I use sprinfox.swagger 2.9.2
How can I change my configuration from:
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("swagger-ui.html")
.addResourceLocations("classpath:/META-INF/resources/");
registry.addResourceHandler("/webjars/**")
.addResourceLocations("classpath:/META-INF/resources/webjars/");
}
to configuration 3.0.0?
because this doesn't work:
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("swagger-ui/index.html")
.addResourceLocations("classpath:/META-INF/resources/");
registry.addResourceHandler("/webjars/**")
.addResourceLocations("classpath:/META-INF/resources/webjars/");
}
Related
I have a project based on Spring Boot 2.7.5 and Vaadin 23.3.0.
Using #Async methods, I'm losing the authenticated principal on upstream API calls. Researching this the solution here seems to be setting:
SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
This resolves the issue and allows for authentication data to reach threads created by a #Async function.
My question is, I see VaadinWebSecurity is setting SecurityContextHolder.setStrategyName as follows:
protected void configure(HttpSecurity http) throws Exception {
SecurityContextHolder.setStrategyName(VaadinAwareSecurityContextHolderStrategy.class.getName());
...
I can override this in my SecurityConfig as follows:
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
...
Does the above affect Vaadin's security setup at all? Is this the suggested fix for my situation or is there a better approach?
As per Simon's recommendation, creating a new SecurityContextHolderStrategy which uses InheritableThreadLocal instead of the default ThreadLocal as follows:
import com.vaadin.flow.server.VaadinSession;
import org.springframework.lang.NonNull;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import java.util.Optional;
import static java.util.Objects.requireNonNull;
public class VaadinAwareSecurityContextHolderStrategyUsingInheritableThreadLocal implements SecurityContextHolderStrategy {
private final InheritableThreadLocal<SecurityContext> contextHolder = new InheritableThreadLocal<>();
#Override
public void clearContext() {
contextHolder.remove();
}
#Override
#NonNull
public SecurityContext getContext() {
SecurityContext context = getFromVaadinSession().orElseGet(contextHolder::get);
if (context == null) {
context = createEmptyContext();
contextHolder.set(context);
}
return context;
}
#NonNull
private Optional<SecurityContext> getFromVaadinSession() {
VaadinSession session = VaadinSession.getCurrent();
if (session == null || session.getSession() == null) {
return Optional.empty();
}
Object securityContext = session.getSession().getAttribute(
HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
if (securityContext instanceof SecurityContext) {
return Optional.of((SecurityContext) securityContext);
} else {
return Optional.empty();
}
}
#Override
public void setContext(#NonNull SecurityContext securityContext) {
contextHolder.set(requireNonNull(securityContext));
}
#Override
#NonNull
public SecurityContext createEmptyContext() {
return new SecurityContextImpl();
}
}
Then applying this in my SecurityConfig after I call super.configure():
public class SecurityConfig extends VaadinWebSecurity {
...
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
SecurityContextHolder.setStrategyName(VaadinAwareSecurityContextHolderStrategyUsingInheritableThreadLocal.class.getName());
...
}
...
Allows #Async methods to inherit authentication detail used in my WebClient for upstream API calls.
In my Dropwizard (1.2.4) application I'm having trouble injecting my Dropwizard configuration into classes that are instantiated by HK2. What's the best way to achieve this?
Just bind the configuration instance.
#Override
public void run(final DummyConfiguration conf, Environment env) {
env.jersey().register(new AbstractBinder() {
#Override
public void configure() {
bind(conf).to(DummyConfiguration.class);
}
})
}
Now you can #Inject the DummyConfiguration anywhere you need it.
For dropwizard version 2.0.1:
#Override
public void run(final YourConfiguration conf, Environment env) throws Exception {
env.jersey().getResourceConfig().register(new AbstractBinder() {
#Override
public void configure() {
bind(conf).to(YourConfiguration.class);
// bind other classes
}
});
// register resources
}
In earlier versions, you could have a class which implements ServletContextListener and put your code in the contextInitialized method, so that it runs when the server starts. This is useful for loading up the database into memory. How does one achieve this in a Vaadin 8 project?
In exactly the same way: By registering a ServletContextListener. You can use the #WebListener annotation for this. For example:
public class WebConfig {
#WebServlet("/*")
#VaadinServletConfiguration(ui = VaadinUI.class, productionMode = false)
public static class JdbcExampleVaadinServlet extends VaadinServlet {
}
#WebListener
public static class JdbcExampleContextListener implements ServletContextListener {
#Override
public void contextInitialized(ServletContextEvent sce) {
try {
DatabaseService.init();
} catch (Exception e) {
e.printStackTrace();
}
}
#Override
public void contextDestroyed(ServletContextEvent sce) {
DatabaseService.shutdown();
}
}
}
I'm working on Spring Boot application with configured SSO/OAuth2 security.
Authentication works fine for my rest controllers and now I need to secure my Apache Camel route with a rest endpoint.
