I have a front end application in digitalOcean with domain name testDO. This domain has SSL certificate. So all request origin are from https://testDO.com.
I have a backend server sitting in AWS created by deploying war file into beanstalk. It has the name testAWS.us-east-2.elasticbeanstalk.com
When I call API directly from the url for example http://testAWS.us-west-2.elasticbeanstalk.com/myAPI/getName it works. When I call the same API from my front end I get blocked:mixed-content. Is this because its http and not https? what is the workaround?
Yes this is because, your HTTPS site tries to access content through HTTP which is blocked by the browser. You need to either both HTTPS or proxy the request at frontend server and terminate SSL there and forward it to your API Server in Beanstalk.
Note: Since the frontend and backend are in two different environments it will be preferred to use both HTTPS than the proxy approach for security.
You can create a CloudFront Distribution and take it with https to http. You also need to enable CORS in your response to access cross origin domain requests.
Client --> CloudFront --> Your http API (Response with CORS).
Hope it helps.
You need to setup your AWS Elastic Beanstalk environment with your domain or you can use HTTPS with a self-signed certificate for development and testing purposes.
You can use upload your front end in AWS S3, In AWS static webpage Endpoints are http, so you wan't get this mixed-content problem.
Reference:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
Related
I am implementing oauth2 server using Springboot
I have four microservices
Sales (sales)
Inventory (inventory)
IAM service (Authorization Server, with Oauth2) (http://iam:8089)
Gateway (gateway on http://www.gateway.com)
All these services are behind the Spring clould gateway, and its deployed under K8S, And Gateway is exposed as external interface.
Now if I try to do authenticat user using oauth2 throught gateway like below.
Step 1 :
Http Request http://www.gateway.com/oauth/authorize
So in Response header I am getting like
Location: http://iam:8089/v1/oauth/login (But expectation is http://www.gateway.com/oauth/login)
and because of that browser
redirect me to http://iam:8089/oauth/login
Where Ideally I am expecting that also routed through gateway service something like
http://www.gateway.com/oauth/login
Can someone please help me to solve this.
Thanks
Alpesh
Sounds like a good setup in line with what we recommend at Curity in our IAM Primer Article, with the Authorization Server (AS) behind a reverse proxy or gateway.
In your case the AS listens at http://Iam:8089 but that is an internal URL. The AS also has a 'Base URL' that is used by internet clients, and this is the URL of the gateway, which is http://www.gateway.com in your example:
It will be returned to clients in OpenID Connect discovery requests
It will be returned to browsers in browser redirects during authentication
There should be somewhere in Spring OAuth2 Server where you set the Base URL, similar to that in the Curity Identity Server (see image below). The process should be to set this value and then verify that it is returned in a metadata request. You should then be configured correctly.
In Spring I expect the setting you need is in the fluent configuration somewhere - maybe one of the Configurer classes. I find it pretty hard to find what I'm looking for in Spring though.
i'm trying to integrate java application with azure ad .
i have registered an app in azure and added redirect url's , after successful login , it was redirected to my java application where i am fetching authorization code using msal library.
Getting the below exception
com.microsoft.aad.msal4j.MsalServiceException: AADSTS500112: The reply address
'http://testUrl' does not match the reply address 'https://testUrl
the only difference i see in the above url's is http and https, even though i mentioned https in both redirect url in the app registrations as well as redirect_uri in the microsoft login url.
btw, it was working with my local environment, not working when i hosted it on the server .
We had the same issue after it was deployed in production environment. The reason the https became http is since I was in a load-balanced environment, the outside URL differed from the inside URL (The load balancers off-loaded the SSL processing). When the http request from azure reached our web filter, the httpRequest.getRequestURL().toString() get the http instead of https. What we did is, ask devops team to add a header in httprequest with the original url sent to load balancer, and in our code, we extract the http header instead of the http request itself.
Specifically, change
String currentUri = httpRequest.getRequestURL().toString();
to
String currentUri = httpRequest.req.getHeader(HEADER_PROXY_URL);
The HEADER_PROXY_URL is the header name that devops inject the original url.
According to my research, the redirect URL for web apps and services must begin with the scheme https. If you want to use the scheme http, you just can use http:\\localhost. For more details, please refer to https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison#restrictions-on-redirect-urls
I have followed the techinical guidance in the below link. But I am not able to get a clear idea how i can configure that in my spring rest framework.
Offloading https to load balancers with Spring Security
My requirement is before the actual request comes to my rest api, it's hitting the Amazon elb. Elb is converting https to http. But I need to check the original request is HTTPS and it's properly converted to HTTP using the ELB.
I have gone through the SecureChannelProcessor and InsecureChannelProcessor.
I am expecting my request should be HTTPS before hitting the ELB and after the ELB it should be HTTP. That validation check should be handled in my REST API Code. END USER REQ ---(https)----> ELB -------(http)--> REST API in my rest api, I should be able able to check the X-Forwarded-Proto (Or request type) should be https and it's been converted as http in my ELB.
But Not getting a clear idea. Any help will be appreciated.
I own a Java application on Google App Engine Java with a custom domain and multiple subdomains.
I'd like to allow one part of my application to be served over https (for example, all the urls of a subdomain or all the urls with /secure/ in path).
The other urls should still be served over http. Our website receive more than 100 req/s and the vast majority of these requests should still work over http.
I fear that by trying to activate https I might block all the http requests which would create a big downtime for our servers.
Is it possible to do what I'd like with App Engine?
What is the best way to do it and avoid any downtime?
Thanks!
If someone is interested, here's what I finally did:
in google apps for my domain, in More controls / Security / SSL for Custom Domains, I activated my app engine app id.
I activated Virtual IP ($39/month) (but it also works with SNI)
As I use VIP, I changed the CNAME to redirect all my subdomains to the special CNAME for SSL with VIP (unnecessary with SNI I think)
I created a key + CSR with OpenSSL. I created a self signed certificate and tested it. It worked but of course, warning message.
I paid a signing authority for a valid certificate (wildcard for all my subdomains, about 100€/year)
I added that certificate + intermediate certificate and key in google apps for my domain.
It now works perfectly in both http and https. There wasn't any service disruption at any time for http.
I'll now add some url filter to my app to automatically redirect some http urls to https.
I have a GWT appilcation in which the client makes a request to another domain.
I wrote the request using RequestBuilder in GWT.
On executing the code, I get an error in my browser :
No 'Access-Control-Allow-Origin' header is present on the requested resource.
So I google and I found that the domain to which I am making the request should add this header in the response that it sends. Now I dont't have control over the other domain's server, so I can't do any modification there.
My question is, can I intercept the response and the Access-Control-Allow-Origin header to the response that is being sent by the other domain's server at my server, before I send it to my client?
I tried using Filters but the Filter doesn't get called for responses coming from another domain.
Is this possible to do, am I missing something or is it just not possible?
Vivek's answer that cross domain requests aren't allowed by the browser is true, except for the CORS mechanism, whereby newer browsers that support it can try in a cross origin way to servers that also support it.
However, unless that remote server support it itself, there is nothing you can do. If I server my app from A, and want to connect to B, only B can authorize that. If A were allowed to permit my app to connect to B via some filter or servlet, then I could write an app that makes calls to gmail or facebook or twitter and read/write your settings and personal data at those other urls.
So instead, it is the cross origin server that you are contacting that must approve the connection with the header you mentioned. In lieu of that, you can still use your own server as a proxy for the cross origin server.
Cross-domain requests are forbidden by web browsers as per the same origin security policy. These restrictions are limited to browser based applications and hence you can definitely use your own server application as a filter between the GWT based client side application and the external server.