I can't get ipRestrictions to work via springsecurity.
I'm working with a bare app to try and isolate the issue with Grails 3.3.10 and spring-security-core 3.2.0.
Eventually I want to restrict access to a web service to a limited subnet. But in an attempt to get this to work I'm just trying to find any case that will get rejected.
I'm working with a stock create-app application but I've added the following to build.gradle to pull in spring-security:
compile 'org.grails.plugins:spring-security-core:3.2.0'
My application.groovy to configure this is:
grails.plugin.springsecurity.rejectIfNoRule = false
grails.plugin.springsecurity.fii.rejectPublicInvocations = false
grails.plugin.springsecurity.ipRestrictions = [
[pattern: '/**', access: '172.16.0.1']
]
I'm expecting to see something like a 401 Unauthorized or 403 Forbidden.
IP Address Restrictions don't apply to requests coming from localhost. This is to "help" local development but subsequently makes testing your restrictions more difficult. There is a confusingly worded note at the bottom of section 18 of the docs that should start "All patterns can always be accessed from localhost regardless of IP address":
All addresses can always be accessed from localhost regardless of IP pattern, primarily to support local development mode.
Related
I have deployed my first webapp at a digital ocean droplet.
The app has two docker containers running at :8000 and :5173
It has a frontend and a backend.
Originally I thought Cors is not enabled.
However after more research I think the issue lies with Fastapi as I've found other threads with similar problems.
Unfortunately none worked. There is talk on github and SO that fastapi and docker is the problem, but it works fine on my local machine. (in the container).
I tried these, this and pretty much everything I could find.
The error message is:
Access to fetch at 'http://<IP address>:8000/mdstats_player' from origin 'http://<IP address>:5173' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
GET http://<ip_address>/mdstats_player net::ERR_FAILED 200
In Fastapi I set up the allowed origins including that new IP address.
Exactly like https://fastapi.tiangolo.com/tutorial/cors/ and it works locally originally getting the same error.
I also tried the wildcard and starlette.
I can access http://<ip_address>:8000 just fine.The container is running as expected.
On my local machine everything works as expected too. (i.e. backend and frontend containers can communicate).
The origins I set, (where ipaddress is my Digital Ocean IP address), the exact same one that gets denied, I think I have all variations, but maybe I am missing one?
origins = [
"http://localhost:5173",
"localhost:5173",
"http://<ip_address>:5173",
"<ip_address>:5173",
"http://<ip_address>:5173/",
"localhost:5173/",
"0.0.0.0:5173",
"http://172.18.0.2:5173/",
]
As a last chance:
I am also using svelte with vite.
In my docker-compose file I set:
- VITE_BACKEND_URL=http://<ip_address>:8000
original set to localhost
Many thanks in advance.
After trying pretty much everything I have found a solution:
instead of adding the middleware afterwards like they do on the fastapi tutorial
I did this:
from fastapi.middleware.cors import CORSMiddleware
from fastapi.middleware import Middleware
app = FastAPI(middleware=middleware)
origins = [
"http://localhost:5173",
"http://localhost:5173/",
"localhost:5173",
"localhost:5173/",
"0.0.0.0:5173",
"http://172.18.0.2:5173/",
"http://192.168.64.2:5173/",
]
middleware = [
Middleware(
CORSMiddleware,
allow_origins=origins,
allow_credentials=True,
allow_methods=['*'],
allow_headers=['*']
)
]
I also had to add the network ips.
But the middleware part was crucial. Even with the network ips with app.add_middle_ware this won't work. I tried several times just to make sure that really is the solution since it seems like a lot of the other posts that come across have solutions that were just along the way since docker doesn't update everything each system update. See issues of docker on github.
Hope this helps someone. What insanity.
Im working on a website using Laravel in a Docker container on local. The webserver used is Nginx.
Im trying to implement Facebook's Graph API (the PHP API) and as Im developing on localhost and using Docker, any time I want to use the API I get:
Can't Load URL: The domain of this URL isn't included in the app's
domains. To be able to load this URL, add all domains and subdomains
of your app to the App Domains field in your app settings.
I tried adding the domain I use locally myapp.local:3000, also <my ip>:3000 or localhost:3000 but nothing works.
Here is the code:
public function facebookRequest() {
$fb = new \Facebook\Facebook([
'app_id' => 'MY_APP_ID',
'app_secret' => 'MY_APP_SECRET',
'default_graph_version' => 'v8.0',
]);
$callback = 'users/get-facebook-photos';
$helper = $fb->getRedirectLoginHelper();
$permissions = ['user_photos'];
$data['fb_url'] = $helper->getLoginUrl($callback, $permissions);
$loginUrl = $helper->getLoginUrl(base_url().'/users/get-facebook-photos', $permissions);
echo 'Log in with Facebook!';
}
What I need to do to develop using Graph API and Docker? There's some option to bypass domain filter or what should I do?
