JWT Authentication graphql-spqr with spring security - spring-security

I am using graphql-spqr-spring-boot-starter, version 0.0.5 in my spring boot application.
@GraphQLApi & @GraphQLQuery are working fine and I am fetching data on /gui as well.
But as many have faced I am trying to apply the authentication part on graphql server calls. I am using JWT token in my application for REST API authorization/authentication.
So I have token which I suppose can be used for validation here as well.
I have tried using:
@PreAuthorize("hasRole('ROLE_RECRUITER_HR')")
but it gives a compile time error:
io.leangen.graphql.metadata.exceptions.TypeMappingException: The registered object of type com.sun.proxy.$Proxy90 appears to be a dynamically generated proxy
For these and other possible issues, is it better to use a wrapper GraphQL library like spring-boot-starter, or is it safer to use graphql-spqr, which leaves more steps in my hands?

EDIT: GraphQL SPQR Spring Boot starter v0.0.6 fixed the issue and should work out of the box.
This is a bug in the starter. It doesn't properly detect the types when JDK proxies (and not CGLib) are used. I will make sure to fix this for the next release.
There are a couple of ways to temporarily work around this, but none of them are nice unfortunately.
You could, for example, force Spring to use CGLIB with
@EnableAspectJAutoProxy(proxyTargetClass = true)
but this has potentially wide implications so I would recommend you simply wait a bit. I'll release a new version with a fix in a couple of days, as this is a very important bug.
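A complete configuration for the workaround described in this answer, written as an added example rather than code from the question, the answer, or the starter itself. The service class name, the sample data, and the assumption that a JWT filter already populates the SecurityContext for /graphql are mine; the role name is the one from the question.

```java
// Added example: method-level authorization on a graphql-spqr service with the
// CGLIB workaround. Not code from the question or from the starter project.
// Assumed names: CandidateService, the "candidates" query, the sample data.
import io.leangen.graphql.annotations.GraphQLQuery;
import io.leangen.graphql.spqr.spring.annotations.GraphQLApi;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

import java.util.Arrays;
import java.util.List;

// prePostEnabled turns on @PreAuthorize evaluation. proxyTargetClass = true is the
// temporary workaround from the answer: Spring subclasses the bean with CGLIB instead
// of wrapping it in a JDK interface proxy, so starter 0.0.5 sees the real class.
// Remove the second annotation once you are on starter 0.0.6 or later.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableAspectJAutoProxy(proxyTargetClass = true)
public class MethodSecurityConfig {
}

@Service
@GraphQLApi
class CandidateService {

    // The check reads the Authentication that your JWT filter stored in
    // SecurityContextHolder for this request. If /graphql is not behind the same
    // filter chain as your REST endpoints, the context is anonymous and every
    // hasRole(...) query is denied, which is the safe failure mode.
    //
    // Keep secured query methods public and non-final: a CGLIB proxy cannot
    // override a final method, so its @PreAuthorize would never be evaluated.
    @GraphQLQuery(name = "candidates")
    @PreAuthorize("hasRole('ROLE_RECRUITER_HR')")
    public List<String> candidates() {
        return Arrays.asList("alice", "bob"); // constructed sample data
    }
}
```

Verifying the setup is simple: send the same query once without a token and once with a token carrying ROLE_RECRUITER_HR; the first must come back as an access-denied error in the GraphQL response and the second with data. If both succeed, the annotation is not being intercepted (wrong proxy type, final method, or the method being called from inside the same bean).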

Related

Swagger produces an uncomplete document when Spring Security is enabled

When I have Spring Security disabled, Swagger2 (springfox 2.5) seems to work fine, but when I enable it again, the JSON it produces when calling http://localhost:8082/v2/api-docs seems to have some kind of problem. Taking a look at the browser console I find:
TypeError: e.schema is undefined
Comparing both api-docs, the one produced with Spring Security on is much longer. I have done all that it says here. It was really helpful for being able to reach Swagger with Spring Security on, but it seems not to be enough. Why are these JSON documents so different? Why does the one with Spring Security on seem to lack some info?
We have also used the paths below in our Spring Security config and it was enough:
"/v2/api-docs", "/configuration/ui", "/swagger-resources", "/configuration/security", "/swagger-ui.html", "/webjars/**"
Could you show some code?
What kind of JSON converter do you use? Gson, Jackson?
Do you have some spring/spring security configuration in xml files?
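The path list from the answer above as a working Spring Security 4 / springfox 2.5-era configuration, added here as an example; it is not code from the question or the answer. The class name and the basic-auth fallback are assumptions; the paths are exactly the ones listed in the answer.

```java
// Added example: permit the Swagger/springfox endpoints while everything else
// stays authenticated. Not code from the question or the answer.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SwaggerSecurityConfig extends WebSecurityConfigurerAdapter {

    // The paths from the answer. /v2/api-docs is the full machine-readable
    // description of your API surface, so permitAll here discloses every
    // endpoint and model to anyone who can reach the server.
    private static final String[] SWAGGER_PATHS = {
        "/v2/api-docs", "/configuration/ui", "/swagger-resources",
        "/configuration/security", "/swagger-ui.html", "/webjars/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Swap permitAll() for hasRole("ADMIN") or wrap this whole
                // config in @Profile("dev") if the docs must not be public.
                .antMatchers(SWAGGER_PATHS).permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic(); // assumed: whatever authentication mechanism you already use
    }
}
```

permitAll() only skips the authorization decision; the rest of the filter chain (CSRF, security headers, any custom filter you registered) still runs on these paths. If the api-docs document still differs with Security on, fetch /v2/api-docs with curl in both configurations and diff the raw responses before looking at the Swagger UI, so that you are comparing what the server actually sent.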

Thread safety in rails with slack-api gem

I have just started using Rails. In my app I have to access Slack APIs, so I am using the slack-api gem. The way to configure that is
Slack.configure do |config|
  config.token = "token"
end
I am wondering since the token is configured at class level 'Slack', would that cause any inconsistent behaviour? One request might set it to value A and before it is done, another request may set it to value B.
While Ruby web frameworks are generally single-threaded, this is not always the case. So it will likely cause problems if the token is different across multiple requests; it will be hard to reason about or become a problem in the long run.
Try the newer gem, https://github.com/dblock/slack-ruby-client, which takes a token in the initializer, i.e. Slack::Web::Client.new(token: 'token') or Slack::RealTime::Client.new(token: 'token'), which should avoid the problem altogether.
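The race the question worries about, reduced to a self-contained demonstration. This is an added example and not code from either gem; it is written in Java (the language used for the other examples on this page) and simulates the two patterns with two tiny constructed classes: a class-level mutable token, as in Slack.configure, and a client that receives its token in the constructor, as in slack-ruby-client.

```java
// Added example: why a process-wide mutable token is unsafe under concurrent
// requests. GlobalSlackConfig and SlackClient are constructed stand-ins, not the
// real gems. The security consequence of the first pattern is that request A can
// end up calling Slack with request B's credentials.
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class SharedTokenDemo {

    // Pattern 1: one token for the whole process (Slack.configure style).
    static final class GlobalSlackConfig {
        static volatile String token;
    }

    // Pattern 2: token bound to the client instance (Slack::Web::Client.new(token:) style).
    static final class SlackClient {
        private final String token;
        SlackClient(String token) { this.token = token; }
        String tokenUsedForCall() { return token; }
    }

    // Simulates one web request: configure, do some work, then "call Slack".
    // Returns the token that would actually be sent on the call.
    static String handleWithGlobalConfig(String requestToken) throws InterruptedException {
        GlobalSlackConfig.token = requestToken;
        Thread.sleep(5); // any work here lets another request overwrite the token
        return GlobalSlackConfig.token;
    }

    static String handleWithInstance(String requestToken) throws InterruptedException {
        SlackClient client = new SlackClient(requestToken);
        Thread.sleep(5); // nothing another request does can change this client's token
        return client.tokenUsedForCall();
    }

    // Runs `requests` concurrent requests, each with its own token, and counts how
    // many would have called Slack with somebody else's token.
    static int countMismatches(boolean useGlobal, int requests) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            final String mine = "token-" + i; // constructed per-request credential
            results.add(pool.submit(() -> {
                String used = useGlobal ? handleWithGlobalConfig(mine) : handleWithInstance(mine);
                return !used.equals(mine);
            }));
        }
        int mismatches = 0;
        for (Future<Boolean> f : results) {
            if (f.get()) mismatches++;
        }
        pool.shutdown();
        return mismatches;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("global config mismatches: " + countMismatches(true, 200));
        System.out.println("per-instance mismatches:  " + countMismatches(false, 200));
    }
}
```

With a multi-threaded server (Puma, or any threaded Rack host) the first counter is routinely non-zero while the second is always zero. The exact number depends on scheduling, which is the point: the bug is intermittent and invisible in single-threaded development, and it surfaces as one user's action being performed against another user's Slack workspace.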

OAuth2.0 "No Flow" server on Restlet

Man, what a nightmare!
Can anybody PLEASE point me in the direction of any kind of a proper tutorial or example of how to implement an OAuth2.0 server on Restlet (2.2 or 2.1.1). The only thing resembling a tutorial that I managed to find is this one here, but don't get too excited just yet, because it seems that the code in the framework is being changed more frequently than this tutorial is being updated.
Aside from the above mentioned article, there seems to be a near complete absence of any useful search results on this matter on Google. Surely someone out there must have got this right and is using OAuth2.0 on Restlet?
I did in fact manage to get my OAuth2.0 server as far as to return an access token to me (after spending hours analyzing the source code of the AccessTokenResource.java file), but it seems that it is only validating the client id and not the client secret. Assuming I can sort that out, I am still faced with the task of actually protecting the resources (which should be the job of the OAuthAuthorizer, but that appears to no longer even be present after 2.1.1).
Any help would be greatly appreciated!!
This extension is a work in progress. Please note that OAuth 2.0 has only recently been finalized.
We are currently updating the 2.2 branch to a very recent draft (31). The code has been updated and the documentation indeed needs to follow.
2.2 is still under development and isn't ready for production. We are looking for testers and contributors (code and doc) at this point.
In 2.2 OAuthAuthorizer has been split.
See this issue for additional details:
https://github.com/restlet/restlet-framework-java/pull/644

Migrating command line script to FT API 1.0

I have a simple server-side command line python script, based on the now deprecated FT SQL API using Client Login for authorization.
Every few hours I refresh my FT by inserting the updated data. It's a small table, 3000 rows.
I have read the FT Migration Guide, have a Google user ID, enabled the FT API and have an API key, etc.
(Switching my Google Maps application to the new API was straight forward)
But I'm confused about how to proceed with migrating a command line python script. I see that OAuth2 is the recommended approach for authentication but it appears to me that this is a much more complicated approach than I truly need. It's not even clear to me that it will work for command line scripts.
Truly no need to prompt the user for login info (it's only me). I realize that this must be an "Installed app" and I found the Hello, Python example at
https://developers.google.com/fusiontables/docs/sample_code#ftAPIv1
I haven't tried this yet but wanted to see if anyone has experience with migrating command line scripts. (PHP would work as well)
In particular I was intrigued by a quote I found here:
https://developers.google.com/fusiontables/docs/v1/using
"The Fusion Tables API also supports older authorization options, such as OAuth 1.0, AuthSub, or ClientLogin; however, in most cases we don't recommend using those other options. If your application already uses those options, we recommend migrating to OAuth 2.0 if possible."
Because, frankly I'd rather not switch to OAuth 2 for such a simple task.
UPDATE
Forgot to mention, I run this from cron, every 3 hours. So user input is not really possible. Though, as David suggested below, a one-time user input is doable.
You should be able to use your Client Login token as your auth token for your existing server-side command line app with the new API. You'll also need to include your developer key in the request as the "key" parameter.
There is a very simple Python implementation of the OAuth2 Installed Application flow here https://developers.google.com/fusiontables/docs/samples/python as you may have found, and yes, you should switch to this. ClientLogin is deprecated, just like the SQL API.
The code requires you to open a browser and prompts you every time you use it; I'm going to speak to the author about optimizing it and having it store the refresh token, so it would only prompt the first time you use it.

How to disable discovery and specify OpenID server for omniauth-openid

I am trying to do OmniAuth OpenID with Google Apps in Ruby on Rails. I know it should work out-of-the-box if I specify ":identifier => 'https://www.google.com/accounts/o8/site-xrds?hd=example.com'" where example.com is the domain that my targeted users come from.
The user can get redirected to Google when accessing /auth/google without a problem, and this openid.identity can be returned from Google:
... &openid.identity=http://example.com/openid?id=xxxxxxxxxxxxxxxxxxxxxxx ...
However, the example.com I am working with does not have the correct "rel='openid2.provider'" <link /> tags set up at http://example.com/, therefore the discovery fails when omniauth-openid tries to check with Google again.
Is there a quick and clean way to work around the default discovery behavior so that I can define https://www.google.com/a/example.com/o8/ud?be=o8 as the server directly without performing the automatic discovery?
Thanks!
I think omniauth-openid uses ruby-openid. If so, you should be able to get it to work easily:
gem install ruby-openid-apps-discovery
Then throw in somewhere before making the request
require 'gapps_openid'
Google Apps has a slightly different discovery protocol, which is what that gem provides.
Before using the gem that Steve recommended, I came up with a workaround to make the entire discovery process happen locally only, which I find might be useful to some people. If you only accept users from a single Google Apps domain, you might want to:
Add a line like 127.0.0.1 example.com in your /etc/hosts.
Set up a lightweight HTTP server like nginx, create a file called openid (do not append .html), and add your <link rel="openid2.provider" ... > tag there.
This is slightly faster than using ruby-openid-apps-discovery since it saves your application from sending some requests to an external HTTPS server.