André Ananias Barreto
@andre.barreto_gitlab
@Bean
public ResourceServerTokenServices tokenService() {
    // Validates opaque access tokens by calling the admin auth server's /check_token endpoint
    RemoteTokenServices tokenServices = new RemoteTokenServices();
    tokenServices.setClientId("adminapp");
    tokenServices.setClientSecret("password");
    tokenServices.setCheckTokenEndpointUrl(authEndpoint + "/uaa-admin/oauth/check_token");
    return tokenServices;
}
The point is, now I'm gonna have two authentication microservices
@PostMapping()
@ResponseStatus(HttpStatus.CREATED)
// Method-level check: caller must hold role_admin or role_user
@PreAuthorize("hasAnyAuthority('role_admin', 'role_user')")
User create(@RequestBody User user) {
    return this.userService.create(user);
}
I don't know if only adding a role to the controller is enough, like up there.
I also don't know how to create both beans and direct the correct roles to the correct service bean (role_admin check with the admin auth service, role_user check with the user auth service).
Marcos Barbero
@marcosbarbero
Let me take a step back and ask you, why do you need two auth servers?
André Ananias Barreto
@andre.barreto_gitlab
Since it is a microservice architecture, we've made two protection services, one for authenticating admin roles and the other for the users, because they have different user structures and databases.
majiedahamed
@majiedahamed
Hi... How can I use an OAuth2 access token (opaque), received by doing an HTTP call (client id, secret, user, pass as params) to an OAuth2 server (password grant), for authenticating in Spring Security (for setting the SecurityContext)?
majiedahamed
@majiedahamed
I am trying to do an external integration with my Spring Security OAuth2-based application https://i.stack.imgur.com/hVv8E.png
Please let me know if the approach is right?
muhmadtabrez
@muhmadtabrez
@marcosbarbero Is there a way to allow token authentication for endpoints in an application which uses @EnableOAuth2Sso?
I have seen that with @EnableOAuth2Sso the Zuul WebSecurityConfigurerAdapter is unable to pass the access token to the downstream API, even if I send the proper Authorization header.
Marcos Barbero
@marcosbarbero
@muhmadtabrez follow up on #spring-cloud channel as it's also related to Zuul
Marcos Barbero
@marcosbarbero
Hi @muhmadtabrez I think you have some misunderstandings. What are Client A and Client B? Are they completely different applications consuming the API through Zuul?
majiedahamed
@majiedahamed
@marcosbarbero They are different applications, one gets the token, another uses the token.
Marcos Barbero
@marcosbarbero
How do you exchange the token between them? Why do you have this setup where one application requests the token while another one uses it?
@majiedahamed
majiedahamed
@majiedahamed
@marcosbarbero Thanks. I have two cases to integrate: 1) a legacy system where it does plain DB authentication and I cannot think of any protocol support, even SSO; 2) a mobile app, for which I believe an OAuth2 token can be stored and, when needed, can request a refresh token.
Marcos Barbero
@marcosbarbero
@majiedahamed Thanks for the update but I'm still not that sure how you are going to exchange the token. You mentioned storing the token in the mobile app and using the refresh token; do you mean store the token within the app and use it whenever it's necessary? If that's the case I strongly advise you not to,
it's a really big security breach.
majiedahamed
@majiedahamed
@marcosbarbero you are right! But my mobile app dev scripting framework does not provide me any OAuth2 plugins. I can only think of encrypting the tokens while storing them. Please suggest other options to move ahead for the mobile app.
Marcos Barbero
@marcosbarbero
It's basically just a matter of making HTTP requests; if you can handle it in your framework then you are good to go. You just need to choose the right grant type.
majiedahamed
@majiedahamed
@marcosbarbero For client-side, user-specific authentication I can use either the code grant or the password grant; both respond with an OAuth2 token... and once authenticated, the client needs to send the token in the request to the check_token endpoint to verify authorization for any resource access.
Marcos Barbero
@marcosbarbero
Hi @majiedahamed, good morning! So, you are correct about the grant types. I would say you can pick what works better for you; I would go for the username & password one in this case. About the /check_token endpoint part, it's not really necessary, you can skip it.
fschollmeyer
@fschollmeyer
Hi guys... I'm using a Zuul proxy to connect to an OAuth2 authorization server. Everything works fine, unless the refresh token is expired. In that case the Zuul filter OAuth2TokenRelayFilter throws a BadCredentialsException and this one is forwarded directly to the user. What would be the right place to go for redirecting the user to the login page instead?
fschollmeyer
@fschollmeyer
Also, after updating to spring-boot-2.1/spring-cloud-greenwich-RC2, the registeredRedirectUrl seems to match the whole path. So e.g. if my registeredRedirectUrl is https://localhost:9443/, then https://localhost:9443/login is not a valid redirect URL anymore. Is that on purpose?
That was not the case with spring-boot-2.0.6 and cloud finchley SR2.
fschollmeyer
@fschollmeyer
Hi... I have a server with server.use-forward-headers set to true... nonetheless, in LoginUrlAuthenticationEntryPoint useForward is set to false. Is this a bug?
Joris Schellekens
@jorisschellekens
Hi
Joris Schellekens
@jorisschellekens
I'm building an Alexa Skill. This requires me to build an OAuth Security Provider (so that, upon installing my skill, users get a login form and receive tokens they can use to talk to my endpoints). I have an LDAP server (hosted on AWS).
Are there any good examples that could help me?
Chris Overgaauw
@chrisovergaauw
I would like to print the bearer token received by my Spring application, as I am running into an issue where .hasAuthority(<some string>) always seems to fail and I keep getting 401 responses.
Does anyone know how to do this or how to debug this in general? Spring root and security logging are already at debug level.
Srinivas
@Sriniva63328880_twitter
Hi all
Ivan
@advancedwebdeveloper
who is interested to speak about security at http://devopsstage.com/ ?
Pedro
@pgardunoc_twitter
That would be interesting
Attoumane
@akuma8
Hi there, I am a bit confused about all security dependencies available to secure a cloud application. When should we use:
-org.springframework.cloud:spring-cloud-security:<version>?
-org.springframework.cloud:spring-cloud-starter-security:<version>?
-org.springframework.security.oauth:spring-security-oauth2:<version>?
-org.springframework.boot:spring-boot-starter-oauth2-client:<version>?
-org.springframework.boot:spring-boot-starter-oauth2-resource-server:<version>
Attoumane
@akuma8
I am currently migrating standalone Spring Boot applications to Spring Cloud and until now I used:
org.springframework.boot:spring-boot-starter-security:<version> and org.springframework.security.oauth:spring-security-oauth2:<version> to secure my applications. I have a central application dedicated to issuing access tokens, a Spring Cloud Gateway and other Spring Boot applications. The question is, which dependencies should I use in each case? Thanks a lot.
fschollmeyer
@fschollmeyer
Hi guys... I'm using spring-security-oauth2-client to log in via an OAuth2 server. My server supports strong authentication via attaching the desired acr_values to the authorization URI. Is there a way to set the acr_values? Or at least to modify the redirect URI to the authorization server manually?
Basavaraj K N
@rajiff
Hi, I am trying to implement an app with "Sign in with Google" functionality in a microservice env (Zuul, Eureka, Config Server). I'm confused about where to put my initial UI (which logs in and needs to be behind the API gateway). Should I be using "Spring Cloud Security" or "Spring Security"? Which of them is more recent?
PS: I am new to spring and java
naveenchirayath
@naveenchirayath
Hi, how do I secure the Eureka naming server? I have added Spring Security to the Eureka server, but during client registration I am getting "com.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server". I have set eureka.client.service-url.default-zone=http://username:password@localhost:8761, but it's not working.
miha-
@miha-
Hello, can someone help me understand this:
I need to sign and encrypt a SOAP request
https://docs.spring.io/spring-ws/site/reference/html/security.html
The XwsSecurityInterceptor will fire a SignatureKeyCallback to the registered handlers. Within Spring-WS, there is one class which handles this particular callback: the KeyStoreCallbackHandler.
The XwsSecurityInterceptor will fire an EncryptionKeyCallback to the registered handlers in order to retrieve the encryption information. Within Spring-WS, there is one class which handles this particular callback: the KeyStoreCallbackHandler.
So for this only the policy has to be added, other things are the same:

