Sender | Message | Time |
---|---|---|
18 Dec 2020 | ||
Josh Cummings (Gitter) | If `cognitoConfig` gives you the issuer, you can instead do `JwtValidators.createDefaultWithIssuer(cognitoConfig.issuerUrl)`, and that will give you issuer validation as well. | 15:48:09 |
Josh Cummings (Gitter) | Your `RSocketSecurity.JwtSpec` config would then change to | 15:50:23 |
Josh Cummings (Gitter) | Regarding the sample, I was able to get it to work with some tweaks to the client code. I submitted a pull request, and we can chat over there if you like: https://github.com/Braffolk/spring-rsocket-stream-security-issue/pull/1 | 15:52:24 |
Josh Cummings (Gitter) | @guibernardi I wonder if the right component for you is `OAuth2UserService`, which is intended for OAuth 2.0 UserInfo endpoints. | 21:56:15 |
Guilherme Bernardi (Gitter) | You're right about that, my resource server will use oauth2-client. I created some tests here based on the sample for migration, but I'm having trouble with how to configure my `clientRepository` so that every time my Resource Server receives a request with a Bearer Token I call the "fake auth-server" to validate the token and return. | 21:56:15 |
Guilherme Bernardi (Gitter) | I'm trying to search, but I didn't find how I could do this. My resource server is always calling the | 21:57:35 |
19 Dec 2020 | ||
Marcel Widmer (Gitter) | joined the room. | 12:55:55 |
Marcel Widmer (Gitter) | Hello, I am searching for a sample for best practice about just JWT Validation and basic Security Configuration... without … way… | 12:55:55 |

```kotlin
@Configuration
@EnableConfigurationProperties(JwtSecurityProperties::class, SecurityProperties::class)
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true)
class SecurityConfiguration(
    private val jwtSecurityProperties: JwtSecurityProperties,
    private val securityProperties: SecurityProperties
) : WebSecurityConfigurerAdapter() {

    companion object {
        private val API_DOCUMENT = "/api/document/**"
        private val API_SALARY = "/api/salary/**"
        private val FAKE_TOKEN = "/faketoken/**"
    }

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL)
        http
            // custom JWT filter runs before the username/password filter
            .addFilterBefore(JwtTokenFilter(JwtTokenVerifier(jwtSecurityProperties)), UsernamePasswordAuthenticationFilter::class.java)
            // no HTTP session: every request must carry its own token
            .sessionManagement().sessionCreationPolicy(STATELESS).and()
            .authorizeRequests()
            .antMatchers(FAKE_TOKEN).permitAll()
            .antMatchers(API_DOCUMENT).hasAnyAuthority(ROLE_USER)
            .antMatchers(API_SALARY).hasAnyAuthority(ROLE_ADMIN)
            // health/info are public; every other actuator endpoint needs an admin role
            .requestMatchers(EndpointRequest.to(HealthEndpoint::class.java, InfoEndpoint::class.java)).permitAll()
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasAnyRole(*getAdminRoles(securityProperties).toTypedArray())
    }

    private fun getAdminRoles(securityProperties: SecurityProperties) =
        if (securityProperties.user.roles.isNotEmpty()) securityProperties.user.roles else listOf(ROLE_ACTUATOR)
}
```

Ali Akbar Azizkhani (Gitter) | joined the room. | 16:35:01 |
Ali Akbar Azizkhani (Gitter) | Hi all, how do I set my UserDetails as the principal in oauth2Login after login success? | 16:35:02 |
Alba (Gitter) | Okay. I will change. Thank you very much. Greetings! | 17:00:02 |
Guilherme Bernardi (Gitter) | I don't know if I misunderstood or I'm doing something wrong, but in my "protected resource" (oauth2-client) I declare: | 18:31:06 |

```yaml
provider:
  delegator:
    user-info-uri: http://localhost:9999/uaa/me
    authorization-uri: http://localhost:9999/uaa/auth
    token-uri: http://localhost:9999/uaa/foo
```

Guilherme Bernardi (Gitter) | I set up my config as: … I tried with both oidc and userService. | 18:31:52 |
Guilherme Bernardi (Gitter) | But when I request with a Bearer Token the project always calls the `authorization-uri` instead of `user-info-uri`. | 18:32:38 |
Guilherme Bernardi (Gitter) | What am I missing? I followed the docs to create the `WebClientConfig` and the custom UserServices. | 18:35:30 |