Hello people, I would like to get some assistance. It appears that I can't invoke /encrypt and /decrypt endpoints. Even if I provide valid auth credentials, I still get HTTP 401. Here is the current example code: https://github.com/kamiKAZIK/sensoric-configuration-service

Trying to invoke and getting HTTP/1.1 401: curl -v -u configuration-user:configuration-user 'http://127.0.0.1:38888/encrypt' -H 'content-type: text/plain;charset=UTF-8' --data 'dummy'

The application is launched using local profile: --spring.profiles.active=local

Comment From: dsyer

Security (as in authentication and access control) is not really a concern for this repository. I see from your sample that you added it yourself, which is fine, but as far as I can see you never set the user passwords. Is that the problem?

Comment From: ekazakas

The user passwords are set using these property blocks:

sensoric:
  security:
    user:
      name: configuration-user
      roles: USER
    manager:
      name: configuration-manager
      roles: ACTUATOR

sensoric:
  security:
    user:
      password: '{noop}configuration-user'
    manager:
      password: '{noop}configuration-manager'

And then those properties are used in com.sensoric.configuration.config.SecurityConfiguration to build the UserDetailsService. The second block is used when the profile is set to local, since other environments should use different password configurations.

Comment From: ekazakas

Strange fact is that calling this: curl -v -u configuration-user:configuration-user 'http://127.0.0.1:38888/encrypt/status' returns status OK

Comment From: dsyer

OK so not really an issue with Spring Cloud then? Just some confusion about the authentication configuration. We don’t really field general support questions (even about Spring Cloud) if we can help it in this forum. Please try Stack Overflow for some help with Spring Security.

Comment From: ekazakas

Probably. I will probably have to debug the Spring Security modules, since this is a tricky one... It might be something with security filters, since GET /encrypt/status works as expected and POST /encrypt does not.

Comment From: ekazakas

In case someone else stumbles upon the same issue, the solution is to disable csrf().

http.csrf()
        .disable()
    .authorizeRequests()
        .requestMatchers(EndpointRequest.toAnyEndpoint())
            .hasRole(ROLE_ACTUATOR)
        .anyRequest()
            .hasRole(ROLE_USER)
        .and()
    .httpBasic();

Comment From: dsyer

FWIW csrf protection should have returned a 403 for an authenticated request. So there’s still something broken probably. Glad you found a way to make it work though.

Comment From: ekazakas

Most likely. I'm using the Finchley.M7 BOM, which pulls in various milestone releases. Since it's very new and fresh, some dependencies might still be unstable. I'll wait till the final release and if the problem persists, I will probably try to poke the Spring Security guys regarding this issue.

Comment From: gmcouto

Thanks kamiKAZIK! I was not able to use the tutorials to encrypt data using curl localhost:8888/encrypt -u user:password -d oi -H "Content-Type: text/plain", as it returned a 401 for requests only on /encrypt and /decrypt. All other requests worked fine.

I disabled CSRF using:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Turn off CSRF for the whole filter chain so that POST /encrypt and
        // POST /decrypt accept requests without a CSRF token, and keep HTTP
        // Basic as the authentication mechanism.
        http.csrf()
                .disable()
                .httpBasic();
    }
}

And was able to use it now.

Comment From: elanhershcovitz

gmcouto's code did get the encrypt/decrypt endpoints back so I can use Postman or other tools to test, but FYI the Spring code will work even without this, so a call for config server files that include a prop like tenantid={cipher}09844b0f20732b4690b... will come back with the correct decrypted value

Comment From: HagarJNode

Thanks kamiKAZIK! I was not able to use the tutorials to encrypt data using curl localhost:8888/encrypt -u user:password -d oi -H "Content-Type: text/plain", as it returned a 401 for requests only on /encrypt and /decrypt. All other requests worked fine.

I disabled CSRF using:

@Configuration
public class ActuatorSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf()
                .disable()
                .httpBasic();
    }
}

And was able to use it now.

I had one issue with this - accessing /info/whatever made the config server reply with everything from the application.yml - even though it should have replied with a 401. Adding super.configure(http) at the start of the method solved it.
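The two configurations in this thread illustrate a trade-off worth spelling out. The minimal fix (http.csrf().disable().httpBasic()) removes CSRF protection from the whole filter chain and, because it neither calls super.configure(http) nor adds an authorizeRequests() rule, leaves the chain without any authorization step: httpBasic() accepts credentials when they are sent but does not require them, which is why /info/whatever answered anonymous requests. The earlier fix keeps authorization but still disables CSRF globally. The class below is an added example, not code from this issue or from Spring Cloud Config, written against the Spring Boot 2.x / Spring Security 5.x API the comments use (WebSecurityConfigurerAdapter, EndpointRequest); the package name, class name and in-memory users are constructed for the example and stand in for the property-backed users described above. It keeps the role split from the thread (USER for configuration clients, ACTUATOR for actuator endpoints) and relaxes CSRF only on the /encrypt and /decrypt paths that non-browser clients call with HTTP Basic.

```java
// Added example, not from the issue thread or Spring Cloud Config itself.
// Assumes Spring Boot 2.x, Spring Security 5.x and spring-boot-starter-actuator.
package com.example.configserver.security; // hypothetical package

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class ConfigServerSecurity extends WebSecurityConfigurerAdapter { // hypothetical class name

    // hasRole() adds the "ROLE_" prefix itself, so these match roles: USER / ACTUATOR
    private static final String ROLE_USER = "USER";
    private static final String ROLE_ACTUATOR = "ACTUATOR";

    /*
     * Weak variant from the thread, shown for contrast only:
     *
     *   http.csrf().disable().httpBasic();
     *
     * No authorizeRequests() rule and no super.configure(http) means no
     * authorization at all: every request, including config lookups and
     * actuator endpoints, is served to anonymous callers. The default
     * super.configure(http) would have added anyRequest().authenticated().
     */

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Exempt only the two POST endpoints that curl/Postman/CI clients
            // hit with HTTP Basic; every other request keeps CSRF protection.
            .csrf()
                .ignoringAntMatchers("/encrypt", "/encrypt/**", "/decrypt", "/decrypt/**")
                .and()
            .authorizeRequests()
                // actuator endpoints (health, info, env, ...) require ACTUATOR
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole(ROLE_ACTUATOR)
                // everything else (config lookups, /encrypt, /decrypt) requires USER
                .anyRequest().hasRole(ROLE_USER)
                .and()
            .httpBasic();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        // Constructed in-memory users standing in for the property-backed ones
        // in the thread. {noop} stores the password in clear text, which is
        // only acceptable for a local profile.
        return new InMemoryUserDetailsManager(
            User.withUsername("configuration-user")
                .password("{noop}configuration-user")
                .roles(ROLE_USER)
                .build(),
            User.withUsername("configuration-manager")
                .password("{noop}configuration-manager")
                .roles(ROLE_ACTUATOR)
                .build());
    }
}
```

With this in place, an unauthenticated GET /info/whatever gets 401 rather than the application.yml contents, POST /encrypt with a valid configuration-user credential succeeds without a CSRF token, and a POST to any other path still requires the token.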