My team is developed an spring boot business app and its now on production server.
Now my manager wants to implement spring boot admin server to monitor this app( that's may be a good idea).
Now, My situation is, I am using spring boot 2.1.3 version and I created sample spring boot admin server and client and that's working fine. but when I made my business application to spring boot admin client that time I am getting an "health status= down ",and my business application security showing logs like no matching filters.
We have used strong security for business application.
Now, my question is can I bypass the security for actuator and How? and Is it good idea to use spring boot admin server (separate application) for business application.
Bellow is the log
28-03-2019 13:47:18.480 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher:176 - Checking match of request : '/actuator/metrics/jvm.memory.committed'; against '/api/getClientByName'
28-03-2019 13:47:18.480 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher:176 - Checking match of request : '/actuator/metrics/jvm.memory.committed'; against '/api/getAuthType'
28-03-2019 13:47:18.480 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher:176 - Checking match of request : '/actuator/metrics/jvm.memory.committed'; against '/api/resetPassword'
28-03-2019 13:47:18.480 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher:176 - Checking match of request : '/actuator/metrics/jvm.memory.committed'; against '/api/sendOTP'
28-03-2019 13:47:18.480 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher:176 - Checking match of request : '/actuator/metrics/jvm.memory.committed'; against '/api/fetchQuestionsList'
28-03-2019 13:47:18.480 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher:176 - Checking match of request : '/actuator/metrics/jvm.memory.committed'; against '/externalApi/**'
28-03-2019 13:47:18.480 DEBUG http-nio-8080-exec-1 o.s.s.w.u.m.AntPathRequestMatcher:176 - Checking match of request : '/actuator/metrics/jvm.memory.committed'; against '/api/**'
28-03-2019 13:47:18.481 DEBUG http-nio-8080-exec-1 o.s.s.w.FilterChainProxy:202 - /actuator/metrics/jvm.memory.committed?tag=area:heap has no matching filters
Related
In order to add a route for a websocket based micro-service I have
Configured my application as per Spring cloud gateway documentation
- id: sample_service_web_socket_handshake_url
uri: lb:ws://sample-service
predicates:
- Path=/notification-service-ws/**
above notification-service-ws is the handshake url of websocket-service
upon accessing this websocket endpoint directly( without spring-cloud-gateway ) session has been connected with no issue
but upon trying to connect using spring-cloud-gateway the gateway gives following warning log
2020-01-09 10:44:02.923 WARN 5155 --- [-server-epoll-5] .a.w.r.e.DefaultErrorWebExceptionHandler : Failed to handle request [GET http://192.168.10.44:4260/notification-service-ws]: Response status 400 with reason "Invalid 'Upgrade' header: {Sec-WebSocket-Version=[13], Sec-WebSocket-Key=[0EJxcMdBmRhZ5suS/INKnQ==], Sec-WebSocket-Extensions=[permessage-deflate; client_max_window_bits], Host=[192.168.10.44:4260]}"
I have verified no HTTP request is being sent to websocket service
Issue resolved after adding following properties to spring-cloud-gateway application.yml file:
spring:
application:
name: burraq-api-gateway
profiles:
active: dev
cloud:
gateway:
filter:
remove-non-proxy-headers:
headers:
- Proxy-Authenticate
- Proxy-Authorization
- Keep-Alive
- TE
- Trailer
- Transfer-Encoding
This issue occurred because spring cloud gateway by default request headers as mentioned here
I am trying to authorize a user using code grant flow in Keycloak to a Quarkus application.
Here is the Quarkus configuration
# OIDC Configuration
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=web-application
quarkus.oidc.credentials.secret=ca21b304-XXX-XXX-XXX-51d38ef5da02
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=email
The client configuration for "web-application" has only Standard Flow enabled (for Code Grant Flow)
I access http://localhost:8080/
I'm redirected to Keycloak (url looks good with scope=openid+email&response_type=code&client_id=web-application
I log in with sample user account
I'm redirected back with the code
Then I get an exception in Quarkus
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 401 / Unauthorized / Response from server: {"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at org.keycloak.authorization.client.util.TokenCallable.obtainAccessToken(TokenCallable.java:121)
at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:57)
at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:276)
at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:205)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:202)
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:210)
The error in Keycloak is:
09:58:25,420 WARN [org.keycloak.events] (default task-30) type=CLIENT_LOGIN_ERROR, realmId=quarkus, clientId=web-application, userId=null, ipAddress=172.17.0.1, error=invalid_client, grant_type=client_credentials, client_auth_method=client-secret
Question:
Why Quarkus tries to use "grant_type=client_credentials"? It should use the grant type = "authorization_code". This looks like a bug in Quarkus, but maybe there is a flag.
