<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.0.5.RELEASE</version>
</dependency>
I have created a spring-boot application purely severed as resource server.
#Configuration
#EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().permitAll();
}
}
In my configuration class, I did the above (allow everything, just for experiment purpose). However, it still seems that all requests come to this server got 401 unauthorised error. PermitAll() does not seem to work.
Am I missing something here?
Thanks.
Related
I recently upgraded my project from Vaadin 23.1 to 23.2 and also upgraded my Spring Security configuration class to extend VaadinWebSecurity.
My project also has a custom WebSocket endpoint that is exposed at a certain URL.
Before the change to VaadinWebSecurity it was working fine. However after upgrading, it is not reachable any more.
Instead, it seems I am getting connected to a Vaadin WebSocket.
Probably the new SecurityFilterChain is overwriting my config.
Message received after connecting:
for(;;);[{"meta":{"async":true,"sessionExpired":true}}]
Security Config
#EnableWebSecurity
#Configuration
public class SecurityConfiguration extends VaadinWebSecurity {
public static final String LOGOUT_URL = "/";
public static final String WEBSOCKET_URl = "/websocket";
//...
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(WEBSOCKET_URl)
.permitAll();
super.configure(http);
setLoginView(http, LoginView.class, LOGOUT_URL);
}
}
Sample WebSocket Handler
#Configuration
#EnableWebSocket
public class Websocket implements WebSocketConfigurer {
#Override
public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
registry
.addHandler(new WebSocketHandler() {
#Override
public void afterConnectionEstablished(WebSocketSession session) throws Exception {
session.sendMessage(new TextMessage("this is a response"));
}
// ...
}, SecurityConfiguration.WEBSOCKET_URl)
.setAllowedOriginPatterns("*");
}
}
I created a minimal example project based on start.vaadin.com.
It contains a sample WebSocket Handler.
sample-webscoket-vaadin.zip
Vaadin / Flow version: 23.2.1
Java version: 17
Can someone give me some advice how to get the WebSocket running again?
Atmosphere handler is intercepting the request. I've did some tests and security config is fine since the connection is established. After excluding Atmosphere dependency Spring WS handler works as expected.
It seems to be a bug in the Flow, I've created https://github.com/vaadin/flow/issues/14602
Exclusion workaround:
<dependency>
<groupId>com.vaadin</groupId>
<!-- Replace artifactId with vaadin-core to use only free components -->
<artifactId>vaadin</artifactId>
<exclusions>
<exclusion>
<groupId>com.vaadin.external.atmosphere</groupId>
<artifactId>atmosphere-runtime</artifactId>
</exclusion>
</exclusions>
</dependency>
I am trying to add swagger to my existing application. I have added the following dependencies :
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
<version>2.9.2</version>
</dependency>
Now the API /swagger-ui/ and /v2/api-docs is working fine. I am developing the application in REST API. The API's are working fine from POST man when i am sending JWT Token with them. They are not working in browser.
To make them working in browser, i have added the URL's in spring security permit all. But it is still not working in browser.
Spring Security Config:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers(
.............
"/v2/api-docs",
"/swagger-ui.html")
.permitAll().anyRequest().authenticated().and().addFilter(getAuthenticationFilter())
.addFilter(new AuthorizationFilter(authenticationManager())).sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().cors();
}
How can i make those API's public?
try using security config
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private static final String[] AUTH_WHITELIST = {
"/healthz"
};
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(AUTH_WHITELIST);
}
}
You need to make public more urls than just those two.
Springfox documentation states to allow the following urls
.antMatchers(
HttpMethod.GET,
"/v2/api-docs",
"/swagger-resources/**",
"/swagger-ui.html**",
"/webjars/**",
"favicon.ico"
).permitAll()
or to ignore them:
#Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(
"/v2/api-docs",
"/swagger-resources/**",
"/swagger-ui.html**",
"/webjars/**");
}
}
source: https://springfox.github.io/springfox/docs/current/
Even when I extend WebSecurityConfigurerAdapter class and override its methods: configure(HttpSecurity http) and configure(AuthenticationManagerBuilder auth) with custom users and roles and either add or remove #EnableWebSecurity annotation from this configuration concrete class, the default password is still getting generated and I cannot use http basic authentication with the custom credentials I declared inside configure() method.