As I understand there are several ways how to do it:
By adding auth processor to my route
By adding policy (SpringSecurityAuthorizationPolicy) to my route
By handlers option to jetty endpoint
I'm trying to do it by adding new auth processor to my rest endpoint but I stuck on this exception:
org.springframework.security.oauth2.common.exceptions.OAuth2Exception:
No AuthenticationProvider found for
org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
During debugging I see that org.springframework.security.authentication.ProviderManager.getProviders() contains only one provider AnonymousAuthenticationProvider so probably I have to register appropriate provider...
Can someone help me to find the right way to solve this problem please?
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().permitAll();
}
#Configuration
#EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
#Value("${oauth2.token.endpoint}")
private String tokenEndpoint;
#Bean
public ResourceServerTokenServices tokenService() {
RemoteTokenServices tokenServices = new RemoteTokenServices();
tokenServices.setClientId("clientId");
tokenServices.setClientSecret("clientSecret");
tokenServices.setCheckTokenEndpointUrl(tokenEndpoint);
return tokenServices;
}
#Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated();
}
}
}
#Configuration
public class EmbeddedServerRoute {
#Bean
public RoutesBuilder embeddedServer() {
return new RouteBuilder() {
#Override
public void configure() throws Exception {
restConfiguration().component("jetty").port("8081").bindingMode(RestBindingMode.json);
}
};
}
}
#Component
public class RestTestRoute extends RouteBuilder {
#Autowired
private AuthProcessor authProcessor;
#Override
public void configure() throws Exception {
from("rest:get:/test").process(authProcessor).to("mock:end").end();
}
}
#Component
public class AuthProcessor implements Processor {
#Autowired
private AuthenticationManager authenticationManager;
private TokenExtractor tokenExtractor = new BearerTokenExtractor();
private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new OAuth2AuthenticationDetailsSource();
#Override
public void process(Exchange exchange) throws Exception {
HttpServletRequest request = exchange.getIn().getBody(HttpServletRequest.class);
Subject subject = new Subject();
Authentication auth = getAuth(request);
subject.getPrincipals().add(auth);
exchange.getIn().setHeader(Exchange.AUTHENTICATION, subject);
}
private Authentication getAuth(HttpServletRequest request) throws OAuth2Exception {
Authentication authentication = null;
try {
authentication = tokenExtractor.extract(request);
if (authentication != null) {
request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, authentication.getPrincipal());
if (authentication instanceof AbstractAuthenticationToken) {
AbstractAuthenticationToken needsDetails = (AbstractAuthenticationToken) authentication;
needsDetails.setDetails(authenticationDetailsSource.buildDetails(request));
}
return authenticationManager.authenticate(authentication);
}
} catch (Exception e) {
throw new OAuth2Exception(e.getMessage());
}
throw new OAuth2Exception("Not Authorized to view resource");
}
}
As a final solution I decided to use Spring Boot embedded servlet container instead of Apache Camel rest component. So it could be easily secured by Spring Security. This could be done by creating additional beans:
#Bean
public ServletRegistrationBean servletRegistrationBean() {
SpringServerServlet serverServlet = new SpringServerServlet();
ServletRegistrationBean regBean = new ServletRegistrationBean(serverServlet, "/camel/*");
Map<String, String> params = new HashMap<>();
params.put("org.restlet.component", "restletComponent");
regBean.setInitParameters(params);
return regBean;
}
#Bean
public Component restletComponent() {
return new Component();
}
#Bean
public RestletComponent restletComponentService() {
return new RestletComponent(restletComponent());
}
How to implement Jedis without JedisPool/commons-pool2-2.0 because still we are using jdk 1.5(commons-pool2-2.0 does not support JDK 1.5)
How to implement a thread-safe connection pooling?
I'm not sure about Jedis compatibility with Java 5. You can create your own pooling based on the older commons-pool 1.6 library. You do not need to have commons-pool2 on your class path to run jedis. I used Jedis 2.7.3 and commons-pool 1.6 to validate the solution approach.
Find the example code attached:
import org.apache.commons.pool.ObjectPool;
import org.apache.commons.pool.PoolableObjectFactory;
import org.apache.commons.pool.impl.GenericObjectPool;
import redis.clients.jedis.Jedis;
public class JedisWithOwnPooling {
public static void main(String[] args) throws Exception {
ObjectPool<Jedis> pool = new GenericObjectPool(new JedisFactory("localhost"));
Jedis j = pool.borrowObject();
System.out.println(j.ping());
pool.returnObject(j);
pool.close();
}
private static class JedisFactory implements PoolableObjectFactory<Jedis> {
private String host;
/**
* Add fields as you need. That's only an example.
*/
public JedisFactory(String host) {
this.host = host;
}
#Override
public Jedis makeObject() throws Exception {
return new Jedis(host);
}
#Override
public void destroyObject(Jedis jedis) throws Exception {
jedis.close();
}
#Override
public boolean validateObject(Jedis jedis) {
return jedis.isConnected();
}
#Override
public void activateObject(Jedis jedis) throws Exception {
if (!jedis.isConnected()) {
jedis.connect();
}
}
#Override
public void passivateObject(Jedis jedis) throws Exception {
}
}
}