How to consume a spring rest api which is protected by OAuth2Sso? - rest

Good afternoon everyone.
I have a dilemma.
Recently I have been assigned to create an API Documentation with Swagger 2, version 2.6.1 using SpringFox and the #EnableSwagger2 annotation. After doing so, I was given the task to "secure" it, preferably with Oauth2. At the beginning I have researched how to do it, and after many trials and errors I gave up and came up with the idea of securing the whole package and apis. My method of doing it was the following. I created a basic Oauth2 server and client folowing some tutorials on the web and I've added the swagger and the rest methods in the client. The client works in the following manner. After i enter on the site http://localhost:8082/ui/index.html, it prompts me to login. I press on login, it redirects me to the login form on the auth server at http://localhost:8081/auth/login where I enter my credentials, and after that it redirects me to my swagger. If i enter any of the links from the client in the browser url, it forwards me to the index.html if i haven't logged in previously.
My problem is that right now, Swagger works, is secured and all, but if try to call my methods from postman It displays my login page in html. I am a beginner in rest apis, can you give me some indications?
I have used the following code to do the redirects.
#Override
public void addViewControllers(ViewControllerRegistry registry) {
super.addViewControllers(registry);
registry.addViewController("/")
.setViewName("forward:/index");
registry.addViewController("/index");
registry.addRedirectViewController("/ui/v2/api-docs", "/v2/api-docs").setKeepQueryParams(true);
registry.addRedirectViewController("/ui/swagger-resources/configuration/ui","/swagger-resources/configuration/ui");
registry.addRedirectViewController("/ui/swagger-resources/configuration/security","/swagger-resources/configuration/security");
registry.addRedirectViewController("/ui/swagger-resources", "/swagger-resources");
registry.addViewController("/api");
}
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/resources/**")
.addResourceLocations("/resources/").addResourceLocations("/ui");
registry.addResourceHandler("/ui/**").addResourceLocations("classpath:/META-INF/resources/");
}
For example, if I acces http://localhost:8082/ui/api2/getConf, one of the methods for the api, if I am not logged in, I redirects me to the login.
If i have to test the api with postman, how can I integrate the login into it?
The login is based on a user and password.
Thank you.

Related

how to redirect/map to externalregistration page from AuthenticateExternalAsync to angular page

I am using external providers to login to my web app. (for example Google). In my custom userservice I get to AuthenticateExternalAsync and from there I want (if need to) redirect to Angular page.
public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
{
...
...
context.AuthenticateResult = new AuthenticateResult("~/externalregistration", user.Subject, name, identityProvider: user.Provider);
return Task.FromResult(0);
}
i have html page
at https://localhost:44300/Content/app/externalregistration.html
How do I map externalregistration to this page?
At the moment I get an error
https://localhost:44300/identity/externalregistration#
HTTP Error 404.0 - Not Found
thank you
Mark
The page for the partial login has to be with IdentityServer - see that it's looking for it at /identity/ and not /Content/app/.
If from your user service you issue a partial login, then that web page is entirely up to you to serve up from the server. If that partial login page needs to know the identity of the user, then it needs to be hosted in the same path as IdentityServer so the partial login cookie can be read on the server. If you then want that page to be a SPA, then you'd have to have some server side code issue something into the browser for your SPA to know the identity of the user. If you want that page to be a SPA and make Ajax calls back to the server, you need to include some XSRF protection.
All in all, custom partial pages are easiest implemented as standard server-rendered MVC pages.

Docusign Embedded Signing returnUrl issue

I am displaying an Embedded Signing view in an iFrame. I am able to get the embedded signing view to display correctly using templates. I am calling an internal service (server-side) from the client (browser) and the internal service calls the Post Recipient View endpoint in the Docusign API.
In order to redirect the user to the correct view in my web app after the Signing view redirects to the returnUrl, I need to have query string parameters on the returnUrl. Here is an example of the returnUrl:
{
...
"returnUrl": "http://localhost:5000/#/my/path/redirect?sname=MY_VALUE&debug=foo,baz"
}
I am using the sname query parameter to hold the value for a string I will use to route to a view once the user is redirected from the Docusign Signing view.
The Problem:
When the iframe is redirected to the returnUrl after the Signing view is complete, the query string in the returnUrl is cutoff and the url of the iframe is:
http://localhost:5000/#/my/path/redirect?sname
when it should be
http://localhost:5000/#/my/path/redirect?sname=MY_VALUE&debug=foo,baz
I also read in the api documentation that an event parameter should also be present in the query string when redirecting, but that is not there either.
Is there a step that I am missing or is this a bug in the api?
I've tried a few tests using Postman and the resulting returnUrl is working for me. I even tried using yours directly (even though I obviously won't be able to connect to it) and it came up correctly as
http://localhost:5000/#/my/path/redirect?sname=MY_VALUE&debug=foo,baz&event=signing_complete
I even tried using an iframe for the signing session like you, still seems to be using the right URL when it redirects. So I've not been able to replicate your problem.
Are you attempting this in the demo environment?

