What is allowFormAuthenticationForClients parameter of class org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer for.
I've searched in spring Oauth documentation and also spring API and there is no description about this parameter ( by default it's sets to false).
This is a the security constraints on the TOKEN ENDPOINT(ex. oauth/token).
Spring's documantation said;
The token endpoint is protected for you by default by Spring OAuth in the #Configuration support using HTTP Basic authentication of the client secret.
The allowFormAuthenticationForClients parameter set to true means that it is protected using basic authentication and form authentication.
Related
We are using the following stack :
Kotlin 1.6.0 running on JVM 11
com.netflix.graphql.dgs:graphql-dgs-spring-boot-starter 5.0.4
com.netflix.graphql.dgs:graphql-dgs-subscriptions-websockets 5.0.4
com.netflix.graphql.dgs:graphql-dgs-subscriptions-websockets-autoconfigure 5.0.4
org.springframework.boot:spring-boot-starter-security 2.6.7
org.springframework.boot:spring-boot-starter-oauth2-resource-server 2.6.7
We are authenticating using the Google Identity Platform from the client side and passing the resulting Bearer token to the DGS API.
The pure HTTP requests (DgsQuery, DgsMutation) are able to extract the processed/validated token without an issue - and we are able to determine the userId from this.
Expected Results
When calling a subscription graph call we are expecting to extract the same details from the processed Bearer token - so we can then utilise the User Identification within the business logic.
Actual Results
The SecurityContextHolder returns an authorization value that is null. And passing in an invalid token still correctly returns subscribed results, suggesting that the subscription endpoint is not being hooked into the JWT authentication at all.
Question
What would be the recommended approach in providing the same authentication behavior and availability of Security Context to Subscriptions as is available to both DGSQuery and DGSMutation annotated functions?
From research - I understand that this needs to be performed in the initial handshake and then saved to the session.
Worth mentioning - that when calling the server from the GraphiQL UI - therefore using the newest protocol - the authentication occurs and the Security Context is populated with the correct information. However, this then fails with "Trying to execute subscription on /graphql. Use /subscriptions instead!" - which is to be expected with the incompatible client/server versions.
I have a requirement where I have the Azure APIM public facing URL - https://api.example.com/api/v1/storenumber/ordernumber
And
Back-end service URL (Notice - There is no URL path suffix here) - https://back-end.service.com
So I need to remove "/api/v1/storenumber/ordernumber" in APIM.
How to achieve this in Azure APIM policies?
Thanks,
Aneesh.
Let's say you have APIM service with hostname my-service.azure-api.net. An API in APIM service with URL suffix my-api, and a backend URI of https://my-backend.com. And an operation in this API with URI template of my/uri/template.
So for an incoming call to
https://my-service.azure-api.net/my-api/my/uri/template
without any additional configuration APIM service will make a call to
https://my-backend.com/my/uri/template
Because by default APIM service replaces in source URI scheme+hostname+api suffix with backend URI defined for an API in question.
In most simple case when your API has only one operation you could set API suffix to api/v1/storenumber/ordernumber and operation template to /. That would result in public facing URI of
https://api.example.com/api/v1/storenumber/ordernumber
and backend URI for this operation of
https://back-end.service.com/
Of course this is approach is harder to use when you have multiple operations in API. In that case you'll need to use policies: https://learn.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#RewriteURL. For that you can set your API suffix and operation URI template to anything, but add this policy into operation's inbound section:
<rewrite-uri template="/" />
what rewrite-uri policy does is overrides operation URI template for backend request.
I'm building a REST back end based on spring and i'm using spring security to secure the requests. But i'm lookin for an issue to login by sending parameters in json rather than defaults parameters sent by the default login page of spring security.
I'm working with spring security 4.0.1 and spring 4.1
Any issue please?
If you're using just username and password, you can simply add a new filter to the stack, akin to the existing UsernamePasswordAuthenticationFilter, that would react to a specific URL only (just like the default one reacts to j_spring_security_check only), parse the JSON and create the very same UsernamePasswordAuthenticationToken that the default filter creates. This leaves the auth provider the same as the token didn't change.
If you need more fields in addition to username and password, either create a new token type (or use existing one if it makes sense) and a new auth provider that can deal with that token type. You can also just cram extra fields into UsernamePasswordAuthenticationToken using setDetails(), but this is a bit hacky.
I am using the native Facebook SDK (through an opensource tool called 'SimpleFacebook') to authenticate with Facebook. That part is working great. I find the Microsoft Azure implementation of Facebook authentication to be lacking.
Anyway, the next step is to use the token from this Facebook session and authenticate with MS/Azure. There are two methods like look like they should do the job
public void login(java.lang.String provider,
java.lang.String oAuthToken,
UserAuthenticationCallback callback)
Invokes Windows Azure Mobile Service authentication using a provider-specific oAuth token
Parameters:
provider - The provider used for the authentication process
oAuthToken - The oAuth token used for authentication
callback - Callback to invoke when the authentication process finishes
And another very similar method where the second param is a JSON object of type:
com.google.gson.JsonObject oAuthToken,
Is it just me or is the documentation lacking here? I tried just calling the Facebook session's .getAccessToken() and passing that to the functions and I get an error from Azure:
Caused by: com.microsoft.windowsazure.mobileservices.MobileServiceException: {"code":400,"error":"Error: invalid json"}
at com.microsoft.windowsazure.mobileservices.MobileServiceConnection$1.onNext(MobileServiceConnection.java:115)
How do we know what the correct JSON format is?
Am Using the right token?
More information can be found at:
at this Azure site
I think I have this figured out. Essentially all I had to do was create a JSON object (which is fairly new for me). I tried this earlier but I had imported the wrong JSON class (I had imported org.json.JsonObject or something rather than the com.google.gson.JsonObject).
once I did that I had to figure out what the correct json properties should be. Through a lot of Google searches I found out this is the correct format:
JsonObject jo = new JsonObject();
jo.addProperty("access_token", token);
Then use jo.toString() in the call like:
mClient.login(MobileServiceAuthenticationProvider.Facebook, jo.toString(), new UserAuthenticationCallback() {
.....
}
Really not that difficult, but why wouldn't Azure team put this in their docs???
Maybe this is just "obvious" information for a seasoned dev, but it took me a whole evening to figure out.
I'm creating a proxy service for translating an existing SOAP Web Service to REST. I mean, to create a REST Controller based on Spring for creating the REST interface that will call the existing SOAP Web Service.
The SOAP response must be translated into JSON on the REST service's response.
The steps I followed were:
I have generated the SOAP WebService classes thanks to CXF
(wsdl2java). OK.
I have created the REST Controller for invoking the existing SOAP WS with the previous classes. OK.
The input JSON parameter corresponds to the SOAP input parameter. Can I reuse the JAXB classes I generated on the wsdl2java process?
So I tried to define the REST controller as:
public #ResponseBody WebServiceJAXBOutput service(#RequestBody WebServiceJAXBInput input){
...
}
Nevertheless, the REST call always returns 400 (Bad request) if I specify the data values. Although it works if the input JSON fields are null:
{
"application":null,
"center":null,
"language":null
}
I guess the JAXB getter/setters are failing because of the JAXBElement (public JAXBElement getApplication()).
Should this approach work? Did I miss something?
Many thanks!!
Sergi