"Service Account Enabled" is off. Enabling it should fix the issue.
Could you try:
quarkus.oidc.client-type=web-app
instead of:
quarkus.oidc.application-type=web-app
Source: https://quarkus.io/guides/security-openid-connect-web-authentication
I am using CKAN 2.7.2.
I have added the following configurations in my development.ini file of ckan:
ckan.oauth2.authorization_endpoint = https://wso2IP/oauth2/authorize
ckan.oauth2.token_endpoint = https://wso2IP/oauth2/token
ckan.oauth2.profile_api_url = https://wso2IP/userinfo
ckan.oauth2.client_id = *client-id*
ckan.oauth2.client_secret = *clientsecret*
ckan.oauth2.profile_api_user_field = abc
ckan.oauth2.profile_api_mail_field = abc#gmail.com
Also, have exported the following while running ckan using paster serve :
export OAUTHLIB_INSECURE_TRANSPORT=True
Also, I have added an application (ckan provider) in WSO2 Identity Server also with callback URL = (http://ckan-url:5000/oauth2/callback) where the CKAN instance is running (i.e a private IP of 172.30.66.XX type running on port 5000).
So, what configuration need to be done in WSO2 Identity Server and ckan development.ini file?
Also, configuring on both sides, I get the error Client authentication Failed in CKAN GUI.
I am using Ckan 2.7.2 , WSO2-IS 5.1 and ckanext-oauth2 (oauthlib==0.8.0)
will it be giving a problem in authentication process??Can it be a version dependency issue??
I have followed the given steps. Kindly correct if I am missing or doing something wrong:
I have used API store and published ckan application.
Entered the ckan callback url as http://oauth2/callback
Entered the generated client ID and client secret from step 1 in ckan configuration.
Also, made the given changes mentioned by you regarding claim configurations and ckanext-oauth2 configurations.
Now, it gives above error.or sometimes Invalid Client (Client Authentication Failed)
Inbound settings:
enter image description here
Error Logs :
[2018-07-25 19:29:25,432] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2018-07-25 19:29:25,431+0530]
[2018-07-25 21:55:15,930] INFO {org.wso2.carbon.identity.application.authentication.framework.store.OperationCleanUpService} - Session Operation Data cleanup task is running successfully for removing expired Operation Data
[2018-07-25 23:40:15,929] INFO {org.wso2.carbon.identity.application.authentication.framework.store.SessionCleanUpService} - Session Data cleanup task is running successfully for removing expired Data
[2018-07-26 09:21:18,948] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2018-07-26 09:21:18,948+0530]
[2018-07-26 09:21:39,307] INFO {org.wso2.carbon.core.services.authentication.AuthenticationAdmin} - 'admin#carbon.super [-1234]' logged out at [2018-07-26 09:21:39,0306]
[2018-07-26 09:55:15,975] INFO {org.wso2.carbon.identity.application.authentication.framework.store.OperationCleanUpService} - Session Operation Data cleanup task is running successfully for removing expired Operation Data
After configuring the settings I receive the following Message:
Your application settings at WSO2-IS seems to be correct. The only thing to take into consideration, it is that ckanext-oauth2 is only able to use the Code and, the Refresh Token grant types, so only those types need to be allowed.
Using this configuration for ckanext-oauth2:
ckan.oauth2.authorization_endpoint = https://wso2IP/oauth2/authorize
ckan.oauth2.token_endpoint = https://wso2IP/oauth2/token
ckan.oauth2.profile_api_url = https://wso2IP/userinfo
ckan.oauth2.client_id = *** OAuth Client Key from the Inbound Authentication Configuration at WSO2 ***
ckan.oauth2.client_secret = *** OAuth Client Secret from the Inbound Authentication Configuration at WSO2 ***
ckan.oauth2.scope = all_info openid
ckan.oauth2.profile_api_user_field = email
ckan.oauth2.profile_api_fullname_field = name
ckan.oauth2.profile_api_mail_field = email
and using your claim mapping configuration (http://wso2.org/claims/fullname and http://wso2.org/claims/emailaddress); I was able to sign in into CKAN. I have tested using CKAN v2.7.4, v2.8.0 and v2.8.1; ckanext-oauth2 v0.6.1 and WSO2-IS v5.5.0 (although it should work using WSO2-IS v5.1).
