Spring Sweets: Add (Extra) Build Information To Info Endpoint

With Spring Boot Actuator we get some useful endpoints in our application to check on our application when it is running. One of the endpoints is the /info endpoint. We can add information about our application if Spring Boot finds a file META-INF/build-info.properties in the classpath of our application. With the Gradle Spring Boot plugin we can generate the build-info.properties file. When we apply the Gradle Spring Boot plugin to our project we get a Gradle extension springBoot in our build file. With this extension we can configure Spring Boot for our project. To generate project information that is used by the /info endpoint we must add the method statement buildInfo() inside the springBoot extension. With this method statement the Gradle Spring Boot plugin generates a file build/main/resources/META-INF/build-info.properties..

Let’s run our application and send a request for /info:

To override the default properties or to add new properties we must provide a configuration closure to the buildInfo method. If we a built-in key as the name of the property it is overridden with a new value, otherwise the key is added as a new property. In the following example we add some extra properties and override the properties time and name:

We restart the application and invoke the /info endpoint to get more results for the build:

Written with Spring Boot 1.4.2.RELEASE.

Original blog post

Angular2 and Spring Boot: Getting Started

Combining Angular2 and Spring Boot is a great way of getting up and running quickly with a new web application. However, it can be challenging to fit all the different pieces together in the beginning. In this blog post we will create a new project that is easy to build and run across different environments. The goal is to create a minimal, but runnable, application with as little dependencies and setup as possible. You can then start expanding the application however you see fit.

We will create the Angular2 application using angular-cli. This allows us to easily generate a new project with a clear structure. This will also make it easy to add new elements to our Angular2 application. When adding new elements with angular-cli, we will maintain the same structure and wire the new elements together automatically. Angular-cli is an npm module, so it requires Node and npm to install and run. Make sure to install a recent version of both of these applications before continuing with the steps below. We will use Maven as the overall build manager for our application.

The steps should be easy to follow and will not require a lot of work. However, you can get the result directly in this GitHub repository if you want to. There is a seperate commit for every step.

Step 1: Generate a new Spring Boot project

The first step is to generate a new Spring Boot project at https://start.spring.io. I’ve used the values in the screenshot below. Of course you can use your own group and artifact ids. We need at least the Web plugin to let Spring Boot serve the Angular2 application. If you already know you need more dependencies for your project, feel free to add them.

Click on Generate Project to download the zip file with your new Spring Boot project. Extract the zip file somewhere on your computer. Then open a command prompt and go to the newly created project directory.

Step 2: Split the project into seperate modules

We will want to use seperate Maven modules for the frontend and backend. Let’s start by creating the correct directory structure and copying the pom file.

Edit pom.xml in the top level project directory and make it look like this:

Next, edit pom.xml in the backend directory and make it look like this:

Finally, copy the pom.xml from the backend directory to the frontend directory and edit it to look like this:

Step 3: Add the Angular2 application to the project

If angular-cli is not installed on your system already, use npm to install it now.

To keep the blog post readable, I’m not showing the output of the command. You can ignore any warnings about optional dependencies. The -g flag tells npm to install it globally. This means you can run the command ng from the command line anywhere on your computer. Let’s use angular-cli to generate our Angular2 application in the frontend\src\main\frontend directory.

We just told angular-cli to generate a new project. We let it skip creating a git repository, because we are not in the top level directory of our project. We specified that the output directory should be frontend and called the new application ng2boot. We chose src\main\frontend to prevent maven from putting the source files, including the node_modules directory, in our jar.

Step 4: Configure Maven to build the Angular2 application

We will use the frontend-maven-plugin to build the Angular 2 application with Maven. First, let’s add the plugin to the fronted pom in the build/plugins section.

We specify the node and npm versions and the working directory in the configuration section. We also add three executions. The first execution downloads and installs node and npm to the directories node and node_modules. Npm will download a lot of packages, so add both directories to the ignore list of your version control system. The second execution runs npm install in the working directory to download all npm dependencies of our project. The third execution runs npm run build in the working directory to build the Angular2 application.

By default, angular-cli will write the final Angular2 application in the src\main\frontend\dist directory. We can adhere to the Maven standard directory layout better by configuring angular-cli to write it to the target directory. This will also delete the built application, along with all other build artifacts, when we run mvn clean. Edit .angular-cli.json and change the outDir in the apps section.

Step 5: Let Spring Boot serve the Angular2 application

Maven will now build (and clean) the Angular2 application, but it will not end up in our final jar. Spring Boot will serve static content from a number of directories on the Java classpath. So we have to make sure that the Angular2 application ends up in one of those directories. Files on the classpath that are not Java classes, are known as resources. Maven copies all resources (normally found in src\main\resources) into the final jar. Add the packaged Angular2 application to the resources by adding the snippet below to the build section in pom.xml. The given targetPath will put it in /static on the classpath and Spring Boot will serve it from there.

