My security configuration is as follows:
http.authorizeRequests().antMatchers("/authenticate").fullyAuthenticated().anyRequest().permitAll().and().httpBasic();
It works and all the endpoints but /authenticate are not secured. But when the client sends Authorization header to any of the unsecured endpoints then Spring Security returns 401.
curl -s -u asdf:asdf http://127.0.0.1:22000/info
{"timestamp":1511348485989,"status":401,"error":"Unauthorized","message":"Bad credentials","path":"/info"}
How I must to configure security to ignore Authorization header on unsecured endpoints if it is sent?
Thanks in advance
Related
I'm using zuul gateway on my.domain.com and authorization code grant type to authenticate requests with keycloak on auth-my.domain.com
when gateway redirects to the keycloak for login
redirect-uri is gateway:8080/... instead of my.domain.com/...
and after logging in i will redirect to gateway:8080/...
what should I do to gateway sends the correct url to the keycloak?
The problem is this: we have released an application with a Vue front-end and a keycloak authorization server. Keycloak works in a docker containerThe application is located at the URL: app.xxxx.xx, and the authorization is at the URL: auth.xxxx.xx. Nginx is used as a proxy server. Everything starts, but after authorization, the application itself does not load and an error occurs:
Access to XMLHttpRequest at 'https://auth.xxxx.xx/auth/realms/Atlas/protocol/openid-connect/token' (redirected from 'http://auth.xxxx.xx/auth/realms/Atlas/protocol/openid-connect/token') from origin 'http://app.gxxxx.xx.' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Keycloak config
Nginx config
Try using "+" in "Web origins" in your client configuration ?
See Web origins.
We are using Oracle Access Manager for providing SSO for HP Service Request Catalog application.
Service request Catalog application requires userid as in form of REMOTE_USER header, this REMOTE_USER will be used for authentication.
So we are passing REMOTE_USER header with userid value from Oracle Access Manager.
Even after passing REMOTE_USER header, authentication is not successful. In the application logs we found error that "SSO: Authentication failed, reason - REMOTE_USER header can't be found in HTTP request".
Service Request Catalog application is using SPRING security 3.1.0 version.
Kindly let me know if we can change Service Request Catalog application to accept different headers other than REMOTE_USER for authentication.
Regards,
Gurivi
Confirm that the server.xml file on Tomcat are set to get REMOTE_USER from the HTTP Header. To do this, follow these steps:
Locate # Define an AJP 1.3 Connector on port 8009 settings.
Verify that the property tomcatAuthentication is set to false.
Reference
I have a bunch of services that sit behind a Zuul Edge Server. The Zuul Edge Server also performs authentication. The session is shared with all services using Spring Session. I want to be able to authenticate and route the request to a service in the same flow. I looked at Dave Syer's tutorial where a Gateway Server can authenticate and route requests.
On that project, the following commands work:
curl -u admin:admin http://localhost:8080/user
curl -c cookie.txt -u admin:admin http://localhost:8080/user
&& curl -b cookie.txt http://localhost:8080/admin/user
I was expecting this to work as well but it doesn't:
curl -u admin:admin http://localhost:8080/admin/user
I was expecting the Gateway server to authenticate, create a redis session, route the request to admin service which would have picked the Authentication from redis session. The request is being routed to admin service, but it also attempts a Basic Authentication and fails.
This is what I see in admin service's logs:
o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'admin'
o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
o.s.s.a.dao.DaoAuthenticationProvider : User 'admin' not found
o.s.s.w.a.www.BasicAuthenticationFilter : Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
I get an HTTP 401 Unauthorized response.
I also tried to disable HTTP Basic Authentication in admin service, but then I get HTTP 403 Forbidden response.
Is there some way to achieve this?
UPDATE
I think this can't work due to the way Spring Session is implemented to save session. I'm waiting for a response to my question on github.
I have a microservice deployed on 3 nodes sitting behind a HAProxy load balancer all inside internal network. The services are protected using OAuth2 APIS authorization server. Now, I want to move the HAProxy to DMZ. And I want to reject requests that do not have auth token in the header and also validate the auth token by calling OAuth REST API.
In HAProxy I couldn't find a way to do this. There is an option httpchk which can be used for healthcheck. I'm looking for a similar feature that can be used to validate each incoming request.
Can anyone please help suggest me on how to implement this using HAProxy or Apache mod_proxy?
There's the Apache module mod_auth_openidc that would allow you to validate OAuth 2.0 tokens against an Authorization Server, see: https://github.com/zmartzone/mod_auth_openidc. That module can be combined with mod_proxy to achieve what you are looking for.
In HAProxy I couldn't find a way to do this.
For the record, as of 2021 you can. Here's a HAProxy official blog post about using OAuth https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/.
TL;DR: install this haproxy-lua-oauth script, then you can come up with conf like this snippet
frontend api_gateway
# Always use HTTPS to protect the secrecy of the token
bind :443 ssl crt /usr/local/etc/haproxy/pem/test.com.pem
# Accept GET requests and skip further checks
http-request allow if { method GET }
# Deny the request if it's missing an Authorization header
http-request deny unless { req.hdr(authorization) -m found }
# Verify the token by invoking the jwtverify Lua script
http-request lua.jwtverify
# Deny the request unless 'authorized' is true
http-request deny unless { var(txn.authorized) -m bool }
# (Optional) Deny the request if it's a POST/DELETE to a
# path beginning with /api/hamsters, but the token doesn't
# include the "write:hamsters" scope
http-request deny if { path_beg /api/hamsters } { method POST DELETE } ! { var(txn.oauth_scopes) -m sub write:hamsters }
# If no problems, send to the apiservers backend
default_backend apiservers