nifi 3 node docker + ssl getting Untrusted proxy CN=localhost, OU=NIFI - docker

Followed detailed instructions to set up a 3 node Docker-hosted NiFi cluster + SSL with a standalone certificate. Steps taken:
set up Docker to start up a persistent 3 node NiFi cluster (nifi01, nifi02, nifi03, registry and nifi_zookeeper)
Since they are all in a Docker bridged network, hostnames are set as above. However, in order to access the UI, I used an SSH tunnel to proxy as "localhost:8443:remotehost:6950", so I can access them from the browser as "https://localhost:8443/nifi".
Then set up OIDC, which needs SSL, so generated a cert and kept it in a shared location.
./bin/tls-toolkit.sh standalone -n localhost --subjectAlternativeNames 'localhost,0.0.0.0,nifi01,nifi02,nifi03,nifi_registry'
Followed https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#cluster-node-identities and set up authorizers.xml, which created users.xml / authorizations.xml as below
authorizers.xml
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">xyz#oidc.domain.com</property>
<property name="Initial User Identity 2">CN=nifi01, OU=NIFI</property>
<property name="Initial User Identity 3">CN=nifi02, OU=NIFI</property>
<property name="Initial User Identity 4">CN=nifi03, OU=NIFI</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">xyz#oidc.domain.com</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">CN=nifi01, OU=NIFI</property>
<property name="Node Identity 2">CN=nifi02, OU=NIFI</property>
<property name="Node Identity 3">CN=nifi03, OU=NIFI</property>
<property name="Node Group"></property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
which generated users.xml and authorizations.xml as :
users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="c3f09c4d-0c92-3f45-b2e4-877def626d99" identity="CN=nifi02, OU=NIFI"/>
<user identifier="882592de-bfd2-35fa-b447-e6866f066684" identity="CN=nifi01, OU=NIFI"/>
<user identifier="bae641ef-8e45-3838-8dde-8e012ada53f5" identity="CN=nifi03, OU=NIFI"/>
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814" identity="xyz#oidc.domain.com"/>
</users>
</tenants>
authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="4962996d-5f2e-3c80-94b3-1eaa2d71cedc" resource="/data/process-groups/2fa42d02-b336-30cd-aa96-f1aea310af6f" action="R">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
<user identifier="c3f09c4d-0c92-3f45-b2e4-877def626d99"/>
<user identifier="882592de-bfd2-35fa-b447-e6866f066684"/>
<user identifier="bae641ef-8e45-3838-8dde-8e012ada53f5"/>
</policy>
<policy identifier="cf5bec73-a284-3fae-811c-3e40e3db25e6" resource="/data/process-groups/2fa42d02-b336-30cd-aa96-f1aea310af6f" action="W">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
<user identifier="c3f09c4d-0c92-3f45-b2e4-877def626d99"/>
<user identifier="882592de-bfd2-35fa-b447-e6866f066684"/>
<user identifier="bae641ef-8e45-3838-8dde-8e012ada53f5"/>
</policy>
<policy identifier="1e6048dc-8ba2-34ee-a641-a1e260c55d75" resource="/process-groups/2fa42d02-b336-30cd-aa96-f1aea310af6f" action="R">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="92d7b372-f63a-30ab-a107-f70ea0bbc8d9" resource="/process-groups/2fa42d02-b336-30cd-aa96-f1aea310af6f" action="W">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
<user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<user identifier="c3f09c4d-0c92-3f45-b2e4-877def626d99"/>
<user identifier="882592de-bfd2-35fa-b447-e6866f066684"/>
<user identifier="bae641ef-8e45-3838-8dde-8e012ada53f5"/>
</policy>
</policies>
</authorizations>
OIDC is working as expected and authentication is working via SSO. However, once authenticated I am getting the below error on the UI.
Those look like the cert-issued authority from the toolkit. How to fix this? I tried several options and articles and none seem to work. The above authorizers.xml works because the service is working. Otherwise, getting an "unable to seed policy for" error.
Can anyone help?
Update: Checked nifi access log and found below:
2022-09-08 15:40:56,879 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Initializing Authorizer
2022-09-08 15:40:56,986 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Thu Sep 08 15:40:56 UTC 2022
2022-09-08 15:40:56,987 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi01, OU=NIFI (raw node identity CN=nifi01, OU=NIFI)
2022-09-08 15:40:56,987 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi03, OU=NIFI (raw node identity CN=nifi03, OU=NIFI)
2022-09-08 15:40:56,987 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi02, OU=NIFI (raw node identity CN=nifi02, OU=NIFI)
2022-09-08 15:40:57,000 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Thu Sep 08 15:40:57 UTC 2022
2022-09-08 15:40:57,001 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Configuring Authorizer
2022-09-08 15:41:03,346 INFO [main] o.a.n.w.s.o.StandardOidcIdentityProvider OpenId Connect: Available clientAuthenticationMethods [client_secret_basic, client_secret_post, private_key_jwt, tls_client_auth]
2022-09-08 15:44:20,874 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 172.20.0.1 [] GET https://localhost:8443/nifi-api/flow/current-user
2022-09-08 15:44:20,890 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 172.20.0.1 GET https://localhost:8443/nifi-api/flow/current-user [Anonymous authentication has not been configured.]
2022-09-08 15:44:34,264 INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 172.20.0.6 [xyz#oidc.domain.com<CN=localhost, OU=NIFI>] GET https://nifi01:8443/nifi-api/flow/current-user
2022-09-08 15:44:34,275 WARN [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 172.20.0.6 GET https://nifi01:8443/nifi-api/flow/current-user [Untrusted proxy CN=localhost, OU=NIFI]
2022-09-08 15:46:26,568 INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 172.20.0.6 [xyz#oidc.domain.com<CN=localhost, OU=NIFI>] GET https://nifi01:8443/nifi-api/flow/current-user
2022-09-08 15:46:26,569 WARN [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 172.20.0.6 GET https://nifi01:8443/nifi-api/flow/current-user [Untrusted proxy CN=localhost, OU=NIFI]
Looks like "CN=localhost, OU=NIFI" is getting added by the ssl certificate? Maybe someone can explain.

UPDATE:
Was able to fix the issue by adding the Node Identity user for the proxy to accessPolicyProvider and userGroupProvider in authorizers.xml.
userGroupProvider:
<property name="Initial User Identity 5">CN=localhost, OU=NIFI</property>
accessPolicyProvider:
<property name="Node Identity 4">CN=localhost, OU=NIFI</property>
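What the "Untrusted proxy" line means, as an added example that is not part of the original post: NiFi accepts a proxied identity chain (the `xyz#oidc.domain.com<CN=localhost, OU=NIFI>` printed in the log, i.e. end user xyz proxied by the node certificate) only from an identity that holds WRITE on the /proxy resource; that policy is what stops any TLS client from simply asserting an arbitrary end user. Because the toolkit certificate was generated with `-n localhost`, the node that receives the browser request presents CN=localhost, OU=NIFI when it forwards the call to nifi01, and that identity is absent from the /proxy policy in the posted authorizations.xml, which is exactly what the posted fix adds. The script below is written for this note (it is not NiFi code): it cross-checks a users.xml, an authorizations.xml and nifi-user.log lines and lists every proxy identity that lacks the /proxy policy. The embedded XML and log lines are a constructed sample cut down from the post. One caveat on the fix: with a single shared certificate, every node asserts the same proxy identity, so the policy can no longer distinguish the nodes from one another.

```python
"""Cross-check NiFi's file-based /proxy policy against the proxy chain that
nifi-user.log prints, to explain an 'Untrusted proxy' failure."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, cut down from the post: only the entries needed here.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="c3f09c4d-0c92-3f45-b2e4-877def626d99" identity="CN=nifi02, OU=NIFI"/>
    <user identifier="882592de-bfd2-35fa-b447-e6866f066684" identity="CN=nifi01, OU=NIFI"/>
    <user identifier="bae641ef-8e45-3838-8dde-8e012ada53f5" identity="CN=nifi03, OU=NIFI"/>
    <user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814" identity="xyz#oidc.domain.com"/>
  </users>
</tenants>"""

AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
      <user identifier="52b536d4-50ee-351a-9f9a-1f9ee1501814"/>
    </policy>
    <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
      <user identifier="c3f09c4d-0c92-3f45-b2e4-877def626d99"/>
      <user identifier="882592de-bfd2-35fa-b447-e6866f066684"/>
      <user identifier="bae641ef-8e45-3838-8dde-8e012ada53f5"/>
    </policy>
  </policies>
</authorizations>"""

# Two lines taken from the nifi-user.log excerpt in the post.
USER_LOG = """2022-09-08 15:44:34,264 INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 172.20.0.6 [xyz#oidc.domain.com<CN=localhost, OU=NIFI>] GET https://nifi01:8443/nifi-api/flow/current-user
2022-09-08 15:44:34,275 WARN [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 172.20.0.6 GET https://nifi01:8443/nifi-api/flow/current-user [Untrusted proxy CN=localhost, OU=NIFI]"""

CHAIN_RE = re.compile(r"Authentication Started \S+ \[([^\]]*)\]")
UNTRUSTED_RE = re.compile(r"\[Untrusted proxy ([^\]]+)\]")


def load_users(users_xml):
    """Map user identifier (UUID) -> identity string from users.xml."""
    root = ET.fromstring(users_xml)
    return {u.get("identifier"): u.get("identity") for u in root.iter("user")}


def trusted_proxies(authorizations_xml, users):
    """Identities granted WRITE on /proxy: the only identities NiFi will
    accept as a proxy in a proxied-entities chain."""
    root = ET.fromstring(authorizations_xml)
    allowed = set()
    for policy in root.iter("policy"):
        if policy.get("resource") == "/proxy" and policy.get("action") == "W":
            for user in policy.iter("user"):
                uid = user.get("identifier")
                allowed.add(users.get(uid, "<unknown " + uid + ">"))
    return allowed


def split_chain(chain):
    """'user<proxy1><proxy2>' -> (user, [proxy1, proxy2]), the layout NiFi
    prints for a proxied request in the Authentication Started line."""
    end_user, _, rest = chain.partition("<")
    proxies = re.findall(r"([^<>]+)>", rest) if rest else []
    return end_user, proxies


def audit_proxy_chains(users_xml, authorizations_xml, log_text):
    """Sorted proxy identities seen in the log that hold no /proxy policy.
    Each one explains an 'Untrusted proxy' line; the fix is to authorize
    that identity for /proxy (in the post: add it as a Node Identity)."""
    allowed = trusted_proxies(authorizations_xml, load_users(users_xml))
    missing = set()
    for line in log_text.splitlines():
        m = CHAIN_RE.search(line)
        if m:
            _, proxies = split_chain(m.group(1))
            missing.update(p for p in proxies if p not in allowed)
        m = UNTRUSTED_RE.search(line)
        if m:
            missing.add(m.group(1))
    return sorted(missing)


if __name__ == "__main__":
    for identity in audit_proxy_chains(USERS_XML, AUTHORIZATIONS_XML, USER_LOG):
        print("proxy identity without /proxy WRITE policy:", identity)
```

Run against the sample it reports `CN=localhost, OU=NIFI`, the identity the update adds as "Node Identity 4"; pointing it at a real conf/ directory and nifi-user.log works the same way because the parsing only relies on the element and attribute names shown in the post.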

Related

How to call API with Bearer token Wso2 EI?

I have 2 APIs to request:
API to get a token
API request to do something (uses OAuth2)
Below is the code to call the get-token API:
<?xml version="1.0" encoding="UTF-8"?>
<api context="/default" name="PostToken" xmlns="http://ws.apache.org/ns/synapse">
<resource methods="GET">
<inSequence>
<payloadFactory description="Setting payload for GetAccessToken API" media-type="xml">
<format>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<root xmlns="">
<grant_type>$1</grant_type>
</root>
</soapenv:Body>
</soapenv:Envelope>
</format>
<args>
<arg value="client_credentials"/>
</args>
</payloadFactory>
<!-- Below configurations are required to send data as application/x-www-form-urlencoded -->
<header name="Content-Type" scope="transport" value="application/x-www-form-urlencoded"/>
<property name="messageType" scope="axis2" type="STRING" value="application/x-www-form-urlencoded"/>
<header name="Authorization" scope="transport" value="Basic xxxxxxxx"/>
<property name="POST_TO_URI" scope="axis2" type="STRING" value="true"/>
<call>
<endpoint>
<http method="post" uri-template="https://sample.com/token">
<suspendOnFailure>
<initialDuration>-1</initialDuration>
<progressionFactor>-1</progressionFactor>
<maximumDuration>0</maximumDuration>
</suspendOnFailure>
<markForSuspension>
<retriesBeforeSuspension>0</retriesBeforeSuspension>
</markForSuspension>
</http>
</endpoint>
</call>
<respond/>
</inSequence>
<outSequence/>
<faultSequence/>
</resource>
</api>
As the next step, how can I get the token from the response and apply it to the 2nd API as a Bearer token?
Many thanks!
You can refer to the following blog regarding Using OAuth2 Protected Back-ends With API Manager. This blog is about handling that in the WSO2 API Manager, but it is applicable in the EI as well.
[1] https://medium.com/#menakajayawardena/wso2-how-to-using-oauth2-protected-back-ends-with-api-manager-5d7e234c61c

WSO2 in Hybrid gateway environment always routing to Sandbox URL, even when used with production access token

I am using WSO2 APIM 3.0.0 version & I have published an API in WSO2 using an existing swagger definition.
I am using a hybrid gateway environment, with the "Production" & "Sandbox" URLs configured to different code environments (for testing purposes the "Production" URL hits our qa box and "Sandbox" hits my local environment). I have just noticed that WSO2 is always routing calls to the sandbox environment (my local) even when I use the "Production" access token.
Is there something else I need to do apart from simply generating different access tokens for prod & sandbox from the devportal for it to route to the desired environment?
And does this mean that I MUST always have different gateways for different environments?
I tested this using OAUTH & JWT token types, with different grant mechanisms, and it still does the same thing.
synapse-config attached as requested:
<?xml version="1.0" encoding="UTF-8"?><api xmlns="http://ws.apache.org/ns/synapse" name="admin--XXXBackendPlatform" context="/WSO2/1.0.0" version="1.0.0" version-type="context">
<resource methods="POST" url-mapping="xxxxx" faultSequence="fault">
<inSequence>
<property name="api.ut.backendRequestTime" expression="get-property('SYSTEM_TIME')"/>
<filter source="$ctx:AM_KEY_TYPE" regex="SANDBOX">
<then>
<send>
<endpoint key="XXXBackendPlatform--v1.0.0_APIsandboxEndpoint"/>
</send>
</then>
<else>
<sequence key="_production_key_error_"/>
</else>
</filter>
</inSequence>
<outSequence>
<class name="org.wso2.carbon.apimgt.gateway.handlers.analytics.APIMgtResponseHandler"/>
<send/>
</outSequence>
</resource>
<handlers>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.common.APIMgtLatencyStatsHandler">
<property name="apiUUID" value="6535a4b7-759b-4f0e-8980-eab80aaee847"/>
</handler>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
<property name="apiImplementationType" value="ENDPOINT"/>
<property name="AuthorizationHeader" value="WSO2_Auth"/>
</handler>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler">
<property name="RemoveOAuthHeadersFromOutMessage" value="true"/>
<property name="APILevelPolicy" value="Unlimited"/>
<property name="AuthorizationHeader" value="WSO2_Auth"/>
<property name="CertificateInformation" value="{}"/>
<property name="APISecurity" value="oauth2,oauth_basic_auth_api_key_mandatory"/>
<property name="apiUUID" value="6535a4b7-759b-4f0e-8980-eab80aaee847"/>
</handler>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler"/>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.analytics.APIMgtUsageHandler"/>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.analytics.APIMgtGoogleAnalyticsTrackingHandler">
<property name="configKey" value="gov:/apimgt/statistics/ga-config.xml"/>
</handler>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler"/>
</handlers>
</api>
As per the below part, you have only configured a sandbox endpoint in your API. You should get an error if you use production keys to access the API.
<filter source="$ctx:AM_KEY_TYPE" regex="SANDBOX">
<then>
<send>
<endpoint key="XXXBackendPlatform--v1.0.0_APIsandboxEndpoint"/>
</send>
</then>
<else>
<sequence key="_production_key_error_"/>
</else>
</filter>

Service fabric hosted Asp.net WebApi Container application : 403 - Forbidden : Access is denied. on local cluster

I'm trying to do a lift and shift of an ASP.NET MVC application. I've containerized my ASP.NET WebApi application and deployed it to Azure Container Registry, and I'm referencing the container in a Service Fabric application. My ServiceManifest looks like this
<?xml version="1.0" encoding="utf-8"?>
<ServiceManifest Name="BookingApiServicePkg"
Version="1.0.0"
xmlns="http://schemas.microsoft.com/2011/01/fabric"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ServiceTypes>
<StatelessServiceType ServiceTypeName="BookingApiServiceType" UseImplicitHost="true" />
</ServiceTypes>
<CodePackage Name="Code" Version="1.0.0">
<EntryPoint>
<ContainerHost>
<ImageName>bookingacr.azurecr.io/bookingapi</ImageName>
</ContainerHost>
</EntryPoint>
</CodePackage>
<ConfigPackage Name="Config" Version="1.0.0" />
<Resources>
<Endpoints>
<Endpoint Name="BookingApiServiceTypeEndpoint" Port="62651" UriScheme="http" Protocol="http"/>
</Endpoints>
</Resources>
</ServiceManifest>
And the Application manifest looks like this
<ApplicationManifest ApplicationTypeName="BookingApiType"
ApplicationTypeVersion="1.0.0"
xmlns="http://schemas.microsoft.com/2011/01/fabric"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Parameters>
<Parameter Name="BookingApiService_InstanceCount" DefaultValue="-1" />
</Parameters>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="BookingApiServicePkg" ServiceManifestVersion="1.0.0" />
<ConfigOverrides />
<Policies>
<ContainerHostPolicies CodePackageRef="Code" ContainersRetentionCount="2" RunInteractive="true">
<HealthConfig IncludeDockerHealthStatusInSystemHealthReport="true" RestartContainerOnUnhealthyDockerHealthStatus="false" />
<PortBinding ContainerPort="80" EndpointRef="BookingApiServiceTypeEndpoint" />
</ContainerHostPolicies>
</Policies>
</ServiceManifestImport>
<DefaultServices>
<Service Name="BookingApiService" ServicePackageActivationMode="ExclusiveProcess">
<StatelessService ServiceTypeName="BookingApiServiceType" InstanceCount="[BookingApiService_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
</DefaultServices>
</ApplicationManifest>
The URL that gets generated is MachineName:PortNumber (http://desktopm423:62651 on my local system) but when accessing it, it shows a
403 - Forbidden: Access is denied.
When deployed to a Service Fabric instance I get an IP address and the message is
Service Not found
It looks like you have a Service Fabric certificate problem; you have to add all your certificates to the computer's local cert root and to all of the current user's certs.
As long as you do not configure any Admin Client Certificate, all your requests to the Explorer (:19080/Explorer) end up with a 403.
You can add a Thumbprint of an Admin Client Certificate in the Portal.
Following is the ARM setting for the same:
{
"type": "Microsoft.ServiceFabric/clusters",
...
"properties": {
...
"ClientCertificateThumbprints": [
{
"CertificateThumbprint": "THUMBPRINT_HERE",
"IsAdmin": true
}
],
...
}
}

How to ensure in Confluence only users from certain IP can access and others hit the login page to access?

I have Confluence set up in Azure Data-centre and running ok.
I want to make sure
Users in a certain IP range can access Confluence pages.
Users that are not in the above IP range will see the login page, and once logged in can use Confluence.
Now, I suppose if I add in the server.xml the following line (src:https://confluence.atlassian.com/confkb/how-to-allow-only-certain-ip-addresses-to-have-access-to-confluence-658015747.html)
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,192.168.0.1,192.168.50.*" />
as below:
<Server port="8000" shutdown="SHUTDOWN" debug="0">
<Service name="Tomcat-Standalone">
<Connector
port="8080"
connectionTimeout="60000"
disableUploadTimeout="true"
maxHttpHeaderSize="16384"
redirectPort="8443"
maxThreads="280"
minSpareThreads="280"
enableLookups="false"
acceptCount="10"
debug="0"
URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
proxyName="confluence.mydomain.com.au"
proxyPort="443"
scheme="https"
secure="false"
/>
<Engine name="ConfluenceDC" defaultHost="localhost" debug="0">
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
<Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
<Manager pathname=""/>
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>
<Context path="/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,192.168.0.1,192.168.50.*" />
</Host>
</Engine>
</Service>
</Server>
This will possibly allow Confluence to be accessible by the IPs given. But I want to ensure other IPs hit the login page for access. How do I do that?
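An added illustration, not part of the question or of Atlassian's documentation: RemoteAddrValve can only allow or deny a request (denied clients get the valve's denyStatus, 403 by default), so "everyone else gets the login page" has to be decided by the application or by the reverse proxy in front of it. The Python below models that decision: a client from a listed network passes without authenticating, anyone else passes only when already authenticated, and X-Forwarded-For is believed only when the TCP peer is one of the listed proxies, because otherwise any client could claim a trusted address. The networks, the proxy range and the `access_decision` / `client_address` names are assumptions made for this example. Note that the Connector above already sets proxyName/proxyPort/scheme for a reverse proxy, so the address a Tomcat valve compares is the proxy's own unless RemoteIpValve is configured in front of it.

```python
"""Per-request decision: bypass login for trusted source networks, ask
everyone else to authenticate. Models what a RemoteAddrValve cannot do
(it only allows or answers 403), with X-Forwarded-For handled safely."""
import ipaddress

# Constructed sample values (assumptions for the example): the networks that
# may read without logging in, and the reverse proxies whose
# X-Forwarded-For header we are willing to believe.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("127.0.0.1/32", "192.168.0.1/32", "192.168.50.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_address(remote_addr, x_forwarded_for=None, trusted_proxies=TRUSTED_PROXIES):
    """Effective client IP. X-Forwarded-For is honoured only when the TCP
    peer is a trusted proxy; the header is then walked from the right
    (the hop appended by that proxy) past other trusted proxies to the
    first address that is not one of ours."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and _in_any(peer, trusted_proxies):
        hops = [h.strip() for h in x_forwarded_for.split(",")]
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                break  # malformed entry: stop trusting the header
            if not _in_any(addr, trusted_proxies):
                return addr
    # No usable header, or every hop was one of our proxies: use the peer.
    return peer


def access_decision(remote_addr, x_forwarded_for=None, authenticated=False):
    """'allow' for trusted networks or already-authenticated users,
    'login' for everybody else (the application redirects to its login page)."""
    addr = client_address(remote_addr, x_forwarded_for)
    if _in_any(addr, TRUSTED_NETWORKS):
        return "allow"
    return "allow" if authenticated else "login"


if __name__ == "__main__":
    # Constructed requests: direct LAN client, direct Internet client,
    # and an Internet client arriving through the trusted proxy.
    print(access_decision("192.168.50.17"))
    print(access_decision("203.0.113.5"))
    print(access_decision("10.0.0.3", x_forwarded_for="203.0.113.5"))
```

The same decision can live in the reverse proxy itself (routing trusted networks straight through and everyone else to the login URL); what matters for security is that the trusted-network test is applied to an address the proxy vouched for, never to a header the client could have set.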

How to implement Oauth2 two-legged token based security on Mule CE?

I am working on Mule CE and need to implement token-based security (preferably) using OAuth2. I have configured the authorization-server and I do see the default mappings in the log file; however, when I send a message to "/oauth/token" nothing happens.
Similar config of OAuth2 works fine with Spring/Tomcat when deployed as standalone Spring web service application on Tomcat.
Here is my Mule config:
<mule xmlns:mulexml="http://www.mulesoft.org/schema/mule/xml"
xmlns:https="http://www.mulesoft.org/schema/mule/https" xmlns:jersey="http://www.mulesoft.org/schema/mule/jersey"
xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns="http://www.mulesoft.org/schema/mule/core"
xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:vm="http://www.mulesource.org/schema/mule/vm/2.0"
xmlns:spring="http://www.springframework.org/schema/beans" version="CE-3.3.1"
xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context" xmlns:ss="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:pattern="http://www.mulesoft.org/schema/mule/pattern" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/xml http://www.mulesoft.org/schema/mule/xml/current/mule-xml.xsd
http://www.mulesoft.org/schema/mule/xml
http://www.mulesoft.org/schema/mule/xml/3.3/mule-xml.xsd
http://www.mulesoft.org/schema/mule/http
http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core
http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/https
http://www.mulesoft.org/schema/mule/https/current/mule-https.xsd
http://www.mulesoft.org/schema/mule/jersey
http://www.mulesoft.org/schema/mule/jersey/current/mule-jersey.xsd
http://www.mulesoft.org/schema/mule/spring-security
http://www.mulesoft.org/schema/mule/spring-security/3.3/mule-spring-security.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.mulesoft.org/schema/mule/pattern
http://www.mulesoft.org/schema/mule/pattern/3.3/mule-pattern.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd ">
<mule-ss:security-manager>
<mule-ss:delegate-security-provider
name="memory-provider" delegate-ref="authenticationManager" />
</mule-ss:security-manager>
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider ref="myAuthenticationProvider" />
</ss:authentication-manager>
<oauth:client-details-service id="clientDetailsService">
<oauth:client client-id="admin"
authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials"
authorities="ROLE_USER, ROLE_TRUSTED_CLIENT" scope="read,write,trust"
access-token-validity="60" />
</oauth:client-details-service>
<oauth:authorization-server
client-details-service-ref="clientDetailsService" token-services-ref="tokenServices">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
</spring:beans>
<spring:beans>
<mvc:annotation-driven />
<spring:bean id="myAuthenticationProvider"
class="com.sachin.tech.security.MyUserAuthenticationProvider" />
<spring:bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<spring:property name="realmName" value="myCustomerAppRealm" />
</spring:bean>
<spring:bean id="oauth2AccessDeniedHandler"
class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />
<spring:bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<spring:property name="authenticationManager" ref="authenticationManager" />
</spring:bean>
<spring:bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
<spring:bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<spring:property name="tokenStore" ref="tokenStore" />
<spring:property name="supportRefreshToken" value="true" />
<spring:property name="accessTokenValiditySeconds"
value="60" />
</spring:bean>
</spring:beans>
<flow name="wsauthentication_2" doc:name="wsauthentication_2">
<http:inbound-endpoint exchange-pattern="request-response"
host="localhost" port="8098" doc:name="MyHTTPInbound2_2"
doc:description="wsauthentication_2 Desc">
</http:inbound-endpoint>
<echo-component doc:name="Echo" />
</flow>
</mule>
The mapping seems to be fine in logs:
13:48:01,789 DEBUG FrameworkEndpointHandlerMapping:125 - Looking for request mappings in application context: org.mule.config.spring.MuleApplicationContext#7fe3a7ec: startup date [Tue Apr 23 13:47:56 IST 2013]; root of context hierarchy
13:48:01,836 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/error],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint.handleError(javax.servlet.http.HttpServletRequest)
13:48:01,836 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/confirm_access],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint.getAccessConfirmation(java.util.Map<java.lang.String, java.lang.Object>) throws java.lang.Exception
13:48:01,851 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/authorize],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map<java.lang.String, java.lang.Object>,java.lang.String,java.util.Map<java.lang.String, java.lang.String>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)
13:48:01,851 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/authorize],methods=[POST],params=[user_oauth_approval],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.View org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny(java.util.Map<java.lang.String, java.lang.String>,java.util.Map<java.lang.String, ?>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)
13:48:01,851 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/token],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.lang.String,java.util.Map<java.lang.String, java.lang.String>)
Please help.
I don't think Spring OAuth can actually work outside of a Java web container.
For Mule EE, you can use the OAuth2 provider from the Enterprise Security package.
For Mule CE, you could try to run an embedded Jetty container and use Mule's Servlet endpoints behind it. That should provide an environment in which Spring OAuth could work. See the Bookstore example, provided with the Mule distribution, for inspiration.