Because the Spring Boot backend is in another module, we will need to add a dependency to the Angular2 application. Edit the backend pom file and add the following to the list of dependencies.

Step 6: Fire it up!

We are now ready to build and run our application. From the top level directory of our project, run:

Wait for the application to start and then point your browser to http://localhost:8080

Angular2 application served by Spring Boot

If you have configured everything properly, your application should look just like the above image. If it doesn’t, have a look at the GitHub repository which has the finished application in it. And of course, don’t hesitate to leave a reply if you’re having trouble getting the application to build or start.

Step 7: Using the angular-cli development server with your Spring Boot backend

One of many nice features of angular-cli is the development server. It will serve the Angular2 application, just like Spring Boot. However, every time we save a source file, it will automatically rebuild the application and refresh the browser.

There is one problem though. Maven (running our backend) and the development server (running our frontend) are seperate processes listening on seperate ports. This prevents Angular2 from making backend requests because it violates the Same Origin Policy of our web browser. Web browsers only allow backend requests to the same origin that the web application making the requests was downloaded from.

Thankfully, we can let angular-cli act as a proxy for our Spring Boot backend. The Angular2 application will send backend requests to thedevelopment server, which will forward them to Spring Boot. Now, the Angular2 application can make backend requests to the same origin it came from.

Edit package.json and change the start script to add the proxy configuration.

The start script now references proxy.conf.json. Create that file, with the following content:

This configuration assumes all backend requests will be made to (sub paths of) /api. You can of course choose any url you like. Now, when you run npm start in the frontend\src\main\frontend directory, the development server will run your Angular2 application. It can be reached at http://localhost:4200. Don’t forget you have to start your backend seperately. You can do this by running mvn spring-boot:run in the backend directory.

I hope you enjoyed this blog post. If you found it useful, or if you have any questions, please let me know by leaving a reply. Happy coding!

Het ontstaan van de passie voor het moderne maken

Als JDriven ervaren we elke dag hoe schaars het talent is dat nodig is om onze klanten optimaal te ondersteunen. Deels omdat we op zoek zijn naar echte specialisten maar vooral omdat we verwachten dat collega’s een passie hebben voor hun vak en erg gemotiveerd zijn om mooie dingen te maken.

Deze passie is voor ons essentieel en wat mij betreft is dit de basis van succesvol software ontwikkelen oftewel het moderne maken. Continue reading

Securing your application landscape with Spring Cloud Security – Part 1

Securing an application is difficult. Securing an entire application landscape is even more difficult! In this modern era of blazing fast microservices we do not want the additional complexity of having to secure it all manually. This is where Spring Cloud Security comes in. By combining proven technologies, it helps us achieve performant, configurable end-to-end security across multiple applications.

So what technologies are being combined? Well, a lot… We will not mention them all here, but the foundation relies on Spring Boot and Spring Security OAuth.

OAuth, or, in our case, OAuth2 is basically an authorization delegation protocol. To quote Wikipedia, OAuth:

[…] specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.

In our context, the resource owners are the users of our applications, server resources are the data we store about our users (e.g. the list of shop orders), and third-parties are the applications (or services) in our landscape which perform actions on the user data.

A common mistake people make is thinking that OAuth also provides authentication. It doesn’t, but that’s where Spring Security kicks in. For more information about the difference between authentication and authorization in an OAuth context, we refer you to this article.

Basically, the picture below visualizes the type of application landscape we want to achieve with this series of articles.

Overview

An overview of the type of application landscape we want to achieve

In the following series of articles, we will build a concrete implementation of the above displayed application landscape from the ground up, with as little code and configuration as possible. We will make some concessions regarding complexity and functionality, mainly to enable us to focus on the basic principles.

The project source code is available on Bitbucket, so feel free to clone the Git repository:

The master branch contains the complete solution. Each article in this series will represent a separate step in the development of the solution. Several Git tags have been created in the repository to be able to follow along with each step.

How to run it

To be able to run the applications, the following software is required:

  • Gradle (tested with version 2.12)
  • Java 8 Development Kit

All three applications in the Git repository can be run from the command line, by executing the following command from the root directory of the application to run:

Alternatively, it is possible to run the main method in the relevant Spring Boot Application class (MyAuthServerApplication / MyWebsiteApplication / MyRestApiApplication) from an IDE or command line.

It does not matter in which order the applications are started.

