Securing SpringBoot REST endpoints in Google Cloud Platform - rest

I created a SpringBoot application with a couple of REST endpoints and deployed it to Google App Engine Standard. Everything works fine and I am able to hit the endpoints.
Now I want to secure these endpoints and allow only users authorized as admin to be able to call one of the endpoints. I tried to add a web.xml file to my project with the following configuration:
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- Everything under /api/ must be served over HTTPS (transport-guarantee CONFIDENTIAL). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- /api/status: any authenticated user ("*" means any declared role). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>status</web-resource-name>
      <url-pattern>/api/status</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- /api/ping: admin role only. The servlet spec applies only the constraints declared on the
       best-matching url-pattern, so for the exact paths /api/ping and /api/status these constraints
       apply on their own and the CONFIDENTIAL guarantee declared on /api/* does not; a
       user-data-constraint has to be repeated here if HTTPS must be enforced on these paths. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ping</web-resource-name>
      <url-pattern>/api/ping</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
I can deploy this to GAE, but I cannot call the endpoints anymore. All I get now is a bunch of 404 Not Found responses, on the same URLs as before. Is there any other way to secure Spring Boot endpoints in Google App Engine Standard?
I forgot to mention that the security configuration works when I run the app locally, but I start getting 404s as soon as I deploy to GAE.

After contacting Google Cloud support, I learned that it is not possible to secure a Spring application with Google App Engine configuration files. It needs to be done like any other Spring application, but if you go with OAuth, for example, you need to use Google libraries for token authentication.
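As an added example that is not part of the original answer (and not Google's or Spring's reference code), this is the Spring Security equivalent of the web.xml constraints in the question, written for a Spring Boot 3 / Spring Security 6 application: everything under /api/ is HTTPS-only, /api/status needs an authenticated caller, /api/ping needs the admin role, and callers authenticate with a Google-issued ID token that is validated against Google's published signing keys. The OAuth client ID, the admin e-mail allow-list and the package name are assumptions.

```java
package com.example.api.security;

import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example, not from the original answer: Spring Security configuration that
 * mirrors the web.xml constraints from the question for a Spring Boot 3 application.
 */
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // Assumptions for the example: the OAuth client ID the callers' ID tokens were issued
    // for, and the Google accounts that count as admin. Both would normally come from config.
    private static final String GOOGLE_CLIENT_ID = "1234567890-abc.apps.googleusercontent.com";
    private static final Set<String> ADMIN_EMAILS = Set.of("ops-admin@example.com");

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            // REST API: no HTTP session and no CSRF token; each call carries a bearer token.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            // transport-guarantee CONFIDENTIAL: plain-HTTP requests are redirected to HTTPS.
            .requiresChannel(ch -> ch.anyRequest().requiresSecure())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/ping").hasRole("ADMIN")      // <role-name>admin</role-name>
                .requestMatchers("/api/status").authenticated()     // <role-name>*</role-name>
                .anyRequest().denyAll())                            // no silent fall-through
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt
                .decoder(googleIdTokenDecoder())
                .jwtAuthenticationConverter(googleJwtConverter())));
        return http.build();
    }

    /** Verifies signature, expiry, issuer and audience of a Google ID token. */
    JwtDecoder googleIdTokenDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder
            .withJwkSetUri("https://www.googleapis.com/oauth2/v3/certs").build();
        // Google issues ID tokens with iss "https://accounts.google.com" (older tokens:
        // "accounts.google.com"); createDefaultWithIssuer also adds the timestamp check.
        OAuth2TokenValidator<Jwt> issuerAndExpiry =
            JwtValidators.createDefaultWithIssuer("https://accounts.google.com");
        // Without this, a valid Google token minted for some other OAuth client is accepted.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            "aud", aud -> aud != null && aud.contains(GOOGLE_CLIENT_ID));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<Jwt>(issuerAndExpiry, audience));
        return decoder;
    }

    /** Google ID tokens carry no role claim: derive ROLE_ADMIN from a verified-e-mail allow-list. */
    JwtAuthenticationConverter googleJwtConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            String email = jwt.getClaimAsString("email");
            boolean verified = Boolean.TRUE.equals(jwt.getClaimAsBoolean("email_verified"));
            if (verified && email != null && ADMIN_EMAILS.contains(email)) {
                return List.of(new SimpleGrantedAuthority("ROLE_ADMIN"));
            }
            return List.of();   // authenticated, but only good for /api/status
        });
        return converter;
    }
}
```

Two points are easy to get wrong here: the audience check is what stops a token issued for another Google OAuth client from being accepted, and the role mapping must come from something you control (here a verified e-mail allow-list) because the token itself says nothing about roles. requiresSecure() only sees the original scheme behind App Engine's TLS-terminating front end if Spring Boot is told to honour X-Forwarded-Proto (server.forward-headers-strategy in application.properties).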

Related

Integrating Keycloak with Java EE application

I am trying to secure my java EE application running on a JBOSS server with Keycloak. To do so I made the following addition in web.xml file:
<login-config>
<auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
I added the following dependency in my pom.xml file:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-core</artifactId>
<version>3.0.0.Final</version>
</dependency>
and the below module in my jboss standalone.xml:
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
Apart from this, I have followed all the directions given on keycloak.org, such as installing the Keycloak server, creating a realm and a client, and then creating users. After doing this, when I click on the login page of my application, it redirects perfectly to the Keycloak login page, and once I log in there, it redirects back to my application's login page. If the user is already logged in on Keycloak, the application login page is displayed directly.
Now I want that, if the user has logged into Keycloak, s/he does not need to log in again to my application but is directed to the home page, since authentication has already been done by Keycloak. To do this, do we need to maintain the authentication tokens in our database and validate these against the token generated by Keycloak, or is there some other approach? I am clueless at this point after doing the above tasks.

Password protected web page in restful webservices using apache shiro

I want to make my website pages password protected. I built the website using RESTful web services in Java with Jersey. So can anyone tell me how to protect my web pages using Apache Shiro? Does anyone have an implemented example of securing a website using Apache Shiro? If yes, please share the example. I shall be thankful :)
To protect your web services using Shiro you can use the following template files and customize them to your own requirements. Include the jars or add them to your pom as required.
Add these to web.xml:
<!-- IniShiroFilter is deprecated since Shiro 1.2; newer applications use
     org.apache.shiro.web.servlet.ShiroFilter together with
     org.apache.shiro.web.env.EnvironmentLoaderListener, which reads the same WEB-INF/shiro.ini. -->
<filter>
  <filter-name>Shiro</filter-name>
  <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
</filter>
<!-- Map the filter to every request so that the [urls] section below decides what needs authentication. -->
<filter-mapping>
  <filter-name>Shiro</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Now for shiro.ini, to be placed in WEB-INF. (I am using Basic authentication with the usernames and roles in shiro.ini; you can load them from a database etc. as per your need. This assumes that /rest is the URL for the Jersey REST services.)
[main]
# (empty) no custom realm or credentials matcher, so the implicit "iniRealm" built from [users] is used
[urls]
# chains are matched top-down and the first match wins, so keep the REST rule above the catch-all
/rest/** = noSessionCreation,authcBasic
/** = anon
[users]
# syntax: username = password, role1, role2, ...  (this line defines user "admin" with password "admin" and no roles)
admin = admin
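The template above only decides which URLs require Basic authentication. As an added example that is not part of the original answer, here is how the Jersey resources behind it can enforce the roles declared in shiro.ini: Shiro's filter wraps the request so that HttpServletRequest#isUserInRole delegates to Subject#hasRole, which lets Jersey's stock RolesAllowedDynamicFeature apply @RolesAllowed without any Shiro-specific code in the resources. It assumes Jersey 2, the package name com.example.rest, and a user line of the form "admin = <password>, admin" (roles follow the password).

```java
package com.example.rest;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

import org.apache.shiro.SecurityUtils;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

/**
 * Added example, not from the original answer: role checks inside the Jersey
 * resources that sit behind the Shiro filter chain "/rest/** = noSessionCreation,authcBasic".
 * Package and resource paths are assumptions.
 */
@ApplicationPath("/rest")
public class RestApplication extends ResourceConfig {

    public RestApplication() {
        register(AccountResource.class);
        // Turns @RolesAllowed / @PermitAll / @DenyAll into 403 responses by asking
        // SecurityContext#isUserInRole. Under the Shiro filter the servlet request is a
        // ShiroHttpServletRequest whose isUserInRole calls Subject#hasRole, so the answer
        // comes straight from the roles listed after the password in shiro.ini.
        register(RolesAllowedDynamicFeature.class);
    }

    @Path("/account")
    public static class AccountResource {

        // Reachable by any caller that passed authcBasic; no role needed.
        @GET
        @Produces(MediaType.TEXT_PLAIN)
        public String whoAmI() {
            return "user: " + SecurityUtils.getSubject().getPrincipal();
        }

        // 403 unless the authenticated subject holds the "admin" role, i.e. unless the
        // shiro.ini line reads "admin = <password>, admin".
        @GET
        @Path("/audit")
        @Produces(MediaType.TEXT_PLAIN)
        @RolesAllowed("admin")
        public String audit(@Context SecurityContext sc) {
            // Jersey's SecurityContext and Shiro's Subject describe the same principal here.
            return "admin view for " + sc.getUserPrincipal().getName();
        }
    }
}
```

With the shiro.ini from the answer as posted, "admin = admin" grants no roles, so /rest/account works after Basic authentication while /rest/account/audit returns 403 until a role is appended to that line.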

ATG 10.2 -MessageBrokerServlet is currently unavailable error

I am trying to set up a new ATG site. While accessing Site Administration --> Site Assets
from the ATG Business Control Center, it generates a popup:
Unable to connect to the server at http://localhost:8180/FlexUI/messagebroker/amf
When checking the server error logs and the cmd window, it shows
[[MessageBrokerServlet]] Servlet MessageBrokerServlet is currently unavailable.
Can anyone help me to resolve this issue?
Try deleting your cookies and login again. I sometimes get that error when my session has expired, but the Flex interface is not aware of it.
If the problem persists, take a look at your logs, and see if there were any errors during the BCC startup. If so, post them here so I can try and help you.
Which browser are you running? I am hoping JBoss; if yes, go to your BCC server under JBoss, and in its deploy folder check for
FlexUI.war > WEB-INF > web.xml
Towards the end of the file you will find
<servlet>
<servlet-name>MessageBrokerServlet</servlet-name>
<servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>MessageBrokerServlet</servlet-name>
<url-pattern>/messagebroker/*</url-pattern>
<load-on-startup>1</load-on-startup>
</servlet-mapping>
Remove <load-on-startup>1</load-on-startup> and restart your BCC. The error should go away.
Hope this helps!
Removing the MessageBrokerServlet load-on-startup works

How to integrate Josso 1.8.6 with rest webservices

I have a REST web services application and an admin web application.
The REST web services will be used by mobile clients, whereas the admin web application will be used for maintenance purposes.
For both the web services application and the admin web application the credentials are the same,
so I need JOSSO to provide single sign-on for both.
Can you please help me with how to start configuring it? I have gone through the JOSSO site, where there was only basic info. Can anyone please help me out if you have any doc on how to configure it? Thank you.
I have a similar application setup where one web application provides REST services as well as a user-facing web application. As far as I know, JOSSO will provide you with user-facing SSO authentication and is not intended to work with REST services.
Instead, what I have done is define the URLs of my REST services in the deployment descriptor (web.xml) under a web-resource-collection that is ignored in the JOSSO configuration. Then I defined a separate filter to handle the REST authentication separately. More specifically:
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>public-resources</web-resource-name>
<url-pattern>/restservices/</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
josso-agent-config.xml
<configuration>
<agent:agent-configuration>
<agent:partner-apps>
<agent:partner-app id="myapplication-sp" vhost="10.1.8.11" context="/myappcontext" ignore-web-resource-collections="public-resources"/>
</agent:partner-apps>
</agent:agent-configuration>
</configuration>
With this I was able to use JOSSO to secure most of my web application and ignore the REST services I have. I used a custom authentication filter for my REST services (Spring).
Hope this helps!
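The answer does not show the custom filter itself, so here is an added example that is not the original poster's code: a servlet filter for the paths the JOSSO agent has been told to ignore, authenticating REST callers with HTTP Basic against a salted PBKDF2 credential store. It assumes the services live under /restservices/* (a prefix pattern), the package name com.example.rest.security, and a constructed in-memory user "mobile" with password "s3cret"; a real deployment would read the same credential store the admin web application uses.

```java
package com.example.rest.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the original poster's filter: HTTP Basic authentication for the
 * REST paths that JOSSO ignores. The user store is a constructed in-memory map
 * (username -> "base64(salt):base64(pbkdf2)") standing in for the shared credential store.
 */
@WebFilter(urlPatterns = "/restservices/*")
public class RestBasicAuthFilter implements Filter {

    private static final int ITERATIONS = 100_000;
    private static final SecureRandom RNG = new SecureRandom();
    // Hash that is verified for unknown usernames, so lookups take the same time either way.
    private static final String DUMMY = hashPassword("dummy-to-equalise-timing");
    // Constructed sample user (assumption for the example).
    private static final Map<String, String> USERS = Map.of("mobile", hashPassword("s3cret"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            challenge(response);
            return;
        }
        String[] creds;
        try {
            creds = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                               StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException badBase64) {
            challenge(response);
            return;
        }
        if (creds.length != 2 || !verify(creds[0], creds[1])) {
            challenge(response);
            return;
        }
        chain.doFilter(request, response);
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"restservices\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Constant-time comparison; the KDF runs even when the user does not exist. */
    static boolean verify(String user, String password) {
        String stored = USERS.get(user);
        boolean known = stored != null;
        String[] parts = (known ? stored : DUMMY).split(":");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt)) && known;
    }

    /** Produces the stored form "base64(salt):base64(hash)" with a fresh random salt. */
    static String hashPassword(String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return Base64.getEncoder().encodeToString(salt) + ":"
             + Base64.getEncoder().encodeToString(pbkdf2(password, salt));
    }

    private static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Because the JOSSO agent skips the public-resources collection entirely, nothing else authenticates those paths; this filter is the only gate, so it answers every missing or bad credential with a 401 and a WWW-Authenticate challenge rather than falling through to the chain.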

Developing with GWT (in eclipse) when NOT using a Java Backend

I want to use a python backend while developing a SmartGWT front end. In order to get the debugging working correctly, I think I need the dev server running in eclipse which means the webserver will be running in eclipse.
My Python (Django) backend needs to serve the requests for the data, and I'd like it not to be a cross-domain issue; however, avoiding the cross-domain issue also seems to require that the ports match.
What is the simplest way to work around this? I have been thinking about setting up my hosts file with a bogus domain and then having two entries, one for data, one for JS. But this requires setting up a second IP on the machine because the ports have to match too.
If I want anyone else to be able to see the pages I can't use localhost and my external IP since they won't be able to get to my localhost.
Is there some simpler setup?
Is there some simple proxy piece I could drop into the eclipse dev server that would proxy the data requests to a different server?
Other ideas?
I am using a proxy servlet in my GWT setup for this purpose.
I am using a Tomcat proxy servlet from the jetty-util artifact:
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty-util</artifactId>
<version>6.1.22</version>
<scope>runtime</scope>
</dependency>
My web.xml looks like this:
<servlet>
<servlet-name>JettyProxy</servlet-name>
<servlet-class>org.mortbay.servlet.ProxyServlet$Transparent</servlet-class>
<init-param>
<param-name>ProxyTo</param-name>
<param-value>http://yourserver</param-value>
</init-param>
<init-param>
<param-name>Prefix</param-name>
<!-- will be removed from request -->
<param-value>/prefix/</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>JettyProxy</servlet-name>
<url-pattern>/prefix/*</url-pattern>
</servlet-mapping>
If you get some weird error about a _context variable, make sure that jetty-util.jar is in your classpath before the GWT SDK.
Use -noserver for the DevMode. See http://code.google.com/webtoolkit/doc/latest/DevGuideCompilingAndDebugging.html#How_do_I_use_my_own_server_in_development_mode_instead_of_GWT's
The easiest way to do it is if you have both backend and frontend on your development machine.
For my projects I am using GWT on the frontend and cherrypy (python) on the backend.
I set up both projects in Eclipse, and when developing I start a debugger for the CherryPy backend and one for the GWT frontend. So I can basically debug backend and frontend at the same time. Works really well.
Communication between python backend and gwt frontend is done via RequestBuilder (JSON) and the good thing about this setup is that I can test the backend's data communication directly without GWT.
So the development url is usually something like: http://localhost:8080/?gwt.codesvr=127.0.0.1:9997
Port 8080 is used by my cherrypy backend.