grails spring security rest plugin - spring

I'm trying restful spring security rest plugin from https://github.com/dmahapatro/grails-spring-security-rest-sample.git
I upgrade grails to 2.3.7 and spring security rest to 1.3.4. And all running smoothly.
I'm using postman for testing the rest login.
url: http://localhost:8080/grails-spring-security-rest-sample/api/login
form-data: username = user, password = pass
But there's always return error code 400 Bad Request.
Is there something wrong with the config or test?
Thanks,
Didin

This is a POST request with content-type as application/json. Refer dev tool again during the call to /api/login, it should be clear.
This is driven by a setting provided by the plugin as below:
grails.plugin.springsecurity.rest.login.useJsonCredentials = true
If you wish to pass it as url param then switch the above off (in the app). By default setting is to use request url parameter as:
//default is true
grails.plugin.springsecurity.rest.login.useRequestParamsCredentials = true
In that case the request could look like:
http://localhost:8080/grails-spring-security-rest-sample/api/login?username=user&password=pass
Parameter name for username and password can also be customized by these settings:
grails.plugin.springsecurity.rest.login.usernameParameter=customusername
grails.plugin.springsecurity.rest.login.passwordParameter=custompassword

Related

Regexmatcher / Antmatcher for url with request param

In Spring, you can configure endpoints to be accessible without the need for authentication.
You can do this via WebIgnoring method or via the configure method and using permitAll(). The problem is for my registration form I have following request url:
http://localhost:9090/users?username=
the username is limited to the regex "^[^-\\s][\\w]{1,19}$". Does anyone know how to make that url anonymous for Spring using an antMatcher or a regexMatcher?

How to make spring webclient follow redirect with access token/authorization header?

We are using spring boot 2.4.5 with webflux and calling a service with client credentials grant type. What we noticed is that webclient is not following redirects.
How can we enable webclient to follow redirects where it can continue passing access token until it get the http 200?
Adding following code snippet does not pass the access token to redirected url and it is returning 401.
WebClient.builder()
.clientConnector(new ReactorClientHttpConnector(
HttpClient.create().followRedirect(true)
))
The sensitive headers like the Authorization are removed from the initialized request when redirecting to a different domain.
You can use the following variant of followRedirect(boolean):
followRedirect(boolean followRedirect, Consumer<HttpClientRequest> redirectRequestConsumer)
In order to re-add the Authorization header using redirectRequestConsumer.
For more details see the Javadoc here and Reactor Netty documentation here.

How to disable auto login redirect in Spring Boot Keycloak Adapter

I am writing an API in Spring Boot that I want to secure using Keycloak.
After doing some setting up, I managed to get the keycloak adapter to work. While I was expecting a 403 on any non-authenticated request, I get an HTTP 302 redirect to login page instead.
As I am working on an API, how can I disable the auto login-redirect and provide a 403 error message, so that I could add some frontend logic to start on the login process?
In your config, you do
http.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
It will start returning 403 on every failed call and you can then catch it and whatever logic you need.
You need to add the propery keycloak.bearer-only: true in the application.properties or application.yml to avoid redirect to login page when there is one error
You will get one 401 error

404 when do logout in Spring Security Rest Plugin for Grails

I'm setting the security system on my project (Grails - Angularjs) with Spring Security Rest Plugin v1.5.4 (using spring security core 2.0.0) for Grails 2.4.4. Doc about this plugin can be found here.
I'm testing the login and logout with postman chrome rest client and I'm able to do a login OK, but I'm getting a 404 when I do logout.
In the documentation clearly says:
The logout filter exposes an endpoint for deleting tokens. It will
read the token from an HTTP header. If found, will delete it from the
storage, sending a 200 response. Otherwise, it will send a 404
response
You can configure it in Config.groovy using this properties:
Config key...................................................................................Default
value
grails.plugin.springsecurity.rest.logout.endpointUrl....................../api/logout
grails.plugin.springsecurity.rest.token.validation.headerName....X-Auth-Token
So, after doing a login successfully, I tried to do a logout to that url (my_host_url/api/logout) with a GET method and sending a header X-Auth-Token with the token I got previously from login.
But I keep getting a 404. See image below
Edit: I'm setting the chain map like this (in order to get a stateless behavior):
grails.plugin.springsecurity.filterChain.chainMap = [
'/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter', // Stateless chain
'/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter' // Traditional chain
]
So. What am I doing wrong here, or what am I missing?
Thanks in advance!
You missed another excerpt from the docs. It's a warning message literally before the chunk you quoted, and says:
Logout is not possible when using JWT tokens (the default strategy), as no state is kept in the server.
If you still want to have logout, you can provide your own implementation by creating a subclass of JwtTokenStorageService and overriding the methods storeToken and removeToken. Then, register your implementation in resources.groovy as tokenStorageService.

How to send POST requests to a Spring Boot REST API using Postman form-data?

I'm trying a very simple Spring Boot + MySql app using STS: https://github.com/acenelio/person01
Posting a new Person using raw body works fine. However, when trying to post using form-data, I get either a 400 HttpMessageNotReadableException or 415 HttpMediaTypeNotSupportedException error, depending on which Content-type I set on Headers.
I provided some Postman printscreens here: https://sites.google.com/site/stackoverflownelioalves/arqs
What am I missing? I'm kinda new on Postman and Spring Boot. Thanks.
You can use the #RequestBody annotation:
#RequestMapping("/addInvestorProfile")
public #ResponseBody Boolean addInvestorProfile(#RequestBody() InvestorProfile profile
, #RequestParam(value = "sessionId") String sessionId)
{
.... your content
return true;
}
I am not sure which version of your spring boot. First of all, almost all spring mvc or spring boot controller method will accept all request content-type when you are not add consumer param to #RequestMapping annotation. So, maybe there is some wrong usage of postman.And I am work with spring boot & postman well.
try to compare postman behavior by copy request to curl
Usually post a request use curl looks like:
curl -XPOST UrlOfYourSpringBootEndPoint -d'body of your post'
more detail of curl here.

Resources