Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security
Hello Team...
I am trying to make a starter library (for reactive microservices) for my organization where in I want to configure only the /actuator/**
endpoints. I managed to isolate the configuration into an auto-configuration library and am defining the securityWebFilterChain
bean where i am able to use a securityMatcher
and perform the filtering...
Further down the chain, when one of the microservices using this library wants to add their own authentication scheme (e.g JWT checking) to the path, they are now having to re-define the full bean including the actuator config to get the required results.
Is there a built in way of allowing for this customization and injection of additional securityMatchers downstream if a library does the init upstream?
@GetMapping("/browse/{videoCatalogType}")
@PreAuthorize("hasAnyRole(\"" + AuthoritiesConstants.ADMIN + "," + AuthoritiesConstants.CHALCHITRA + "," + AuthoritiesConstants.SUBSCRIBED + "\")")
I'm trying to enable spring security only on the actuator endpoints, and allow all other requests, regardless of auth scheme to pass into the app code (which handles security in it's own regard).
Right now this is what I have:
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
// NOTE: This will only add spring security to the actuator endpoints, all other endpoints will be handled
// by the JWT auth handling.
// https://stackoverflow.com/questions/38403740/authenticate-only-selected-rest-end-points-spring-boot
return http.authorizeExchange()
.pathMatchers("/actuator/**").authenticated()
.anyExchange().permitAll()
.and().httpBasic()
.and().csrf().disable()
.build()
}
@Bean
fun userDetailsService(): MapReactiveUserDetailsService {
return MapReactiveUserDetailsService(
User.withDefaultPasswordEncoder()
.username(actuatorAdminUsername)
.password(actuatorAdminPassword)
.roles("SUPERUSER")
.build()
)
}
This works to ensure that:
1) http basic auth can be used to access the actuator endpoints
2) any bearer request is passed through into the app code (which is what I want)
but doesn't allow an http basic auth request to pass through and be handled by my app code. I've tried a few different incantations to get it working as expected, but mostly get the current state or I get it to pass through http basic requests (at which case my auth on the actuator endpoints doesn't work). Any pointers?
@molexx How did you setup this? You need to create a custom AccessDeniedHandler
implementation and set it through HttpSecurity.exceptionHandling().accessDeniedHandler(myAccessDeniedHandler)
. Then you can implement handle
method as you wish.
For example:
response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
response.setStatus(HttpStatus.FORBIDDEN.value());
response.getWriter().write(objectMapper.writeValueAsString(responseBody));
Or, in your case, you can set content-type to text/plain
and write a String.
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
@reneschroeder0000
hi, what is the best way to mock an oauth2-openid connect server for my client? i would like to have something like a local test repository that doesnt need to query other services.
my current implementation is as follows:
@TestConfiguration class OAuth2TestConfiguration { @Bean fun getInMemoryReactiveClientRegistrationRepository( @Value("\${spring.security.oauth2.client.registration.foo.client-id}") clientId: String, @Value("\${spring.security.oauth2.client.registration.foo.client-secret}") clientSecret: String, @Value("\${foobar.token-uri}") tokenUri: String ): ReactiveClientRegistrationRepository { return InMemoryReactiveClientRegistrationRepository( ClientRegistration.withRegistrationId("foo") .tokenUri(tokenUri) .clientId(clientId) .clientSecret(clientSecret) .scope("doesnt matter here") .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS) .build() ) } @Bean fun getServerOAuth2AuthorizedClientRepository( @Autowired authorizedClientService: ReactiveOAuth2AuthorizedClientService ): AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository { val repo = AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(authorizedClientService) repo.setAnonymousAuthorizedClientRepository(UnAuthenticatedServerOAuth2AuthorizedClientRepository()) return repo } @Bean fun getInMemoryReactiveOAuth2AuthorizedClientService( @Autowired repository: ReactiveClientRegistrationRepository ): ReactiveOAuth2AuthorizedClientService = InMemoryReactiveOAuth2AuthorizedClientService(repository) @MockBean lateinit var jwtDecoder: ReactiveJwtDecoder }
and wiremock for the tokenUri:
{ "request": { "method": "POST", "url": "/token" }, "response": { "status": 200, "headers": { "Content-Type": "application/json" }, "jsonBody": { "access_token": "some token", "token_type": "Bearer" } } }
Have you guys found a way to do Unit Testing on either @OAuth2Client or @ResourceServer mode when using WebFlux? spring-security-test
examples (https://docs.spring.io/spring-security/site/docs/current/reference/html/test.html#test-method) only demonstrate how to mock Basic Auth.
If there's a RTFM link, I would appreciate it as well.
redirectUris
for a mobile application.window.location.origin
but It does not work. Any idea please. (I am using ionic 4 as front end client). For dev I set http://localhost:8100
and It works.