I have a Spring Boot application which uses JWT for authorization. I have a basic understanding of OAuth and JWT but this application uses more things I'm not currently familiar with. So, in order to generate a JWT to use in this application, we execute a command similar to this:
java -jar jwt-bearer-token-acquirer-1.0.18.jar
--legacyVerifierKeyEndpoint https://example.com/oauth/token_key
--tokenEndpoint https://example.com/oauth/token
--issuer ABC123
--subject ABC123
--scope /myapp/myscope
--privateKeySignerFile C:\mykeyfile.jks
--jksKeyAlias ABC123
--jksKeyStorePassword myPassword
--jksKeyPassword myOtherPassword
Once we get a JWT with this command, we can make the API call and it returns the expected results.
So now I have been asked to look into auto-generating JWTs with ReadyAPI so our validators can run tests without manually generating tokens. After reading a lot of their documentation here https://support.smartbear.com/readyapi/docs/requests/auth/types/oauth2/generate-jwt.html?sbsearch=auto%20generate%20token I am still not able to understand what to do.
I was able to add the key store information but I'm not sure where or how to tell ReadyAPI to generate a complete JWT since I don't know where to put things like the verifier key endpoint or the token endpoint.
I would greatly appreciate any help.
Thank you all in advance.
You said:
...this application uses more things I'm not currently familiar with.
so you will probably not be able to use the default ReadyAPI mechanism to generate your JWT.
Start a test case and open the Setup tab.
In the setup you can use something like "command".execute() to run your command. See this SO Q&A for additional info. If you can get your developers to show you how to call your jwt-bearer-token-acquirer-1.0.18.jar from Java/Groovy, that would simplify this.
In the script, store the JWT token in something like def token = "command".execute().text.trim() (execute() returns a Process, so read its output with .text), and store the token in a test case property: testCase.setPropertyValue('token', token)
Start adding REST calls to your testcase. For each REST call you make you will have to Add custom headers: Authorization with value bearer ${#TestCase#token}. If you are feeling up to it, this can be simplified with custom Events.
In our Company we use BitBucket with our company URL: git.our-company.com
Now I want to create a new repository - automated by a Java application.
When I try to call the POST method I receive: XSRF Security Token Missing
I understand the basic concepts of CSRF (also called XSRF).
But what I am struggling with is how to read this CSRF token.
Where is it located / is there one place e.g. in a HEADER or hidden field?
Also, how do I pass the token? I saw code like this: post.addRequestHeader("X-CSRF-Token", csrf); which seems pretty easy.
As said the application is BitBucket.
I am generating an app(frontend and backend) using the console command: jhipster. The app was generated with authorization. Then I was asked to completely remove the authorization.
I found that it is possible to generate a new application with the option --skip-user-management, but how do I remove authorization from an existing application?
Please take a look at https://stackoverflow.com/a/59212698/7773582 to understand how to remove authorization in an existing application. This is the case for Angular-frontend, I unfortunately don't know where authorization is handled in reactjs as frontend.
I resolved it using an anonymous user.
In SecurityConfiguration.class set permitAll() for all requests and remove beforeFilter().
In private-route.tsx set true for checkAuthorities() method.
I've been attempting to secure my GraphQL API with Spring Security and JWT tokens, I've followed along with this post but have had no sort of luck. I got a working version of authentication using contexts with GraphQLContext but for every mutation/query I need to add the same verbose auth check, where spring security annotations are far nicer.
I'm unable to even really test what I've done since GraphQL doesn't seem to like it when I add @PreAuthorize("hasRole(\"USER\")") on a query resolver, so I'm unsure if GraphQL is compatible with Spring Security at this point.
I've attached the source code to a gist since there is a fair few classes, I'm just unsure if the approach I'm taking is the right one, but using annotations on authorised routes is far nicer.
Source Code:
https://gist.github.com/PHILLIPS71/9388afb2495152f875b48ae06b241348
Stacktrace:
Caused by: com.coxautodev.graphql.tools.ResolverError: No method found with any of the following signatures (in priority order):
com.sun.proxy.$Proxy73.users( [, graphql.schema.DataFetchingEnvironment])
com.sun.proxy.$Proxy73.getUsers( [, graphql.schema.DataFetchingEnvironment])
Last year I made JAX-WS client for a web service in this link
This web service uses an STS service to get a SAML token and uses it to access the main web service. I used wsdl2java from Apache CXF to generate the JAX-WS client for this web service. Everything was just fine.
Recently they have updated their STS service endpoint. This new STS service endpoint has a different signature and digest algorithm, and it has some extra elements in the request body.
I tried to modify the current code so that it supports the new STS service, but my code is sending the same RequestSecurityToken request. I mean it does not adapt to the new requirement. I tried to adapt it but I could not.
The new STS service requires http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 as the new signature method and http://www.w3.org/2001/04/xmlenc#sha256 as the new digest algorithm. Plus it requires the following element in the request body:
<tr:ActAs xmlns:tr="http://docs.oasis-open.org/ws-sx/ws-trust/200802">
    <v13:RelationshipToken xmlns:v13="http://vanguard.business.gov.au/2016/03" ID="1bc9a44e-dccd-49e2-8f29-40d7b1257325">
        <v13:Relationship v13:Type="OSPfor">
            <v13:Attribute v13:Name="SSID" v13:Value="1234567895"/>
        </v13:Relationship>
        <v13:FirstParty v13:Scheme="uri://abr.gov.au/ABN" v13:Value="27809366375"/>
        <v13:SecondParty v13:Scheme="uri://abr.gov.au/ABN" v13:Value="89567587874"/>
    </v13:RelationshipToken>
</tr:ActAs>
Plus there are minor differences here. I think I have two ways now:
If I can change the old code so the STS client sends the request with those values. I tried this and did not succeed.
They provide some code which supports fetching the SAML assertion token and proof token from the STS client. If I can put the SAML assertion token into my JAX-WS client directly then this problem is also solved.
Any help or suggestion would be appreciated.
The SHA-256 digest algorithm is normally set by using an AlgorithmSuite policy that requires it (e.g. Basic256Sha256). I see in the policy they are still using "Basic256" however. CXF allows you to configure RSA-SHA256 via some configuration properties (see for example 'ws-security.asymmetric.signature.algorithm' here http://cxf.apache.org/docs/ws-securitypolicy.html). You can set ActAs Object/Element on the STSClient directly.
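As an added illustration of that answer (not code from the question, nor from CXF's own docs or samples), the following Java helper builds a CXF STSClient, sets the 'ws-security.asymmetric.signature.algorithm' property to the RSA-SHA256 URI from the question, and attaches the question's ActAs element via setActAs(). The WSDL location, service/endpoint names, keystore properties file and signing alias are placeholders, and the two signature keystore property names are standard CXF keys taken from the CXF documentation rather than from this page.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.trust.STSClient;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class ActAsStsClientFactory {
    // Signature algorithm URI required by the new STS, as quoted in the question.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // The ActAs element from the question; the ID and ABN values are the question's sample values.
    static final String ACT_AS_XML =
        "<tr:ActAs xmlns:tr=\"http://docs.oasis-open.org/ws-sx/ws-trust/200802\">"
      + "<v13:RelationshipToken xmlns:v13=\"http://vanguard.business.gov.au/2016/03\""
      + " ID=\"1bc9a44e-dccd-49e2-8f29-40d7b1257325\">"
      + "<v13:Relationship v13:Type=\"OSPfor\">"
      + "<v13:Attribute v13:Name=\"SSID\" v13:Value=\"1234567895\"/></v13:Relationship>"
      + "<v13:FirstParty v13:Scheme=\"uri://abr.gov.au/ABN\" v13:Value=\"27809366375\"/>"
      + "<v13:SecondParty v13:Scheme=\"uri://abr.gov.au/ABN\" v13:Value=\"89567587874\"/>"
      + "</v13:RelationshipToken></tr:ActAs>";
    // Parse the fragment into the DOM Element that STSClient.setActAs() accepts.
    static Element parseActAs(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // If this fragment ever comes from configuration instead of a constant, a DOCTYPE with
        // external entities would be an XXE vector, so refuse DOCTYPEs outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    // stsWsdl, serviceQName, endpointQName, cryptoProps and signingAlias are placeholders for the caller's values.
    public static STSClient build(String stsWsdl, String serviceQName, String endpointQName,
                                  String cryptoProps, String signingAlias) throws Exception {
        STSClient sts = new STSClient(BusFactory.getThreadDefaultBus());
        sts.setWsdlLocation(stsWsdl);
        sts.setServiceName(serviceQName);    // "{namespace}LocalName" form
        sts.setEndpointName(endpointQName);
        Map<String, Object> props = new HashMap<>();
        // The property the answer points to: it overrides the RSA-SHA1 that the Basic256 suite would otherwise use.
        props.put("ws-security.asymmetric.signature.algorithm", RSA_SHA256);
        // Standard CXF keys for the signing keystore (from the CXF docs, not from this page).
        props.put("ws-security.signature.properties", cryptoProps);
        props.put("ws-security.signature.username", signingAlias);
        sts.setProperties(props);
        // The SHA-256 digest is not set here: as the answer says, it comes from the policy's AlgorithmSuite (Basic256Sha256).
        sts.setActAs(parseActAs(ACT_AS_XML));
        return sts;
    }
}
```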
I was receiving "An error occurred when verifying security for the message". Two changes that I had to make to resolve this while using Metro 2.3.1:
In the STS wsdl, I needed to mention the signature algorithm like this:
sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA"
In the USI wsdl, I needed to change the AlgorithmSuite to Basic256 from Basic256Sha256Rsa15.
I'm trying to get SSO up and running. So when I sign in on a different application (on the same auth0 domain) and go to the login page of my application I want my application to automatically log me in.
I managed to get the first parts running and I received an authorization code from auth0. But when I try to retrieve the tokens they are all null.
My redirectUri and clientSecret are correct and I assume the authorization code returned earlier is correct as well.
It seems as if the request doesn't return any tokens. They are all null.
Where do I start to find out what's going wrong? Thanks!
public Tokens getTokens(final String authorizationCode, final String redirectUri) {
    Validate.notNull(authorizationCode);
    Validate.notNull(redirectUri);
    System.out.println("Sending request with code to retrieve tokens.");
    // Exchange the authorization code (plus client secret) for tokens at the Auth0 token endpoint.
    final Credentials creds = authenticationAPIClient
            .token(authorizationCode, redirectUri)
            .setClientSecret(clientSecret)
            .execute();
    return new Tokens(creds.getIdToken(), creds.getAccessToken(), creds.getType(), creds.getRefreshToken());
}
If using the Auth0 Spring MVC Library (not Spring Security MVC), then the best place to stick a breakpoint would be at the top of the Callback Controller's handle method.
You can then step through / step in and inspect what is going on. This method calls getTokens and that delegates to Auth0ClientImpl, which is the code block you reference in the question.
Check that your ClientId, ClientSecret and Domain are all correct, and if your code is reaching this method, that the code / redirectURI being passed in are also correct. I would check the Auth0 logs from the Dashboard too, and determine whether any successful authentication events are recorded.
Finally, please can you confirm which version of auth0-java (Maven POM dependency / Gradle dependency) you are using, and which version of the auth0-spring-mvc library you are referencing.
For SSO-specific examples, plain Spring falls between two stools as I wrote one for plain Java and one for Spring Security MVC, but you should get a good idea of what is going on by studying these two samples:
Auth0 Servlet SSO Sample
Auth0 Spring Security SSO Sample
In particular, study the JSP pages since that is where the SSO checks and auto-login logic lives. Ensure too that you enable SSO on the Settings of each of your Clients defined in your Auth0 tenant.
Disclaimer: I am the author of the above libraries. Please leave me comments below if you still have problems and require any clarifications.