Has methods secure Config Server by oauth2 token? - spring-security

Has methods secure Config Server by oauth2 token ?
I plan to implement spring cloud config-server by oauth2 token,so client-server can fetch property by :
cloud:
config:
uri: http://user:password#localhost:8888
Is it feasible ?
but ... i met some problems .
I start a demo https://github.com/keryhu/spring-oauth2-config-server.git
It contains four services :
1 : eureka : start first,and can implement service register and discovery,it has no oauth2 enviroment.
2 : auth-server : JWT OAuth2 server configuration ,start secondly.
#SessionAttributes("authorizationRequest")
#EnableResourceServer
#EnableDiscoveryClient
and inmemory user :
security:
user:
password: password
3: config-server : start thirdly
#EnableDiscoveryClient
#EnableConfigServer
#EnableResourceServer
and in application.yml :
spring:
cloud:
config:
server:
git:
uri: https://github.com/keryhu/cloud-config
security:
oauth2:
resource:
jwt:
keyValue: |
-----BEGIN PUBLIC KEY-----
....
-----END PUBLIC KEY-----
4: pc-gateway : is a client-server,also a ui server. start lastly
When i test the secured uri: http://localhost:8080/hello, the page was redirected to
http://localhost:9999/uua/login
After entering "user:password",it redirects back
http://localhost:8080/hello
So i think the oauth-server and oauth-client is fine.
but.. i also set the following configuration in bootstrap.yml
cloud:
config:
uri: http://user:password#localhost:8888
When starting pc-gateway service, Fetching config from server has 401 Unauthorized errors :
INFO 954 --- [main] c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at: http://localhost:8888
WARN 954 --- [main] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: 401 Unauthorized
Need help ! thanks !

Related

Spring security OAuth code flow - Invalid credentials

I am getting invalid credentials while implementing the Auth Code Flow with Oauth2 Spring Security. Below is the microservices flow:
Eureka Service - Gateway - Custom Spring Authentication Service
- AM Service (pulls AM business data)
- SM Service (pulls SM business data)
I am able to authenticate and auth code is getting generated as show below
http://127.0.0.1:8060/login/oauth2/code/test-client?code=J5Qvmk&state=HLD0vIaz6GzJl4dK_HJCtt7CGojuPSBVj23bu9fL38s%3D
But then when trying to get redirected to original API call, it fails stating "Invalid credentials"
Below is the error:
enter image description here
Below is the configurations on gateway:
spring:
application:
name: gateway-service
cloud:
gateway:
default-filters:
- TokenRelay
routes:
- id: CdsaiAMServiceApplication
uri: http://127.0.0.1:8082
predicates:
- Path=/ams/**
filters:
- TokenRelay=
- StripPrefix=0
- name: Retry
args:
retries: 1
statuses: UNAUTHORIZED
methods: GET,POST,DELETE
backoff:
firstBackoff: 10ms
maxBackoff: 50ms
factor: 2
basedOnPreviousValue: false
- id: CdsaiSMServiceApplication
uri: http://127.0.0.1:8866
predicates:
- Path=/sms/**
filters:
- TokenRelay=
- StripPrefix=0
- name: Retry
args:
retries: 1
statuses: UNAUTHORIZED
methods: GET,POST,DELETE
backoff:
firstBackoff: 10ms
maxBackoff: 50ms
factor: 2
basedOnPreviousValue: false
discovery:
locator:
enabled: true
sleuth:
sampler:
probability: 1
zipkin:
baseUrl: ${ZIPKIN_BASE_URL:http://127.0.0.1:9411}
security:
oauth2:
resource:
user-info-uri: "http://127.0.0.1:8383/user"
client:
registration:
test-client:
provider: spring
client-id: clientId
client-secret: client-secret
authorization-grant-type: authorization_code
redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
client-name: test-client
user-info-authentication-method: header
provider:
spring:
authorization-uri: "http://127.0.0.1:8383/oauth/authorize"
token-uri: "http://127.0.0.1:8383/oauth/token"
token-info-uri: "http://127.0.0.1:8383/oauth/check_token"
user-name-attribute: preferred_username
Can someone please help.

