I have a spring app running on tomcat and I've set up two connectors 8080 and 8443. I use 8443 for authentication and 8080 for the application. After authentication JSESSIONID is added with secure notation and thus it's not available in HTTP.
How can I create two types of authentication when authenticating with HTTPS so that HTTP would also be authenticated. I set my authentication with:
SecurityContextHolder.getContext().setAuthentication(authentication);
This should work out of the box. The session cookie that's set is shared for http & https. Examine the cookie and verify if the domain, path & protocol are correctly set. Also you should verify your spring security configuration. Example here
Also you should really be using only https instead of serving any content through http - the overhead is insignificant while giving a big security benefit.
You can not do it and it has nothing to do with Tomcat.
The issue is the browser will not send the same cookies that it was using for HTTPS to the HTTP URL. You will have to login twice. You could potentially do some very nasty things to somewhat accomplish this (like allowing session ids in the URL and/or some javascript to perform some autologin) but I highly recommend you do not do that.
The only solution I can see to make this work safely might be to use SAML single sign-on. Otherwise you really should serve everything you want authorization for under HTTPS (ie requires login).
Related
I'm trying to reach a Spring Boot API hosted on a server with my Angular application, but I have some CORS issues.
CORS Error in the console
Redirection Flow
I tried several things, I added my URLs in both keycloak and Spring, and I think I found the origin of the problem but can't seems to resolve it.
I believe the problem comes from the fact that keycloak redirects to http://user-service.cubetech-app.fr/sso/login instead of the HTTPS version of that url. I read that when the browser detect a redirection on a different hostname it change the Origin header to null, and I think this is what creates the CORS error.
I don't know how to force HTTPS on the internal redirection.
For further informations, my spring backend and my keycloak server are hosted on my VPS, in a docker, and behind a traefik reverse-proxy that enables HTTPS with Let's Encrypt.
Check the webOrigins value of the client you use in Keycloak.
Realm settings-> clients -> {your client}
In my Controller, which is build with using spring-boot, I've enable CORS only for my server and localhost whit this annotation:
#CrossOrigin(origins = {"http://localhost:8080", "https://www.somepage.com"}, maxAge = 3600)
This is working fine. But now I'm not sure, if it's also needed, to add basic authentication for the REST API. As far as I understood, the only call the REST API is accepting now, is my own server and localhost, and that's why, I think it's not needed. But I was not able to figure out, if this is a bad practice or not.
Do You recommend to use basic auth too for the REST API even when CORS is enabled?
No.
The Same Origin Policy is a feature built into browsers that prevents an attacker's JavaScript running on the attacker's website from reading the response to an HTTP request from the victim's browser to the targetted website.
This stops the attacker from stealing data from the targetted website using the credentials belonging to the victim.
(To some degree. There are other kinds of attacks.)
CORS is a tool that relaxes this rule so that when you to allow another site to access that data (either using the user's credentials or because it is just public data), it can.
Note that I said "a feature built into browsers". It isn't built into other tools.
An attacker can still make HTTP requests with their code, or tools like Postman and curl, or their own web browser.
Neither the Same Origin Policy nor CORS are substitutes for authentication and authorization.
CORS is a mechanism implemented in browsers and it will not prevent me to access your API with curl. Therefore, secure your API if you need it to stay secure.
We are using Okta Customer Identity with our application. The challenge with our architecture is that each user gets their own server and subdomain, which is a little weird for Okta, because each redirect URL needs to be provided as part of the application configuration. As we add new users, the list of redirect URLs continues to grow, one per user machine. Their API is not really designed for this, so we have to write the complete list of redirect URLs with every change.
We would like to find a way to use a proxy for the Okta authentication, so that we can just have a single redirect URL for the Okta application configuration. But we're using https://github.com/okta/okta-spring-boot, and we're not really sure how to make it work with a proxy.
If we set up an HTTP proxy using -Dhttp.proxyHost=my.proxy.host -Dhttp.proxyPort=8080, that's going to affect all HTTP traffic, which is not acceptable.
Is there a way we can use an HTTP proxy purely for the Okta auth only, leaving all other HTTP traffic unproxied?
Is there something we can do with the Okta Spring Boot library that would make it possible for all user machines to share a common proxy machine?
The final alternative would be to write some "active" proxy code that runs on the proxy which handles the requests and forwards them on to Okta. It would have to introspect the Okta response and pass it back to the right user machine.
Is there a way to do #1?
Failing that, is there a way to do #2?
If neither of those are possible, are you aware of an existing implementation of #3?
i am currently building a security solution in spring cloud microservices.
when combining springs OAuth2 and Zuul implementation, it is quite easy to build an authenticationprocess like:
user calls the ui, which knows initially: user is not authenticated
redirect to auth server to ask the user for his login creds
redirects him back to the ui, providing a code or token.
I would prefer a flow with password authentication flow, in a way where the auth server is behind zuul
For example:
1.2.3.4:8080 is Zuul (with a UI with angularJS), domain "example.com"
1.2.3.5:9000 is the Auth Server
I could configure the zuul in a way, to access 1.2.3.5:9000 directly, passing form fields AND basic authentication to pass the client id.
since the auth server registers itself to eureka, I could also use "example.com/auth_server", which is the same, but managed through zuul. Alternatively I could also configure it manually....nevertheless:
Password authentication does not work, since Zuul is removing the basic authentication header from call....
at this point, I see I am doing something wrong...because the edge serve COULD have it's own security solution and tunneling the basic authentication to auth may be not the best way....but
HOW can I manage password authentication with ouath2 through zuul?
Please Help :)
By default "Cookie", "Set-Cookie", "Authorization" are marked as sensitive headers on a route and are not forwarded. Setting zuul.routes.myroute.sensitiveHeaders='' should allow you to pass those headers through, though I'm not sure it's the best idea.
The problem was a late working session in the evening :)
The component making the request didn't send the authorization since some updates which led to no headers ever reached the edge server.
Obviously, everything works as intended if basic or bearer authorization headers are passed over
I have a problem related to subdomain and https request.
I am trying to route from http to https where my http address is subdomain.domain.com and https address is domain.com/subdomain. But the problem is when i switched from http to https i loose my session variables.
How can i persist my session variables in both http and https requests.
Thank you.
The session is probably tracked by a cookie.
Cookies have a domain associated with them, in this case this would be "subdomain.domain.com". For a different domain, even if it is the parent domain, the cookie will not be provided by the web browser.
I think there are ways to make a cookie valid for all subdomains under a given domain, but you have to look into the documentation of the software you are using for that.
For any more information, we really need more detail about what software you are using to keep this session. Standard PHP sessions? Or something else?