeaders httpHeaders=new HttpHeaders();
httpHeaders.setLocation(dashboardURL);
gs.getCode(state,code);
return new ResponseEntity<>(httpHeaders,HttpStatus.FOUND);
}
and in getCode(code) in service layer i am going to send to code and receive the refresh token or access token:
UserCredentials userCredentials =userAuthorizer.getCredentialsFromCode(code, "your-app-redirect-url-configured-at-google-console" + "your-spring-boot-server-port");
I have a rest client maven module which is responsible for getting a token, and then for creating requests using this token.
Here is the "login()" method :
private static final String ROOT_URL = "https://my-url";
private static final String LOGIN_API = "/LogIn";
#Autowired
#Qualifier("myRestTemplate")
RestTemplate restTemplate;
public String login() {
LoginRequest loginRequest = new LoginRequest();
loginRequest.setAccountName("USER");
loginRequest.setPassword("P#ssw0rd");
loginRequest.setTimeout(120);
LoginResponse loginResponse = restTemplate.postForObject(ROOT_URL + LOGIN_API, loginRequest, LoginResponse.class);
String token = loginResponse.getLogInResult().getToken();
log.info(loginResponse.toString());
return token;
}
When I call this "login()" method from a JUnit inside the module, it works.
Also I have various services from other modules who depend on this rest client module and they can call it with no error.
Now I've just created a new module who needs to use this rest client service. When I call the "login()" service from this new module, it ends with :
ResourceAccessException: I/O error on POST request for "https://my-url/LogIn":
unable to find valid certification path to requested target
What can possibly could cause this error in a case and not the other, when the URL called is a constant ?
I've tried to check the "restTemplate" object is the same in both case and I think it is, but even if it was not, how could this happen ? by which mechanism ?
UPDATE : I've tried to activate spring debug on org.springframework.beans to see if a wrong restTemplate injection could be the cause of this problem, but when I do this from my parent module, I don't even see the injection of any restTemplate.
It's like some process are happening in a forked JVM, and this forked process doesnt know about the certificates (the ones in $JAVA_HOME/jre/lib/security/cacerts).
If I debug the call from the child module, I can see the restTemplate injection happening.
I am working on a Spring application that serves up REST endpoints. One of the endpoints essentially acts as a proxy between the HTML client and a third party cloud storage provider. This endpoint retrieves files from the storage provider and proxies them back to the client. Something like the following (note there is a synchronous and asynchronous version of the same endpoint):
#Controller
public class CloudStorageController {
...
#RequestMapping(value = "/fetch-image/{id}", method = RequestMethod.GET, produces = MediaType.IMAGE_JPEG_VALUE)
public ResponseEntity<byte[]> fetchImageSynchronous(#PathVariable final Long id) {
final byte[] imageFileContents = this.fetchImage(id);
return ResponseEntity.ok().body(imageFileContents);
}
#RequestMapping(value = "/fetch-image-async/{id}", method = RequestMethod.GET, produces = MediaType.IMAGE_JPEG_VALUE)
public Callable<ResponseEntity<byte[]>> fetchImageAsynchronous(#PathVariable final Long id) {
return () -> {
final byte[] imageFileContents = this.fetchImage(id);
return ResponseEntity.ok().body(imageFileContents);
};
}
private byte[] fetchImage(final long id) {
// fetch the file from cloud storage and return as byte array
...
}
...
}
Due to the nature of the client app (HTML5 + ajax) and how this endpoint is used, user authentication is supplied to this endpoint differently that the other endpoints. To handle this, a HandlerInterceptor was developed to deal with authentication for this endpoint:
#Component("cloudStorageAuthenticationInterceptor")
public class CloudStorageAuthenticationInterceptor extends HandlerInterceptorAdapter {
#Override
public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response, final Object handler) {
// examine the request for the authentication information and verify it
final Authentication authenticated = ...
