My question might be confusing and I will try to make it clear as possible! We have a webserver(Apache), application server(Spring boot) and database server. I am implementing HTTPS for the rest API. SSL certificates are set to be in web server and the web server will redirect all requests to the Application Server.
My question is as I have added my SSL certificates in webserver, do I need to add anything to my application server? How do I make my spring boot application to accept only HTTPS request?
Thanks in advance
Related
Can someone explain how hosting works ? in my spring boot app there'ss embedded tomcat server. as I understand the spring app runs with tomcat, tomcat takes some port, 8080 for example, and listens to requests coming to that port (when deployed locally at least) localhost:8080. I can make requests from my front end app, which runs on localhost:3000 and tomcat will take the requests, find controllers mapped to the urls that front request is directed to "/user" or "/myposts" or whatever, that controller runs code, talks to db inserts data into response and tomcat sends it back to front end.
If I deploy my app to some hosting service, like Google cloud, does the spring app still run with tomcat ? in that case which port will tomcat run on, where would my front end send requests to ? to the subdomain that google cloud has set up for my project ? Where would i need to configure SSL/https ? Would my front end send secure requests to google subdomain over https endpoints and it would relay those requests to deployed spring app through http(unsecured, inside hosting server) ? Or how ?
One of the most straightforward way to do this is to spin up an instance, ssh into the that instance and run your spring boot app the same way you would run it on your machine. Everything works the same as it would on that cloud instance. Your spring boot app still runs within tomcat and it still listens to port 8080. The only difference is now the hostname is no longer localhost and it will be the DNS name of that instance. You can find the DNS name on the console.
You need to get a SSL certificate if you wanna enable https "natively" in your spring boot app. Alternatively, you can set up a load balancer or an API gateway in front of your cloud instance to do the SSL termination for you. In this case, your frontend will send request to the load balancer or API gateway instead of your spring boot app. They accept https requests and transform them to http request and send it to your spring boot app.
I'm creating an Authentication Server and which some of my existing applications can use to authenticate. I'm using the OAuth2 with Spring Boot by following this sample project and tutorial https://github.com/dynamind/spring-boot-security-oauth2-minimal.
But in my case my existing applications are built using Spring MVC and angular. So there is no separate Resource Server. Resources are also located in same application(Resources are my Secured Request Mappings in same application).I just want to separate the authentication process from my client applications and use a common Authorization Server. (Currently they use the Google Authentication + Spring Security to secure the application).
So I tried to use #EnableResourceServer and #EnableOAuth2Client in same application but I could not get the expected results.
What is the best way to achieve this task?? Is there any other method that I can follow to authenticate my applications from Oauth2 Server?
You need to configure your web security for form based login and Resource Server Security form REST Endpoints
See my answer to the similar question here
I've got a simple SPA Sprint Boot application - executable jar with embedded tomcat and looking to plug it into siteminder with preauthenticatedauthenticationprovider. Application is http://someserver:1234
Documentation states that a WebAgent is installed on a web server and that 'intercepts' requests. Would the WebAgent be deployed in a separate container? If so, how does it intercept requests? All documentation refers to this intercept, but doesn't state the mechanism.
Does it need to be deployed inside the same container to intercept requests? The only way I can think any http headers are intercepted is through proxies.
There are 2 ways to configure Web Agent.
1. Local Configuration
- Setup Agent in the sever where Applciaiton is hosted.
2. Centralized Configuration
- Setup Agent in the a web server like Apache and add proxy entries to the backend applications. this configuration intercepts each and every request going from the webagent server. I recommend this. if you have still questions drop here.
- Thanks,
Chiranjeevi
I work with proof of concept web application, and have to create login/password authentication. For now security is not a matter, but further in production it will be important. My first question: Should I already configure TomCAT with SSL certificate to work via HTTPS? Is this somehow affects servlet implementation? Can I just develop everything using http, and just switch to https on production?
I think web application should work with any HTTP or HTTPs and this depends only on servlet container (TomCAT) setup, but I am not sure. Now I work with Oracle manual with some changes, especially in sense of TomCAT 8 and annotations use.
Also, please note some parts of my application will use websocket protocol.
Thanks.
We have developed a web service in Java and have published the wsdl. This is done over http. Now we have to provide it over a secure connection i.e. https. The web service application is hosted on webspehere and we have the certificate used in websphere for https.
I am looking for the steps to update the java code and wsdl so that we can publish web service over https.
You should not need to update any Java code or WSDLs. This is all a function of the server configuration. The server is already listening on regular HTTP, presumably on port 80. A listener needs to be added for HTTPS, presumably on port 443 - and mapped to the same web context as your existing application.
Alternatively, this can be done outside of the web server (WebSphere, in your case) by fronting it with something like Apache HTTP Server or a dedicated load balancer that supports SSL/TLS offloading - which can be more efficient.
Since this really isn't a programming question, I'd recommend opening a new question at http://serverfault.com for details on how to configure WebSphere or something related to the configuration I proposed above.