HOAB

History of a bug

SpringBoot 2, OAUTH 2 and tokenStore

Rédigé par gorki Aucun commentaire

Problem :

Following the previous post (this one and this one) I configured a Authorization and Resource server on a a same JVM.

All was working well in my local machine, but when I send the springboot on the server, I get an "Invalid access token". The authorization request was accepted, I get an access token but it was refused by Resource server.

 

Solution :

I activate remote DEBUG, perform tests (I also had a reverse proxy but that's was not the problem). The issue was due to the tokenStore which :

  • on my local machine was the same instance
  • on the server was two different instance

In fact depending on the bean initialization order, the token store could be shared or not according to optional Autowire field of the authorization and resource server. If not available at init time, it could use a local instance.

So here is my updated configuration :

My AuthorizationServer is now :

package com.example;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {


    @Autowired
    public TokenStore tokenStore;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(new MyClientDetailsService());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.allowFormAuthenticationForClients();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore);
    }
}

And my resource server :

package com.hexagon.hpa.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "RESSOURCE_ID";

    @Autowired
    TokenStore tokenStore;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {

        resources.resourceId(RESOURCE_ID);
        resources.tokenStore(tokenStore);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.anonymous().disable()
                .authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

}

A simple configurer :

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
public class TokenStoreProvider {

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }
}

 

Tomcat, NIO, Hanging et CLOSE_WAIT

Rédigé par gorki Aucun commentaire

Problem :

We are testing a springboot application in AWS with ELB in front.

After a while of load-testing, the application was hanging :

  • HTTP 504 error code from Jmeter client
  • HTTP 502 if we raise ELB timeout
  • Once logged on the server :
    • telnet localhost 8080 was OK
    • sending GET / on this socket was not responding
    • plenty of CLOSE_WAIT socket
    • wget was also hanging (normal)
    • connection was established during wget hang
    • nothing in the log

 

Solution :

 

I initially think about the keepAlive timeout and pool of tomcat but

  1. SpringBoot copy the connectionTimeout parameter to keepAliveTimeout
  2. new socket is accepted and established
  3. CLOSE_WAIT wasn't shutdown after hour

Doing the test many times, I finally so a classical "Too many open files" in the log. That's why I could not see more log during the hang.

So we change the nproc and nofile in /etc/security/limits.conf

And taadaaaa ! Nothing change in :

cat /proc/<$PID>/limits

Thanks to blogs over the world like this one :

  • the service is start with systemd
  • to override ressources limits with systemd :
[Service]
...
LimitNOFILE=500000
LimitNPROC=500000

At last but not least, the value of Tomcat NIO socket queue is around 10000 + other files + other process... choose wisely your limit

SpringBoot 2, OAUTH 2 and client_credentials in POST parameters

Rédigé par gorki Aucun commentaire

Problem :

Edited : due to a bug, see also (https://www.hoab.fr/springboot-2-oauth-2-and-tokenstore)

I try to implements client credentials OAUTH flow for a server which is resource and authentication server. (Goody summary here : https://www.slideshare.net/halyph/oauth2-and-spring-security)

There is plenty of posts on how to make an oauth 2 authentication server, (like authentication code flow  less with client_credentials mode...

And in these examples :

But if I easily found how to perform this kind of request : POST + BasicAuth(client_id/client_secret), I wasn't able to do :

POST + optional BasicAuth + client_id/client_secret in post parameters

Solution :

I activate DEBUG on spring security and see that filter chains do not have UsernamePasswordAuthenticationFilter, I plan to add the filter in websecurity as in some examples but it was not working.

After a lot of unsuccessful tries, I finally understand that I have to add a kind of UsernamePasswordAuthenticationFilter on OAUTH2 filter chain and not on the others (yes, there is multiple security filter chain....)

Going back to origins, I check AuthorizationServerConfigurerAdapter override method and ... eurêka !

As simple as add a

ClientCredentialsTokenEndpointFilter

with

security.allowFormAuthenticationForClients()

method... So simple, so hard to find.

