What is the best way to change the default logout behaviour of Spring Boot Admin? Currently everything else is working perfectly. I am using an OAuth2 security provider, and login works fine. Currently I am using the standard Spring Boot Admin defaults for everything, except that my application.properties looks like this:
spring.cloud.kubernetes.discovery.all-namespaces=false
spring.security.oauth2.client.provider.---.jwk-set-uri=https://...
spring.security.oauth2.client.provider.---.issuer-uri=https://...
spring.security.oauth2.client.registration.---.client-id=client-id
spring.security.oauth2.client.registration.---.client-secret=secrect
spring.security.oauth2.client.registration.---.client-name=client-name
spring.security.oauth2.client.registration.---.scope=openid,client-name
The logout button currently performs a POST request to base_path/logout, which fails with a 403. (Sidetrack: if it was a GET it would successfully logout of Spring Boot Admin, but that is not exactly what I want since it does not logout of the security provider.) What I want is for it to direct me to the logout url for my OAuth2 security provider.
What is the best way to change nothing but the url that the logout button directs me to?
I have already tried a few things, (though I don't think most were noteworthy since they didn't work), including
#Configuration
public class SBAdminSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.logout(logout -> logout.logoutUrl(
"{oauth2 logout URL placeholder}?post_logout_redirect_uri={sba base url placeholder}%2Flogout"));
}
}
This does not work because it removes all other security configuration, including whatever default WebSecurityConfigurerAdapter has already been configured behind the scenes. With this, when I try to go to my Spring Boot Admin app, there is no security at all.
I suspect a way to solve this would be to copy whatever existing configuration is being done by imported libraries into my own WebSecurityConfigurerAdapter and edit it slightly to change the logout URL. However I have not been able to find anything to tell me where this existing configuration is or what it might be.
One way is to logout from Spring Boot application first and redirect the logout success url to OAuth2 security provider logout url.
Sample configuration
#Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.logout()
.logoutSuccessUrl("/oauth2/logouturl/here");
}
}
Related
I am using Kyecloak:4.8.0, and have enabled Brute force attack for my realm.
Now whenever user provides wrong credentials for 3 times user will be locked temporarily.
But still user will see "Invalid username/password".
According to this thread Keycloak have done this intentionally:
https://issues.jboss.org/browse/KEYCLOAK-5284
But still i want to show user that his account has been locked.
Is there any way to customize this message?
I tried doing this by adding message in custom keycloak theme as below:
location: themes\adminlte\login\messages\messages_en.properties
accountTemporarilyDisabledMessage=Account is temporarily disabled, contact admin or try again later.
This change is not working.
After going through Keycloak base code what i found is: Keycloak uses Messages.INVALID_USER (invalidUserMessage) from properties which is written in AbstractFormAuthenticator class.
This class is at the end extended by UsernamePasswordForm now to change this to custom message i Wrote Custom Authenticator (Keycloak SPI) like below
public class CustomUsernameFormAuthenticator extends UsernamePasswordForm {
#Override
protected String tempDisabledError() {
return Messages.ACCOUNT_TEMPORARILY_DISABLED;
}
}
After this deploy spi Jar in keycloak and enable it in your realm.
And we are done :)
Good afternoon everyone.
I have a dilemma.
Recently I have been assigned to create an API Documentation with Swagger 2, version 2.6.1 using SpringFox and the #EnableSwagger2 annotation. After doing so, I was given the task to "secure" it, preferably with Oauth2. At the beginning I have researched how to do it, and after many trials and errors I gave up and came up with the idea of securing the whole package and apis. My method of doing it was the following. I created a basic Oauth2 server and client folowing some tutorials on the web and I've added the swagger and the rest methods in the client. The client works in the following manner. After i enter on the site http://localhost:8082/ui/index.html, it prompts me to login. I press on login, it redirects me to the login form on the auth server at http://localhost:8081/auth/login where I enter my credentials, and after that it redirects me to my swagger. If i enter any of the links from the client in the browser url, it forwards me to the index.html if i haven't logged in previously.
My problem is that right now, Swagger works, is secured and all, but if try to call my methods from postman It displays my login page in html. I am a beginner in rest apis, can you give me some indications?
I have used the following code to do the redirects.