Securing a basic website with a separate Identity Provider

As a starting point, we have created a Spring Boot application, called My Website. The application is bootstrapped using Spring Initializr, with the Web and Thymeleaf dependencies.

The application is pretty straightforward, containing a single Spring MVC Controller, to render a web page which displays the current time (like mentioned before, the functionality of the application is irrelevant, so we keep this simple). For now, the application is not secured in any way.

Tip To see the application in its initial state (not secured), checkout the Git tag insecure-website from the repository. To see the end result of this step (the website is secured using an Identity Provider), checkout the tag secure-website.

To view the current time, run the My Website application (see How to run it), and navigate to: http://localhost:8080/time

Creating the Identity Provider

The first step in securing My Website involves creating My Auth Server. This application will function as an Identity Provider for My Website. To achieve this, we will be using Spring Cloud Security, in combination with Spring Security OAuth2.

In OAuth2, the role of Identity Provider is split in two parts. The first part, the Authorization Server, verifies the identity of a resource owner (the user) and provides some kind of access token to applications wanting to act as the user. The second part, the Resource Server, provides resources (e.g. information about the user), based on the given token.

Important The OAuth2 specification doesn’t state anything about authentication. It basically defines how to delegate authorizations to access protected resources to third parties. In our context: the Authorization Server tells our application(s) that it may act as some user (resource owner), and thus access their data (resources). So how does the Authorization Server know which user it concerns? That’s where Spring Security enters the picture. Spring Security will handle the authentication part, and Spring Security OAuth2 will do the rest. For more general information about user authentication with OAuth2, see here.

With Spring Security OAuth2 it is possible to create two separate applications, one acting as Authorization Server and one as Resource Server. But it is also possible to combine the two parts into one application, which is what we will be doing.

Again, we will use Spring Initializr to bootstrap the application, with the Web and Thymeleaf dependencies, but this time we also add the Cloud OAuth2 dependency. We configure the application to run at http://localhost:9090/auth (see the properties in my-auth-server/src/main/resources/application.yml).

My Auth Server application is configured as both an Authorization Server and Resource Server, and is secured with Spring Security, with the help of a few Spring configurer adapters. These are explained below.

Authorization Server configuration

The AuthorizationServerConfigurer allows you to modify the default configuration (enabled by the annotation @EnableAuthorizationServer) to be able to act as an OAuth2 Authorization Server. Furthermore, we configure the client details service. This service specifies details about the way ‘clients’ (== other applications) interact with the Authorization Server.

  1. We configure everything in-memory for simplicity, but it is also possible to get the details from e.g. a database
  2. The client authenticates with the credentials myauthserver / verysecretpassword
  3. Specify the allowed redirect URI patterns, this prevents random parties from gaining an access token (e.g. XSRF attacks)
  4. OAuth2 supports different grant types, of which the Authorization Code type is the most known. For more information about grant types, see here
  5. When a client (application) authorizes with the Authorization Server, the server can assign one or more scopes to the client. In simple terms, a client scope can be seen as a specific permission for this client. With client scopes, it is possible to allow some applications to have more access rights to user resources than other applications. This is out of scope (pun intended) for this article.
  6. It is possible to make the Authorization Server ask the user permission for the client to obtain rights to access their resources. In our case we automatically approve the request.

Resource Server configuration

An application acting as an OAuth2 client to My Auth Server may need to be able to fetch information about a user, given a valid OAuth2 access token. To serve this information, we add a REST Controller, and secure this resource by configuring the My Auth Server as an OAuth2 Resource Server.

The REST Controller is a standard Spring @RestController, with one request mapping:

  1. The currently logged in user is injected by Spring as an OAuth2Authentication object. This is basically a standard Java Principal, with some added OAuth2-specific details.
  2. We return a map containing the current username,
  3. and a set of user roles.

This is the minimal set of details required for a Spring-enabled OAuth2 client to reconstruct its own OAuth2 Principal object. It is possible to add more details here, if needed. Instead of a Map, some examples on the internet just return the Principal object directly. Although this saves you the overhead of creating a map, we feel it exposes too much unnecessary information. With our approach, we are in control of what information is shared about the user.

The next step is to secure this resource. Of course, we can only provide valid user information, if we have a logged in user. Therefore, we configure My Auth Server as an OAuth2 Resource Server, which basically is a server hosting protected resources, capable of serving these resources when presented with a valid access token. In this case, the protected resource is information about the logged in user. The Resource Server security configuration is defined in ResourceServerConfigurer, using the @EnableResourceServer annotation.

  1. We match our security configuration on the URL /user, matching the request mapping in our ResourceController.
  2. Only authenticated access is allowed.