Grails spring security facebook plugin redirecting to wrong page

I'm using the Grails Spring Security Core plugin and now adding in Facebook authentication via the Facebook Authentication for Spring Security Core plugin. I'm able to authenticate with Facebook, however it's always redirecting back to an incorrect URL. I want to redirect to localhost:8080/rar/user/home, however after login I'm redirected to localhost:8080/rar/#_=_. When logging in through a standard login form I am redirected properly to localhost:8080/rar/user/home.
My FB app settings has http://localhost:8080/rar/ for the Site URL. I'm using these plugins:
compile ':spring-security-core:2.0-RC2'
compile ":spring-security-ui:1.0-RC1"
compile ":spring-security-facebook:0.15.2-CORE2"
And have these config settings:
grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/user/home'
grails.plugin.springsecurity.facebook.filter.type='redirect'
grails.plugin.springsecurity.facebook.domain.classname='mvp.FacebookUser'
grails.plugin.springsecurity.facebook.domain.appUserConnectionPropertyName='user'
grails.plugin.springsecurity.facebook.appId='<APPID>'
grails.plugin.springsecurity.facebook.secret='<SECRET>'
grails.plugin.springsecurity.facebook.filter.redirect.failureHandler='redirectFailureHandlerExample'
grails.plugin.springsecurity.facebook.autoCreate.roles=['ROLE_USER', 'ROLE_FACEBOOK']
I don't think it matters for this problem, but I have a FacebookAuthService that implements create() to search for existing users with the same email address as the Facebook user, and merges the accounts if it finds one. Currently my redirectFailureHandlerExample does nothing but log a message, which is never hit.
Any help greatly appreciated!
You should set the following setting too at config.groovy
grails.plugin.springsecurity.facebook.filter.redirect.successHandler='redirectSuccessHandlerExample'
And at the resources.groovy:
beans = {
redirectSuccessHandlerExample(org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler) {
defaultTargetUrl = '/rar/user/home'
}
}

App with no DB: You must call the "WebSecurity.InitializeDatabaseConnection" method before you call any other method of the "WebSecurity" class

First things first. I'm a complete OAuth newbie. This will be my first stab at it, and things are getting hairy...
I'm writing a single page application using Durandal & Web API.
The user needs to be able to login using any social network.
I don't have access to a database whatsoever, I have to call an unprotected 3rd party web service which I consume server-side, and need to protect using OAuth.
So I've managed to add the files to my solution which generates the login using facebook contol/button (created a new MVC4 web application, and did a manual copy and paste of all the auth related files, updated bootstrappers etc..), and the code seems to work for the most part.
When facebook redirects back to
[AllowAnonymous]
public ActionResult ExternalLoginCallback(string returnUrl)
{
AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(this.Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
if (!result.IsSuccessful)
{
return this.RedirectToAction("ExternalLoginFailure");
}
if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
{
return this.RedirectToLocal(returnUrl);
}
//code removed for brevity ....
}
I get the error specified once the following line tries to execute.
OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false)
I've removed the [InitializeSimpleMembership] attribute from the controller, as I don't have a database.
Please forgive me if this is the dumbest question ever, but...
Why does the login fail? I mean at that point, isn't the app trying to log into facebook, why does it need a databse? Or am I correct in saying I can remove/replace that code section, with a login/authorise call on the web-service I'm using?
Not the dumbest question ever. Not by a long shot. But you are getting the error because your membership provider is still set to use the SimpleMembershipProvider and OAuthWebSecurity will use the default membership provider. If you don't want to use a database you will have to create or find a different membership provider to use.
EDIT:
I know you said you don't have access to a DB but if you can use SQL Compact you can just stick with the default SimpleMembershipProvider(check out Hanselman's blog) or DevArt has a SQLLite provider. Also the MemFlex Project has a RavenDb provider. If none of those work I think you might just have to write your own.

grails+spring-security-facebook listen to login success event

im a newbie both in spring security and spring-security-facebook and in an app that we are building we have to couple them.Everything is working well i will need to know the way to listen to the facebook login success event. is there some one that already did a stuff that impose him to catch the facebook event success?? I need that because in the begining of the app (before adding the spring -security-Facebook plugin ); we have a special behaviour attached to the "grails.plugins.springsecurity.onInteractiveAuthenticationSuccessEvent" event (configured in the config.groovy file) and we have to execute the same special behaviour when the user connect with facebook account. Is there an event (extending springsecurity kinds of events) that we have to listen to?
any idea ??
Ps: when searching for solution we found a way to catch the FB js Events and work around to reach what we want as result but we would as possible to want to not go that way ....
The problem with it that current Spring Security Facebook authenticates user on each request (by listening to FB cookie, transparently), so you'll get this event on each request. Probably it's not what you want, right? It the same as having a filter on each request.
Btw, you can handle situation when user login into your app first time, but implementing onCreate(user, token) or afterCreate(user, token) in service FacebookAuthService (you have to create such service at this case)
Example:
File grails-app/services/FacebookAuthService.groovy:
class FacebookAuthService {
void afterCreate(def user, def token) {
log.info("New user!") //or any code there
}
}