spring-cloud / spring-cloud-common-security-config
A common security infrastructure used by Spring Cloud Data Flow and the projects in its ecosystem
@sabbyanandan commented on Thu Nov 14 2019
Decide how to pull spring-security-oauth2.2.3.7.RELEASE as part of the 2.3 GA release.
This component will be updated in spring-cloud/spring-cloud-common-security-config; eventually, we will bring the aligned security stack in SCDF and Skipper.
Maybe I misunderstood the authorization concept with scopes (as I only know a few of the IdPs).
Scope-based access control is giving a 3rd-party application permission to execute actions on the user's behalf.
But I consider SCDF more as an enterprise application, which requires role-based access control.
The user shouldn't be allowed to give consent to these scopes and gain access to an enterprise application.
I guess most companies don't like that.
The permissions should be given by the company's access control.
Also, most company applications are accessible only through a gatekeeper, which is doing the authentication and authorization.
For that setup, only a ResourceServer with a JWT token is required, but the OAuthSecurityConfiguration will fail if there is only a resource server configuration without an OAuth ClientRegistrationRepository.
Did I miss something in the concept? This project has already been used for 4 years in SCDF.
Is there any company which is using the scope-based authentication?
I assume most companies will override this default OAuthSecurityConfiguration by defining their own security configuration.
I'd be glad to learn more about where and how the scope-based access control is used.
Currently CustomOAuth2OidcUserService gets confused if map-oauth-scopes is set to true. This is because with Azure the permission name is dataflow.create and the exposed API (aka scope) is api://dataflow-server/dataflow.create.
While CustomOAuth2OidcUserService would expect
  role-mappings:
    ROLE_CREATE: dataflow.create
MappingJwtGrantedAuthoritiesConverter expects
  role-mappings:
    ROLE_CREATE: api://dataflow-server/dataflow.create
It all boils down to the JWT containing dataflow.create in the scp field, while the other parts doing the mapping see api://dataflow-server/dataflow.create.
For Client Credentials Grants, we should not hit the UserInfo REST endpoint (as that is an OpenID Connect-specific endpoint). As a temporary solution (until the Spring Security 5.2 migration) we should only hit the UserInfo REST endpoint if the passed AccessToken is of scope openid.
We should also slightly expand the PrincipalExtractor and search for the properties cid and client_id. That way we have an identifiable moniker, e.g. for auditing.
Hey,
currently we have an issue with the mapping of authorities. Our scopes contain information divided with a / sign. Example: /F///FUNC/2000803036///X
Because of the following method: /.
Because of this we have to define our role / scope mapping like:
  spring:
    cloud:
      dataflow:
        security:
          authorization:
            user_login:
              map-oauth-scopes: true
              role-mappings:
                ROLE_CREATE: 'F///FUNC/2000803037///X'
As per RFC https://datatracker.ietf.org/doc/html/rfc6749#section-3.3, scopes are just Strings and should be handled as such, so it might be good to make this parse-as-URI functionality optional / configurable so that the scopes are not parsed when they shouldn't be.
Thanks a lot in advance.
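As an added illustration (not code from this project), the following Java class maps scopes to roles by exact string comparison, treating scopes as opaque strings as RFC 6749 describes. It covers both situations raised above: the Azure case where the scp claim carries the bare permission name (dataflow.create) while other components see the resource-qualified form (api://dataflow-server/dataflow.create), and scopes that themselves contain slashes. The class name, the stripResourcePrefix helper and the sample mapping are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Maps OAuth2 scope strings to application roles by exact comparison.
 * Scopes are opaque strings (RFC 6749 section 3.3), so nothing here parses
 * them as URIs or splits on "/" (hypothetical helper, not project code).
 */
public final class ExactScopeRoleMapper {

    // role -> the scope string that grants it
    private final Map<String, String> roleToScope;

    public ExactScopeRoleMapper(Map<String, String> roleToScope) {
        this.roleToScope = Collections.unmodifiableMap(new LinkedHashMap<>(roleToScope));
    }

    /** Returns the roles whose configured scope appears verbatim in grantedScopes. */
    public Set<String> mapScopes(Set<String> grantedScopes) {
        Set<String> roles = new LinkedHashSet<>();
        for (Map.Entry<String, String> entry : roleToScope.entrySet()) {
            if (grantedScopes.contains(entry.getValue())) {
                roles.add(entry.getKey());
            }
        }
        return roles;
    }

    /**
     * Some providers expose one permission under two spellings: the bare name in
     * the token's "scp" claim and a resource-qualified form elsewhere. Normalising
     * by removing a known, explicitly configured prefix (instead of splitting on
     * "/") leaves scopes such as "/F///FUNC/2000803036///X" untouched.
     */
    public static Set<String> stripResourcePrefix(Set<String> scopes, String resourcePrefix) {
        Set<String> normalised = new LinkedHashSet<>();
        for (String scope : scopes) {
            normalised.add(scope.startsWith(resourcePrefix)
                    ? scope.substring(resourcePrefix.length())
                    : scope);
        }
        return normalised;
    }

    public static void main(String[] args) {
        // Constructed sample mapping and constructed token scopes for demonstration.
        Map<String, String> mapping = new LinkedHashMap<>();
        mapping.put("ROLE_CREATE", "dataflow.create");
        mapping.put("ROLE_VIEW", "/F///FUNC/2000803036///X");
        ExactScopeRoleMapper mapper = new ExactScopeRoleMapper(mapping);

        // Scopes as they appear in the scp claim: bare name plus a slash-laden scope.
        Set<String> fromScpClaim = new LinkedHashSet<>(Arrays.asList(
                "dataflow.create", "/F///FUNC/2000803036///X", "openid"));
        System.out.println("roles from scp claim: " + mapper.mapScopes(fromScpClaim));

        // Scopes as another component sees them: resource-qualified form.
        Set<String> qualified = new LinkedHashSet<>(Collections.singletonList(
                "api://dataflow-server/dataflow.create"));
        Set<String> normalised = stripResourcePrefix(qualified, "api://dataflow-server/");
        System.out.println("roles after prefix normalisation: " + mapper.mapScopes(normalised));
    }
}
```

The prefix to strip is a deliberate configuration input rather than something inferred from the scope's shape, so a mapping only grants a role when the operator has spelled out exactly which string earns it; a scope with stray separators can never be accidentally shortened into a more privileged one.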
As we are opinionated with security, when we go and use IgnoreAllSecurityConfiguration we should also implement a custom no-op UserDetailsService so as not to create the default user.
When retrieving an OAuth Token from the OAuth server and then using that token against the Spring Cloud Data Flow Server, it seems that the scopes are not re-populated.
See also spring-projects/spring-boot#5096
This is for the 1.0.x branch only. We need to update the Boot version to 1.5.16.RELEASE.
Currently we provide a MapSessionRepository as a default. However, we should also provide an option to support SQL-based session storage:
https://docs.spring.io/spring-session/docs/current/reference/html5/#httpsession-jdbc
Possibly, we should also document how to enable Redis-based session storage (without having a hard Redis dependency in the project). Not sure if that would be possible, though.
Issue with dataflow 2.6.x where we get due to a bit crazy version management in nimbus poms. With dataflow 2.7.x gets good versions from boot 2.3.x, but 2.2.x doesn't manage nimbus, so we should manage versions here in the 1.4.x line and then dataflow/skipper should get correct versions.
Original issue reported spring-cloud/spring-cloud-dataflow#4223
There is a change in core spring-projects/spring-framework@f399446, which now causes
o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@27dc79f7, matchingMediaTypes=[application/json], useEquals=false, ignoredMediaTypes=[*/*]]]
o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[*/*]
While in core 4.x we got
o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@44cb460e, matchingMediaTypes=[application/json], useEquals=false, ignoredMediaTypes=[*/*]]]
o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[]
We've been using:
  .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint(loginPage), textHtmlMatcher)
  .defaultAuthenticationEntryPointFor(basicAuthenticationEntryPoint, AnyRequestMatcher.INSTANCE);
As MediaType.TEXT_HTML always matches */*, we're always getting a redirect to the login page instead of a 401 with curl. We need to change the logic of how the entry point is chosen.
Hi Team,
May I know how I can integrate this 'spring-cloud-common-security-config-web' code in Spring Cloud Data Flow Server? When I tried to launch the program it is showing that the main method is missing.
Thanks,
Anumol
Create a core module, so that code can be re-used without having to trigger AutoConfiguration classes.
When security is enabled and the session is invalid, http requests from the UI will be given the header
  www-authenticate: Basic realm="Spring"
We want to use a common X-Requested-With hack to conditionally just return a plain 401 to the UI by using something like:
  .defaultAuthenticationEntryPointFor(
      new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
      new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"))
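The two entry-point issues above (curl's Accept: */* matching the text/html matcher, and the UI wanting a plain 401 instead of a Basic challenge) can be handled in one Spring Security 5.x configuration. The following is an added example, not this project's code: it registers three entry points in priority order and excludes */* from the HTML matcher so that only a real browser page load is redirected. The class name and the /login path are assumptions; the property and API names are Spring Security's own.

```java
import java.util.Collections;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.web.accept.HeaderContentNegotiationStrategy;

/** Hypothetical configuration class (example only, not part of the project). */
@Configuration
@EnableWebSecurity
public class EntryPointSelectionConfig extends WebSecurityConfigurerAdapter {

    // Assumed login path; substitute the application's own.
    private static final String LOGIN_PAGE = "/login";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 1. Browser XHR calls from the UI identify themselves with X-Requested-With.
        //    Answer with a bare 401 (no WWW-Authenticate: Basic header), so the UI can
        //    handle re-login itself and the browser shows no Basic-auth dialog.
        RequestHeaderRequestMatcher xhrMatcher =
                new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");

        // 2. A real page load sends "Accept: text/html,..." -> redirect to the login page.
        //    Ignoring */* is what stops curl's default "Accept: */*" from matching here.
        MediaTypeRequestMatcher textHtmlMatcher = new MediaTypeRequestMatcher(
                new HeaderContentNegotiationStrategy(), MediaType.TEXT_HTML);
        textHtmlMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

        // 3. Everything else (API clients, curl) gets 401 with a Basic challenge.
        BasicAuthenticationEntryPoint basicEntryPoint = new BasicAuthenticationEntryPoint();
        basicEntryPoint.setRealmName("Spring");
        basicEntryPoint.afterPropertiesSet();

        http
            .authorizeRequests()
                .antMatchers(LOGIN_PAGE).permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            .exceptionHandling()
                // Registration order is priority order: the first matching entry wins.
                .defaultAuthenticationEntryPointFor(
                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), xhrMatcher)
                .defaultAuthenticationEntryPointFor(
                        new LoginUrlAuthenticationEntryPoint(LOGIN_PAGE), textHtmlMatcher)
                .defaultAuthenticationEntryPointFor(
                        basicEntryPoint, AnyRequestMatcher.INSTANCE);
    }
}
```

Excluding MediaType.ALL from the matcher is the same approach Spring Security's own form-login configurer uses to decide whether a request came from a browser. The X-Requested-With header is supplied by the client, so it only influences the shape of the unauthenticated response (401 versus redirect); whether a request is actually allowed is still decided by the authorizeRequests rules, which do not look at that header.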
Remove dependencies and test for deprecated spring-security-oauth2.
Depended on by spring-cloud/spring-cloud-dataflow#2582
As boot2 effectively removed all of its tweaks for security auto-configuration, we need to come up with config which effectively disables all security features. As we used to hook into boot1 security.basic.enabled and other settings, we need to come up with a condition which is true if the user hasn't added any security settings. This condition would then craft a dummy security config which would fake boot into not enabling its own WebSecurityConfigurerAdapter, which then effectively adds springSecurityFilterChain, and @EnableWebSecurity is enabled.
There was a discussion in spring-projects/spring-boot#10306 to make this easier in boot, but that ticket didn't go anywhere and I'm not sure any kind of security features would belong in boot anyway. Our use case is highly opinionated, and these opinionated use cases were the reason boot removed its own tweak in favour of forcing users to do their own configs.
For sole support of identity providers which provide jwt tokens.
Hello,
I've been trying to configure the latest SCDF to authenticate with UAA.
While authentication seems to work, when using custom authorization with map-oauth-scopes, I ended up getting an exception from CustomPlainOAuth2UserService.loadUser, which attempts to call Spring Security's DefaultOAuth2UserService, stating that "authorities cannot be empty".
To my understanding (and looking at https://docs.cloudfoundry.org/api/uaa/version/74.4.0/index.html#introspect-token), authorities are only applicable for client tokens.
@ghillert Any idea how this flow should work?
Here's additional info:
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT 2020-01-02 15:58:07.345 ERROR 7 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT java.lang.IllegalArgumentException: authorities cannot be empty
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT at org.springframework.util.Assert.notEmpty(Assert.java:464)
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.oauth2.core.user.DefaultOAuth2User.<init>(DefaultOAuth2User.java:63)
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT at org.springframework.cloud.common.security.support.CustomPlainOAuth2UserService.loadUser(CustomPlainOAuth2UserService.java:54)
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider.authenticate(OAuth2LoginAuthenticationProvider.java:116)
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:185)
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
2020-01-02T15:58:07.34+0000 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
The project spring-cloud-common-security-demo demonstrates the problem by including same basic configuration and dependencies as Spring Cloud DataFlow and Spring Cloud Skipper.
***************************
APPLICATION FAILED TO START
***************************
Description:
The dependencies of some of the beans in the application context form a cycle:
┌─────┐
| org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfiguration
↑ ↓
| org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2ClientWebMvcSecurityConfiguration
↑ ↓
| org.springframework.cloud.common.security.OAuthSecurityConfiguration
└─────┘
Action:
Relying upon circular references is discouraged and they are prohibited by default. Update your application to remove the dependency cycle between beans. As a last resort, it may be possible to break the cycle automatically by setting spring.main.allow-circular-references to true.
Making a simple boot app with web and security deps, including this project. Then add simple imports to the main class:
  @Import({ BasicAuthSecurityConfiguration.class, DefaultBootUserAuthenticationConfiguration.class,
      OAuthSecurityConfiguration.class })
The app will fail with:
***************************
APPLICATION FAILED TO START
***************************
Description:
A component required a bean of type 'org.springframework.security.config.annotation.ObjectPostProcessor' that could not be found.
Action:
Consider defining a bean of type 'org.springframework.security.config.annotation.ObjectPostProcessor' in your configuration.
This is the same error I'm seeing in dataflow when trying to upgrade to boot2.
With the migration to Spring Security 5.2.x we added a regression in regards to the ExternalOauth2ResourceAuthoritiesMapper.
If authorizationProperties.getExternalAuthoritiesUrl() is not empty, then we should configure the ExternalOauth2ResourceAuthoritiesMapper instead of the default DefaultAuthoritiesMapper.
From @ghillert on May 4, 2017 19:58
As a follow-up to spring-cloud/spring-cloud-dataflow#1465, we need to add tests that verify that authentication via OAuth authorization code is working properly.
Copied from original issue: spring-cloud/spring-cloud-dataflow#1468
provide a demo with Oauth2 by springcloud (2022.0.0)
Depends on spring-cloud/spring-cloud-dataflow#3418
@sabbyanandan commented on Mon Aug 05 2019
Now that we have consumable milestones of Spring Security 5.2, let's study what is coming in the upcoming releases, so we can refactor and adapt to it for consistency.
Specifically, look out for whether:
As a developer, while integrating with Azure AD, I notice the OpaqueTokenIntrospector bean is automatically created; however, in Azure AD there's no support for an "introspection" endpoint yet, so it needs to be an optional property.
The OAuthSecurityConfiguration class creates an OpaqueTokenIntrospector bean, expecting the following additional configuration to be present:
  spring:
    security:
      oauth2:
        ...
        resourceserver:
          opaquetoken:
            introspection-uri: http://this.is.wrong:8080/introspect
            client-id: the_client_id_from_the_app_registration
            client-secret: the_client_secret_from_the_app_registration
Acceptance:
introspection-uri
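One way to make the introspector bean optional, given as an added example rather than this project's code: create it only when the introspection-uri property is set, using Spring Boot's @ConditionalOnProperty and Spring Security's NimbusOpaqueTokenIntrospector. The class name is hypothetical; the property keys are the ones shown above.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

/** Hypothetical configuration class (example only, not part of the project). */
@Configuration
public class OptionalIntrospectorConfig {

    private static final String PREFIX = "spring.security.oauth2.resourceserver.opaquetoken";

    // The bean exists only when an introspection endpoint has actually been configured.
    // Providers without one (the Azure AD case above) simply leave the property unset,
    // and no introspector is created, so nothing tries to call a non-existent endpoint.
    @Bean
    @ConditionalOnProperty(prefix = PREFIX, name = "introspection-uri")
    public OpaqueTokenIntrospector opaqueTokenIntrospector(
            @Value("${" + PREFIX + ".introspection-uri}") String introspectionUri,
            @Value("${" + PREFIX + ".client-id}") String clientId,
            @Value("${" + PREFIX + ".client-secret}") String clientSecret) {
        // The client credentials are sent to the introspection endpoint only; keep them
        // out of source control and inject them from the environment or a secret store.
        return new NimbusOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
    }
}
```

Anything that consumes this bean (for example a resource-server configuration calling opaqueToken()) has to be guarded the same way, e.g. with @ConditionalOnBean(OpaqueTokenIntrospector.class), otherwise the application still fails to start with a missing-bean error when the property is absent.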
Leave the auto-configuration to a single condition security.oauth2.xxx
Should be able to define the claim name from which the username is resolved, as now we simply set it to the default, which is the jwt sub.
Many oauth libs like okta support using role/group claims from a jwt, and as with scopes those could be mapped into spring security roles.