ordina-jworks.github.io | Ordina JWorks Business Unit Tech Blog | Blog library
kandi X-RAY | ordina-jworks.github.io Summary
The JWorks Tech Blog is powered by Jekyll. The blog posts are written in Markdown and are converted to HTML by Jekyll. Most code editors and IDEs have support for Markdown files. Some of them, such as IntelliJ, offer a preview view to see the result as you type. For running the blog locally you can either opt for using Docker or setting up Jekyll yourself.
Trending Discussions on ordina-jworks.github.io
QUESTION
Since this turned out longer than expected, here's a tl;dr:
My Angular application is not sending the bearer token it receives from Azure AD to the API and thus the API returns a 401 response. The setup is based on a blog post explanation for how to implement it. The sample application mentioned in the blog post works with my Azure AD setup and correctly provides the token on API calls.
Long version:
I'm working on a relatively simple Angular based front-end with a Spring Boot back-end. Front-end and back-end communicate via a REST API. The application is deployed on Azure Spring Cloud. For user authentication the application requests and receives a bearer token from Azure AD. It should then transmit this token with each REST request to the API.
I followed this blog post to set up the necessary changes. Azure AD does deliver a valid JWT token.
My problem is that the token is not passed on to the back-end in the REST calls, and thus authentication fails and a 401 status is returned.
Here are the relevant configurations I made on the front-end side (based on the descriptions in the blog post linked):
app.module.ts
...ANSWER
Answered 2021-Jun-01 at 09:07
OP here. As it turns out, the problem was caused because the "X-Frame-Options" response header was set to "DENY". This header, if set to "DENY", blocks invisible frames from being opened. The implementation uses an iFrame for the silent redirect during the authentication process, and this crucial part was blocked.
To solve the issue I changed it to "SAME ORIGIN" in the back-end configuration.
QUESTION
We are using Azure AD for authentication and authorization. Our Angular SPA has SSO enabled with Azure AD. We need to secure our backend service and only allow API requests that carry a valid JWT token.
What we have done so far is:
Registered our angular app in Azure AD.
We have configured the Spring microservice as a resource server, and the application properties contain jwt.issuer-uri:
spring.security.oauth2.resourceserver.jwt.issuer-uri=XXXXXXXXXXX-XXXXXXXXX-XXXXXXX-XXXXXXXXXXX
The issue is that the token we get from Azure AD has the audience "00000003-0000-0000-c000-000000000000", which means the token is generated for the Microsoft Graph. I also tried accessing the Graph API with this token and it worked. But what we want is to verify this token in our own Spring microservice and grant permission based on the JWT provided.
To solve this issue I had to make some config changes in our Azure-registered Angular app. I have added a custom scope api://<>/app and use this scope while acquiring the token. Now the token is being validated in the backend and the API is working fine.
This config somehow works but doesn't seem correct to me. I am new to Azure, so I am not sure how all these things tie up.
- The new token which is now being generated has an audience of our Angular SPA client ID. Is this correct? Shouldn't it be the backend service? And why is it getting validated by the backend with the current configuration?
- My understanding is that we don't have to register our Spring microservice with Azure AD. It will just act as a resource server and will decode the token provided by the Angular app using the issuer URL.
- In case we need to register our backend services with Azure AD, would it be difficult to do the same for all microservices?
I have done all settings by referencing https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html
In some other links, I find a completely different config for setting up the backend service. I am not sure which one is correct. https://docs.microsoft.com/en-us/java/api/overview/azure/active-directory-spring-boot-starter-readme?view=azure-java-stable
...ANSWER
Answered 2021-Apr-09 at 11:00
Azure AD is a little confusing when following a standards-based approach. I wrote a blog post on this a couple of years back:
- You have already figured out that you need at least one API registration to work, to expose an API scope, so that you get usable access tokens.
- The generated ID from the API entry in Azure then becomes your audience, as in step 9 of the article.
What we'd really like to do is this, so that we can do things like forward the JWT in microservice-to-microservice calls:
- Get Azure AD to issue an audience claim such as api.mycompany.com that is common to all microservices.
- Issue multiple scopes in the access tokens, based on areas of data in microservices, as in this Curity doc.
I would aim for a single entry in Azure AD to represent your platform of APIs. Then each microservice can use the same generated audience value.
Hopefully you can get multiple custom scopes to work also, though there are some annoyances here, especially when you want to use built-in OpenID Connect User Info scopes, which Azure AD exposes via the Graph API.