Spring Cloud Dataflow RBAC with Azure Active Directory RBAC

We are currently working on a POC of Spring Cloud Dataflow, deployed in an Azure Kubernetes Service.
One of our requirements is to integrate it with an Azure Active Directory.
The authentication part went smoothly, but for the authorization, we need SCDF to be able to recognize appRoles of users (RBAC). But the behaviour so far seems to be that only the scopes are exposed, and if all scopes were exposed, then the user has all the service-roles (ROLE_VIEW, ROLE_DESTROY, ROLE_DEPLOY,...).
For instance, we'd like one user to have ROLE_VIEW only, and another user to have both ROLE-VIEW and ROLE_DESTROY.
What we've done so far:
Following the documentation, we created an App Registration (dataflow-server) exposing the following scopes & API permissions:
api://dataflow-server/dataflow.destroy
api://dataflow-server/dataflow.view
api://dataflow-server/dataflow.deploy
api://dataflow-server/dataflow.manage
api://dataflow-server/dataflow.schedule
api://dataflow-server/dataflow.create
api://dataflow-server/dataflow.modify
We created 2 appRoles, "role_reader" and "role_writer", to grant to specific users.
And we updated the configmap of the SCDF server to include these configurations:
spring:
cloud:
dataflow:
security:
authorization:
provider-role-mappings:
dataflow-server:
map-oauth-scopes:true
role-mappings:
ROLE_VIEW: role_reader
ROLE_DESTROY:role_writer
ROLE_DEPLOY: role_writer
ROLE_CREATE: role_writer
ROLE_MANAGE: role_writer
ROLE_SCHEDULE: role_writer
ROLE_MODIFY: role_writer
And:
spring:
security:
oauth2:
client:
registration:
dataflow-server:
provider: azure
redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
client-id: <client_id_from_the_azure_app_registration>
client-secret: <client_secret>
scope:
- openid
- profile
- email
- offline_access
- api://dataflow-server/dataflow.view
- api://dataflow-server/dataflow.destroy
- api://dataflow-server/dataflow.schedule
- api://dataflow-server/dataflow.manage
- api://dataflow-server/dataflow.create
- api://dataflow-server/dataflow.deploy
- api://dataflow-server/dataflow.modify
provider:
azure:
issuer-uri: https://login.microsoftonline.com/<tenant-id>/v2.0
user-name-attribute: name
resourceserver:
jwt:
jwt-set-uti: https://login.microsoftonline.com/<tenant-id>/v2.0/keys
My understanding after reading the docs was that this should be sufficient to map the service roles (ROLE_VIEW) with the Azure AppRoles (role_reader) and allow to use RBAC.
Where did I go wrong ?
Thanks in advance for taking the time to read !

Unable to setup Spring Config server with bibucket

I'm trying to set up Spring Boot Config Server for a few microservices from the Bitbucket repo(earlier while learning tutorial I did the same using Github, it worked, but I think bitbucket is a little different).
Have added dependencies in Config-Server build.gradle
implementation 'org.springframework.cloud:spring-cloud-config-server'
Annotation added in the application class
#EnableConfigServer
Modified .properties file to .yml, and configured like this
server:
port: 8012
spring:
application:
name: config-server
cloud:
config:
server:
git:
uri: ssh://bitbucket.org/project/repo.git
ignore-local-ssh-settings: true
clone-on-start: true
passphrase: passphrase
private-key: |
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,***************************
*************************************************
*************************************************
-----END RSA PRIVATE KEY-----
Have gone through multiple other SO posts.
Tried with these ssh formats
git#bitbucket.org:project/repo.git >> failed to send channel request
ssh://git#bitbucket.org:project/repo.git >> extra / showed up because of jgit
ssh://bitbucket.org/project/repo.git >> giving auth fail
Now I'm confused.
Did try adding this
strict-host-key-checking: false
nothing changed
Any help what am I missing?

Spring cloud gateway not routing web-socket based requests

In order to add a route for a websocket based micro-service I have
Configured my application as per Spring cloud gateway documentation
- id: sample_service_web_socket_handshake_url
uri: lb:ws://sample-service
predicates:
- Path=/notification-service-ws/**
above notification-service-ws is the handshake url of websocket-service
upon accessing this websocket endpoint directly( without spring-cloud-gateway ) session has been connected with no issue
but upon trying to connect using spring-cloud-gateway the gateway gives following warning log
2020-01-09 10:44:02.923 WARN 5155 --- [-server-epoll-5] .a.w.r.e.DefaultErrorWebExceptionHandler : Failed to handle request [GET http://192.168.10.44:4260/notification-service-ws]: Response status 400 with reason "Invalid 'Upgrade' header: {Sec-WebSocket-Version=[13], Sec-WebSocket-Key=[0EJxcMdBmRhZ5suS/INKnQ==], Sec-WebSocket-Extensions=[permessage-deflate; client_max_window_bits], Host=[192.168.10.44:4260]}"
I have verified no HTTP request is being sent to websocket service
Issue resolved after adding following properties to spring-cloud-gateway application.yml file:
spring:
application:
name: burraq-api-gateway
profiles:
active: dev
cloud:
gateway:
filter:
remove-non-proxy-headers:
headers:
- Proxy-Authenticate
- Proxy-Authorization
- Keep-Alive
- TE
- Trailer
- Transfer-Encoding
This issue occurred because spring cloud gateway by default request headers as mentioned here