Seems like you're using your application to request a token from facebook servers and when the token is created, you'll end up being redirected on to the original destination. The redirect location cannot be "localhost" it should be a valid location ... like a website. If you want to make this work locally you could edit your /etc/hosts file to map local.example.com to 127.0.0.1 and use this domain for redirections in tests/QA, so that when your app gets redirected, it attempts it via the localhost.
Another suggestion (found by searching for the exact but more generic parts of the error "Can't Load URL: The domain of this URL isn't included in the app's domains") suggests:
add "https://apps.facebook.com/" in valid OAuth redirect URIs under https://developers.facebook.com/apps/your-app-id/fb-login/settings/
Well finally got a solution (not the one I wanted). I was using a custom domain defined on my host file. That didn't work for Facebook. I needed to use localhost (not even 127.0.0.1) and whitelist localhost on Facebook Developers.
So, if you have this issue, you can do this workaround and use localhost instead of custom domain. Nevertheless, my ideal solution would be using custom domains.
I am working with a designer and I'd like them to have access to the interactions I've implemented on the site we're working on. However this time, I have 2 issues. My localhost is configured to a subdomain:
http://store.teststore:3000/ and we're on different networks. Is there anyway to work around this?
ngrok should work for you. Download and install it following these instructions here: https://ngrok.com/download. Documentation on how it is used can be found here https://ngrok.com/docs. Once installed running the below command should work for you (depending on the hosting environment):
ngrok http -host-header=rewrite store.teststore:3000
You will need to give the URL generated by ngrok and displayed in the cmd prompt to the designer.
Update: Handling absolute redirects
Based on your comment it sounds like, after login, your site does an absolute redirect (the full URL is specified). If it is possible I would change your code to do a relative redirect where the domain is omitted. You could also make your root domain configurable in the absolute redirect and configure it to be the ngrok domain provided for now. Lastly, you could attempt to configure your DNS with a CNAME record following ngroks Tunnels to custom domains documentation. This last option, however, requires a paid for ngrok subscription.
Install ngrok if you haven't yet and CD into your project directory and invoke ngrok. Note Your application must be running locally on the same port number ngrok will be running.
I am trying to run the quick start code of Real Time API of Google Drive.
I believe I did everything right. But I am getting
Error: origin_mismatch
Request Details
openid_connect_request=true
cookie_policy_enforce=false
scope=https://www.googleapis.com/auth/drive.install https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/plus.me
response_type=token
access_type=online
redirect_uri=postmessage
proxy=oauth2relay601571239
origin=http://127.0.0.1
state=811328575|0.818765953
display=page
client_id=XXXXXXXXXX
You haven't given much detail about your application architecture, so i can only suggest a general answer. OAuth restricts which URLs can be referred to it. The list of permitted URLs is configured in the API console at https://code.google.com/apis/console. The URL is very fussy, so make sure you enter it exactly as it appears in the address bar.
As at Oct 2013, you can't use localhost. You have 2 choices.
edit 127.0.0.1 = mydevserver.example.com into your /etc/hosts
use a url shortener (eg. goo.gl) to create an alias to localhost
However, I believe that it is now possible to configure localhost in the
Google api console.
I had same problem with origin_mismatch.
From: Create a client ID section localhost should work and worked for me after small testing.
Origin in Google API i have:http://localhost
URL to address bar in browser:localhost
From the beginning this configuration not works, but after i tried write to address bar: 127.0.0.1->enter->origin_mismatch, it's correct and after again write localhost, now it's works.
Tested same behaviour in Firefox 39 and Google Chrome 37.0.2062.120 Ubuntu 12.04 (281580) (64-bit).
I just checked out this answer: Rails Recaptcha plugin always returns false
but it didn't seem to help. I'm trying to run recaptcha on rails on my local machine. The site says the API keys should work for prod and local. I've checked the keys many times and have even tried "workarounds" where you explicitly feed in the pub/priv key (since I'm running on windows). I just wanted to know if there's a known issue with windows, or if there's an issue with running on localhost, or if this plugin is out of date? Thanks.
I'm always getting the error that my captcha is wrong. I even tried the sound type, still wrong. Apologies if this is just a silly question, I just wanted to rule out everything that may be a known issue.
When getting an API key for ReCaptcha a domain must be specified. localhost won't work but your hostname should. As the recaptcha site says:
By default, your reCAPTCHA key is restricted to the specified domain, and any subdomains for additional security
Find out your hostname at the following link and use it as the domain for you API keys:
http://whatismyipaddress.com/staticpages/index.php/what-is-my-hostname
My provider happens to be Comcast, so I created a global API key for comcast.net
https://admin.recaptcha.net/recaptcha/createsite/