These are chat archives for spring-cloud/spring-cloud

22nd
May 2015
Leon Radley
@leon
May 22 2015 05:58
The fix was simple: instead of redirecting to /login, there is a new function added to the HttpServletRequest called authenticate that forces authentication for the current url, which makes Spring Cloud remember the current url. Yeeey!
Dave Syer
@dsyer
May 22 2015 06:45
Not sure what you mean by adding function (JavaScript?) to servlet request (Java). I'd be interested to understand though in case it's something generic that I missed.
Leon Radley
@leon
May 22 2015 07:17
@dsyer by forcing an authentication for the current request instead of redirecting, it worked, since that meant that ExceptionTranslationFilter saves the current request and not /login
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#authenticate(javax.servlet.http.HttpServletResponse)
Leon Radley
@leon
May 22 2015 12:41

I can’t get into the actuator endpoint when using @EnableOAuth2Resource. There seems to be an open issue with this
spring-cloud/spring-cloud-security#57

Either I need to get the basic auth working, or be able to specify a role for the user and use the authenticated user to decide if I can view the endpoints.

Can I disable basic auth, and have the actuator endpoints try to authenticate against the sso security?

Dave Syer
@dsyer
May 22 2015 12:46
You should be able to just set the filter order so the basic auth isn't used
But I haven't checked out that issue yet
Seems like you wouldn't care about the issue
Leon Radley
@leon
May 22 2015 12:50
It’s the same problem, though I might choose a different solution.
I cannot get into the actuator endpoints.
It would have been great if it had worked out of the box
But I’m not sure if the in-memory AuthenticationManager could act as a fallback for the resource server?
Dave Syer
@dsyer
May 22 2015 12:53
I'm not sure why you'd want that (or what it means precisely).
The comments in s-c-s suggest that we thought of this and tested it
I think the Pivotal Cloud Foundry services rely on it in fact
Leon Radley
@leon
May 22 2015 12:55
I would think so too, but I’m getting the same error as #57
the default spring security user isn’t getting added, because the @EnableOAuth2Resource is adding its own AuthenticationManager which overrides the default one
This is right according to the documentation.
But now that means that basic auth doesn’t have an AuthenticationManager that can handle the login
Dave Syer
@dsyer
May 22 2015 12:58
Why does @EnableOAuth2Resource add an AuthenticationManager?
Leon Radley
@leon
May 22 2015 12:59
Good question, I’ll check where it’s added
Leon Radley
@leon
May 22 2015 13:08
ResourceServerConfiguration.java

@Autowired
protected void init(AuthenticationManagerBuilder builder) {
    if (!builder.isConfigured()) {
        builder.authenticationProvider(new AnonymousAuthenticationProvider(
                "default"));
    }
}

The ResourceServerConfiguration has a dependency for authenticationManagerBuilder

The code not being called is

private static class SpringBootAuthenticationConfigurerAdapter extends
        GlobalAuthenticationConfigurerAdapter {

    private final SecurityProperties securityProperties;

    @Autowired
    public SpringBootAuthenticationConfigurerAdapter(
            SecurityProperties securityProperties) {
        this.securityProperties = securityProperties;
    }

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.apply(new DefaultInMemoryUserDetailsManagerConfigurer(
                this.securityProperties));
    }

}

I think the ResourceServerConfiguration needs to add the default manager with parentAuthenticationManager; that way it would fall back to the ones specified in the conf file
Dave Syer
@dsyer
May 22 2015 13:10
You want basic auth or oauth2 for your actuator endpoints?
it works with access tokens OOTB
Leon Radley
@leon
May 22 2015 13:12
The one it’s not working on is one which is both an SSO and resource server
maybe it’s the combination?
Dave Syer
@dsyer
May 22 2015 13:12
Yes, that's more likely
The "sso" sample in spring-cloud-samples also works fine (and has basic auth for actuator endpoints)
I don't think I ever tried an SSO + ResourceServer combo
Does it even make sense?
If it does and you can see a possible fix, that would be great. I'm busy today (adding s-c-security features to Spring Boot 1.3) so I won't have a lot of time to look
Leon Radley
@leon
May 22 2015 13:15
I’ll see what I can find. Good luck with 1.3 :)
Dave Syer
@dsyer
May 22 2015 13:34
How come all the oauth2 samples work then?
They all use Spring Boot. Maybe not 1.2.3.
Could be I need to look into that.
Leon Radley
@leon
May 22 2015 13:35
Not sure there
Leon Radley
@leon
May 22 2015 13:40
The ResourceServerConfiguration is being instantiated before the AuthenticationManagerConfiguration.
but I’m not sure yet why