But my AuthorizationServer is now :

Due to a bug, the code is now in (https://www.hoab.fr/springboot-2-oauth-2-and-tokenstore)

And a simple (for now) client detail service :

package com.example;

import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

import java.util.Arrays;

public class MyClientDetailsService implements ClientDetailsService {

    private static final String CLIENT_CREDENTIALS = "client_credentials";
    private static final String REFRESH_TOKEN = "refresh_token";
    private static final String SCOPE_READ = "read";
    private static final String SCOPE_WRITE = "write";
    private static final String TRUST = "trust";
    private static final int VALID_FOREVER = -1;


    private static final String CLIENT_ID = "my-client";
    // encoding method prefix is required for DelegatingPasswordEncoder which is default since Spring Security 5.0.0.RC1
    // you can use one of bcrypt/noop/pbkdf2/scrypt/sha256
    // you can change default behaviour by providing a bean with the encoder you want
    // more: https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released#password-encoding
    static final String CLIENT_SECRET = "{noop}my-secret";


    @Override
    public ClientDetails loadClientByClientId(String s) throws ClientRegistrationException {
        if (s.equals(CLIENT_ID)) {
            BaseClientDetails client = new BaseClientDetails();
            client.setClientId(s);
            client.setClientSecret(CLIENT_SECRET);
            client.setAuthorizedGrantTypes(Arrays.asList(CLIENT_CREDENTIALS, REFRESH_TOKEN));
            client.setScope(Arrays.asList(SCOPE_READ, SCOPE_WRITE, TRUST));
            client.setAccessTokenValiditySeconds(VALID_FOREVER);
            client.setRefreshTokenValiditySeconds(VALID_FOREVER);
            return client;
        }
        return null;
    }


}

And my resource server :

Due to a bug, the code is now in (https://www.hoab.fr/springboot-2-oauth-2-and-tokenstore)

The CORS filter from (https://www.hoab.fr/springboot-2-oauth-2-options-and-cors) :

package com.example;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {

    public SimpleCorsFilter() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, content-type");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}

And a protected resource :

package com.example;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping("/api/metrics")
@RestController
public class Metrics {

    @GetMapping
    String getToken() {
        return "OK";
    }
}

 

 

 

 

SpringBoot 2, OAUTH 2, OPTIONS and CORS

Rédigé par gorki Aucun commentaire

Problem :

I have a standalone application Angular running on localhost:4200 and a standalone SpringBoot2 Oauth running on 8080.

OAUTH is configured with "client_credentials".

As indicate by many articles, the OPTIONS preflight request is issued by browsers to request CORS configuration supported by servers.

I added the CORS filters thanks to this post, normal Webrequest CORS configuration is not working for OAUTH as this one is not handle by Spring MVC.

But still no POST request after the preflight OPTIONS request...

Solution :

I was checking my network requests in the browser console... and the solution was simply in the console... Yeah. Too early this morning.

The error was explicity written : "need to enable content-type headers in the Access-Control-Allow-Headers".

The preflight request say to the browser what kind of request can be emit, if the response of the OPTIONS does not match the original request, this one is not sent.

The preflight request has no authentication headers and must return 200.

Here is the filter code :

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {

    public SimpleCorsFilter() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, content-type");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}

 

 

 

 

Oracle 12c et Debian

Rédigé par gorki Aucun commentaire

Le problème :

Après mon article "C'est galère d'installer Oracle XE sur windows 7 64 bits. Parfois ça marche, parfois ça marche pas." Je me suis décidé à utiliser une autre distribution non supportée pour installer Oracle.

Si, si...

Bon après CentOS c'est bien aussi (y'a pas fail2ban par défaut mais c'est bien quand même.).

Pour des bases de développement évidemment. Je ne veux pas voir ça ailleurs..

Solution :

On utilise Oracle EE disponible sur le site d'Oracle

  1. Creation user oracle
  2. Mot de passe oracle
  3. Mettre à jour le .bashrc comme on veut
  4. xhost + en root pour utiliser l'installateur graphique avec l'utilisateur oracle
  5. Les binaires se téléchargent ici : https://wiki.debian.org/DataBase/Oracle
    1. Attention, pas la distribution zlinux évidemment
  6. Les prérequis des librairies (et un certains nombres de tâches décrites ci-dessus) :
    1. https://github.com/antonioluna/oracle12c-debian/blob/master/Pre-install.sh
    2. c'est trop bien...
  7. Dans le .bashrc :
export ORACLE_HOME
export ORACLE_SID
  1. Installation de rlwrap si lors du lancement de sqlplus ca merde
apt-get install rlwrap
  1. Dans mon user oracle
cd ~/oracle-product/product/12.1.0/dbhome_1/dbs$
mv init.ora /home/oracle/oracle-product/product/12.1.0/dbhome_1/dbs/init<MABASE>.or
  1. Creation du repertoire de la base
mkdir /home/oracle/oradata/<MA BASE>
  1. create database
    1. https://docs.oracle.com/cd/B28359_01/server.111/b28310/create003.htm#ADMIN1107
  2. Editer le fichier /home/oracle/oracle-product/product/12.1.0/dbhome_1/dbs/init<MABASE>.ora

