I'm doing a microservice project usign JHipster, i'm using Consul for Service Discovery and JWT for authentication, but here's my question:
For other clients to access my microservices, they need to authenticate by passing a JSON with the credentials via POST to the gateway and finally get de id_token. But how the gateway authenticate within the services? The gateway do something similar to what we did when there's external client? Or there's something to do with de Service Discovery?
I found this in the application-dev.yml:
security:
authentication:
jwt:
secret: my-secret-token-to-change-in-production
My guess is that the both microservice and the gateway share a common secret key, but i didn't found this key, only this section on the yml.
You found it, the secret key is used by the gateway to sign the token when it generates it, same key is used by microservices to verify signature. The gateway is a Zuul proxy that passes the authentication header to proxified microservices.
This property in Consul is available to all these apps through a local Consul agent at port 8500, see Spring Cloud Consul.
Related
In my Spring Boot Application I changed the default management server port in order to expose it on different port through HTTP. My main app works on HTTPS with SSL key and I don't want to expose it there.
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:local-ssl.p12
server.ssl.key-store-password=<password>
server.ssl.key-alias=local_ssl
server.port=8443
management.server.ssl.enabled=false
management.server.port=8081
management.endpoints.web.exposure.include=health,info,prometheus
However when I am trying to access the http://localhost:8081/actuator/prometheus, I am receiving the following picture from Postman. How can I access my endpoints through the new port?
When configured to use a custom port, the management server can also be configured with its own SSL using the various management.ssl.* properties. For example, this allows a management server to be available via HTTP while the main application uses HTTPS:
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:store.jks
server.ssl.key-password=secret
management.port=8080
management.ssl.enabled=false
Alternatively, both the main server and the management server can use SSL but with different key stores:
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:main.jks
server.ssl.key-password=secret
management.port=8080
management.ssl.enabled=true
management.ssl.key-store=classpath:management.jks
management.ssl.key-password=secret
for reference look here
https://docs.spring.io/spring-boot/docs/1.5.4.RELEASE/reference/html/production-ready-monitoring.html
I am trying to setup SSO using Azure AD. Our aplication is a spring boot application deployed on Amazon ECS.
For this I have refered https://dummybot.medium.com/saml-integration-with-spring-boot-spring-security-microsoft-azure-ad-b9610bdb78b9, which uses Spring Security SAML2 with Spring Boot.
In our case the application exposes the port 8080 from docker container and doesn't have its own SSL configuration. We are using Amazon ELB as load balancer in which the SSL is configured and through the load balancer we can access the application https://our-domain.com
When testing application locally I am able to login successfully when https://localhost:8443/saml/sso is added as a reply Url in Azure AD.
When I add only the https://our-domain.com/saml/sso as reply URL and try logging in while executing application locally, I get this error:
correct http protocol and port in AD request
which is expected as we dont have https://localhost:8080/.. as white listed reply URL in Azure AD now.
But what I noticed here in the error message is https://localhost:8080/... doesn't match the reply URL, which is correct, but there is no change in HTTP protocol or port 8080 which I am trying to access.
But, When I try to access the application deployed on AWS ECS using https://our-domain.com, I am successfully redirected to login page, but there I get this error.
incorrect http protocol and port in AD request
Where I can see HTTP protocol has been changed from https to http and the port is passed in the request as 8443.
I could see only in our AWS ELB which has configuration for SSL certificate and has a HTTPS listener 8443, and I am suspecting it is due to this the incorrect reply URL is passed by the Spring Security in the Azure AD Authentication request.
Amazon ELB configuration
I have tried to find solution for this and found an issue reported in Spring-Security-Saml project at https://github.com/spring-projects/spring-security-saml/issues/447, which talks about SAMLContextProviderLB as the context provider bean.
More details in Spring-Security SAML Extension documentation: https://docs.spring.io/spring-security-saml/docs/1.0.x/reference/htmlsingle/#configuration-load-balancing
Although it is mentioned in the documentation for latest version of Spring-Security SAML Extension, I cant find this class, but it is available in older 1.0.x version of extension. Hence I am not able to use it.
Can someone please provide any pointers to fix this issue..
Thanks
I actually have a hosting service who has a subdomain, that subdomain function is to redirect to my local server where I have my services, for example:
My domain: example.com
Subdomain: guaymas.example.com // His function is to redirect to my server (firewall)
Redirect to a port : guaymas.example.com:8080 // where I have my services
And through a port I have a web service, in order to make the data transfer more secure I wanted to implement a SSL certificate but because of my configuration I’ḿ not able to generate the certificate with letś encrypt (because buying one is not an option), I can’t verify with http or dns method, Is there any other method that I can use to generate the SSL certificate?
