I have built an gateway service and it worked perfectly. Now I want to delete some routes in that gateway, I use the API /actuator/gateway/routes/{route_id} with DELETE request as in the document of Spring, but it responses Not found Route by id, but when I use the API /actuator/gateway/routes/{route_id} with GET request, I got the routes.
Is there any wrong with the API of Spring?
After delete you should call refresh.
Related
I am authenticating against an OAuth2 service that provides me 3 endpoints:
http://bobsoauth.com/oauth2/authorize
http://bobsoauth.com/oauth2/token
http://bobsoauth.com/oauth2/userdata
This service DOES NOT issue JWTs.
I need to use an Angular client application, connecting to a Spring Cloud Gateway, which in turn connects to multiple Spring Boot microservices.
Without JWTs, can I still use a token relay setup between the gateway and the microservices?
Without JWTs, you'll have to configure your resource-servers with token introspection (http.oauth2ResourceServer().opaqueToken() instead of http.oauth2ResourceServer().jwt() in spring-security conf). This is far less efficient than JWT decoding because each micro-service has to submit token to authorization-server for each and every request it processes.
Sample here: https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials/resource-server_with_introspection
The endpoint is usually called introspect, but I guess you'll have to figure out a way to use userdata in your case.
Have your Angular application authenticate against your authorization-server, and use the gateway just to forward Authorization header.
For Angular, I use angular-auth-oidc-client. Just put in the conf the URLs you mentioned in your question.
I am executing an ASP.net Web API which is finally redirecting to a Web URL. I am doing this via Postman. The scenario is slimier to authentication API which is finally redirect to a Login UI.
When I execute the API nothing is happening. It is not even hitting the API it self. When I execute the same API URL via Browser it is working fine.
Why this is not happening and is there any setting in Postman which enables this? Is there any API test tool which covers this scenario?
Edit : Note that these APIs are SAML SSO related APIs. But when we disregard the SAML factor, this is kind of normal web API, which finally redirects to a web page.
Thanks in advance.
Darshani
Asp.net Web API function should return JSON data and for Authentication you should use Bearer Token.
There can be multiple reasons for this:-
First thing, is that if we are setting the valid authentication token in the header so that API is accessible.
Second, if your site is hosted on some domain then check which email id you are login into your Postman.
As it happened to me, for my project I need to login to Postman with 'domain.com' to access API.
I'm looking to do 3 legged oauth on istio+kubernetes. I did not find a way to route unauthenticated requests to an authentication proxy service which performs the authentication and route the traffic back to the target service. I've done this with nginx kubernetes ingress controller using the following annotations -
nginx.ingress.kubernetes.io/auth-url //Auth url that requests will be forwarded to
nginx.ingress.kubernetes.io/auth-signin //Sign in page the request is routed to when the above returns 401
I did not find equivalent ones in Istio. I've checked the documentation and it says it supports custom auth in addition to jwt, however I did not find any such support.
Answering my own question.
At this point I've figured out the only way to do this is via EnvoyFilter on istio. This allows us to write a custom lua filter to to route unauthenticated requests to an oauth proxy which can perform 3-legged oauth flow.
The request control flow is
client --> ingress gateway --> istio-proxy sidecar --> envoy filter --> target
The filter is capable of making http calls and manipulate headers, which fits this requirement.
Edit:
Details about it are here.
I have an own OAuth2 provider where you can ask for a token and validate it. I want to protect my REST API (resource server) with OAuth2, so, in every single request, the access token must be validated, against OAuth2 server.
I have been doing this validation in the REST API code itself, by intercepting every request and doing another request to OAuth2 server.
I wonder if there is any way to do it in the Nginx server instead of in the REST API. This way, it would be easier to setup in another REST API, instead of copy/paste the code (or share a library).
Maybe, should I create my own nginx module? Or running an script in every request? If so, how can I do it?
Any advice will be appreciated.
Yes, you can use the auth-request module in nginx.
We have Angular 2 app with Spring Security and Spring MVC for REST API. Before we implemented authentication both on frontend and backed, it was working fine. Since we added simple basic authentication, we are having problem about sending custom auth token to backend. I have two filters setup, one we CORSFilter setup in web.xml and has code like this
if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
// CORS "pre-flight" request
response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
response.addHeader("Access-Control-Allow-Headers", "X-AUTH-TOKEN");
response.addHeader("Access-Control-Max-Age", "60000");
}
All API requests are being intercepted by this filter and as you see it is allowing our custom auth token.
Now we enter the Spring Security filter chain where we have custom filter to validate that token, which tries to get the X-AUTH-TOKEN from request header and it always retuns null.
Can anyone tell me what might be setting this value to null? I did check that my frontend is sending X-AUTH-TOKEN with correct value based on Firefox debugger tool and if I take that token and use postman client to make that REST API call then also it is working fine. Only problem happens when I test the frontend with Chrome or Firefox.
Note: Frontend is served on port 4200 and backend is served on port 8080.
ok, after some clues from above replies, I realized that in my custom spring security filter, i was trying to access "x-auth-token" on every request for api. But in case of CORS, browser make OPTIONS pre flight request before it make actual request.
After adding check to ignore OPTIONS method, things worked fine. So now my custom JWT Auth filter only check for presence of token in GET,POST,PUT and DELETE request.
Also as per suggestion from "dur", I have also removed CORSFilter i developed since spring mvc 4.1.x provides inbuild CORS support and you can customize it as if it is your own custom filter. Thank you "dur" for your link.
You might want to add OPTIONS to allowed methods.