I've been attempting to secure my GraphQL API with Spring Security and JWT tokens, I've followed along with this post but have had no sort of luck. I got a working version of authentication using contexts with GraphQLContext but for every mutation/query I need to add the same verbose auth check, where spring security annotations are far nicer.
I'm unable to even really test what I've done since GraphQL doesn't seem to like when i add #PreAuthorize("hasRole(\"USER\")") on a query resolver, so I'm unsure if GraphQL is compatible with spring security at this point.
I've attached the source code to a gist since there is a fair few classes, I'm just unsure if the approach I'm taking is the right one, but using annotations on authorised routes is far nicer.
Soruce Code:
https://gist.github.com/PHILLIPS71/9388afb2495152f875b48ae06b241348
Stacktrace:
Caused by: com.coxautodev.graphql.tools.ResolverError: No method found with any of the following signatures (in priority order):
com.sun.proxy.$Proxy73.users( [, graphql.schema.DataFetchingEnvironment])
com.sun.proxy.$Proxy73.getUsers( [, graphql.schema.DataFetchingEnvironment])
Related
I have a Java application using Spring Security 5.2.1 and secured by Keycloak.
The client in Keycloak is a public openid-connect client.
It works fine.
I have now a requirement to use PKCE (Proof Key for Code Exchange).
As Client Support for PKCE has been added to Spring Security 5.2.0.M2 and as I use Spring Security 5.2.1, I can use Spring Security to implement it.
That's the good news.
The 'bad' news is that I found nearly nothing on the Web or in the Spring Security documentation on how I must implement it, practically.
Adding "enable-pkce": true in keycloak.json doesn't work, and I don't find any clear example of what to do.
Is there some documentation, website or whatever else, describing what to do to implementsthis ?
Thank you very much !
From the Spring Security reference documentation https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#initiating-the-authorization-request
PKCE will automatically be used when the following conditions are true:
client-secret is omitted (or empty)
client-authentication-method is set to "none" (ClientAuthenticationMethod.NONE)
My company has asked me to do a small project in Java Spring and I have never programmed in Spring nor Java before, so I am a bit lost.
I have been asked to make a series of endpoints, seeing the documentation does not seem difficult, where I find the difficulty is that I always receive as input a JSON with several key-value pairs, and with that, I have to search in an Oracle database using Hibernate and return another JSON with other key-value pairs.
Example:
Input:
{
"client_id": 123,
"shop_id": 22,
"id_contract": 233
}
Output:
{ "loan": "70%"
"percentage_point": "80%"
}
My question is, should I do it through a POST method? Is the output a status 200? How do I get from JSON, for example, the client id to map it in the database with hibernate / Spring?
Any advice will be welcome, even if it is simply articles, etc.
Well what you have been asking is not for a specific problem.It is an entire requirement. I can try helping with the steps that you may need to follow.
If you are not done creating a project, I would suggest you to use Spring Boot for your project.To create a spring boot app click here
And if you are using maven or gradle select it and then search for Spring Web,Spring Data JPA in search dependencies and generate a project.
Once you have a project ready and imported it into an IDE (for example Eclipse, IntelliJ Idea, Netbeans or any other Java IDE), and finally all you have to do is to write REST services to implement your requirements.
And to answer your questions.
should I do it through a POST method?
If you were told that the request you will be receiving is in a JSON format, then you need to use POST method.
What is post and why to use post method.check here
Is the output a status 200?
A status 200 in http means SUCCESS. It means when the data sent by the client is valid and the server has processed the request(in your case JSON body) successfully it returns 200.So incase of success your api will return 200.
More on http status codes
How do I get from JSON, for example, the client id to map it in the database with hibernate / Spring?
To understand more on how to create a rest controller, take JSON input, create a POST method, use Spring JPA for making database operations please follow the links below:
create a rest service
spring boot crud Database operations example from scratch
Spring boot Data JPA example
Hope this will help you to put you in right path.
Without code or a more specific post about requirements it's impossible to help. All I can do is provide links to potentially helpful articles. You need to look into the following;
Spring Boot RESTful service
Spring Boot Controller vs RestController
Spring Boot JPA
Spring Boot Consuming/Producing JSON
I'm having trouble getting Spring Security to work in my Spring MVC app. It is configured correctly (I think) and I am fully expecting it to use the configured security filter on all requests. It isn't. My question isn't to make sure I'm configured correctly so I'm not going to post any code, I am only asking if there is a method or something I can call in one of my controllers that will return true or false signifying if Spring Security is actually enabled or not so I can know how to proceed debugging. Thanks!
In your case, you could use spring actuator.
This is module used for application monitoring. You can read more about it, in this blog post: http://www.baeldung.com/spring-boot-actuators
I'm attempting to integrate Spring's default access control list implementation into a Jersey contained Restful API. I successfully was able to implement Basic Authentication using the Spring Security Filter Chain and setting up an authentication manager in my securityContext.xml.
My problem in a nutshell is, after adding the acl-context.xml and making adjustments to other parts of the project, my project seems to not recognize the #pre and #post annotations. It doesn't throw an error, but it doesn't make queries to the database according to the mysql log. Is there something about the default implementation of Spring's ACL that relies on Spring MVC classes like #controller, #transactional, #resource, or #service?
Here is the repo with the code as it is now (I appologize for the extra classes laying about. It is a maven project.
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/tree/secure
web.xml:
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/blob/secure/src/main/webapp/WEB-INF/web.xml
webSecurityConfig.xml:
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/blob/secure/src/main/resources/webSecurityConfig.xml
acl-context.xml:
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/blob/secure/src/main/resources/acl-context.xml
pom.xml:
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/blob/secure/pom.xml
I'm sorry I would love to paste the .xmls here but I can't seem to get the formatting to work and its deleting characters. Please let me know if there is anything else I can do to clarify the situation. If I'm doing anything overtly stupid in regards to anything else, please let me know. I welcome the criticism. I'm the only person on our team working on network security and I don't have anyone here to give me feedback.
I have a SpringBoot application and deploying it in PCF where app is trying to connect Oracle 12c Database using PCF User Provided Services but it failing with this error Failed to determine a suitable driver class
build.gradle code:
and here are the configuration that I used in CUP service:
Service binding is happening properly. I can see the same details under VCAP_SERVICES in Environment Variables.
Error:
Short Answer: I think you want the uri to be oracle://... Strip off the jdbc: part. The Spring Autoreconfiguration code that gets injected by the Java buildpack will look at the prefix on the URI, so it needs oracle:// to know it's an Oracle link.
Long Answer: You probably don't want to depend on the injected Spring Autoreconfiguration. When it just works, it's great, but it can be difficult to understand what it's doing when it doesn't work.
It is better to use Spring Cloud Connector or even better, as all signs point to this replacing Spring Cloud Connector, use java-cfenv. For details on java-cfenv, see this blog post.
Spring Cloud Connector has the same issue I mentioned above as the Spring Autoreconfiguration, except that it will pretty clearly tell you when it doesn't recognize a bound service. Anyway, if you decide to use SCC, make sure you prefix the URI with oracle://.
If you use java-cfenv, it's more flexible so it's really up to you what properties and values you inject through the service.
Hope that helps!