I'm trying to configure OAuth2 authentication into an existing Spring MVC app that is currently configured to use simple FORM authentication. I'd like to use Facebook as authentication provider, but I also need to maintain form authentication and to register user data in application DB the same way for both authentication methods (obviously for social auth some fields will be absent, for ex. password).
I'm using Spring Boot 1.4.1 with these additional dependencies:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
</dependency>
But I cannot find a tutorial or some clear documentation explaining how to solve my case (FORM + OAuth2).
I tried to follow this tutorial but it is based on Spring Boot + AngularJS, while I'm using plain HTML + Thymeleaf.
This is my current Spring Security configuration:
http.authorizeRequests() //
.antMatchers("/css/**").permitAll() // static resources
.antMatchers("/webjars/**").permitAll() // static resources
.antMatchers("/images/**").permitAll() // static resources
.antMatchers("/login").permitAll().anyRequest().authenticated();
http.formLogin()
.failureUrl("/login?error").defaultSuccessUrl("/").loginPage("/login").permitAll()//
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login?logout").permitAll();
What should I add to configure OAuth2 and to get user info once authenticated?
UPDATE After some googlin' I found that the way to go could be to use this dependency:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-social-facebook</artifactId>
</dependency>
in place of plain spring-security-oauth2, but I still can't find a simple way to achieve what I want.
The best tutorial I found is this, but is a bit dated and is not based on Spring Boot, so I can't understand if some utility and autoconfiguration exist.
I tried to use this tutorial for other social network, but i got that you application as client has to provide next config in application.yml:
facebook:
client:
clientId: 233668646673605
clientSecret: 33b17e044ee6a4fa383f46ec6e28ea1d
accessTokenUri: https://graph.facebook.com/oauth/access_token
userAuthorizationUri: https://www.facebook.com/dialog/oauth
tokenName: oauth_token
authenticationScheme: query
clientAuthenticationScheme: form
resource:
userInfoUri: https://graph.facebook.com/me
this info will be used during outh2 process to get authorization token
I resolve my problem with configuration simple OAuth2 with Spring through my Authorization Server, you can check my answer here if you haven't found how to do it
Related
I have a service I want to access using Feign client. The problem is that it requires authorization using OAuth2, password (as said in the Authorize page of Swagger and flow: password is set).
In the Swagger page of the service I can get the access to the methods by simply clicking on the Authorize and inputing my login and password, choosing request body and leaving client_id and client_secret fields as they were default, but how do I do that using Feign client now?
I tried following this guide but it describes how to do it with grant type client_credentials so it didn't work for me, it was expectedly giving errors and not accesing the method of the service. I checked the api of the service just to be sure, grant type is in fact password. When sending a request it was doing it with "Bearer null".
feign.FeignException$Unauthorized: [401] during [GET] to [...] [TestFeignClient#req(String)]: [{"error":"invalid_token","error_description":"Cannot convert access token to JSON"}]
There's a lot of code I don't know about, so I tried to find another guide which will be about grant type password. I tried to follow this guide which suits my situation, but Maven gives me errors about these dependencies, so the code is all red too (I checked the source code of the guide which can be found here
to find the dependencies, it's in the customer package pom, on the branch with_database as the author said in the comments section):
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-feign</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-eureka</artifactId>
</dependency>
So my question is: how can I correctly implement OAuth2 password grant type with Feign client? Is there any actual guides on how to do it? Becasue I didn't find any except these 2 and they both didn't work out for me.
Grant type "password" would mean that your resource server sends userid and password to the authentication server (oauth 2 server). This would mean you would send data tied to an actual user of your application over the wire. This is not something you want do anymore and this grant type is deprecated.
When you say you input client id and client secret in swagger, you are actually using grant type "client credentials" and not grant type "password". The data you are sending "over the wire" identifies an application or client, hence CLIENT id and CLIENT secret.
The userid and password you are entering is not sent to the authorization server. It might be some kind of BASIC authentication you have in front of your swagger mask.