if (authenticated == null) {
try {
pResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
} catch (IOException e) {
throw new RuntimeException(e);
}
return false;
}
else {
try {
request.login(authenticated.getName(), (String) authenticated.getCredentials());
} catch (final ServletException e) {
throw new BadCredentialsException("Bad credentials");
}
}
return true;
}
}
The interceptor is registered like this:
#Configuration
#EnableWebMvc
public class ApiConfig extends WebMvcConfigurerAdapter {
#Autowired
#Qualifier("cloudStorageAuthenticationInterceptor")
private HandlerInterceptor cloudStorageAuthenticationInterceptor;
#Override
public void addInterceptors(final InterceptorRegistry registry) {
registry.addInterceptor(this.cloudStorageAuthenticationInterceptor)
.addPathPatterns(
"/fetch-image/**",
"/fetch-image-async/**"
);
}
#Override
public void configureAsyncSupport(final AsyncSupportConfigurer configurer) {
final ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
executor.setCorePoolSize(this.asyncThreadPoolCoreSize);
executor.setMaxPoolSize(this.asyncThreadPoolMaxSize);
executor.setQueueCapacity(this.asyncThreadPoolQueueCapacity);
executor.setThreadNamePrefix(this.asyncThreadPoolPrefix);
executor.initialize();
configurer.setTaskExecutor(executor);
super.configureAsyncSupport(configurer);
}
}
Ideally, the image fetching would be done asynchronously (using the /fetch-image-asyc/{id} endpoint) because it has to call a third party web service which could have some latency.
The synchronous endpoint (/fetch-image/{id}) works correctly for all browsers. However, if using the asynchronous endpoint (/fetch-image-async/{id}), Chrome and Firefox work as expect.
However, if the client is Microsoft IE or Microsoft Edge, we seem some strange behavior. The endpoint is called correctly and the response sent successfully (at least from the server's viewpoint). However, it seems that the browser is waiting for something additional. In the IE/Edge DevTools window, the network request for the image shows as pending for 30 seconds, then seems to timeout, updates to successful and the image is successfully display. It also seems the connection to the server is still open, as the server side resources like database connections are not released. In the other browsers, the async response is received and processed in a second or less.
If I remove the HandlerInterceptor and just hard-wire some credentials for debugging, the behavior goes away. So this seems to have something to with the interaction between the HandlerInterceptor and the asynchronous controller method, and is only exhibited for some clients.
Anyone have a suggestion on why the semantics of IE/Edge are causing this behavior?
Based on your description, there are some different behaviors when using IE or Edge
it seems that the browser is waiting for something additional
the connection seems still open
it works fine if remove HandlerInterceptor and use hard code in auth logic
For the first behavior, I would suggest you use fiddler to trace all http requests. It is better if you could compare two different actions via fiddler (1) run on chrome, 2) run on edge ). Check all http headers in requests and responses carefully to see whether there is some different part. For the other behaviors, I would suggest you write logs to find which part spend the most time. It will provide you useful information to troubleshot.
After much tracing on the server and reading through the JavaDocs comments for AsyncHandlerInterceptor, I was able to resolve the issue. For requests to asynchronous controller methods, the preHandle method of any interceptor is called twice. It is called before the request is handed off to the servlet handling the request and again after the servlet has handled the request. In my case, the interceptor was attempting to authenticate the request for both scenarios (pre and post request handling). The application's authentication provider checks credentials in a database. For some reason if the client is IE or Edge, the authentication provider was unable to get a database connection when called from preHandle in the interceptor after the servlet handled the request. The following exception would be thrown:
ERROR o.a.c.c.C.[.[.[.[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.dao.DataAccessResourceFailureException: Could not open connection; nested exception is org.hibernate.exception.JDBCConnectionException: Could not open connection] with root cause
java.sql.SQLTransientConnectionException: HikariPool-0 - Connection is not available, request timed out after 30001ms.
So the servlet would successfully handle the request and send a response, but the filter would get hung up for 30 seconds waiting for the database connection to timeout on the post processing called to preHandle.
So for me, the simple solution was to add a check in preHandle if it is being called after the servlet has already handled the request. I updated the preHandle method as follows:
#Override
public boolean preHandle(final HttpServletRequest pRequest, final HttpServletResponse pResponse, final Object pHandler) {
if (pRequest.getDispatcherType().equals(DispatcherType.REQUEST)) {
... perform authentication ...
}
return true;
}
That solved the issue for me. It doesn't explain everything (i.e., why only IE/Edge would cause the issue), but it seems that preHandle should only do work before the servlet handles the request anyways.