i am using spring remoting alongside spring security
I have 2 servers (let's call them "front" and "back")
The "front" server is exposed to the outside world and receives, along with the rest of the request, the "Authorization" header. However, i notice that when i use spring remoting to call the "back" that header is not copied. What do i do?
BTW, I haven't checked it yet but i am almost certain that it won't work for "JSESSIONID" as well.. what do i need to do in order to propagate these 2 headers?
If you are using Spring-Remoting, then spring-security-remoting to the rescue! This module contains several request factories and executors that enrich the requests with a security context.
For RMI: http://static.springsource.org/spring-security/site/apidocs/org/springframework/security/remoting/rmi/package-summary.html
For HTTP: http://static.springsource.org/spring-security/site/apidocs/org/springframework/security/remoting/httpinvoker/package-summary.html
Related
I am writing an Angular4 app with Spring Boot backend. I am using a SessionScoped bean to store the logged in user (I know this is not RESTful and stuff and I am ok with it for now) and RestControllers for the endpoints.
Logging in and querying data with Postman works nicely, but it does not work from my angular app, so I debugged it a little and saw that I get jsessionid-s in the response-headers, but they are not appended in the requests.
What might be the problem? How can I use Angular with Spring Boot and session scoped beans?
It depends on how your are calling the backend.
If you are using angular-cli and the proxying the calls to spring boot it should work out of the box since same domain requests always pass cookies.
This is the preferred way because usually this is how you then deploy it live using a nginx location block to get all /api/ calls go to spring and everything else to angular.
https://github.com/angular/angular-cli/blob/master/docs/documentation/stories/proxy.md
If you have the api on a different host you will need to pass withCredentials: true to all requests going to the backend to force the request to include the cookies.
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
this.http.post('http://localhost:3000/api/thing', { withCredentials: true }).subscribe()
We have developed a software proxy based on spring boot and zuul, that is meant to govern services within our integration layer. We do not own the systems consuming the various services, nor do we own the actual services themselves. The services are SOAP based webservices at present. We make use of pre, post , error and route filters. Validations are database driven, including which client is allowed to call what webservice. All service definitions reside in the database (request endpoint, request xsd, response xsd, which clients are allowed to invoke, etc.).
The aim now is to add hystrix commands to handle service failures, as well as a hystrix dashboard.
The standard way to use hystrix commands involves annotating service methods with javanica. Is there a way to dynamically declare/register hystrix commands for these webservices at runtime after reading the configurations from the database? The hystrix interception will need to happen based on the multiple webservice endpoints being invoked from a single point.
Hoping this is achievable ...if not, I would really appreciate any alternative proposals for how hystrix commands could be declared in this way.
Thanks!
You're saying that you are already using Spring Boot and Zuul. How are you mapping the routes? Through the url param? Then you'll have to enroll your own. But if you define the routes as ribbon services and pass the routes as ribbon servers as described in the documentation you will get Hystrix for free.
I am integrating an existing spring MVC web application with spring websockets. I was successfully able to integrate by following the instructions in
https://spring.io/guides/gs/messaging-stomp-websocket/
The existing web application has a filter, which sets a few of the attributes. I have a requirement to access the attributes set by the filter in the controller i,e in #MessageMapping method.
Could some one tel how can we access the request object in the #MessageMapping method?
When a STOMP client connects to the application, it first has to request a protocol upgrade to switch to websocket. Once using that websocket connection, the messages sent/received don't go through your regular Servlet filter - only the first HTTP request (the "Handshake") did.
Depending on your use case, there are several ways to achieve this.
If it's related to Authentication, then there are existing features for this in the Spring Framework, but also in Spring Security.
If it's related to the HTTP session, you can easily ask for all HTTP session attributes to be copied into the websocket session - or even customize the Handshake for your own needs (see reference doc). Once done, you can inject the Websocket scope in a #MessageMapping controller method and get those attributes (see reference doc).
I have a restful web service written using Spring WebMVC that will mostly be used to orchestrate other services. In some cases these services are on the same server, in some cases they are not. I have a few requests (GET and POST) that will be direct pass throughs to another service. Is there a way to blindly forward all GET and POST data from a request for certain URLs without knowing anything about the data in the request?
Ideally, I would like to be able to say all requests for http://server1/myService/user/... should forward to http://server2/user/... with all of the GET and POST parameters forwarded with it.
For the services on the same server, if they're being served by the same Spring MVC application, you could use RedirectViews and/or the "redirect:" prefix.
For those on another server, the best thing I can think of would be to use a servlet filter, similar to the approach suggested by this post: spring mvc redirect path and all children to another domain
My application exposes a RESTful API which when called calls out to a mailbox server and fetches data. I want to be able disable the service during application runtime in the event of some outage on the mailbox server. I wanted to do this in a way that the logic of deciding whether or not to call the mailbox server was abstracted from the actual code that calls the mailbox server. Two options which seem to fit this scenario are filters and interceptors however I'm looking for advice on which one best suits this requirement and what are the difference between each?
Thanks
If you are using Spring MVC then you can use an interceptor, which is like a filter but that has access to the Spring context. If you are using Jersey then you can't use interceptors.