We have a project (contains a web backend and a mobile api backend) hosted using google app engine (we also using cloud endpoints).
We use spring framework for the web application, mvc & security.
The problem now is that once I enable <csrf/> in our security.xml, the cloud endpoints project will also require a token because of this setting.
<http auto-config="true">
<intercept-url pattern="/" access="ROLE_USER" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="email"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<!-- <csrf/> -->
</http>
Is that possible to config only certain folder or certain controller require this <csrf/> protection? Because I just want this csrf setting to protect my web backend.
Have a separate URI structure for mobile apis like for example "api/mob/getPostsByUserId" and create a new http tag in spring-security config file as
<http auto-config="false" pattern="/mob/**">
//.. your other settings
</http>
Related
I have an react Web Application. That application needs to use authorization and authentication with SAML2 based on an ADFS IDP.
I need to use Spring Boot Security for that.
How do I integrate my react app into the Spring Boot Security Part? I need authentication / authorization on the Front-End Part for displaying menu options.
I get some Roles and Claims back from ADFS in my Spring Boot Service.
How to do this?
Components:
HTML, Bootstrap, AJAX Single Page Application (SPA) --> Deployed on-premise on tomcat 1
Azure Application Proxy 1 fronting SPA with pre-authentication as passthrough
REST API (API) --> Deployed on-premise on tomcat 2
Azure Application Proxy 2 fronting API with pre-authentication as Azure Active Directory
Microsoft MSAL Javascript library: https://github.com/AzureAD/microsoft-authentication-library-for-js
Flow:
User accesses SPA using Application Proxy 1 external URL eg. https://appProxy1.com/spa
The SPA has a sign-in button, when clicked invokes the Microsoft js MSAL library.
The user is presented a pop-up and upon entering credentials, is authenticated against Azure AD and an OAuth token is fetched.
Once authenticated successfully, the user is allowed to perform search on the SPA.
When the user searches, the SPA invokes the REST API using the application proxy 2 url eg. https://appProxy2.com/rest/.search
The REST call is blocked by browser due to CORS. It seems that Application Proxy/Azure AD is not allowing cross origin calls.
Note:
CORS has been enabled in the REST API code and SPA is able to invoke the REST API if Application Proxy 2 pre-authentication mode is set as passthrough.
I have gone through https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-understand-cors-issues. This workaround is possible if HTML application and REST service are deployed on the same application server.
Question:
Is there any option to enable/configure CORS on Application Proxy.
Currently there is no way to configure/enable the CORS on Application Proxy.
There a user voice request for CORS App Proxy. Please feel free to up vote this user voice request.
I have an app where in the Camel context I have defined a CXFRS endpoint for a publishing REST API. A snippet from the Camel route:
from("cxfrs:http://localhost:18080?resourceClasses=com.example.RestService&bindingStyle=SimpleConsumer&providers=#jsonProvider")
.toD("direct:${header.operationName}");
I also need to publish a separate SOAP service (but hosted in the same app). The bean definition for the CXF endpoint is:
<!-- setting up a Camel CXF web-service -->
<cxf:cxfEndpoint id="orderEndpoint"
address="http://localhost:9000/order/"
serviceClass="camelinaction.order.OrderEndpoint"
wsdlURL="wsdl/order.wsdl">
</cxf:cxfEndpoint>
When loading the app with both, the SOAP service will work but the REST service will not. The connection is being refused at port 18080. This is solved by removing the endpoint for the SOAP service. I suspect that by wiring both endpoints, the SOAP endpoint is overriding defaults the REST endpoint needs. Is there anything that needs to be manually configured to use CXF and CXFRS in the same context?
I have a web service (currently localhost:100) which uses Windows Authentication, is served through IIS and is set up with Access Control Allow Origin properties in the web.config:
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="http://localhost:81" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</httpProtocol>
I'm trying to access them from an angularJS app served from static files (html, css & js) which is running from a different server which I'm running on IIS (port 81 currently):
var productSearch = $resource("http://localhost:100/api/ProductSearch/:id");
but I'm getting 401 (Unathorised).
I've set the requesting site to use Windows authentication but with no server side I've no way of knowing if that's working or not. It's not sending any user credentials through to the web service.
So I was being a bit stupid. the line of code I was looking for was:
$http.defaults.withCredentials = true;
This makes it work from anywhere - include the Node dev server.
I have created a simple Google App Engine web application with Spring MVC and JSP. This app
is configured so that only admin users allow to access.
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
It also contains several restful web service methods defined in a web controller. Clients for those methods could be a java app with Spring Rest Template or a Web Based Client.
Since restful web service is stateless, how do I make every http request sent from client authenticated to GAE.
The problem I am facing right now is the returned http response for every request contains google login page content.
Google provides a framework to do such with its Google Cloud Endpoints. In particular you should check the section regarding Using auth with endpoints.
If you have requirements where GCEs don't fit (and I see you're using Spring) then Spring has a nice OAuth project that you can use to achieve your goals.
Spring security OAuth
Note however that implementing OAuth can be a relatively intensive task and depending on your requirements and audience you may be able to settle for easier and potentially less secure or standard solutions. Amazon's APIs also may give you ideas how to secure your own API.
As an example of "other" less recommended solutions you may just be able to set a header value with each request and check that it matches a list of accepted values on the server. Alternatively you could make your API stateful, use your login in the first call and then pass the session to your rest calls.
Your final solution will most likely depend on your exact requirements.