# Change '<ORACLE_BASE>' to point to the oracle base (the one you specify at
# install time)

db_name='MABASE'
memory_target=512M
processes = 150
audit_file_dest='/home/oracle/oracle-product/admin/orcl/adump'
audit_trail ='db'
db_block_size=8192
db_domain=''
db_recovery_file_dest='/home/oracle/oracle-product/fast_recovery_area'
db_recovery_file_dest_size=2G
diagnostic_dest='/home/oracle/oracle-product'
dispatchers='(PROTOCOL=TCP) (SERVICE=ORCLXDB)'
open_cursors=300
remote_login_passwordfile='EXCLUSIVE'
undo_tablespace='UNDOTBS1'
# You may want to ensure that control files are created on separate physical
# devices
control_files = (/home/oracle/oradata/mabase/ora_control1, /home/oracle/oradata/mabase/ora_control2)
compatible ='11.2.0'
  1. Recommencer si cela n'a pas fonctionné :

rm -rf /home/oracle/oradata/mabase/*

  1. Creation du user : sqlplus / as sysdba
STARTUP NOMOUNT;

CREATE DATABASE mybase
   USER SYS IDENTIFIED BY lozenge
   USER SYSTEM IDENTIFIED BY lozenge
   LOGFILE GROUP 1 ('/home/oracle/oradata/mybase/redo01.log') SIZE 100M,
           GROUP 2 ('/home/oracle/oradata/mybase/redo02.log') SIZE 100M,
           GROUP 3 ('/home/oracle/oradata/mybase/redo03.log') SIZE 100M
   MAXLOGFILES 5
   MAXLOGMEMBERS 5
   MAXLOGHISTORY 1
   MAXDATAFILES 100
   CHARACTER SET WE8MSWIN1252
   NATIONAL CHARACTER SET AL16UTF16
   EXTENT MANAGEMENT LOCAL
   DATAFILE '/home/oracle/oradata/mybase/system01.dbf' SIZE 200M REUSE AUTOEXTEND ON MAXSIZE UNLIMITED
   SYSAUX DATAFILE '/home/oracle/oradata/mybase/sysaux01.dbf' SIZE 200M REUSE AUTOEXTEND ON MAXSIZE UNLIMITED
   DEFAULT TABLESPACE calv14
      DATAFILE '/home/oracle/oradata/mybase/database.dbf'
      SIZE 500M REUSE AUTOEXTEND ON MAXSIZE UNLIMITED
   DEFAULT TEMPORARY TABLESPACE tempts1
      TEMPFILE '/home/oracle/oradata/mybase/temp01.dbf'
      SIZE 350M REUSE
   UNDO TABLESPACE undotbs1
      DATAFILE '/home/oracle/oradata/mybase/undotbs01.dbf'
      SIZE 350M REUSE AUTOEXTEND ON MAXSIZE UNLIMITED;

@${ORACLE_HOME}/rdbms/admin/catalog (long)
@${ORACLE_HOME}/rdbms/admin/catproc <-- dba_data_files est créé ici (encore plus long)
  1. Recommencer si cela n'a pas fonctionné :
    1.  drop user userBase cascade;
  2. Creation du user :
define SG_SCHEMA = 'userBase'
define DEFAULT_TBS = 'mytbs'
define TEMP_TBS = 'tempts1'

CREATE USER &SG_SCHEMA IDENTIFIED BY password
       DEFAULT   TABLESPACE &DEFAULT_TBS
       TEMPORARY TABLESPACE &TEMP_TBS
;
grant connect to &SG_SCHEMA;      
grant resource to &SG_SCHEMA;
GRANT UNLIMITED TABLESPACE TO &SG_SCHEMA;
GRANT CREATE SYNONYM TO &SG_SCHEMA ;
GRANT CREATE VIEW TO &SG_SCHEMA ;

 

Fil RSS des articles