How can I configure an OAuth2 resource server for a Spring WebFlux app? - spring-security

Spring Security 5.1.0.RC1 has come up with support for OAuth2 Resource Servers in WebFlux - https://spring.io/blog/2018/08/21/spring-security-5-1-0-rc1-released .
The example given here talks about OAuth2 based on the JWT format.
How can I configure an OAuth2 resource server based and specify the token decoding URI?
In Spring MVC I could use @EnableResourceServer and the security.oauth2.resource.token-info-uri property. How would I do the same with WebFlux?

I don't know if it actually worked with RC1 but with 2.1.0.M1 I could get it to work like this:
build.gradle:
repositories {
    mavenCentral()
    maven {
        url 'https://repo.spring.io/libs-snapshot'
    }
}
dependencyManagement {
    imports {
        mavenBom 'org.springframework.cloud:spring-cloud-gateway:2.1.0.M1'
    }
}
dependencies {
    compile 'org.springframework.boot:spring-boot-starter-security'
    compile 'org.springframework.security:spring-security-oauth2-jose'
    compile 'org.springframework.security:spring-security-oauth2-client'
    compile 'org.springframework.security:spring-security-oauth2-resource-server'
}
application.yaml:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/certs
Also there's a sample at https://github.com/spring-projects/spring-security/tree/master/samples/boot/oauth2resourceserver-webflux

Related

Grails 3 : console plugin not coming up in production mode

The Grails console plugin page is not coming up; nothing gets rendered on the UI, only when the application is run in the production environment, either via run-app or as a war file deployed on embedded Tomcat.
Grails version - 3.2.4
build.gradle looks like this:
buildscript {
    repositories {
        mavenLocal()
        maven { url "https://repo.grails.org/grails/core" }
        maven { url "https://plugins.gradle.org/m2/" }
    }
    dependencies {
        ....
        classpath "com.bertramlabs.plugins:asset-pipeline-gradle:2.13.1"
        ...
    }
}
version "0.1"
apply plugin: "asset-pipeline"
repositories {
    mavenLocal()
    maven { url "https://repo.grails.org/grails/core" }
    maven { url "http://repo1.maven.org/maven2" }
}
dependencies {
    ....
    runtime 'org.grails.plugins:grails-console:2.0.9'
    runtime "com.bertramlabs.plugins:asset-pipeline-grails:2.13.1"
    ....
}
Any thoughts on what's going wrong here?
By default the plugin is disabled in production for obvious reasons (an attacker could do anything to your app) - but if you understand the risk and secure it you can re-enable it. Check out the documentation here: https://github.com/sheehan/grails-console#security

Spring security core framework getting configured twice in Grails Spring security core plugin

