Following this tutorial i'm developing a web application using symfony authentication/authorization architecture.
After designing the whole structure (routes, pages and security levels) i'm stuck: how can i develop my pages without enter credentials all the time? Is there any way to disable or turn off the entire firewall functionality? Should i use data fixtures?
In your app/config/security.yml file, under the firewalls config option add or modify the dev...
firewalls:
dev:
pattern: ^/
security: false
The security.firewalls.dev: configuration is used in every Symfony environment (dev,test,prod)!
In Symfony 4, to achieve disabling firewalls for all routes in just dev environment, you could do something like this:
Setup:
config/packages/security.yaml:
parameters:
# Adds a fallback SECURITY_DEV_PATTERN if the env var is not set.
env(SECURITY_DEV_PATTERN): '^/(_(profiler|wdt)|css|images|js)/'
security:
firewalls:
dev:
pattern: '%env(SECURITY_DEV_PATTERN)%'
security: false
Override per Symfony environment:
create a new file config/packages/dev/parameters.yaml:
parameters:
env(SECURITY_DEV_PATTERN): '^/'
Now all routes are reachable without firewall in Symfony dev environ
Override using environment variables:
You could also override SECURITY_DEV_PATTERN in the .env file:
SECURITY_DEV_PATTERN=^/
This only works if you don't include the .env in your production environment, or if you specifically override the SECURITY_DEV_PATTERN environment variable there as well.
Related
I can't find a way to figure out where is the host name configuration provided for the SPA application to connect to.
The command passed into the application from ASP.NET Core server while running the SPA is
ng serve --port 44472 --ssl --ssl-cert %APPDATA%\ASP.NET\https\%npm_package_name%.pem --ssl-key %APPDATA%\ASP.NET\https\%npm_package_name%.key
And I could not find any of the above strings localhost:7219, or 5219, or 7219 in the ClientApp / ClientApp/src folder (7219 and 5219 are the server ports and 44472 is the client npm port).
Do the server URLs passed from launchSettings.json asp project directly?
If so, if there a way to configure the server URLs directly from ClientApp if the client application is run from a different host, other than localhost (any where the settings (are | should be) stored)?
I can see the #Injected service everywhere but where does it store the settings is unclear (for how to configure this injected BASE_URL?):
constructor(http: HttpClient, #Inject('BASE_URL') baseUrl: string) {
http.get<WeatherForecast[]>(baseUrl + 'weatherforecast').subscribe((result : any) => {
this.forecasts = result;
}, (error : any) => console.error(error));
}
The derived question is: should by default the client Bearer authorization also work for a remote host?
The remote host for example is github pages. How to properly set the remote host configuration within client application for a particular webpack deployment with angular-cli-ghpages if the CORS hosts are configured within Program.cs? Should the client configuration for a remote host (apart from localhost) or server CORS configuration, include additional "Bearer-Cors" configuration (as for the certificate npm start script mentioned in the question above – should it be just skipped without any parameters passed in it)?
Are there any comprehensive guidelines on this subject?
Half of the answer to this question is that the template uses proxy config, which is described here https://angular.io/guide/build#proxying-to-a-backend-server and stores the configuration in proxy.conf.js within ClientApp folder. I will try to extend my answer with any found information in the future.
Update: The second part of the answer is to add the Cookie.SameSite = SameSiteMode.None; cookie authorization configuration in Startup.cs / Program.cs. Take a look at the solution: https://stackoverflow.com/a/75239406/6897369
I have 5 profiles for my Spring Boot application
application.yml
application-prod.yml
application-stg.yml
application-dev.yml
application-local.yml
One default config and 4 for different environments.
application.yml looks like this
spring:
cloud:
vault:
enabled: ${VAULT_ENABLED:false}
host: ${VAULT_HOST}
port: ${VAULT_PORT}
authentication: aws_iam
aws-iam:
role: ${VAULT_POLICY}
server-name: ${VAULT_HOST}
kv:
backend: kv
enabled: true
Some of the properties are provided by the host in the environment variables.
To support local development I am overriding authentication in local profile like this
spring:
cloud:
vault:
enabled: true
authentication: token
token: ${VAULT_TOKEN}
Now the question is how to import config correctly?
