I have two microservices, The first one is a web API, the another is a gateway.
I've already started both, but I cannot authenticate with no user. Neither admin or user.
When I try to log in, I receive this message on API server.
InsufficientAuthenticationException: Full authentication is required
to access this resource 2018-02-23 13:05:31.373 WARN 7144 --- [
XNIO-2 task-3] o.z.p.spring.web.advice.AdviceTrait :
Unauthorized: Full authentication is required to access this resource
Both microservices are with the default configuration of jhipster .
The gateway was created with --skip-server option.
I believe the problem is the server_api_url because all the calls to api is directed to port 9000 but the api is running on 8081.
I got this from Chrome Dev tools:
Request URL:http://localhost:9000/api/profile-info?cacheBuster=1519408025933
The :9000 is wrong the port must be 8081.
Where can I change that ?.
I have already change the webpack.common.js
SERVER_API_URL: 'http://localhost:8081/'
But nothing work.
Related
I am trying to setup SSO using Azure AD. Our aplication is a spring boot application deployed on Amazon ECS.
For this I have refered https://dummybot.medium.com/saml-integration-with-spring-boot-spring-security-microsoft-azure-ad-b9610bdb78b9, which uses Spring Security SAML2 with Spring Boot.
In our case the application exposes the port 8080 from docker container and doesn't have its own SSL configuration. We are using Amazon ELB as load balancer in which the SSL is configured and through the load balancer we can access the application https://our-domain.com
When testing application locally I am able to login successfully when https://localhost:8443/saml/sso is added as a reply Url in Azure AD.
When I add only the https://our-domain.com/saml/sso as reply URL and try logging in while executing application locally, I get this error:
correct http protocol and port in AD request
which is expected as we dont have https://localhost:8080/.. as white listed reply URL in Azure AD now.
But what I noticed here in the error message is https://localhost:8080/... doesn't match the reply URL, which is correct, but there is no change in HTTP protocol or port 8080 which I am trying to access.
But, When I try to access the application deployed on AWS ECS using https://our-domain.com, I am successfully redirected to login page, but there I get this error.
incorrect http protocol and port in AD request
Where I can see HTTP protocol has been changed from https to http and the port is passed in the request as 8443.
I could see only in our AWS ELB which has configuration for SSL certificate and has a HTTPS listener 8443, and I am suspecting it is due to this the incorrect reply URL is passed by the Spring Security in the Azure AD Authentication request.
Amazon ELB configuration
I have tried to find solution for this and found an issue reported in Spring-Security-Saml project at https://github.com/spring-projects/spring-security-saml/issues/447, which talks about SAMLContextProviderLB as the context provider bean.
More details in Spring-Security SAML Extension documentation: https://docs.spring.io/spring-security-saml/docs/1.0.x/reference/htmlsingle/#configuration-load-balancing
Although it is mentioned in the documentation for latest version of Spring-Security SAML Extension, I cant find this class, but it is available in older 1.0.x version of extension. Hence I am not able to use it.
Can someone please provide any pointers to fix this issue..
Thanks
i'm using keycloak (v. 10) for make authentication for existing spring (no boot library) application. I'am using the java-adapter from keycloak documentation i added the suggested configuration on my spring security config.
This is my keycloak.json file:
{
"realm": "cnp-server",
"auth-server-url": "http://localhost:8081/auth/",
"ssl-required": "external",
"resource": "cnpserver-client",
"public-client": true,
"confidential-port": 0
}
On this screen the configuration of keycloak client (is running on docker):
When i try to access to application, the browser make a redirection to:
http://localhost:8081/auth/realms/cnp-server/protocol/openid-connect/auth?response_type=code&client_id=cnpserver-client&redirect_uri=http%3A%2F%2Flocalhost%3A8088%2Fcnp_server_web_war%2Fsso%2Flogin&state=73ee7ebe-1949-4e94-9349-f3760f37bb4a&login=true&scope=openid
When i key the access credentials on prompt box, somethings going wrong; on Keycloak log:
WARN [org.keycloak.events] (default task-63) type=CODE_TO_TOKEN_ERROR, realmId=cnp-server, clientId=cnpserver-client, userId=null, ipAddress=192.168.32.1, error=invalid_code, grant_type=authorization_code, code_id=7972a766-f9be-4907-85a7-69e6d5d50cbf, client_auth_method=client-secret
On spring application log:
ERROR org.keycloak.adapters.OAuthRequestAuthenticator [OAuthRequestAuthenticator.java:337] - failed to turn code into token
ERROR org.keycloak.adapters.OAuthRequestAuthenticator [OAuthRequestAuthenticator.java:338] - status from server: 400
ERROR org.keycloak.adapters.OAuthRequestAuthenticator [OAuthRequestAuthenticator.java:340] - {"error":"invalid_grant","error_description":"Code not valid"}
It's seems similar to this topic, but i don't make any personal configuration on redirect-uri (and i don't know how i can change that).
Thanks
Has somebody succeeded in setting up OIDC connection to Keycloack in a Quarkus app deployed in a Kubernetes cluster ?
Could you clarify how does the connection-delay (and other related parameters) work ?
(Here is the documentation I tried to follow)
In our env (Quarkus 1.13.3.Final, Keycloak 12.0.4) we have such config:
quarkus.oidc.connection-delay: 6M
quarkus.oidc.connection-timeout: 30S
quarkus.oidc.tenant-id: testTenant-01
And these msgs appear in pod's log when it's being started:
2021-07-26 14:44:22,523 INFO [main] [OidcRecorder.java:264] -
Connecting to IDP for up to 180 times every 2 seconds
2021-07-26
14:44:24,142 DEBUG [vert.x-eventloop-thread-1]
[OidcRecorder.java:115] - 'testTenant-01' tenant initialization has failed:
'OpenId Connect Provider configuration metadata is not configured and
can not be discovered'. Access to resources protected by this tenant
will fail with HTTP 401.
