Question
I am working on an application to better understand the spring security and microservcies architecture
i have setup:
gateway - module with gateway, oauth2 client, jdbc and psql driver and web dependencies
auth - module with oauth2 authorization server and web dependencies
problems-service with web, jdbc, psql driver, oauth2 resource server dependencies
auth module security config
class AuthSecurityConfiguration {
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.oauth2AuthorizationServer(as -> as.oidc(withDefaults()))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/", "/register").permitAll()
.requestMatchers("/login").permitAll()
.anyRequest().authenticated())
.formLogin(withDefaults());
return http.build();
}
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
JdbcUserDetailsManager jdbcUserDetailsManager(DataSource dataSource) {
return new JdbcUserDetailsManager(dataSource);
}
RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcOperations);
RegisteredClient registeredClient = RegisteredClient
.withId("gateway-client")
.clientId("gateway")
.clientSecret(passwordEncoder().encode("secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.redirectUri("http://localhost:8000/login/oauth2/code/gateway")
.scope("openid")
.scope("problems.read")
.build();
if (jdbcRegisteredClientRepository.findByClientId("gateway") == null) {
jdbcRegisteredClientRepository.save(registeredClient);
}
return jdbcRegisteredClientRepository;
}
}auth module app.yml
spring:
application:
name: auth
datasource:
url: jdbc:postgresql://localhost:5432/db
username: user
password: pass
sql:
init:
mode: always
server:
port: 8002
logging:
level:
org.springframework.security: TRACEGateway security config:
public class GateSecurityConfig {
public SecurityFilterChain securityFilterChain(HttpSecurity http) {
http
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/").permitAll()
.requestMatchers("/login").permitAll()
.anyRequest().authenticated())
.oauth2Login(Customizer.withDefaults())
.oauth2Client(Customizer.withDefaults());
return http.build();
}
}Gateway app.yml
spring:
application:
name: gateway
security:
oauth2:
client:
registration:
gateway:
provider: auth
client-id: gateway
client-secret: secret
authorization-grant-type: authorization_code
client-authentication-method: client_secret_basic
redirect-uri: "http://localhost:8000/login/oauth2/code/{registrationId}"
scope:
- openid
provider:
auth:
issuer-uri: "http://localhost:8002"
server:
port: 8000
logging:
level:
org:
springframework:
security: TRACEgateway module redirect logic:
n
public class GatewayApplication {
static void main(String[] args) {
SpringApplication.run(GatewayApplication.class, args);
}
(Ordered.HIGHEST_PRECEDENCE)
RouterFunction<ServerResponse> backendRoutes(){
return route ()
.before(BeforeFilterFunctions.uri("http://localhost:8001/"))
.before(BeforeFilterFunctions.rewritePath("/problems/", "/"))
.filter(TokenRelayFilterFunctions.tokenRelay())
.GET("/problems/**", http())
.build();
}
am working on an application to better understand the spring security and microservcies architecture
i have setup:
gateway - module with gateway, oauth2 client, jdbc and psql driver and web dependencies
auth - module with oauth2 authorization server and web dependencies
problems-service with web, jdbc, psql driver, oauth2 resource server dependencies
auth module security config
class AuthSecurityConfiguration {
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.oauth2AuthorizationServer(as -> as.oidc(withDefaults()))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/", "/register").permitAll()
.requestMatchers("/login").permitAll()
.anyRequest().authenticated())
.formLogin(withDefaults());
return http.build();
}
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
JdbcUserDetailsManager jdbcUserDetailsManager(DataSource dataSource) {
return new JdbcUserDetailsManager(dataSource);
}
RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcOperations);
RegisteredClient registeredClient = RegisteredClient
.withId("gateway-client")
.clientId("gateway")
.clientSecret(passwordEncoder().encode("secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.redirectUri("http://localhost:8000/login/oauth2/code/gateway")
.scope("openid")
.scope("problems.read")
.build();
if (jdbcRegisteredClientRepository.findByClientId("gateway") == null) {
jdbcRegisteredClientRepository.save(registeredClient);
}
return jdbcRegisteredClientRepository;
}
}
auth module app.yml
spring:
application:
name: auth
datasource:
url: jdbc:postgresql://localhost:5432/db
username: user
password: pass
sql:
init:
mode: always
server:
port: 8002
logging:
level:
org.springframework.security: TRACE
Gateway security config:
public class GateSecurityConfig {
public SecurityFilterChain securityFilterChain(HttpSecurity http) {
http
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/").permitAll()
.requestMatchers("/login").permitAll()
.anyRequest().authenticated())
.oauth2Login(Customizer.withDefaults())
.oauth2Client(Customizer.withDefaults());
return http.build();
}
}
Gateway app.yml
spring:
application:
name: gateway
security:
oauth2:
client:
registration:
gateway:
provider: auth
client-id: gateway
client-secret: secret
authorization-grant-type: authorization_code
client-authentication-method: client_secret_basic
redirect-uri: "http://localhost:8000/login/oauth2/code/{registrationId}"
scope:
- openid
provider:
auth:
issuer-uri: "http://localhost:8002"
server:
port: 8000
logging:
level:
org:
springframework:
security: TRACE
gateway module redirect logic:
n
public class GatewayApplication {
static void main(String[] args) {
SpringApplication.run(GatewayApplication.class, args);
}
(Ordered.HIGHEST_PRECEDENCE)
RouterFunction<ServerResponse> backendRoutes(){
return route ()
.before(BeforeFilterFunctions.uri("http://localhost:8001/"))
.before(BeforeFilterFunctions.rewritePath("/problems/", "/"))
.filter(TokenRelayFilterFunctions.tokenRelay())
.GET("/problems/**", http())
.build();
}
u/Order()
RouterFunction<ServerResponse> frontendRoutes(){
return route ()
.before(BeforeFilterFunctions.uri("http://localhost:5173"))
.GET("/**", http())
.build();
}
}
resource server app.yml file
spring:
application:
name: problems-service
datasource:
url: jdbc:postgresql://localhost:5432/db
username: user
password: pass
security:
oauth2:
resourceserver:
jwt:
jwk-set-uri: http://localhost:8002
sql:
init:
mode: always
server:
port: 8001
The problem im running into is that when i hit my gateway i get
redirected to the auth server endpoint which is 8002 as expected but
when i authenticate with a user name and password that already existing
in the datasource it then redirects me back to gateway where i am show
an error of invalid credentials
i woudve provided trace logs but hit the word limit
If anyone please help me understand this security shabang as im very
exhausted at this point not being able to figure this stuff out!
If you can please explain how to correctly implement the logic im
trying here and show the example as well. Also if you can mention how to
properly consume the gateway redirects as flow on the frontend
()
RouterFunction<ServerResponse> frontendRoutes(){
return route ()
.before(BeforeFilterFunctions.uri("http://localhost:5173"))
.GET("/**", http())
.build();
}
}resource server app.yml file
spring:
application:
name: problems-service
datasource:
url: jdbc:postgresql://localhost:5432/db
username: user
password: pass
security:
oauth2:
resourceserver:
jwt:
jwk-set-uri: http://localhost:8002
sql:
init:
mode: always
server:
port: 8001The problem im running into is that when i hit my gateway i get redirected to the auth server endpoint which is 8002 as expected but when i authenticate with a user name and password that already existing in the datasource it then redirects me back to gateway where i am show an error of invalid credentials
i woudve provided trace logs but hit the word limit
If anyone please help me understand this security shabang as im very exhausted at this point not being able to figure this stuff out!
If you can please explain how to correctly implement the logic im trying here and show the example as well. Also if you can mention how to properly consume the gateway redirects as flow on the frontend
