Spring Security: For testing an application I want to have SSL off the way
is https necessary for client-cert X.509 authentication?
Yes it is necessary. It is also extremely trivial to set it up. Please see:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/x509.html
22.3 Setting up SSL in Tomcat
There are some pre-generated certificates in the samples/certificate directory in the Spring Security project. You can use these to enable SSL for testing if you don't want to generate your own. The file server.jks contains the server certificate, private key and the issuing certificate authority certificate. There are also some client certificate files for the users from the sample applications. You can install these in your browser to enable SSL client authentication.
To run tomcat with SSL support, drop the server.jks file into the tomcat conf directory and add the following connector to the server.xml file
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="${catalina.home}/conf/server.jks"
keystoreType="JKS" keystorePass="password"
truststoreFile="${catalina.home}/conf/server.jks"
truststoreType="JKS" truststorePass="password"
/>
clientAuth can also be set to want if you still want SSL connections to succeed even if the client doesn't provide a certificate. Clients which don't present a certificate won't be able to access any objects secured by Spring Security unless you use a non-X.509 authentication mechanism, such as form authentication.
Related
I try a SAML connection to Azure B2C with a Spring application found on GitHub.
Every works fine until I run in local, but when I need to test this application in a production eviroment I found myself up against problems due to HTTPS connection.
My production enviroment is based on AWS, I'm running a ECS Tasks configured in reverse proxy. I'm using an Load Balancer with an HTTPS listener and an HTTP rule to redirect on HTTPS.
This application is based on Spring, (not Spring Boot) and builds a WAR file that I run on a Tomcat 7.
When I try the login, this application try an HTTP request that the ALB redirect to HTTPS, but this redirect invalidate my SAML workflow.
I try to add requires-channel="https" to any <security:intercept-url /> node in my securityContext.xml but when I try to access to the application online I've got a ERR_TOO_MANY_REDIRECTS
I need to configure tomcat and this application to request only HTTPS without the needs of any redirects but I don't now how
I finnaly found a solution in two steps.
First step: I modify my Tomcat configuration to works only in https.
In server.xml I added a connector to works with TLS
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/keystore.keystore"
keystoreType="JKS"
keystorePass="myStorePass"
keyPass="myPass" />
And then I removed redirect of 8080 to 443. Find the node Connector with protocol="HTTP/1.1" and remove it.
Second step: I modify Load Balancer to works only in HTTS with 443 port. To do this I had to create a new target group and a new service on my cluster.
Currently, I have my web application running on compute engine via a spring boot application. My website is ssl protected and it connects to my gcp load balancer. However, the connection between the load balancer and my spring boot application is http. How can I make this https as well? What are details that I need to provide. My application is deployed on a gcp compute vm.
Here are the steps I have followed :-
Generate a Self Signed cert (PKCS12 format) assuming you in development and testing phase else in PROD you will need a CA Signed or similar cert
Generate Key using your P12 cert and store it in to Key Store
Make your boot app enabled by setting the following properties
server.ssl.enabled=true
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:keystore/yourCertificate.p12
# The password used to generate the certificate
server.ssl.key-store-password=password
# The alias mapped to the certificate
server.ssl.key-alias=yourAlias
# The format used for the keystore.
server.ssl.key-store-type=PKCS12
These steps will help you make your Boot app HTTPS enabled.
I have two different spring boot application with SSL enabled in it and also there is an eureka discovery server and these two applications are linked to eureka server.I need to make some https call between these two SSL enabled applications. So I decided to go ahead with feign client .Eureka is able to resolve https url properly for feign client. But while making the call I'm getting "unable to find valid certification path to requested target". I can understand this error is because public key of my client application is not present in truststore of the application from which I'm making feign call. I have already added the public key in my custom truststore, But it is of no use.Property file for the same is below
server.ssl.enabled=true
server.ssl.key-store=classpath:springboot.p12
server.ssl.key-store-password= Pass#123
server.ssl.keyStoreType= PKCS12
server.ssl.keyAlias= springboot
server.ssl.trust-store=classpath:springboot.jks
server.ssl.trust-store-password=Pass#123
eureka.instance.nonSecurePortEnabled=false
eureka.instance.securePortEnabled=true
After digging more into the issue I found that "server.ssl.trust-store" property will set truststore in the embeded tomcat server of spring boot application, But some have my https call is taking default JDK truststore. When I added system properties in my application then everything is working fine. But with spring boot properties file configuration it is not working .
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
I feel setting system properties is an workaround and I'm looking for a better solution .
I even tried enabling ribbon client and added "ribbon.IsSecure=true" property also. But still getting the same issue.
Can someone please provide a suggestion for the same.
Thank you
I am trying to use sample application for inhouse adfs now, the difference is SSOCircle idp url is not http secured, whereas the adfs url I am configuring is https secured.
I have explained my approach here
Spring saml sample application with https idp url throws exception: No IDP was configured, please update included metadata with at least one IDP
Could you please look into the same and explain me the steps to make https url working?
Thanks
One thing you need to do is add the ssl certificate to your saml keystore.
You can get this ssl certificate a couple of ways. One way is to view the idP logon form in your browser, then export the certificate using browser functionality.
Spring also provide a utility program for extracting the ssl certificate. Check out this link...
http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#configuration-key-management-ssl-keys
I've made an implementation based on this with a FilesystemMetadataProvider: https://github.com/vdenotaris/spring-boot-security-saml-sample
To make the SSL handshake work for the artifact binding I had to put/trust the CA certificate for the IDP in the java keystore used by the keyManager.
I would rather have used the cacerts on the jre in case the IDP changed CA, but I haven't been able to find any property to set so that Spring SAML looks inside that instead.
Also this answer suggest that the cacert is ignored altogheter:
Spring Security SAML - HTTPS connections
Why is the cacert ignored in Spring SAML? This seems like a deficiency for me.
I have checked that the CA for the IDP is in the cacert file for my jre. If i remove the beans related to TLS/socket factory from the config it still fails.
Yes, cacerts is ignored. Spring SAML uses custom implementations for handling of trust, with an intention of providing more control over the system's security. You can always quite easily copy over all certificates from cacerts to samlKeystore.
Your custom certificate/JDK default certificate must have IDPs certicate imported as trust .
Your custom certificate used in JKS manager must have at-least one private key.
Please import your trust in JDK_PATH/jre/lib/securitycacerts and try the command wget <your_idp_descriptor_url>