I am working with Spring Boot and I am using spring-data-rest-hal-browser, everything seems to be fine, except when i try to hit the URL: localhost:8080 I get redirected to http://localhost:8080/login to use the HAL browser to navigate my endpoint, then I get a screen requesting for a user and a password that I don't have.
What are the default credentials to login to spring security and how can I change them or disable the login option?
This is the dependency i am using:
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-rest-hal-browser</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
And this is the login screen:
Take a look at the console output after running your application. If you have no run-time exceptions, then you should easily find the credentials. By default the username is "user" and the password is always different and therefore generated from the system.
For more clarity, the login page comes with this dependency:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Also, if you want to set some values for the credentials, then go to application.properties file and add those two lines:
spring.security.user.name= your_username
spring.security.user.password= your_password
Default username is user
password can be found in the console when you run your application.
example:
Using generated security password: 18ea5687-bc63-4663-9377-e2817c9d2568
If you want to set them yourself you can do so by overriding the defaults in application.properties:
spring.security.user.name=stack
spring.security.user.password=overflow
Related
I have a service I want to access using Feign client. The problem is that it requires authorization using OAuth2, password (as said in the Authorize page of Swagger and flow: password is set).
In the Swagger page of the service I can get the access to the methods by simply clicking on the Authorize and inputing my login and password, choosing request body and leaving client_id and client_secret fields as they were default, but how do I do that using Feign client now?
I tried following this guide but it describes how to do it with grant type client_credentials so it didn't work for me, it was expectedly giving errors and not accesing the method of the service. I checked the api of the service just to be sure, grant type is in fact password. When sending a request it was doing it with "Bearer null".
feign.FeignException$Unauthorized: [401] during [GET] to [...] [TestFeignClient#req(String)]: [{"error":"invalid_token","error_description":"Cannot convert access token to JSON"}]
There's a lot of code I don't know about, so I tried to find another guide which will be about grant type password. I tried to follow this guide which suits my situation, but Maven gives me errors about these dependencies, so the code is all red too (I checked the source code of the guide which can be found here
to find the dependencies, it's in the customer package pom, on the branch with_database as the author said in the comments section):
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-feign</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-eureka</artifactId>
</dependency>
So my question is: how can I correctly implement OAuth2 password grant type with Feign client? Is there any actual guides on how to do it? Becasue I didn't find any except these 2 and they both didn't work out for me.
Grant type "password" would mean that your resource server sends userid and password to the authentication server (oauth 2 server). This would mean you would send data tied to an actual user of your application over the wire. This is not something you want do anymore and this grant type is deprecated.
When you say you input client id and client secret in swagger, you are actually using grant type "client credentials" and not grant type "password". The data you are sending "over the wire" identifies an application or client, hence CLIENT id and CLIENT secret.
The userid and password you are entering is not sent to the authorization server. It might be some kind of BASIC authentication you have in front of your swagger mask.
Stick to your Bealdung guide, its exactly what you want to do. Setup all the beans you can see under 4.2 and provide the needed configuration. Afterwards you should be able to autowire the configured feignclient bean and use it anywhere.
Solved, you need to add this dependency I didn't notice in order to not to specify versions of dependencies:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Edgware.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Or just specify versions of the dependencies (second guide).
I'm working with
Spring Boot 2.2.5
Thymeleaf 3.0.11
Thymeleaf Spring Security 5, 3.0.4 Release
I use the following dependencies in my pom.xml:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
Versions are recognized and the respective jars are included in my project. I also have added the extra namespace of Thymeleaf Security Module to my templates:
<html xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
I have implemented a role based authentication & authorization with Hibernate and MySQL and login / logout, which for my understanding works fine.
The sec:authentication tag of Thymeleaf Security Dialect works fine and also displays the correct roles. The sec:authorize tag seems to work as well when calling the method sec:authorize="isAuthenticated()".
However, I'm struggling when evaluating the role of a user in the templates, both using sec:authorize="hasRole('...')" or th:if="${#authorization.expression('hasRole(''...'')')}". I seems that the roles cannot be evaluated although they are correctly displayed using sec:authentication="principal.authorities".
I have summarized my approaches on a test page, displaying the following result:
Any clue where my bug or misunderstanding hides? Many thanks for your support in advance.
After some more research I figured out my issue. After adding the prefix ROLE_ to the role names (in the datasource), everything works fine.
I am developing the backend of an Angular + REST APIs application, the application needs some sort of session management (user is authenticated first using OTP then I need to keep track of any of his subsequent requests) ... I saw two examples for managing session with REST , first is using JWT + OAuth2 which I think is somehow over engineered as OAuth2 is not designed as I understand to be used within the same application (resource and authorization server are both within the same application) ... the other example uses redis and I can't introduce it to my current application ... actually what I need is something simple as storing the session in a static map-like structure that I always refer to (and moreover it would be nice to update the token with every client call to the backend, same like OAuth2 but simpler) ... I also checked the spring boot dependencies concerning sessions, all I found name external resource to be included like
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-jdbc</artifactId>
<version>2.0.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-hazelcast</artifactId>
<version>2.0.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-mongodb</artifactId>
<version>2.0.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-core</artifactId>
<version>2.0.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
<version>2.0.2.RELEASE</version>
</dependency>
And I have a restriction not to add any external caching dependency like hazelcast ... also for a jdbc-session management, it will really affect performance to go to database with every client call
Actuator "sensitive" endpoints secure since 1.5.x version, is it possible to specify user in properties or yml file and access these endpoints without adding spring security into project?
I know that there's property management.security.enabled can be set to false to expose endpoints, but want to keep them secure:)
Yes you can do it.
Just add the below lines in src/main/resources/application.properties file.
management.security.enabled=true
security.user.name=admin
security.user.password=admin1
management.security.roles=SUPERUSER
After this, add below dependency in your application pom.xml file.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Restart your application and try to access any sensetive actuator. You will be prompted to enter username and password. Enter the username and password that you configured in application.priperties.
After entering you will be able to access the sentive actuators.
Hope this helps.
Happy coding
I'm using spring-boot-security for basic authentication on my #RestController endpoints, as follows:
pom.xml:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
application.properties:
security.user.name=user
security.user.password=pass
Question: how can I disable the basic auth in development, and only enable it if a specific profile is active using startup parameter -Dspring.profiles.active=production.
I would like to move the properties above into application-production.properties. And in dev there should not be any auth on the endpoints.
From a security perspective you probably want to do the opposite. Enable security by default and disable when running with a dev profile. Which is actually pretty easy to do add an application-dev.properties (assuming your profile is named dev.
Add the following to the file
security.basic.enabled=false
And for dev start with the profile enabled.