#Override
public void addViewControllers(ViewControllerRegistry registry) {
super.addViewControllers(registry);
registry.addViewController("/")
.setViewName("forward:/index");
registry.addViewController("/index");
registry.addRedirectViewController("/ui/v2/api-docs", "/v2/api-docs").setKeepQueryParams(true);
registry.addRedirectViewController("/ui/swagger-resources/configuration/ui","/swagger-resources/configuration/ui");
registry.addRedirectViewController("/ui/swagger-resources/configuration/security","/swagger-resources/configuration/security");
registry.addRedirectViewController("/ui/swagger-resources", "/swagger-resources");
registry.addViewController("/api");
}
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/resources/**")
.addResourceLocations("/resources/").addResourceLocations("/ui");
registry.addResourceHandler("/ui/**").addResourceLocations("classpath:/META-INF/resources/");
}
For example, if I acces http://localhost:8082/ui/api2/getConf, one of the methods for the api, if I am not logged in, I redirects me to the login.
If i have to test the api with postman, how can I integrate the login into it?
The login is based on a user and password.
Thank you.
I'm using the Grails Spring Security Core plugin and now adding in Facebook authentication via the Facebook Authentication for Spring Security Core plugin. I'm able to authenticate with Facebook, however it's always redirecting back to an incorrect URL. I want to redirect to localhost:8080/rar/user/home, however after login I'm redirected to localhost:8080/rar/#_=_. When logging in through a standard login form I am redirected properly to localhost:8080/rar/user/home.
My FB app settings has http://localhost:8080/rar/ for the Site URL. I'm using these plugins:
compile ':spring-security-core:2.0-RC2'
compile ":spring-security-ui:1.0-RC1"
compile ":spring-security-facebook:0.15.2-CORE2"
And have these config settings:
grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/user/home'
grails.plugin.springsecurity.facebook.filter.type='redirect'
grails.plugin.springsecurity.facebook.domain.classname='mvp.FacebookUser'
grails.plugin.springsecurity.facebook.domain.appUserConnectionPropertyName='user'
grails.plugin.springsecurity.facebook.appId='<APPID>'
grails.plugin.springsecurity.facebook.secret='<SECRET>'
grails.plugin.springsecurity.facebook.filter.redirect.failureHandler='redirectFailureHandlerExample'
grails.plugin.springsecurity.facebook.autoCreate.roles=['ROLE_USER', 'ROLE_FACEBOOK']
I don't think it matters for this problem, but I have a FacebookAuthService that implements create() to search for existing users with the same email address as the Facebook user, and merges the accounts if it finds one. Currently my redirectFailureHandlerExample does nothing but log a message, which is never hit.
Any help greatly appreciated!
You should set the following setting too at config.groovy
grails.plugin.springsecurity.facebook.filter.redirect.successHandler='redirectSuccessHandlerExample'
And at the resources.groovy:
beans = {
redirectSuccessHandlerExample(org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler) {
defaultTargetUrl = '/rar/user/home'
}
}
I built a small sample application combining Spring Security and GWT besides a few other things. You can find it at:
https://github.com/steinsag/gwt-maven-scala
Login and authentication are working fine. In the resulting GWT page, I inserted a Logout link. It should point to the Spring Security logout link. I used the following GWT code:
Anchor logoutLink = new Anchor("Logout");
logoutLink.addClickHandler(new ClickHandler() {
#Override
public void onClick(ClickEvent event) {
Window.Location.assign("j_spring_security_logout");
}
});
If the user clicks the link, the session is terminated and the user is logged out. However, the user is not forwarded to the login page. How can I achieve that? As far as I see, I can't forward him to another URL after j_spring_security_logout.
Any ideas how to achieve that?
You can specify logout url in your spring security configuration
<http auto-config='true'>
...
<logout logout-success-url="/login.jsp"/>
...
</http>
I was facing similar kind of issue though I was getting 404 on j_spring_security_logout page and wasted too much time on finding the solution. Thought of sharing here in case someone is facing similar issue. I had to change
Window.Location.assign("j_spring_security_logout");
to
Window.Location.replace(GWT.getHostPageBaseURL()+"j_spring_security_logout");
and the issue was resolved.
I have the following restful service in Salesforce:
#RestResource(urlMapping='/testRest')
global class testRest {
#HttpPost
global static void doPost(){
// do some stuff
}
}
I have this class accessible to a site, so that anyone (unauthenticated) can hit this service at https://mydomain.force.com/sitename/services/apexrest/testRest
I want to make this service accessible to the user in a shorter url, I'd like them to be able to hit the service at https://mydomain.force.com/sitename/rest/testRest
Is there a way to do this? I tried using Site.UrlRewriter with the following code:
if(url.toLowerCase().startsWith('/rest/testrest')){
return new PageReference('/services/apexrest/testRest');
But this redirects me to a FileNotFound page. Am I missing something here?