(... following log comes later as the pod is running ...)
2021-07-27 06:11:54,261 DEBUG [vert.x-eventloop-thread-0]
[DefaultTenantConfigResolver.java:112] - Tenant 'null' is not
initialized
2021-07-27 06:11:54,262 ERROR
[vert.x-eventloop-thread-0] [QuarkusErrorHandler.java:101] - HTTP
Request to /q/health/live failed, error id:
89f83d1d-894c-4fed-9995-0d42d60cec17-2: io.quarkus.oidc.OIDCException:
Tenant configuration has not been resolved at
io.quarkus.oidc.runtime.OidcAuthenticationMechanism.resolve(OidcAuthenticationMechanism.java:61)
at
io.quarkus.oidc.runtime.OidcAuthenticationMechanism.authenticate(OidcAuthenticationMechanism.java:40)
at
io.quarkus.oidc.runtime.OidcAuthenticationMechanism_ClientProxy.authenticate(OidcAuthenticationMechanism_ClientProxy.zig:189)
at
io.quarkus.vertx.http.runtime.security.HttpAuthenticator.attemptAuthentication(HttpAuthenticator.java:100)
at
io.quarkus.vertx.http.runtime.security.HttpAuthenticator_ClientProxy.attemptAuthentication(HttpAuthenticator_ClientProxy.zig:157)
at
io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2.handle(HttpSecurityRecorder.java:101)
at
io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2.handle(HttpSecurityRecorder.java:51)
at
io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1038)
Questions:
Any way how to find out what metadata are missing ?
Can I somehow change the 2s period between connection attempts ?
Any relation between connection-delay and connection-timeout ?
It failed after cca 2s - does it mean that it fails immediately in the 1st attempt, or has it finished 180 attempts so fast ?
Does DefaultTenantConfigResolver get tenant from different resource than OidcRecorder in initialization, i.e. should tenant be configured at multiple places ?
Finally made it work. Caused by incorrect auth-server-url which is not clear at all from the log messages.
quarkus.oidc.client-id: my-app
quarkus.oidc.enabled: true
quarkus.oidc.connection-delay: 6M
quarkus.oidc.connection-timeout: 30S
quarkus.oidc.tenant-id: testTenant-01
quarkus.oidc.auth-server-url: ${keycloak.url}/auth/realms/${quarkus.oidc.tenant-id}
The URL format is emphasized in Quarkus doc: Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: https://host:port/auth/realms/{realm} where {realm} has to be replaced by the name of the Keycloak realm
There are 2 servers. The 1st one is production env and 2nd is my Websphere (Mock server). I have installed an application in Websphere which is not able to process the https/http request from the client server.
When the client configure to access the https (port 9443) to my mock server then I am getting the following error on request processing:
ERROR 13172876 --- [bContainer : 13]
c.i.w.s.c.impl.SSLHandshakeErrorTracker : SSLC0008E: Unable to
initialize SSL connection. Unauthorized access was denied or
security settings have expired. Exception is
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext
connection?
When the client configures http (port 9080), then I am getting the following error:
WARN 13172876 --- [ebContainer : 7] o.s.web.servlet.PageNotFound
: Request method 'GET' not supported
ERROR 13172876 --- [ebContainer :
7] o.s.boot.web.support.ErrorPageFilter : Cannot forward to error
page for request [/] as the response has already been committed. As a
result, the response may have the wrong status code. If your
application is running on WebSphere Application Server you may be able
to resolve this problem by setting
com.ibm.ws.webcontainer.invokeFlushAfterService to false
I have configured the WireMock application for service virtualization in my application. My application has 1 RestController which has 2 request methods(POST) and 1 class to configure/run wiremock service. I do not have any error when I test the application directly from Mock server. But when the client hits my server, I am getting the following error.
For https issue, the certificate may get expired which is configured # Application Server (Websphere) level.
For Http issue, there may be some other firewall or configuration which executes the request before it goes to server. Otherwise, it should create issue # your local setup as well.
I need to download a datastore from my appengine application. The application itself is written in JAVA and I've already activated remote API according to this instruction. Then I run appcfg.py and it asks me for log in details and I get the following result:
06:18 PM Downloading data records.
[INFO ] Logging to bulkloader-log-20131101.181851
[INFO ] Throttling transfers:
[INFO ] Bandwidth: 250000 bytes/second
[INFO ] HTTP connections: 8/second
[INFO ] Entities inserted/fetched/modified: 20/second
[INFO ] Batch Size: 10
Please enter login credentials for [_app_address_]
Email: [_My_Google_Mail_]
Password for [_My_Google_Mail_]:
Error 302: --- begin server output ---
--- end server output ---
Obviously I've hidden app and my mail but they are correct (I use the same credentials when use appcfg.sh to deploy new version).
If it helps the app configuration is:
Authentication Type: (Experimental) Federated Login
Datastore Replication Options: High Replication
What can I do about it?? I really need to get local copy of the production data...
Huh. The problem was in Note: Bulk upload and download is not supported for apps that use Federated (OpenID) authentication
I made a workaround - maybe someone finds it useful. To download data I've created a second app with google account authentication type and uploaded simple python app from this instruction. This way I was able to move entities from my source app to target and then download it using simple appcfg.py call...
The parameter `--url` needs to start with `https`
e.g.
`appcfg.py upload_data --config_file=bulkloader.yaml --url=https://<APP_ID>.appspot.com/remote_api --kind=<ENTITY> --filename=<FILE_NAME>.csv`