remove keyManager bean in securityContext file? - spring

How can I remove the keyManager bean in securityContext.xml and the JKS file?
I don't really need it to generate the metadata of my Service Provider.
Thanks.

See Spring SAML manual chapter 8.1:
In case your application doesn't need to create digital signatures
and/or decrypt incoming messages, it is possible to use an empty
implementation of the keystore which doesn't require any JKS file -
org.springframework.security.saml.key.EmptyKeyManager.

Related

Spring-boot how to accept JWTs without an issuer field?

If a JWT is missing an issuer field, I'd like to fall back to a jwk-uri or jwk-key-set. What would I need to override in the Spring oauth2 libs, because failing on a missing issuer is the Spring default behavior?
An alternative would be to detect missing issuer field and inject that field with a string such as emptyIssuer... then I can define the appropriate issuer in application properties.
With Spring Boot, define just the spring.security.oauth2.resourceserver.jwt.jwk-set-uri property (and not spring.security.oauth2.resourceserver.jwt.issuer-uri).
The JWK set is enough for the decoder to validate the JWT signature.
If spring.security.oauth2.resourceserver.jwt.issuer-uri is set, then:
- the JWT decoder is configured to check the iss claim against the value in the conf
- Boot does its best to infer jwk-set-uri from the issuer-uri (and succeeds when the authorization server is OIDC compliant)

Enhance DataSourceProperties configuration bean with KMS provided secret

I want to set the password for the datasource programmatically and still use the auto-configuration of Spring GCP and Spring Data.
Background
I want to obtain my password as an encrypted blob and decrypt it via Google KMS. I read that the Spring GCP auto-configuration mutates the DataSourceProperties bean to apply GCP-specific configuration (https://docs.spring.io/spring-cloud-gcp/docs/1.0.0.RELEASE/reference/html/_spring_jdbc.html#_literal_datasource_literal_creation_flow).
Now I would like to mutate the DataSourceProperties Bean exposed by GcpCloudSqlAutoConfiguration once more.
Exposing the DataSourceProperties as follows does not work because GcpCloudSqlAutoConfiguration then doesn't know which Bean to take: the one configured by spring boot auto configuration or mine. But mine should be applied in the very last step of configuration.
@Bean
public DataSourceProperties dataSourceProperties(DataSourceProperties dataSourceProperties) {
    // overwrite only the password; keep everything the auto-configuration already set
    dataSourceProperties.setPassword(getDecryptedSecret());
    return dataSourceProperties;
}

private String getDecryptedSecret() {
    // get encrypted password and decrypt it
    return "myDecryptedPassword";
}
You should be able to provide your own bootstrap property source that contains a value for spring.datasource.password.
See: https://cloud.spring.io/spring-cloud-commons/multi/multi__spring_cloud_context_application_context_services.html#customizing-bootstrap-property-sources
Full answer is on project GitHub: https://github.com/spring-cloud/spring-cloud-gcp/issues/2330
Cloud KMS offers encrypting and decrypting data with a symmetric key[1] and/or an asymmetric key[2].
You can see DataSourceProperties[3] for more of the supported options for Spring Boot.
[1]-https://cloud.google.com/kms/docs/encrypt-decrypt
[2]-https://cloud.google.com/kms/docs/encrypt-decrypt-rsa
[3]-https://github.com/spring-projects/spring-boot/blob/v2.1.8.RELEASE/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/jdbc/DataSourceProperties.java
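As an added example that is not the question author's code and not part of spring-cloud-gcp, this is the bootstrap property source approach from the accepted answer carried through: a PropertySourceLocator that decrypts the blob with Cloud KMS and publishes spring.datasource.password before the auto-configuration reads it. The property names app.db.password-ciphertext and app.kms.key, the package, and the spring.factories registration are assumptions.

```java
// Added example, not the question author's code and not part of spring-cloud-gcp: a
// bootstrap PropertySourceLocator that decrypts a KMS-encrypted blob and publishes the
// plaintext as spring.datasource.password before auto-configuration reads it. Assumed
// properties: app.db.password-ciphertext (base64 KMS ciphertext) and app.kms.key (the full
// projects/.../cryptoKeys/... resource name). Registered in META-INF/spring.factories under
// org.springframework.cloud.bootstrap.BootstrapConfiguration.
package com.example.bootstrap;  // hypothetical package

import java.io.IOException;
import java.util.Base64;
import java.util.Collections;

import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.DecryptResponse;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.protobuf.ByteString;
import org.springframework.cloud.bootstrap.config.PropertySourceLocator;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertySource;

@Configuration
public class KmsPasswordPropertySourceLocator implements PropertySourceLocator {

    @Override
    public PropertySource<?> locate(Environment env) {
        String ciphertextB64 = env.getProperty("app.db.password-ciphertext");
        String keyName = env.getProperty("app.kms.key");
        if (ciphertextB64 == null || keyName == null) {
            return null;  // nothing to contribute; Spring Cloud skips null sources
        }
        // The bootstrap phase inserts this source ahead of application.yml, so the
        // decrypted value is what DataSourceProperties ends up bound to.
        return new MapPropertySource("kmsDatasourcePassword",
                Collections.<String, Object>singletonMap("spring.datasource.password", decrypt(keyName, ciphertextB64)));
    }

    private static String decrypt(String keyName, String ciphertextB64) {
        byte[] ciphertext = Base64.getDecoder().decode(ciphertextB64);
        try (KeyManagementServiceClient kms = KeyManagementServiceClient.create()) {
            DecryptResponse resp = kms.decrypt(CryptoKeyName.parse(keyName), ByteString.copyFrom(ciphertext));
            return resp.getPlaintext().toStringUtf8();
        } catch (IOException e) {
            throw new IllegalStateException("KMS decryption of the datasource password failed", e);
        }
    }
}
```

The plaintext only ever lives in the Environment, so nothing in application.yml or the repository holds the database password.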

How to use a service id in the keyUri used by a resources server to get the JWT verifier key?

I have an OAuth resource server secured with Spring cloud security.
The OAuth tokens that are used are JWT tokens, so the resource server needs a verifier key to be able to check the signature of the tokens.
In order to simplify configuration I would like the resource server to get the verifier key from the authorization provider (also a Spring Boot service, with an @EnableAuthorizationServer).
This works fine if I give the direct URL of the authorization provider (using spring.oauth2.resource.jwt.keyUri), for example http://ip_of_authorization_provider/oauth/token_key.
The problem is when I want to give a service-id instead of an IP or DNS name in that value, e.g. http://authorization-provider/oauth/token_key.
It seems to me the problem is in JwtTokenServicesConfiguration, on line 225 of this file, specifically:
private RestTemplate keyUriRestTemplate = new RestTemplate();
If the keyUriRestTemplate was autowired I could provide my own load-balanced rest template, or if there was a @ConditionalOnMissingBean(JwtAccessTokenConverter.class) on the jwtAccessTokenConverter method below I could also provide my own load-balanced logic.
Is there a way to do what I want without the ugly hack of recreating the whole ResourceServerTokenServicesConfiguration class in my app just to make this one small modification?
There is a simpler and cleaner solution:
Just ditch the auto-configuration made by spring-cloud-security and provide your own implementation of tokenServices that provides a JwtAccessTokenConverter whose key you have fetched with a LoadBalanced RestTemplate. Chances are you'll eventually want to provide other specifics in your configuration anyway...
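The answer's approach written out, as an added example that is not the question author's code: the spring-cloud-security auto-configuration is assumed excluded, the public key is fetched through a @LoadBalanced RestTemplate from the service-id URL named in the question, and the package name is hypothetical.

```java
// Added example, not the question author's code: replaces spring-cloud-security's
// auto-configured JWT token services with beans whose verifier key is fetched through a
// @LoadBalanced RestTemplate, so spring.oauth2.resource.jwt.keyUri may name a service id
// such as http://authorization-provider/oauth/token_key. Assumes the auto-configuration is excluded.
package com.example.resource;  // hypothetical package

import java.util.Map;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.client.loadbalancer.LoadBalanced;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.web.client.RestTemplate;

@Configuration
public class LoadBalancedJwtConfig {

    @Bean
    @LoadBalanced   // the client-side load balancer resolves "authorization-provider" to an instance
    public RestTemplate keyUriRestTemplate() {
        return new RestTemplate();
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter(
            @Value("${spring.oauth2.resource.jwt.keyUri}") String keyUri,
            RestTemplate keyUriRestTemplate) throws Exception {
        // /oauth/token_key answers {"alg": "...", "value": "-----BEGIN PUBLIC KEY-----..."}
        Map<?, ?> body = keyUriRestTemplate.getForObject(keyUri, Map.class);
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey((String) body.get("value"));  // public key only: this service never signs
        converter.afterPropertiesSet();  // fails fast at startup if the key cannot be parsed
        return converter;
    }

    @Bean
    public JwtTokenStore tokenStore(JwtAccessTokenConverter converter) {
        return new JwtTokenStore(converter);
    }

    @Bean
    public DefaultTokenServices tokenServices(JwtTokenStore tokenStore) {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore);
        return services;
    }
}
```

Because the key is fetched once at startup, a key rotation on the authorization server requires a restart of this resource server.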

How to use keystore in Websphere Liberty and in Java?

Maybe it is a dumb question, but I couldn't find an explanation by googling.
There are settings in the server.xml file of Websphere Liberty 8.5:
<keyStore id="sampleJKSKeyStore"
location="MyKeyStoreFile.jks"
type="JKS" password="myPassword" />
What can I do with this keystore? Can I, for example, programmatically save to it and load from it the PrivateKey / PublicKey which I create using the following code:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;

// Generate an RSA key pair (getInstance throws NoSuchAlgorithmException; 1024-bit RSA is below the 2048-bit minimum recommended today)
final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(1024);
final KeyPair key = keyGen.generateKeyPair();
final PrivateKey privateKey1 = key.getPrivate();
final PublicKey publicKey1 = key.getPublic();
Thank you in advance!
The keystore configuration essentially just tells the Liberty profile runtime where the keystore is and how to get certificates from it. It can then be associated with the httpEndpoint to store the certificates for https. There are other ways it is used by the Liberty runtime, but the usage is by the runtime, not for applications. If you would like to get application access to it you can raise a request for the product to be enhanced here.

CXF STS Usernametoken symmetric binding XML Signature verification has failed

Working with the CXF STS / STS client example, I followed the example at https://web-gmazza.rhcloud.com/blog/entry/cxf-sts-tutorial and my sample code is at https://github.com/sampleref/CXFSecurity for reference. On debugging I found the error below at the STS provider:
<<||2014-07-13 18:26:50,286||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.UsernameTokenProcessor:50||||>> Found UsernameToken list element
<<||2014-07-13 18:26:50,287||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.validate.UsernameTokenValidator:78||||>> UsernameToken user alice
<<||2014-07-13 18:26:50,287||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.validate.UsernameTokenValidator:79||||>> UsernameToken password type http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
<<||2014-07-13 18:26:50,287||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:115||||>> Found signature element
<<||2014-07-13 18:26:50,288||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:380||||>> Verify XML Signature
<<||2014-07-13 18:26:50,292||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:428||||>> XML Signature verification has failed
<<||2014-07-13 18:26:50,292||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:431||||>> Signature Validation check: false
Please provide some input; it's really important for me to get this working. I posted a more detailed error from the STS client at:
CXF STS client throws Request does not contain Security header/Response message does not contain WS-Addressing properties
The problem is that you are not supplying the password for the private key in the STS. So for example, adding the following to the StsPasswordCallbackHandler makes the decryption work:
x509Passwords.put("stskeyalias", "stskeypassword");
You also need to remove the BouncyCastle dependency from the STS pom.
Colm.
I think the issues https://issues.apache.org/jira/browse/CXF-5679 and https://issues.apache.org/jira/browse/CXF-5724 were creating problems. I used CXF version 3.0.0 and am able to get the SAML assertion now.
Thanks
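As an added example that is not the question's own StsPasswordCallbackHandler, a callback handler that covers both lookups the answer refers to: the UsernameToken password and the STS private-key password by alias. The aliases and passwords are constructed sample values; package names are WSS4J 1.x, matching the log above.

```java
// Added example, not the question's own StsPasswordCallbackHandler: a CallbackHandler that
// answers WSS4J's password callbacks for the UsernameToken and for the STS private key, the
// entry whose absence surfaced above as "XML Signature verification has failed". Package
// names are WSS4J 1.x (as in the log); WSS4J 2.x moves WSPasswordCallback to org.apache.wss4j.common.ext.
import java.io.IOException;
import java.util.Collections;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class StsPasswordCallbackHandler implements CallbackHandler {

    // Constructed sample credentials; a deployment loads these from configuration, not source.
    // "stskeyalias" must match the alias of the STS key in its keystore.
    private final Map<String, String> userPasswords = Collections.singletonMap("alice", "clarinet");
    private final Map<String, String> x509Passwords = Collections.singletonMap("stskeyalias", "stskeypassword");

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String password = lookup(pc.getIdentifier(), pc.getUsage());
            if (password != null) {
                pc.setPassword(password);
            }
        }
    }

    // SIGNATURE and DECRYPT callbacks ask for the keystore key password by alias; without it
    // WSS4J cannot load the private key. USERNAME_TOKEN callbacks ask for the user's password
    // so the validator can compare it with the PasswordText in the token.
    String lookup(String identifier, int usage) {
        switch (usage) {
            case WSPasswordCallback.SIGNATURE:
            case WSPasswordCallback.DECRYPT:
                return x509Passwords.get(identifier);
            case WSPasswordCallback.USERNAME_TOKEN:
                return userPasswords.get(identifier);
            default:
                return null;
        }
    }
}
```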