I am using Grails spring security core plugin version 3.0.3.
The debug statements when configuring the spring security core framework are printed twice and the filter chain is also initialized twice
WARN grails.plugin.springsecurity.SpringSecurityCoreGrailsPlugin -
Configuring Spring Security Core ...
Configuring Spring Security Core ...
WARN grails.plugin.springsecurity.SpringSecurityCoreGrailsPlugin - ... finished
configuring Spring Security Core
... finished configuring Spring Security Core
Build gradle file
buildscript {
    ext {
        grailsVersion = project.grailsVersion
    }
    repositories {
        mavenLocal()
        maven { url "https://repo.grails.org/grails/core" }
    }
    dependencies {
        classpath "org.grails:grails-gradle-plugin:$grailsVersion"
        classpath "org.grails.plugins:hibernate:4.3.10.5"
    }
}
plugins {
    id "io.spring.dependency-management" version "0.5.2.RELEASE"
}
version "0.1"
group "restservicesapp"
apply plugin: "spring-boot"
apply plugin: "war"
apply plugin: 'eclipse'
apply plugin: 'idea'
apply plugin: "org.grails.grails-web"
ext {
    grailsVersion = project.grailsVersion
    gradleWrapperVersion = project.gradleWrapperVersion
}
repositories {
    mavenLocal()
    maven { url "https://repo.grails.org/grails/core" }
}
dependencyManagement {
    imports {
        mavenBom "org.grails:grails-bom:$grailsVersion"
    }
    applyMavenExclusions false
}
dependencies {
    compile "org.springframework.boot:spring-boot-starter-logging"
    compile "org.springframework.boot:spring-boot-starter-actuator"
    compile "org.springframework.boot:spring-boot-autoconfigure"
    provided "org.springframework.boot:spring-boot-starter-tomcat"
    compile "org.grails.plugins:hibernate"
    compile "org.grails.plugins:cache"
    compile "org.hibernate:hibernate-ehcache"
    runtime "mysql:mysql-connector-java:5.1.38"
    compile 'org.grails.plugins:spring-security-core:3.0.3'
    compile ('org.grails.plugins:spring-security-rest-gorm:2.0.0.M2') {
        exclude group: 'org.grails.plugins', module: 'spring-security-core'
    }
    testCompile "org.grails:grails-plugin-testing"
    testCompile "org.grails.plugins:geb"
    //console "org.grails:grails-console"
}
task wrapper(type: Wrapper) {
    gradleVersion = gradleWrapperVersion
}
Do you have org.grails.plugins:cxf in your build.gradle? Possibly two contexts are being created: one for your main app and the other for your /services/*. Move the cxf dependency in the Gradle file above the Spring Security plugin and then you should see Spring Security being configured only once. I have been struggling with this for more than 2 weeks now, but this solved the issue for me. For me it actually was an issue, as Spring Security being configured a second time was giving me an NPE at times. See this question from myself only.
Update
My above assessment proved wrong. The real solution is to add the snippet below to your build.gradle:
configurations.runtime {
    exclude module: "cxf"
}
I believe Spring Security is not being configured twice. One line of output is from logging, the other is a println.
Below is some code from grails.plugin.springsecurity.SpringSecurityCoreGrailsPlugin:
Closure doWithSpring() {{ ->
    ReflectionUtils.application = SpringSecurityUtils.application = grailsApplication
    SpringSecurityUtils.resetSecurityConfig()
    def conf = SpringSecurityUtils.securityConfig
    boolean printStatusMessages = (conf.printStatusMessages instanceof Boolean) ? conf.printStatusMessages : true
    if (!conf || !conf.active) {
        if (printStatusMessages) {
            String message = '\n\nSpring Security is disabled, not loading\n\n'
            log.warn message
            println message
        }
        return
    }
    log.trace 'doWithSpring'
    if (printStatusMessages) {
        String message = '\nConfiguring Spring Security Core ...'
        log.warn message
        println message
    }

Grails 2.4.3 + Neo4j Plugin = No bean named 'sessionFactory'

I want to create a sample app in Grails with Neo4j (on IntelliJ).
After creating a simple app, I added the necessary configuration inside BuildConfig.groovy:
Repo
mavenRepo 'http://m2.neo4j.org/content/repositories/releases/'
Plugin
compile ":neo4j:2.0.0-M02"
I want to use MySql and Neo4J at the same time (adding mapping inside the domain model, when I want neo4j).
But I have this error:
Error |
2014-12-14 19:05:59,261 [localhost-startStop-1] ERROR context.GrailsContextLoaderListener - Error initializing the application: No bean named 'sessionFactory' is defined
Message: No bean named 'sessionFactory' is defined
Line | Method
->> 104 | postProcessBeanFactory in org.grails.datastore.gorm.plugin.support.PersistenceContextInterceptorAggregator
What am I doing wrong?
Having the same problem - if I remove the neo4j plugin and create an ordinary domain class + test, it works fine.
As soon as you enable the neo4j plugin (2.0.0-M2) and run the same test again, it fails with the errors above.
No idea how enabling the neo plugin removed the sessionFactory bean that Grails normally sets up.
Something kooky going on.
Tried to cheat and added this to the resources.groovy beans:
...
sessionFactory(ConfigurableLocalSessionFactoryBean) {
    dataSource = ref('dataSource')
    hibernateProperties = ["hibernate.hbm2ddl.auto": "create-drop",
                           "hibernate.show_sql": "true"]
}
and tried to re-run the test - it still fails, as it says in the error:
..Message: No such property: ConfigurableLocalSessionFactoryBean for class: resources
so it's somewhere deep in the bowels...
Finally I found a solution: Do not use this plugin. I prefer to use a micro service architecture. I created an application with Spring Boot, Groovy and Neo4J. I omitted controllers, model and spring repositories.
build.gradle
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:1.2.2.RELEASE")
    }
}
apply plugin: 'groovy'
apply plugin: 'idea'
apply plugin: 'spring-boot'
jar {
    baseName = "it.luis"
    version = '0.1-SNAPSHOT'
}
repositories {
    mavenCentral()
    jcenter()
    maven { url "http://m2.neo4j.org/content/repositories/releases/" }
    maven { url "https://repo.spring.io/libs-release" }
}
dependencies {
    // compile 'org.codehaus.groovy:groovy-all:2.4.0'
    compile localGroovy()
    compile("org.springframework.boot:spring-boot-starter-web")
    compile("org.springframework.boot:spring-boot-starter")
    compile("org.springframework:spring-context")
    compile("org.springframework:spring-tx")
    compile("org.springframework.data:spring-data-neo4j")
    compile("org.hibernate:hibernate-validator")
    compile("org.springframework.boot:spring-boot-starter-actuator")
    compile("javax.el:javax.el-api:2.2.4")
    testCompile("junit:junit")
    /* Swagger */
    compile "com.mangofactory:swagger-springmvc:0.9.5"
    /* Stormpath */
    compile "org.sonatype.oss:stormpath-spring-security"
    runtime "com.stormpath.sdk:stormpath-sdk-httpclient:0.9.3"
}
Application.groovy
package it.luis