Spring Security configuration

The last step for My Auth Server is to configure the application security, to define how we want our users to authenticate themselves. We use a pretty standard Spring Security setup, but for the sake of completeness, we describe the configuration below.

The WebSecurityConfigurer modifies the default Spring Security configuration (enabled by the annotation @EnableWebSecurity annotation). We configure the URLs to secure, enable Cross-Site Request Forgery protection, setup a login form, and add some user credentials.

  1. The login page is located at /login, and should be publicly available.
  2. All other requests should be authenticated.
  3. Enable Cross-Site Request Forgery (CSRF) protection.
  4. Configure the form login page at /login.
  5. For simplicity, we use an in-memory user database with two users: a normal user and an administrator.

The login form is a simple html form, generated using a Thymeleaf template. The template is located at my-auth-server/src/main/resources/templates/login.html, and made available using a Spring MVC View Controller, defined in my-auth-server/src/main/java/com/jdriven/example/cloudsecurity/config/WebMvcConfigurer.java.

Using the Identity Provider to secure My Website

Now that we have set up our Identity Provider (My Auth Server), we need to configure My Website to use it. This is a very easy task, consisting of three parts.

Spring Cloud Starter OAuth2

We add a dependency in the My Website project to Spring Cloud Starter OAuth2.

Spring Security Configuration

We configure the security in WebSecurityConfigurer (which is a Spring Web Security Configurer Adapter), using the @EnableOAuth2Sso annotation to enable OAuth2. The security configuration itself is pretty straightforward.

  1. Allow navigating to the index page at /.
  2. Secure all the other URLs.

Application configuration

The last step is to add some properties to our application configuration in application.yml. These properties configure My Website to use the URLs provided by My Auth Server.

  1. The URL used by an OAuth2 client to acquire an OAuth2 access token.
  2. The URL to which the user will be redirected to authorize access to a resource.
  3. The client ID specified earlier in the Authorization Server configuration.
  4. The client password specified earlier in the Authorization Server configuration.
  5. The user info resource URL, specified earlier in the Resource Server configuration.
Tip To see the resulting source code at this point, checkout the Git tag secure-website.

That’s it! If we run both the My Auth Server application and the My Website application (see How to run it), and navigate to http://localhost:8080/time, we will see that the URL is now secured, and we need to login first. Congratulations, your website is now secure!

Up next

In the next articles in this series, we will discuss the following topics:

  • After having secured a single application, we will add a new application, a REST service, which we will also secure through My Auth Server in a Single Sign On (SSO) configuration.
  • We will call the REST service from the browser using client side Javascript, proxying the service calls through My Website using Netflix Zuul.
  • Then, we will make the REST service stateless (no sessions), remaining secure by using JSON Web Tokens (JWT).
  • Finally, we will add the ability to login using a Google account.

Spicy Spring : Dynamically create your own BeanDefinition

When we a have Spring managed application, we want to let Spring manage all of our beans. Beside the regular way of creating beans with known solutions like Annotated beans, Java Configuration and XML Configuration, there is also a way in which we can create our own BeanDefinition.

With a BeanDefinitionRegistryPostProcessor it is possible to create a specific post processor which can add BeanDefinitions to the BeanDefinitionRegistry.
It differs from the BeanPostProcessor, which only has hooks for Bean Initialization (construction of your POJO), where the BeanDefinitionRegistryPostProcessor has a hook on the BeanDefinitionRegistry. This gives us the ability to define our own BeanDefinition.

First we create a BeanDefinitionRegistryPostProcessor implementation as listed in the example. We implement the required method, and will be able to add our own bean definition to the registry. The defined BeanDefinition will be picked up by the ApplicationContext and the POJO will be constructed. Our result is A Spring managed bean

Stateless Spring Security Part 3: JWT + Social Authentication

This third and final part in my Stateless Spring Security series is about mixing previous post about JWT token based authentication with spring-social-security. This post directly builds upon it and focusses mostly on the changed parts. The idea is to substitude the username/password based login with “Login with Facebook” functionality based on OAuth 2, but still use the same token based authentication after that.

Login flow

Client-side

The user clicks on the “Login with Facebook” button which is a simple link to “/auth/facebook”, the SocialAuthenticationFilter notices the lack of additional query parameters and triggers a redirect leading the user of your site to Facebook. They login with their username/password and are redirected back, again to “/auth/facebook” but this time with “?code=…&state=…” parameters specified. (If the user previously logged in at facebook and had a cookie set, facebook will even instantly redirect back and no facebook screen is shown at all to the user.) The fun part is that you can follow this in a browsers network log as it’s all done using plain HTTP 302 redirects. (The “Location” header in the HTTP response is used to tell the browser where to go next)

Continue reading