QUESTION
I'm building a REST API which should be protected by Azure AD, so I have the following OAuth2 items:
- Resource Server: My REST API server
- Authorization Server: Azure Active Directory
- Client: Postman
- Resource Owner: me
I've been trying to configure AD using this blog post, but then it goes straight to configuring a frontend application. In the blog post, the author configured a front-end application, but during development the front end is not yet ready, so I will be using Postman.
And when I tried using Postman with the Get New Access Token functionality (grant type is Authorization code with PKCE), it failed with the error: Error: AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests
Any thoughts on how I can properly test this? What am I doing wrong?
...ANSWER
Answered 2020-Nov-10 at 13:33
Please refer to this cogent article on testing an Azure AD protected Spring Boot API: Securing a RESTful API using Spring Boot and Microsoft’s Azure Active Directory.
Here are some screenshots for quick reference on setting up Postman:
QUESTION
I have a multi-module Gradle project. The project contains two subprojects, i.e. a Spring Boot application server and an npm front-end UI (which is just static JavaScript).
I can build both sub-projects. I can define:
...ANSWER
Answered 2020-Apr-28 at 15:26
The "implementation" not found is caused by the lack of plugins applied to your root project. The "implementation" configuration is created by the Java plugins in Gradle.
What you are trying to achieve requires a good understanding of Gradle and all the magic provided by the Spring Boot plugin. You are effectively trying to reproduce some of that integration in your root project, without the help of the plugins.
An approach that might be easier would be to migrate your application project to be the root project and then have the ui as a subproject.
QUESTION
I'm trying to set up Automated Canary Analysis for my application running in an on-prem Kubernetes cluster using the steps here. We are using Prometheus for monitoring/metrics.
I'm faced with the following error in the Canary Analysis stage when running the pipeline:
ANSWER
Answered 2019-Jan-10 at 19:23
I was able to resolve this by adding a filter template in the metric of the canary config. The canary analysis task was able to run without error after adding this.
QUESTION
I'm trying to understand this blog post about JOSE. In the part about JWS, it says the following:
Including the public key in the protected header would not only give the server the ability to validate the signature; we will also be sure that it is the correct one, since the protected header is integrity protected!
This is what the example object looks like:
...ANSWER
Answered 2018-Oct-19 at 13:26
You are on the right path. What the article is probably referring to is the "jwk" header parameter defined in RFC 7515 as follows:
The "jwk" (JSON Web Key) Header Parameter is the public key that corresponds to the key used to digitally sign the JWS. This key is represented as a JSON Web Key.
JSON Web Key (JWK) is another part of JOSE defined in RFC-7517. It defines how to represent cryptographic keys in JSON format so they can be transmitted e.g. in a JWS header. An RSA key in JWK format might look something like this:
QUESTION
I'm building a Spring Data REST / Spring HATEOAS based application and I'm attempting to follow the principles of DDD outlined here (and elsewhere):
BRIDGING THE WORLDS OF DDD & REST - Oliver Gierke
In particular the concept of aggregates and complex state changes via dedicated resources.
Also avoid using HTTP PATCH or PUT for (complex) state transitions of your business domain because you are missing out on a lot of information regarding the real business domain event that triggered this update. For example, changing a customer’s mailing address is a POST to a new "ChangeOfAddress" resource, not a PATCH or PUT of a “Customer” resource with a different mailing address field value.
What I'm struggling with is a means of enforcing this while allowing cosmetic changes to the aggregate root.
Using this simplified example:
...ANSWER
Answered 2017-Nov-20 at 20:53

```java
import java.util.HashSet;
import java.util.Set;

import javax.persistence.*;

import com.fasterxml.jackson.annotation.JsonProperty;

@Entity
public class Customer {

    private @Id @GeneratedValue(strategy = GenerationType.AUTO) Long id;
    private String name;
    private String comment;

    // READ_ONLY makes Jackson ignore this property on deserialization, so a PUT/PATCH
    // of the Customer representation cannot replace the address set; address changes
    // have to go through a dedicated resource instead.
    @JsonProperty(access = JsonProperty.Access.READ_ONLY)
    @Access(AccessType.PROPERTY)
    @OneToMany(cascade = CascadeType.ALL, orphanRemoval = true)
    private Set<Address> addresses = new HashSet<>(); // element type lost in extraction; Address assumed
}
```
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install ordina-jworks.github.io
Ruby (>= 2.4.0): this can be easily accomplished by using rvm.
ImageMagick: this can be easily accomplished by using Homebrew.