PD: I'm using GlassFish and Soap web services on JAVA, those are running on Linux Server and my distro is deepin
Thanks a lot
Scenario
Trying to configure end to end ssl encryption from ALB to Spring boot application.
Steps Done
ACM created
created a domain name in ACM and downloaded the public certificate chain using GetCertificateRequest API.
Domain name is *.mnkartik.com
create a truststore.jks and imported the certificates and chain as trusted sources.
spring boot application on ec2
configure the ALB with the target source as EC2
created self signed certificate and keystore as keystore.jks
configured the application as below in properties
server.port=8080
server.ssl.key-store = classpath:keystore.jks
server.ssl.key-store-password = password
server.ssl.key-password = password
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA
server.ssl.enabled=true
server.ssl.trust-store=classpath:truststore.jks
server.ssl.trust-store-password=password
when hit using the EC2 public api to spring boot application running on 8080 with https:// its working with an unsecured error ( as obvious ) with response printed successfully.
Problem
But when hitting the alb url, its returning as 502 Bad gateway error. Could not be able to solve.
This is ec2 result
ALB result
I am currently developing a application based on a micro service architecture. We use a API-Gateway implemented using Spring Cloud Netfix's Zuul Server to route the requests to our micro services.
To realize single sign on for all our services I am currently working on an OAuth2 server set up using Spring Cloud Security. The server is basically just copy and past of the implementation in Dave Syer's Repo: https://github.com/dsyer/spring-security-angular/tree/master/oauth2/authserver
The main difference is that I want to route the requests to my OAuth server through the Zuul Proxy. This way I will not have to directly expose my OAuth Server and can add and remove Login Server dynamically.
The problem is I do not seam to understand how to correctly configure this setup. When I try to access a protected resource on the OAuth server I am forwarded to the login page. This of course is as expected. But I can not figure out how to set the hostname and port used when forwarding. What I want to happen is the server to forward to an endpoint on the Zuul server that will get proxied back to the OAuth server. (The Zuul API-Gateway should be the only server the client ever talks to. Everything else will be hidden.)
As it is the host and port are read from the HttpServletRequest in LoginUrlAuthenticationEntryPoint. But the request the server sees is the request send by the Zuul proxy. So I am forwarded to an internal IP not an endpoint on the proxy.
I tried to set the URL of the login page in WebSecurityConfigurerAdapter.configure(HttpSecurity) to the absolut URL of my Zuul Proxy. But this just caused my application to complain about too many redirects. (Might have caused a loop there.)
What would be the best way to set this up?
Do I have to implement some kind of own forwarding strategy by overriding a bean?
Is there a configuration option I am missing?
Is my idea itself wrong? (In his answer to How to avoid redirect to another host with Zuul? Dave Syer says you would not normally proxy this but does not explain why.)
Update: POC can be found here https://github.com/kakawait/uaa-behind-zuul-sample
Did you try following setup (on zuul server):
zuul:
routes:
uaa-service:
path: /uaa/**
stripPrefix: false
security:
# Disable Spring Boot basic authentication
basic:
enabled: false
oauth2:
sso:
loginPath: /login
client:
accessTokenUri: https://<zuul hostname>/uaa/oauth/token
userAuthorizationUri: https://<zuul hostname>/uaa/oauth/authorize
...
Basically it works on my project only thing I have to do is to disable CSRF protection on /uaa/oauth/token route.
Auth server should be on
server:
# Use different context-path to avoid session cookie overlapping
context-path: /uaa
Tested using Spring-Cloud.Brixton.M3
Thank to #thomas-letsch, you should tweak you security like following (sample)
public void configure(HttpSecurity http) throws Exception {
http.logout().and()
.antMatcher("/**").authorizeRequests()
.antMatchers("/index.html", "/home.html", "/", "/uaa/oauth/**").permitAll()
.anyRequest().authenticated().and()
.csrf().csrfTokenRepository(getCSRFTokenRepository()).ignoringAntMatchers("/uaa/oauth/token").and()
.addFilterAfter(createCSRFHeaderFilter(), CsrfFilter.class);
}
As far as I understand your question, spring-cloud-security (for the EnableOauth2Sso part) and spring-cloud (for zuul), this is not possible to proxy the calls to the authorization server using zuul.
The main reason being that spring-cloud-security secures the Gateway independently (and before accounting for) Zuul routing's logic.
Which means that the (sample configuration from Dave Syer's OAuth2 example) spring.oauth2.client.* configuration
spring:
oauth2:
client:
accessTokenUri: http://localhost:9999/uaa/oauth/token
userAuthorizationUri: http://localhost:9999/uaa/oauth/authorize
clientId: acme
clientSecret: acmesecret
is considered before allowing any access to the Zuul's routes zuul.routes.*
Moreover this setup enables the client agent to store two Cookies: one for the Gateway and one for the Authorization Server.
I hope this helps.