Secure a Spring microservices architecture with Spring Security and OAuth + this tutorial. No Okta SDKs required!
One interesting thing I found during this tutorial. Steps to reproduce:
1. Run eureka-service
2. Run edge-service
3. Run beer-catalog
4. Open http://localhost:8081/good-beers, log in and then see an empty list of beers. During debugging I found that BeerClient.readBeers() throws an error.
5. Open http://localhost:8081/home - everything is OK.
6. Open http://localhost:8081/good-beers - see the list of beers.
Question - why does this happen? How can the user info be fetched automatically if it is not present in the session?
Hello Oleksandr - I was able to reproduce the issue you mention here. I’m not sure why it happens, but I’m guessing it’s because there’s no authorization header sent after the redirect. If you use the Angular client, everything should work as expected.
Hello, how do we write this code using SAML? Do we have some documentation for the approach below:
1. Frontend: Angular/ReactJs or any other platform
2. Backend: Spring boot + Spring security + JWT + SAML + OKTA
Kindly help!
Why do you want to use SAML? OIDC is much more capable and can work with many use cases beyond the browser.
Thanks for the quick reply, Matt!!
This is what we need to use, as our client wants it. I have seen your tutorial regarding SAML and implemented a web-based project referring to that. But the client now wants to have two different projects: one for the frontend and the other for the backend (now we need REST services).
I’m sorry, I don’t know how to implement this same architecture with SAML. You could try posting your question to our Developer Forums.
Great article! Thanks a lot for sharing, Matt! The most important thing I take with me is the use of HttpSecurity.requestMatcher(.) to enable multiple security configurations.
One question: the configure(.) method on the edge service uses antMatchers("/**").authenticated() whereas the beer service uses anyRequest().fullyAuthenticated().
I would think that this is mostly the same (except that fullyAuthenticated doesn’t accept “remembered” users). Why the difference?
Thanks Ben - I’m glad you like it!
anyRequest() mean the same thing. As for fullyAuthenticated(), it appears the latter results in true if the user did not use remember me to authenticate.
Langton Favor Rebel Mudyiwa
Hi Mattie, thanks for the tutorial on React and Spring Boot,
but I am running into a number of bugs. Since I understand React with JSX, when I change my App.jsx to App.tsx my code will not be readable, since interfaces are for TypeScript. Is there a way around interfaces so my code will be read by JSX?
Because after changing to tsx I am getting an error:
Module build failed: Error: ENOENT: no such file or directory, open ‘C:\Users\MR L\Downloads\MyEclipse\React\SpringReactdemo\src\me\src\App.jsx’
and I am struggling. Thank you.
React is not a part of this particular tutorial. Can you please post your question to our Developer Forums? I’d be happy to answer it there.
Excellent article as usual!
I have followed it with my own small service and adapted it for Spring Boot 1.5.x. But I am facing an issue where I am prompted to log in with the browser’s basic authentication dialog after I entered my Okta credentials on the Okta domain. It looks like it is the service that requires the basic authentication, but I don’t see how to remove it.
Can you please try the example on GitHub and see if you can reproduce the problem? If not, I’d suggest comparing your code with the example and see if you can figure out what’s different. SmartSynchronize can work well for comparing two different directories.
Thank you Matt. I’ve tried again this morning and it worked. I will look at the example to double check I am not doing anything wrong…
Can a custom login screen be done with this? I have tried some of the custom login examples, but when combined with this example I cannot get them to work.
You should be able to customize the login screen that’s hosted on Okta. You’ll need to log in to your dashboard, then go to Customization > Signin Page. You can play with customization settings and see your changes in real-time at https://developer.okta.com/….
Tharaka De Silva
@mattraible Amazing guide!! However, in order to have the Authorization header forwarded from the zuul proxy to the “/home” service, I had to add the following to the application.yml in my zuul proxy application:
Is there a better way to proceed here?
This seems to be caused by an issue that happens when upgrading from Spring Boot 2.0.3 to 2.0.4. It affects JHipster 5.2.0 as well. A workaround seems to be:
sensitive-headers: Cookie,Set-Cookie #see Finchley.SR1 Authorization Header is not being forward · Issue #3126 · spring-cloud/spring-cloud-netflix · GitHub
I updated this post to include
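For readers hitting the same stripped-header problem, here is a constructed application.yml fragment for the Zuul edge service (an added example, not the tutorial's own file): it shows why the Authorization header disappears by default and how to forward it either globally, as in the workaround above, or only to the route that needs it. The route name, path and serviceId are assumptions.

```yaml
# Constructed example for the Zuul edge service; not the tutorial's application.yml.
# Zuul's built-in default for sensitive-headers is "Cookie,Set-Cookie,Authorization",
# so with no override the bearer token obtained at the edge never reaches the
# downstream resource server and its endpoints respond as unauthenticated.
zuul:
  # Global override (the workaround quoted above): Authorization is forwarded to
  # every route, while Cookie/Set-Cookie are still kept at the edge.
  sensitive-headers: Cookie,Set-Cookie
  routes:
    # Route name, path and serviceId are assumed for this example.
    beer-catalog:
      path: /beer-catalog/**
      serviceId: beer-catalog-service
      # A per-route value takes precedence over the global one, so the token can be
      # forwarded only to the service that actually validates it and left stripped
      # for routes that do not need the user's credentials.
      sensitive-headers: Cookie,Set-Cookie
```

Keep the list non-empty: an empty sensitive-headers list forwards every header, including Cookie and Set-Cookie, which is more than the beer-catalog resource server needs.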
Hi @mattraible , Thanks for the wonderful article.
I have a question: it seems that if I hit beer-catalog-service directly from a client, it shouldn’t allow me access unless I have an authorization tag in the header. Can you please confirm this? Because in my case I can access /beers with the direct URL without having to pass an authorization header,