import org.springframework.boot.SpringApplication
import org.springframework.boot.autoconfigure.EnableAutoConfiguration
import org.springframework.boot.autoconfigure.SpringBootApplication

/**
 * Created by Luigi on 01/03/2015.
 */
@SpringBootApplication
@EnableAutoConfiguration
class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args)
    }
}
Neo4JConf.groovy
package it.luis

import com.mangofactory.swagger.plugin.EnableSwagger
import org.neo4j.graphdb.GraphDatabaseService
import org.neo4j.graphdb.factory.GraphDatabaseFactory
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.ComponentScan
import org.springframework.context.annotation.Configuration
import org.springframework.data.neo4j.config.EnableNeo4jRepositories
import org.springframework.data.neo4j.config.Neo4jConfiguration
import org.springframework.web.servlet.config.annotation.EnableWebMvc

/**
 */
@Configuration
@EnableNeo4jRepositories(basePackages = "it.luis")
@ComponentScan("it.luis")
@EnableWebMvc
@EnableSwagger
class EngineConfiguration extends Neo4jConfiguration {
    EngineConfiguration() {
        setBasePackage("it.luis")
    }

    @Bean
    GraphDatabaseService graphDatabaseService() {
        return new GraphDatabaseFactory().newEmbeddedDatabase("neo4j.db");
    }
}

Grails oauth plugin external configuration in production mode

I'm using grails oauth plugin standard configuration as part of Config.groovy
environments {
    production {
        oauth {
            providers {
                linkedin {
                    api = LinkedInApi
                    key = 'mykey'
                    secret = 'mySecret'
                    successUri = "/userLogin/linkedinLogin"
                    callback = "https://myserverdomain/oauth/linkedin/callback"
                }
            }
        }
    }
}
When using the same configuration in an external file and referencing it by
grails.config.locations = ["file:external-config.groovy"]
there is an error: "No oauth configuration found. Please configure the oauth scribe plugin".
Notice:
1. Other configuration properties are working fine.
2. The problem exists only in production mode. Using the same configuration file in development mode works fine.

Grails 2.0 plugin dependencies

I'm trying to build a Grails 2.0 application using private plugins:
mycompany-frontend = Grails Application
mycompany-core = Grails plugins for domain classes
In the mycompany-core plugin, I created some domain classes and added a joda-time dependency in BuildConfig.groovy:
plugins {
    build(":tomcat:$grailsVersion",
          ":release:1.0.1",
          ":svn:1.0.2") {
        export = false
    }
    build(":joda-time:1.3.1")
}
In the mycompany-frontend app, I have the following BuildConfig.groovy:
plugins {
    runtime ":hibernate:$grailsVersion"
    runtime ":resources:1.1.5"
    build "mycompany:mycompany-core:0.1-SNAPSHOT"
    build ":svn:1.0.2"
    build ":spring-security-core:1.2.7"
    build ":tomcat:$grailsVersion"
}
I also removed grails.plugins entries from application.properties to avoid confusion.
But at the end, the mycompany-frontend cannot find the model classes from mycompany-core plugin.
What should I look at or fix to get this working?
Have you tried to define the dependency to your core-plugin as runtime-/compile-dependency instead of build?