When trying to execute docker container with gatewayid & sectoken, it fails with error "The Secure Gateway gateway ID was either not recognized or requires a security token to connect, error was: 401". And yet when I manually add via the CLI, it's successful.
I suspect it's because my security token has '--' in it. I tried '', "", and escaping characters on command line. but nothing worked. Fails in both Win10 and RHEL7.
Here's the console:
C:\Users\DebraJohnson>docker run -p 9023:9003 -it ibmcom/secure-gateway-client <gateway_id> --t <sectoken>
IBM Bluemix Secure Gateway Client Version 1.8.0fp4
....
<press enter for the command line>
[2018-04-16 09:12:17.993] [INFO] (Client ID 1) No password provided. The UI will not require a password for access
[2018-04-16 09:12:18.008] [WARN] (Client ID 1) UI Server started. The UI is not currently password protected
[2018-04-16 09:12:18.009] [INFO] (Client ID 1) Visit localhost:9003/dashboard to view the UI.
cli> [2018-04-16 09:12:18.327] [INFO] (Client ID 13) Setting log level to INFO
[2018-04-16 09:12:18.665] [ERROR] (Client ID 13) The Secure Gateway gateway ID was either not recognized or requires a security token to connect, error was: 401
cli> [2018-04-16 09:12:18.671] [INFO] (Client ID 13) Process exiting without errors due to user or server request
cli> sectoken <sectoken>
cli> connect <gateway_id>
cli> [2018-04-16 09:12:43.095] [INFO] (Client ID 27) Setting log level to INFO
[2018-04-16 09:12:43.774] [INFO] (Client ID 27) The Secure Gateway tunnel is connected
[2018-04-16 09:12:43.868] [INFO] (Client ID xxxxxxxxxxx_Hsu) Your Client ID is xxxxxxxxxxx_Hsu
xxxxxxxxxxx_Hsu>
Thanks
Having a -- as part of the security token could be the reason why you got 403 error. Can you please try regenerating the security token and connect the gateway again.
If you still have issues please open a support ticket (https://console.bluemix.net/docs/get-support/howtogetsupport.html#getting-customer-support) where you can provide the gateway id for us to look further into this.
In Grails 3.3.0, I'm having an issue with getting it to use the UrlMappings that I've defined. For instance, I'm trying to have "/" map to the default controller/action.
This works locally (I've turned on logging for 'org.grails.plugins.web.mapping').
I see this in log:
2017-09-01 18:08:05,254 [http-nio-8080-exec-2] DEBUG org.grails.web.mapping.DefaultUrlMappingsHolder - Attempting to match URI [/] with pattern [500]
2017-09-01 18:08:05,254 [http-nio-8080-exec-2] DEBUG org.grails.web.mapping.DefaultUrlMappingsHolder - Attempting to match URI [/] with pattern [/]
2017-09-01 18:08:05,302 [http-nio-8080-exec-2] DEBUG org.grails.web.mapping.DefaultUrlMappingsHolder - Matched URI [/] with pattern [/], adding to posibilities
...and the default controller/action is what I see.
In the Tomcat container, I see this:
09-01 17:44:35,968 [ajp-bio-8009-exec-1] DEBUG org.grails.webflow.mvc.servlet.GrailsFlowHandlerMapping - Looking up Grails controller for URI [/]
2017-09-01 17:44:36,019 [ajp-bio-8009-exec-1] TRACE org.grails.web.servlet.mvc.GrailsDispatcherServlet - Testing handler map [org.grails.web.mapping.mvc.UrlMappingsHandlerMapping#17ef7838] in DispatcherServlet with name 'grailsDispatcherServlet'
but I don't see it attempt to match against "/". Or the 500, for that matter. Any ideas on what else to look for to troubleshoot this?