I am always getting like below in the console:
Using generated security password: a2b4b374-65d2-4d20-a965-b34c00d44de9
turning off Spring Security by excluding SecurityAutoConfiguration.class is disabling the whole security which I don't want.
pom.xml
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.5.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
Security Configuration
#Configuration
#EnableWebSecurity
public class BookStoreSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin").password("{noop}password").roles("USER");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().antMatcher("/**").authorizeRequests().anyRequest().hasRole("USER").and().csrf().disable();
}
}
App Entry Point
#SpringBootApplication(scanBasePackages={"com.example.springbootsecurity.bookstore"})
public class BookStoreApp {
public static void main(String[] args) {
SpringApplication.run(BookStoreApp.class, args);
}
}
I expected that from postman I would be able to login through basic authentication of my custom credential: admin/password.
But I always get the default password at console and my declared user credentials don't ever work and always give 401 unauthorized http status
Please help me with the solution!
Iam developing a angular webapp which is connected to a java (spring framework) backend. Authentication is done via a keycloak server.
On my local machine with the embedded tomcat server the angular application and the spring application runs without errors.
For deployment i need to use the old fashioned way by using an existing tomcat server.
The angular frontend is available in the ROOT directory via http://myurl/
The spring backend is placed as war file and reachable via http://myurl/api/
Everything works on the server except the authentication part.
Angular app is able to login via redirect etc. and gets an access token.
This token is transmitted on a request to the spring backend.
But the backend return a not authorized message.
Any help is apriciated!
Message is:
Unable to authenticate using the Authorization header
I have created a SecurityConfig class:
#Configuration
#EnableWebSecurity
#ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
#Autowired
public void configureGlobal(
AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider
= keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(
new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
#Bean
public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
#Bean
#Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(
new SessionRegistryImpl());
}
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests()
.antMatchers("/*")
.authenticated()
.anyRequest()
.permitAll();
}
}
Added this line to the application properties
keycloak
keycloak.auth-server-url=https://authserver.net/auth
keycloak.realm=myRealm keycloak.bearer-only=true
keycloak.resource=myclient
keycloak.cors=true
And added this dependancies
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>1.5.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.keycloak.bom</groupId>
<artifactId>keycloak-adapter-bom</artifactId>
<version>3.3.0.Final</version>
<type>pom</type>
<scope>import</scope>
</dependency>
Disabling the csrf token solved this issue.
Example:
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.authorizeRequests()
http
.csrf()
.disable()
.authorizeRequests()
.antMatchers("/*")
.authenticated()
.anyRequest()
I'm trying to configure Spring Security + Vaadin4Spring together with my Vaadin 7 application.
I have following code:
pom.xml security related dependencies:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>1.1.6.RELEASE</version>
</dependency>
<dependency>
<groupId>org.vaadin.spring</groupId>
<artifactId>spring-vaadin-security</artifactId>
<version>0.0.3-SNAPSHOT</version>
</dependency>
My MainUI class definition:
#VaadinUI
public class MainUI extends UI {
and Application class
#PropertySource(value = "classpath:application.properties")
#EnableAutoConfiguration
#ComponentScan
#EnableGlobalMethodSecurity
public class Application extends GlobalMethodSecurityConfiguration {
public static void main(String[] args) throws Exception {
SpringApplication.run(Application.class, args);
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER")
.and()
.withUser("admin").password("password").roles("ADMIN");
}
}
Right now when I'm trying to access http://localhost:8080/ I have following error message:
HTTP ERROR 404
Problem accessing /error. Reason:Request was not handled by any registered handler.Powered by Jetty://
What I'm doing wrong ? Please help me, I'm stuck on this the second day Without Spring security my application works perfectly, but without security it's doesn't have a big sense.. Thanks!
Solved at the vaadin4spring github: https://github.com/peholmst/vaadin4spring/issues/78