Comments (19)
I've also put together a standalone example of method-based security with gRPC (using pre-post-annotations instead of secured-annotations) with an exception-to-status translator, using Authorization metadata for Basic Auth credentials and JWT tokens. It works pretty well for our production use-case, though the default ThreadLocal security context storage is less than ideal.
from grpc-spring-boot-starter.
Maybe related, but there is also the need to translate the exception. An exception translator like Spring's ControllerAdvice would be awesome.
Out of interest I've put together an example of Secured annotation (which just works) and a basic exception-to-status translation interceptor.
I don't think that would be sufficient to cover a meaningful scenario though. Just curious, where will the authentication be coming from in the intended use case?
WARNING: The security demo by revinate and the security example by pagrus7 are vulnerable to concurrency issues.
THANK YOU SO MUCH!!! I just ran into the concurrency issue mentioned above and super lucky found your post. Also just in time for the release of net.devh:grpc-spring-boot-starter:2.2.0.RELEASE.
Probably not interested anymore, but if so:
I created a simple JWT Spring Boot Starter extending this library from LogNet: https://github.com/majusko/grpc-jwt-spring-boot-starter
Already using it in a few production projects, so it will definitely be supported. Also, feel free to contribute ;)
Simple usage showcase here:
https://github.com/majusko/grpc-example/blob/master/src/main/kotlin/io/github/majusko/grpc/example/ServerExample.kt
Probably the same as #41?
I guess I should try again, because spring.aop.proxy-target-class=true didn't work for me when I tried it ...
I've also had weird issues with the method security AOP interceptors not applying to the gRPC implementation class at times. In fact, in my standalone example, if I remove spring-jdbc from runtime dependencies, the AOP stops applying.
@alexleigh I think you are hitting another flavour of the autoproxying issue. By default Spring Boot 1.x would use dynamic proxies, but with spring-jdbc and spring-tx pulled into the classpath the autoconfiguration kicks in and configures CGLIB proxies instead.
I opened a PR which explicitly specifies proxyTargetClass = true on the @EnableGlobalMethodSecurity annotation. Security then still works without spring-boot-starter-jdbc.
That's really good to know. Thanks for the help!
See also grpc/grpc-java#4970
EDIT: WARNING: The security examples linked above have security vulnerabilities and are dangerous to use. See below for more details.
@ST-DDT I've seen your discussion on the grpc-java issue. Do you know how to proceed?
In order for SpringSecurity to work you need two things:
- ServerInterceptors (see the example linked above (security issues))
  - With Exception mapping
  - With SecurityContext builder/Authentication
- A security annotated GrpcService impl
  - Which has either an interface with ALL methods (created and maintained by yourself, or somehow generated at compile time)
  - Or you use @EnableGlobalMethodSecurity(proxyTargetClass = true) and be okay with one line of warning per service class during each startup.
If you get an INTERNAL status response, then you have an issue with the first one.
If you get an UNAVAILABLE status response, then you have an issue with the second one.
If the user can pass through unauthenticated, then you probably have to configure the annotation to enable your desired annotation.
As an alternative you could avoid the security annotation and use another server interceptor to map the access checks yourself, using something similar to a Map<MethodDescriptor, AccessDecider>.
PS: I might be able to contribute the server interceptors (if I get the permission).
@cbornet, @ST-DDT, have you seen this? He is using this starter and implemented interceptors to integrate Spring Security together with authorization.
I've asked the author if he wants to contribute to this repo... still no answer.
That example is somewhat better than the above mentioned, as it uses an AuthenticationManager. But it also has a few drawbacks:
- It hasn't been contributed to this project and is no standalone library (-> copy & paste)
- It uses a different license (-> so you have to actually add the license statements to those classes/wrapper library (not that big of a problem though))
- It analyses the cause stack, which you might not want, especially if you have other ExceptionMappers
- Lacks in-code documentation/javadocs
- EDIT: Both have security issues
Don't get me wrong, it is good code, but it puts some obstacles in your way to use and maintain it.
EDIT: And it's dangerous to use.
WARNING: The security demo by revinate and the security example by pagrus7 are vulnerable to concurrency issues.
You might see the following issues:
- Unauthenticated users can execute calls
- Authenticated requests get rejected due to UNAUTHENTICATED
- Authenticated requests might show a different username
During my tests these issues only occurred in very few cases (aka hard to reproduce).
It's easily reproducible by executing at least two calls (with different auth status) simultaneously.
It's easier to reproduce the bug with (many) concurrent calls by different users (including unauthenticated ones) and maybe a busy CPU (to force the thread context switches).
You can avoid that issue by rewriting the authenticating interceptors to work similar to grpc-contexts.
Or have a look at my PR (https://github.com/yidongnan/grpc-spring-boot-starter/pull/126) which tries to fix that issue for a different grpc-spring-boot library.
See also this SO question/answer.
That issue is not related to this repository. It's only related to the mentioned security demo and all variants that work in a similar way.
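The context-propagating rewrite ST-DDT describes above (and the interceptor-plus-annotated-service setup from his earlier comment), as an added example that is not from this thread or from either project: a Basic-Auth ServerInterceptor that keeps the Authentication in a gRPC Context and bridges it into SecurityContextHolder only for the span of each listener callback, so interleaved calls by different users cannot see each other's identity. The class name, the injected AuthenticationManager bean and the "null means anonymous, let method security decide" convention are assumptions.

```java
import io.grpc.*;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.context.SecurityContextHolder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
/** Added example: Basic-Auth interceptor whose identity follows the call, not the thread. */
public class ContextAwareAuthInterceptor implements ServerInterceptor {
    static final Metadata.Key<String> AUTHORIZATION = Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);
    /** Service code reads this via AUTH_KEY.get(); the Context is attached around every callback. */
    public static final Context.Key<Authentication> AUTH_KEY = Context.key("grpc-authentication");
    private final AuthenticationManager authenticationManager; // assumed: provided as a Spring bean
    public ContextAwareAuthInterceptor(AuthenticationManager m) { this.authenticationManager = m; }
    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        final Authentication auth;
        try {
            auth = authenticate(headers.get(AUTHORIZATION)); // null = anonymous (assumed convention)
        } catch (AuthenticationException | IllegalArgumentException e) {
            call.close(Status.UNAUTHENTICATED.withDescription(e.getMessage()), new Metadata());
            return new ServerCall.Listener<ReqT>() {};
        }
        Context ctx = Context.current().withValue(AUTH_KEY, auth);
        // Contexts.interceptCall attaches ctx around each callback of the downstream listener,
        // so the service sees the right Authentication even on a shared executor thread.
        ServerCall.Listener<ReqT> delegate = Contexts.interceptCall(ctx, call, headers, next);
        return new ForwardingServerCallListener.SimpleForwardingServerCallListener<ReqT>(delegate) {
            @Override public void onMessage(ReqT msg) { bridged(() -> super.onMessage(msg)); }
            @Override public void onHalfClose() { bridged(super::onHalfClose); }
            @Override public void onReady() { bridged(super::onReady); }
            @Override public void onCancel() { bridged(super::onCancel); }
            @Override public void onComplete() { bridged(super::onComplete); }
            // Populate the ThreadLocal SecurityContextHolder only for one callback and always
            // clear it afterwards, so a thread can never leak one caller's identity into the next call.
            private void bridged(Runnable callback) {
                SecurityContextHolder.getContext().setAuthentication(auth);
                try { callback.run(); } finally { SecurityContextHolder.clearContext(); }
            }
        };
    }
    private Authentication authenticate(String header) {
        if (header == null) return null;
        if (!header.startsWith("Basic ")) throw new BadCredentialsException("Unsupported authorization scheme");
        String[] creds = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8).split(":", 2);
        if (creds.length != 2) throw new BadCredentialsException("Malformed Basic credentials");
        return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(creds[0], creds[1]));
    }
}
```

A service that hands work to another thread must wrap that task with `Context.current().wrap(...)` and read `AUTH_KEY.get()` there, because the SecurityContextHolder ThreadLocal does not follow it.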
Thanks for sharing, @majusko. I'll definitely have a look
Is there some plan on supporting spring security? Thanks.
Better late than never :-), implemented in 4.0.0