These are chat archives for spring-cloud/spring-cloud

27th Dec 2018
muhmadtabrez
@muhmadtabrez
Dec 27 2018 05:18
@marcosbarbero I can see the request carrying the Authorization header,
but the subsequent request downstream to the UAA server /oauth/authorize will not have the Authorization header. I had commented out all the sensitiveHeaders part, but still it is not carrying the header.
Marcos Barbero
@marcosbarbero
Dec 27 2018 08:45
The sensitive headers part is fine, you need to add it, otherwise the Authorization header won’t be passed to the downstream server.
Do you have this project in a public repo?
muhmadtabrez
@muhmadtabrez
Dec 27 2018 08:48
I don't have the project in public, but I am referring to this project: https://github.com/rohitghatol/spring-boot-microservices
Here, instead of using authserver, I am using the Cloud Foundry UAA server.
Marcos Barbero
@marcosbarbero
Dec 27 2018 08:50
Ok, I’ll check it later
muhmadtabrez
@muhmadtabrez
Dec 27 2018 08:51
    security:
      user:
        password: none
      oauth2:
        client:
          accessTokenUri: http://${ENV_HOST_UAA}/uaa/oauth/token
          userAuthorizationUri: http://${ENV_HOST_UAA}/uaa/oauth/authorize
          clientId: client
          clientSecret: secret
          registered-redirect-uri: http://${ENV_HOST}/login
          pre-established-redirect-uri: http://${ENV_HOST}/login
          use-current-uri: false
        resource:
          jwt:
            keyValue: tokenKey
Here ENV_HOST_UAA is localhost:8081, where I am running the UAA authorization server.
@marcosbarbero is there any way to pass the Authorization header to the downstream UAA service, any hacks? Since this server is still in my setup.
Marcos Barbero
@marcosbarbero
Dec 27 2018 08:55
The sensitive headers config would do the trick, but as you are telling me it didn’t work.
muhmadtabrez
@muhmadtabrez
Dec 27 2018 09:18
@marcosbarbero any other workaround for this?
Marcos Barbero
@marcosbarbero
Dec 27 2018 09:24
Try to specify some values for the sensitiveHeaders instead of leaving it empty.
Idk, add Cookies as a sensitiveHeader.
muhmadtabrez
@muhmadtabrez
Dec 27 2018 10:50
@marcosbarbero I tried setting that but the result is the same.
muhmadtabrez
@muhmadtabrez
Dec 27 2018 11:52
@marcosbarbero to be precise, I am getting this exception:
Caused by: org.springframework.security.oauth2.common.exceptions.InvalidRequestException: Possible CSRF detected - state parameter was required but no state could be found
at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.getParametersForTokenRequest(AuthorizationCodeAccessTokenProvider.java:255) ~[spring-security-oauth2-2.0.13.RELEASE.jar:na]
at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:209) ~[spring-security-oauth2-2.0.13.RELEASE.jar:na]
at org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:221) ~[spring-security-oauth2-2.0.13.RELEASE.jar:na]
at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:173) ~[spring-security-oauth2-2.0.13.RELEASE.jar:na]
at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:105) ~[spring-security-oauth2-2.0.13.RELEASE.jar:na]
... 63 common frames omitted
Marcos Barbero
@marcosbarbero
Dec 27 2018 13:21
Let me see it.
Do you have CSRF disabled on ApiWesecurityConfiguration?
muhmadtabrez
@muhmadtabrez
Dec 27 2018 14:24
@marcosbarbero yes, I have disabled it.
muhmadtabrez
@muhmadtabrez
Dec 27 2018 14:31
    import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // Nested static configuration class; the enclosing class is not part of the snippet.
    @EnableOAuth2Sso
    @Configuration
    @Order(value = 1)
    public static class ApiWesecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                // Endpoints reachable without authentication
                .antMatchers("/**/*.html", "/login", "/core-employee/getAllEmployees",
                        "/core-employee/getTotalEmployeeTypes", "/core-location/getalllocation",
                        "/core-location/assignToParentLocation/{aps_org_group_id}/{locationname}",
                        "/super-admin/updateRecordNumber/{module}", "/super-admin/extauth",
                        "/super-admin/authrefresh")
                .permitAll()
                // Everything else requires an authenticated user
                .anyRequest().authenticated()
                .and().httpBasic()
                // logoutSuccessUrl() is configured through logout()
                .and().logout().logoutSuccessUrl("/uaa/logout.do")
                // Spring Security's CSRF filter is disabled here; the "state" check in the
                // exception above is enforced by the OAuth2 client, not by this filter
                .and().csrf().disable();
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            // /uaa/** bypasses the Spring Security filter chain entirely
            web.ignoring().antMatchers("/uaa/**");
        }
    }