I am using the Spring Boot Admin plugin for my project.
The application that i would like to monitor using my Spring Boot Admin project has been deployed behind a Gateway, and hence to access the Actuator end-points i need to pass certain headers as a part of the request. Is there any way i can configure these additional headers.
Configuring Spring Boot Admin with HTTP Authentication does not suffice.
If anyone else searching for an answer for this try referring the documentation
Related
I am new to Spring Boot and Firebase. I have generated REST endpoints from my model and repositories using spring-boot-starter-data-rest.
I also created a front-end application (front is a SPA written in React - back works with Spring boot - these are 2 separate apps).
My front-end app contains a login form and I use the Firebase JS SDK to authenticate the user and get an ID token for him.
Now I would like to add authentication to my endpoints so only authorized users can reach them, using the token I get in the front-end app.
I can put the token in the Authorization header of each request, but I dont't know how to:
Extract and check the token in Spring Boot, in order to get user information. I saw this, is this ok?
Pass the user information to the endpoint methods (currently I got no controller, since they are generated from the repositories (they extend PagingAndSortingRepository or CrudRepository))
Specify which endpoints are public and which are private (using WebSecurityConfigurerAdapter I guess).
Also, some endpoints could be accessible only by some users. But I saw nothing in Firebase that allows me to distinct user grants.
I have read several tutorials but I have not enough details to understand everything, and they do not answer all my questions.
Thanks
The spring boot admin console displays only two options in details. How to make sure all other details are displayed like environment,JMX,logging,etc
Image of display button
If you use Spring Boot 2.0 you need to explicitly expose the actuator endpoint via setting management.endpoints.web.exposure.include property
We have Angular 2 app with Spring Security and Spring MVC for REST API. Before we implemented authentication both on frontend and backed, it was working fine. Since we added simple basic authentication, we are having problem about sending custom auth token to backend. I have two filters setup, one we CORSFilter setup in web.xml and has code like this
if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
// CORS "pre-flight" request
response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
response.addHeader("Access-Control-Allow-Headers", "X-AUTH-TOKEN");
response.addHeader("Access-Control-Max-Age", "60000");
}
All API requests are being intercepted by this filter and as you see it is allowing our custom auth token.
Now we enter the Spring Security filter chain where we have custom filter to validate that token, which tries to get the X-AUTH-TOKEN from request header and it always retuns null.
Can anyone tell me what might be setting this value to null? I did check that my frontend is sending X-AUTH-TOKEN with correct value based on Firefox debugger tool and if I take that token and use postman client to make that REST API call then also it is working fine. Only problem happens when I test the frontend with Chrome or Firefox.
Note: Frontend is served on port 4200 and backend is served on port 8080.
ok, after some clues from above replies, I realized that in my custom spring security filter, i was trying to access "x-auth-token" on every request for api. But in case of CORS, browser make OPTIONS pre flight request before it make actual request.
After adding check to ignore OPTIONS method, things worked fine. So now my custom JWT Auth filter only check for presence of token in GET,POST,PUT and DELETE request.
Also as per suggestion from "dur", I have also removed CORSFilter i developed since spring mvc 4.1.x provides inbuild CORS support and you can customize it as if it is your own custom filter. Thank you "dur" for your link.
You might want to add OPTIONS to allowed methods.
I'd like to capture custom request headers in my Azure websites but I don't have access to the website's source code (ASP.NET). I do of course have access to the web.config.
Can I capture custom request headers via a configuration change? I see that IIS allows enabling of advanced logging (https://www.iis.net/learn/extensions/advanced-logging-module/advanced-logging-for-iis-custom-logging#server_logging) which can capture custom request headers but I don't see how to do it on Azure websites.
I don't think Azure Web Sites has enabled the Advanced Logging (or Enchanced Logging) so this doesn't seem to be possible using the standard Azure logging mechanism.
But to make sure, have you tried enabling the diagnostics for your site? Especially the Web Server Logs should be interesting for you. The following Azure documentation deals with logging on Azure Web Sites.
Enable diagnostics logging for web apps in Azure App Service
I've got the Spring Security preauthentication sample configured and working with JBoss. The next step is to somehow get the user information into a flex client GUI.
What are some methods that will let me get the Authentication or UserDetails object that's created by spring-security on http access into the flex client? Since I'm logging in externally, I can't use channelset.login(), right? All the examples I've seen so far assume that the user logs in manually through the flex client, but the requirement is for container-based authentication.
Using flex3, spring 3.0.4, spring-security-3.0.3
If you use spring-flex together with blazeds for the flex to java http plumbing,
then what you have to do is to :
enable the Spring Security filter chain in web.xml
secure your blazeds service with your expected security constraints
make your spring-security AuthenticationProvider use your authentication mechanism
There is an article on Adobe DevNet covering this topic:
http://www.adobe.com/devnet/flex/articles/flex_security.html
Use PreAuthenticatedAuthenticationProvider as your authentication provider. Flex sessions will automatically map 1:1 with HTTP sessions, and you can access the authentication object using a session-scoped call to SecurityContextHolder.getContext().getAuthentication()