Zuul Proxy not able to route, resulting in com.netflix.zuul.exception.ZuulException: Forwarding error

I have simple services as:
transactions-core-service and transactions-api-service.
transactions-api-service invokes transactions-core-service to return a list of transactions. transactions-api-service is enabled with hystrix command.
Both are registered in Eureka server with below services ids:
TRANSACTIONS-API-SERVICE n/a (1) (1) UP (1) - 192.168.2.12:transactions-api-service:8083
TRANSACTIONS-CORE-SERVICE n/a (1) (1) UP (1) - 192.168.2.12:transactions-core-service:8087
Below is Zuul server:
#SpringBootApplication
#Controller
#EnableZuulProxy
public class ZuulApplication {
public static void main(String[] args) {
new SpringApplicationBuilder(ZuulApplication.class).web(true).run(args);
}
}
Zuul Configurations:
===============================================
info:
component: Zuul Server
server:
port: 8765
endpoints:
restart:
enabled: true
shutdown:
enabled: true
health:
sensitive: false
zuul:
ignoredServices: "*"
routes:
transactions-api-service:
path: transactions/accounts/**
serviceId: transactions-api-service
eureka:
client:
serviceUrl:
defaultZone: http://localhost:8761/eureka/
logging:
level:
ROOT: INFO
org.springframework.web: DEBUG
===============================================
When I try to invoke transactions-api-service with url (http://localhost:8765/transactions/accounts/123/transactions/786) I get Zuul Exception:
2016-02-13 11:29:29.050 WARN 4936 --- [nio-8765-exec-1]
o.s.c.n.z.filters.post.SendErrorFilter : Error during filtering
com.netflix.zuul.exception.ZuulException: Forwarding error
at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.forward(RibbonRoutingFilter.java:131)
~[spring-cloud-net flix-core-1.1.0.M3.jar:1.1.0.M3]
at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.run(RibbonRoutingFilter.java:76)
~[spring-cloud-netflix- core-1.1.0.M3.jar:1.1.0.M3] ......
If I invoke the transactions-api-service individually (with localhost /accounts/123/transactions/786), it works fine.
Am I missing any configurations on Zuul?
You need to change zuul execution timeout by adding this property in application.yml of zuul server:
# Increase the Hystrix timeout to 60s (globally)
hystrix:
command:
default:
execution:
isolation:
thread:
timeoutInMilliseconds: 60000
Please refer to this thread on netflix issues: https://github.com/spring-cloud/spring-cloud-netflix/issues/321
Faced same issue. In my case, zuul was using service discovery. As a solution, below configuration worked like a charm.
ribbon.ReadTimeout=60000
Reference to the property usage is here.
You have an incorrect indentation. Instead of:
zuul:
ignoredServices: "*"
routes:
transactions-api-service:
path: transactions/accounts/**
serviceId: transactions-api-service
It should be:
zuul:
ignoredServices: "*"
routes:
transactions-api-service:
path: transactions/accounts/**
serviceId: transactions-api-service
you can use this to avoid 500 error
hystrix.command.default.execution.isolation.thread.timeoutInMilliseconds=1000000
zuul.host.connect-timeout-millis=10000
zuul.host.socket-timeout-millis=1000000
In case if your Zuul gateway uses discovery service for service lookup in that case you can disable the hystrix timeout or increase the hysterix timeout as below :
# Disable Hystrix timeout globally (for all services)
hystrix.command.default.execution.timeout.enabled: false
#To disable timeout foror particular service,
hystrix.command.<serviceName>.execution.timeout.enabled: false
# Increase the Hystrix timeout to 60s (globally)
hystrix.command.default.execution.isolation.thread.timeoutInMilliseconds: 60000
# Increase the Hystrix timeout to 60s (per service)
hystrix.command.<serviceName>.execution.isolation.thread.timeoutInMilliseconds: 60000
I was having same issue with zuul server, it got resolved with below property
Let's say you have 2 clients clientA and clientB,
so for clientA, spring.application.name=clientA and server.port=1111
for clientB spring.application.name=clientB and server.port=2222 in there respective application.propeties files.
You want to connect this 2 servers to ZuulServer which is running on port 8087.
add below properties in you ZuulServer application.properties file
spring.application.name=gateway-service
eureka.client.serviceUrl.defaultZone=http://localhost:8761/eureka
eureka.client.register-with-eureka=true
eureka.client.fetch-registry=true
clientA.ribbon.listOfServers=http://localhost:1111
clientB.ribbon.listOfServers=http://localhost:2222
server.port=8087
Note: I am using Eureka Client with my Zuul Server. you can skip that part. Adding this solution in case its helpful for someone.

Resources