Stick to your Bealdung guide, its exactly what you want to do. Setup all the beans you can see under 4.2 and provide the needed configuration. Afterwards you should be able to autowire the configured feignclient bean and use it anywhere.
Solved, you need to add this dependency I didn't notice in order to not to specify versions of dependencies:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Edgware.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Or just specify versions of the dependencies (second guide).
Small question regarding some actuator endpoints returning 404 please.
I have a web app, based on Webflux 2.4.2, and for testing this issue only, I am using
management.endpoints.web.exposure.include=*
Actuator is working, because a curl will get the response for /health /metrics and other endpoints.
However, for those endpoints /auditevents /httptrace /integrationgraph /sessions, I am not able to get anything, besides a http 404.
[05/Feb/2021:13:00:18 +0000] "OPTIONS /auditevents HTTP/1.1" 404 141 55 ms
May I ask what did I miss please?
What are the steps to enable the /auditevents endpoint please?
What are the steps to enable the /httptrace endpoint please? I have sleuth and Zipkin working
What are the steps to enable the /integrationgraph endpoint please?
What are the steps to enable the /sessions endpoint please?
Those are really the only endpoints returning 404, still do not know why.
Don't want to spam with one question same question per endpoint. All other actuator endpoints are fine.
Thank you
According to Spring Boot Reference Docs :
To enable /httptrace in the actuator, then you have to create a bean of InMemoryHttpTraceRepository class in the custom #Configuration class which provides the trace of the request and response.
#Bean
public HttpTraceRepository htttpTraceRepository() {
return new InMemoryHttpTraceRepository();
}
To enable /auditevents in the actuator, then you have to create a bean of InMemoryAuditEventRepository class in the custom #Configuration class which exposes audit events information.
#Bean
public AuditEventRepository auditEventRepository() {
return new InMemoryAuditEventRepository();
}
To enable /integrationgraph in actuator, you have to add spring-integration-core dependency in the pom.xml (as per documentation) :
<dependency>
<groupId>org.springframework.integration</groupId>
<artifactId>spring-integration-core</artifactId>
</dependency>
or if you are having a spring-boot project, then add this :
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-integration</artifactId>
</dependency>
/actuator/sessions are by-default enabled. But still you can add this explicitly to check the behaviour.
Add this in application.properties.
management.endpoint.sessions.enabled = true
I'm trying to in corporate Spring Actuator to my application. I have added the dependency in my pom.xml:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
<version>1.4.2.RELEASE</version>
</dependency>
But I get a 404 when trying to access the /health endpoint. After looking online, I've read that I need to also have the spring-boot-starter-web dependency in my POM. I was under the assumption that I only need the actuator dependency in order to get it working
Yes web is needed if you want to access via HTTP (otherwise only JMX is available).
The documentation for actuator states
"Click Dependencies and select Spring Web and Spring Boot Actuator."
Actuator "sensitive" endpoints secure since 1.5.x version, is it possible to specify user in properties or yml file and access these endpoints without adding spring security into project?
I know that there's property management.security.enabled can be set to false to expose endpoints, but want to keep them secure:)
Yes you can do it.
Just add the below lines in src/main/resources/application.properties file.
management.security.enabled=true
security.user.name=admin
security.user.password=admin1
management.security.roles=SUPERUSER
After this, add below dependency in your application pom.xml file.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Restart your application and try to access any sensetive actuator. You will be prompted to enter username and password. Enter the username and password that you configured in application.priperties.
After entering you will be able to access the sentive actuators.
Hope this helps.
Happy coding
I'm using spring-boot-security for basic authentication on my #RestController endpoints, as follows:
pom.xml:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
application.properties:
security.user.name=user
security.user.password=pass
Question: how can I disable the basic auth in development, and only enable it if a specific profile is active using startup parameter -Dspring.profiles.active=production.
I would like to move the properties above into application-production.properties. And in dev there should not be any auth on the endpoints.
From a security perspective you probably want to do the opposite. Enable security by default and disable when running with a dev profile. Which is actually pretty easy to do add an application-dev.properties (assuming your profile is named dev.
Add the following to the file
security.basic.enabled=false
And for dev start with the profile enabled.