Using spring-security-oauth2 with refresh tokens, i'm having problems getting details (OAuth2Authentication.getDetails()) from the refreshed access_token because they are lost in refreshAccessToken#DefaultTokenServices as i have seen in debug. Details are present before first refresh.
I have seen a fix in https://github.com/spring-projects/spring-security-oauth/pull/581 but the changes has not been commited in three years.
I'm surprised there's no more complaints about this topic in 3 years and i would like to know how is people solving this problem.
After some investigation, i have been able to solve the problem as follows.
All was a configuration misunderstood, with conflicts between #EnableAuthorizationServer and #EnableResourceServer definitions.
Setting same configuration in both classes, I was able to solve the problem using custom classes extendingTokenEnhancer and JwtAccessTokenConverter.
I also updated dependencies to last versions:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.0.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>5.0.4.RELEASE</version>
</dependency>
Related
I'm writing an application secured with Spring Security.
I want to achieve 2 objectives:
Application in the background is using Keycloak as auth server (this is under my control).
I want the user to be able to log in by default login form in the application, so the user doesn't need to be forwarded to the authentication page of Keycloak.
The desired solution is to use features of
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
The logins enabled are:
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2Login(withDefaults())
.formLogin(withDefaults());
return http.build();
}
I now how to obtain access token from Keycloak but don't know if I can use it to set OAuth2 context in spring security.
I could not find any example of how to do it with the AuthorizationGrantType password.
You are referring to "Password grant" flow and it has been deprecated. You should not use that (like REALLY not).
To authenticate users, use authorization-code flow (with the redirection to the authorization-server). There are several good reason for that:
security concerns
this the (strongly) recommanded way (because of above)
if you do not use your authorization-server screens, then you'll probably have to implement other features than just username / password form (registration, Multi Factor Authentication, profile édition,...)
If your concern is look and feel, consider defining a Keycloak theme. This will allow you to take control of all the Keycloak screens your users could see.
I want to use an on prem bitbucket server using the bitbucket rest api from an application to create, update, and manage projects, repositories, teams etc while taking the parameters from my UI. And create we hooks from my java application. Can anyone point me in the right direction and a few examples to use the api for these from my spring boot project? What are the prerequisites
PS: I looked at the api docs and tried from postman and i want to call the rest end point from my java application.
Edit:
So I am trying to use the JAVA api given
<dependency>
<groupId>com.atlassian.bitbucket.server</groupId>
<artifactId>bitbucket-rest</artifactId>
<version>4.0.0-eap1</version>
<scope>provided</scope>
</dependency>
I'm unable can someone point me to the right direction to initialize or configure the BitBucketClient in my Java code. I don't know how to start calling my local bitbucket server
I'm developing a message-driven module that does not offer any web services (although it might invoke some). The main loop is to listen for incoming messages.
The reason I'm thinking of re-using dropwizard is because, even though I'm not developing any web services, I'd like to reuse the rest of the functionality that comes packaged with dropwizard - database, migrations, configuration,.yml files, jersey client etc. Is that possible (without a hack)?
You should be able to use the components that interest you as Maven dependencies. Like this:
<dependency>
<groupId>io.dropwizard</groupId>
<artifactId>dropwizard-configuration</artifactId>
<version>0.9.1</version>
</dependency>
These individual modules don't depend on dropwizard-core so you won't be pulling in Jetty, etc.
Has anyone configured swagger with spring-data-rest. I know swagger has DocumentationConfig class which scans for all spring-mvc request mappings. But, how to use that for spring-data-rest as there are no explicit request mappings defined. Any help in this regard is greatly appreciated. Also, like to know, if there are any other documentation framework which supports Spring-Data-Rest.
In version greater than 2.6.0 of SpringFox, support for spring data rest was added (but it's still in incubation). In order to add support for Spring Data Rest, you need to include the dependency below:
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-data-rest</artifactId>
<version>2.6.1</version>
</dependency>
This has been lingering out there a while, but as others have mentioned, there are (still) no Swagger implementations that support Spring Data Rest. However, Spring Data Rest does follow the HAL specification, and the HAL Browser integrated really seamlessly with any SDR project. Coupled together with the newer versions of SDR that expose ALPS metadata, this should be very sufficient for your documentation goals.
Answer for your second question:
AsciiDoctor combined with Spring REST Docs/RestAssured can be neat way of documenting SDR endpoints. It does require a bit of manual effort though, as the only automated part will be the creation of snippets. These can then be loaded into your AsciiDoc files.
was wondering if I can use the Neo4j Java API for connecting to remote DBs or is REST the only way for me to access a remote DB ? Was looking to use something like
GraphDatabaseService graphDb = new GraphDatabaseFactory().newEmbeddedDatabase(NEO_4J_REMOTE_DB_ENDPOINT);
If I can use, what would my endpoint look like ? '/db/data ?
Or is it the case where I have to use REST ?
I have my server running in GAE and have a Neo4j instance in Heroku.
Thanks guys.
REST is the only communication protocol with the server version at the moment. There have been talks about a binary protocol but that does not exist atm.
However, there are several layers for different languages over this REST API. For Java, you can find it here :
https://github.com/neo4j/java-rest-binding
This allows you to use the same API as the embedded version, but in the background it is translated to REST. There are some limitations on the functionality, and it's not up to date with all the latest versions but never the less, it works pretty darn good and I always use it with Heroku.
EDIT: If you're using maven, add this repository http://m2.neo4j.org/index.html and then add these lines to your POM
<dependency>
<groupId>org.neo4j</groupId>
<artifactId>neo4j-rest-graphdb</artifactId>
<version>2.0.1</version>
</dependency>