We have a Java Dropwizard application that currently uses a custom authentication filter.
We need to add a new authentication filter that will be executed only if the old one fails.
Is there any way to register a filter as a fallback for another one?
Maybe something like
environment.servlets().addFilter("A").onFail("B") ?
Related
I am generating an app (frontend and backend) using the console command: jhipster. The app was generated with authorization. Then I was asked to completely remove the authorization.
I found that it is possible to generate a new application with the command: --skip-user-management. How do I remove authorization for an existing application?
Please take a look at https://stackoverflow.com/a/59212698/7773582 to understand how to remove authorization in an existing application. This is the case for an Angular frontend; unfortunately, I don't know where authorization is handled with reactjs as the frontend.
I resolved it using an anonymous user.
In SecurityConfiguration.class set permitAll() for all requests and remove beforeFilter().
In private-route.tsx set true for checkAuthorities() method.
I'm running a web application under Tomcat server. Different servlets are configured using Tomcat's web.xml.
I'm looking for a convenient way to restrict access to specific METHODS of specific URLS so that only these METHODS can be accessed using an Authorization header while others can be accessed without any restriction.
For instance, for URL http://localhost:8080/my/servlet1, GET and OPTIONS can be accessed by any user, while POST and PUT must be authorized with a username and a password, but for URL http://localhost:8080/my/servlet2, all methods are open.
How can I implement that?
Thanks
The lowest-level API that allows you to do all sorts of filtering based on the context of the HTTP request is the javax/servlet/Filter.
You implement a filter class that can restrict on the basis of HTTP method and any other criteria you choose. You register the filter in your web.xml and you add rules for which paths it is filtering.
Here is a walkthrough on applying such a filter.
If you happen to be using more than just a naked Tomcat for your application and you are using Spring Boot on top of it you could use their flavor of filters. This is an example for that case.
I am using Spring Cloud Brixton.M3 and Spring Boot 1.3.0.RELEASE. I am sort of new in this (especially in Spring Cloud). I have created Registry Server (i.e. Eureka instance), Config server and Gateway.
As per my requirement I am intercepting each request hitting the gateway in one of my Filters to extract the required information from the header, and based upon that I am throwing an exception or forwarding / verifying that request using Feign Client. Sometimes Hystrix throws HystrixRuntimeException when it couldn't reach out to the respective services or because of any other issues.
So what I want is:
Provide a default fallback method for every forwarding request, so that I can read and process it accordingly.
Global exception handling other than @ControllerAdvice, since I am not providing any custom @HystrixCommand and Controller to call services (AOP-based solution?).
Is it possible to intercept every failed request and retry it a certain number of times? Internally it might be happening, but can I override this functionality and handle each failed request, either because of TimedOutException or because of HttpConnectionPool exception?
Update
Is it a good practice to provide your own routing in the Zuul gateway, using @RestController and @HystrixCommand together? (I think it's a bad idea, because over time we will end up with lots of controllers and hence the actual use of intelligent routing wouldn't work as expected.)
Currently there is an open issue for fallbacks with feign. There is also an open issue for fallbacks with zuul.
I'm investigating a Spring Boot project generated by JHipster and found out that its request mappings aren't done via web.xml nor via Spring's @RequestMapping but like so:
ServletRegistration.Dynamic someServlet =
servletContext.addServlet("someServlet", new SomeServlet());
someServlet.addMapping("/someUrl");
someServlet.setAsyncSupported(true);
My questions are:
Are there any reasonable advantages of dynamic registration instead of classic mapping?
Is it spring-boot's standard of registering mappings or it's just a will of jhipster's owner?
Is someServlet.setAsyncSupported(true) just another way of making response.setHeader("Access-Control-Allow-Origin", "*")?
Are there any reasonable advantages of dynamic registration instead of classic mapping?
Dynamic servlet registration is the Servlet 3+ way of registering servlets. In Servlet 3 you can avoid creating web.xml and configure the application in pure Java. It gives you some advantages, like a compile-time check that everything is fine there and, what's more important, since you do it in Java code, you can do some additional checks or conditions - for example, register a particular servlet only if an environment property is set or a class is available on the classpath.
It's not a replacement for @RequestMapping. In the case of Spring Boot you will most probably use it when you want to register some 3rd party servlet - like the Dropwizard Metrics servlet in the case of JHipster.
Is it spring-boot's standard of registering mappings or it's just a will of jhipster's owner?
There are at least 2 ways of registering additional servlets in Spring Boot. See answers here: How can I register a secondary servlet with Spring Boot?.
Your own controllers you map as usual with @RequestMapping.
Is someServlet.setAsyncSupported(true) just another way of making response.setHeader("Access-Control-Allow-Origin", "*")?
Nope. For setting this header you usually use a CORSFilter (read more: Enabling Cross Origin Requests for a RESTful Web Service). The asyncSupported flag is used to make the servlet able to process requests asynchronously.
I'm creating a restful web service using Resteasy. One thing I need to do is to secure the service using a standard HTTP auth request. The tricky part is that the service is multi-tenant and needs to use one of the path parameters to determine the security realm.
There are a lot of articles typical of this link which describe setting up a single-tenant service. What I can't find is what to configure, and what interfaces to implement to describe my own security which is based on a path parameter + the username in the HTTP authentication method.
I envision that prior to calling any of the application logic, tomcat/resteasy would call a SecurityProvider (or whatever) interface with the HttpServletRequest and have me either throw a 401 or return a SecurityContext that gets passed to the JAX-RS handlers. In that routine, I would inspect the path parameters, and make a determination based on parameter+username+password given in the Basic/Digest/Form.
Is there any such beast?
I thought I'd update this since there's been little activity on this question.
It looks like there's no baked in feature to do what I envisioned, so instead I extended the RestEasy servlet and added the security checks in my override before passing control back to the stock RestEasy servlet.
Seems to work well.
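A sketch of the approach described in this post, as an added example that is not the poster's code: a subclass of RESTEasy's HttpServletDispatcher that takes the tenant from the first path segment, checks HTTP Basic credentials against that tenant, and only then hands over to the stock dispatch. The class name, the /{tenant}/... URL layout, the `verify` hook and the `tenant` request attribute are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher;

public abstract class TenantAuthDispatcher extends HttpServletDispatcher {
    // Assumed URL layout /{tenant}/...; the strict character set keeps the id safe to echo in a header.
    private static final Pattern TENANT = Pattern.compile("^/([A-Za-z0-9_-]{1,64})(?:/.*)?$");
    /** Hypothetical hook: check user and password against the given tenant's user store. */
    protected abstract boolean verify(String tenant, String user, String password);

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String path = req.getPathInfo(); // path after the servlet mapping, e.g. "/acme/orders/7"
        Matcher m = TENANT.matcher(path == null ? "" : path);
        if (!m.matches()) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String tenant = m.group(1);
        String[] cred = basicCredentials(req.getHeader("Authorization"));
        if (cred == null || !verify(tenant, cred[0], cred[1])) {
            res.setHeader("WWW-Authenticate", "Basic realm=\"" + tenant + "\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("tenant", tenant); // resources read the verified tenant from here
        super.service(req, res);            // hand over to the stock RESTEasy dispatch
    }

    // Returns {user, password}, or null when the header is absent or malformed.
    private static String[] basicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon < 1 ? null : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
    }
}
```

Resource methods should take the tenant from the request attribute set here rather than re-parsing the path, so the tenant that was authenticated and the tenant that is served cannot diverge.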