@Bean
public KeyStoreCallbackHandler callback() throws Exception {
    // One handler serves both the SignatureKeyCallback and the EncryptionKeyCallback:
    // the private key (alias "snet") comes from the key store, the peer certificate
    // used for key encryption is looked up in the trust store.
    KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
    callbackHandler.setPrivateKeyPassword("t_passwordo");
    callbackHandler.setDefaultAlias("snet");
    callbackHandler.setKeyStore(keyStoreFactoryBean());
    callbackHandler.setTrustStore(TrustFactoryBean());
    return callbackHandler;
}

Signature works OK,
but for encrypt I get:
2019-10-16 09:41:01.902 ERROR 21412 --- [nio-8080-exec-2] j.e.resource.xml.webservices.security : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate
thanks

Abdullah Al-ahmar
@aalahmar_gitlab
I wanna ask about Zuul as an OAuth2 client! Anybody has experience?
Attoumane
@akuma8
Hi there,
Is there a guide to migrate a Spring Security OAuth2 Authorization Server with a custom UserDetailsService to the new Spring Security 5.2 changes?
About Spring Security OAuth2 support, I think it would be nice to take into account the users' opinion before deciding to no longer provide Authorization Server support.
That decision was so brutal, we are not ready yet.
M G R
@grajuu
Hey there,
Is it good to configure security and gateway in the same microservice?
jerryniu
@geercode
@grajuu I don't think so. If you are creating an SSO or UAA service, you should take authorization and authentication as a system service.
M G R
@grajuu
Then how will security intercept the gateway?
I mean the gateway service is the first entry point for all microservices.
You mean the request flow will be gateway -> security -> microservice A and so on?
Basavaraj K N
@rajiff
How to support data-driven RBAC with Spring Security and a Zuul gateway?
Srini555
@Srini555
Hi
MichaelvdHeuvel
@MichaelvdHeuvel
Hello, I am working on an implementation of SAML 2.0 in our Spring Boot application and we were following a tutorial where it is stated that the SAMLProcessorImpl needs an HTTPPostBinding with a ParserPool from OpenSAML. However, the OpenSAML version of the tutorial is deprecated and I cannot seem to find a replacement. I noticed that the ParserPoolHolder has a static function for getting the pool, but when running the application it cannot access the object:

Error:(149, 60) java: cannot access org.opensaml.xml.parse.ParserPool
class file for org.opensaml.xml.parse.ParserPool not found

Can anyone take a look with me at how to make sure the parsing is implemented correctly?
nguyennv84
@nguyennv84
Hi, is there a way to propagate the Authentication details of a web request to the event listeners that receive events raised in that web request?
Dhruv
@iamdhrv
Hello everyone.
I am new here.