If I will do spring.config.import: "vault:" in application.yml it will fail while running with local profile. As ConfigData API will try to resolve vault properties immediately after default profile is processed (but auth info not yet loaded). But as local profile is supposed to use different auth method, it cannot access Vault and fails.
Another question is how to disable Vault in some cases? I could do spring.cloud.vault.enabled=false, but this again would cause failure as ConfigData cannot resolve vault:.
Yes I could use legacy bootstrap mode which would work fine for my scenario, but in the longer run wouldn't be ideal...
Only thing that comes on my mind is to create additional profile, eg vault which would be loaded as a last one. With enabling / disabling this profile I could control if config from Vault is imported or not...
Any other ideas?
We have the same problem, but we have found a workaround overriding the default import order of Spring Boot by importing also the profile-specific configuration files explicitly using spring.config.import in application.yml like this:
spring:
profiles:
active: ${STAGE:local}
config:
import:
- optional:classpath:application-${STAGE:local}.yml
- vault://secret/our-secret
Note that the STAGE environment variable corresponds to the profile used per stage. We made the import of the profile-specific configuration file optional, as we don't have a dedicated file for every stage.
By providing the import for the profile-specific configuration files explicitly before the vault config, we can override the default vault settings before the vault is accessed.
Still, this approach feels a bit awkward, but it's the only way so far we found to work around the issue, so better solutions would be appreciated.
I created spring config server with s3 backend as it described here:
https://cloud.spring.io/spring-cloud-config/reference/html/#_aws_s3_backend
I created 4 files in my-config-server s3 bucket:
app-default.properties
app-dev.properties
client-app-default.properties
client-app-dev.properties
When I ran client-app application with dev profile, I got only client-app-dev.properties properties.
I am interested if it is possible to get also client-app-default.properties, app-dev.properties and app-default.properties properties, if its were not defined in client-app-dev.properties
In another words, Is it possible to support following hierarchic:
application.properties # Applicable for all environments.
application-dev.properties # Environment level commons across all services.
client-app-dev.properties # Overrides specific to the service for one environment.
client-app2-dev.properties
for example:
client-app-dev.properties
my.property1="my-propertyDev1"
client-app-default.properties
my.property1="my-propertyDefault1"
my.property2="my-property2Default"
app-default.properties
my.property3="my-propertyAppDefault3"
when I am running client-app application with dev profile I what to get:
#Value("${my.property1}")
private String property1; //"my-propertyDev1"
#Value("${my.property2}")
private String property2; //"my-property2Default"
#Value("${my.property3}")
private String property3; //"my-propertyAppDefault3"
It works so with regular spring config server but I didn't succeed with s3 backed. It goes directly to specific app and specific profile
I have following configuration on server side:
server:
port: 8888
spring:
profiles:
active: native
cloud:
config:
server:
native:
search-locations: "classpath:/config"
security:
user:
name: test
password: test
And following configuration on client side:
spring:
cloud:
config:
fail-fast: true
profile: "${spring.profiles.active}"
uri: "${SPRING_CLOUD_CONFIG_URI:http://localhost:8888/}"
username: test
password: test
I can successfully access properties from browser using user/pwd as test/test, but when my client tries to fetch it failed with 401 error:
INFO 7620 --- [5cee934b64bfd92] c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at : http://localhost:8888
WARN 7620 --- [5cee934b64bfd92] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: 401 null
I tried setting the log level for spring cloud to DEBUG but nothing additional got logged, so I have no clue why I'm getting a 401 from client while I can access properties successfully via browser using the same credentials.
I've also tried removing the security from server and client and it worked perfectly, which means rest of the configurations are quite ok. But then the question is, what am I overlooking when I apply basic security and why it is not working and throwing a 401 instead?
Try checking these configurations:
spring.cloud.config.username
spring.cloud.config.password
Both properties should be defined at bootstrap.properties (not application.properties)
Please check if the way you are specifying profile name is correct and if it is getting resolved properly in Java code. You can implement CommandLineRunner and print active profiles from Environment variable.
If you specified property spring.profiles.active as native in pom.xml, you can resolve it in application/yaml file as #spring.profiles.active#
If you specified property file as VM argument, then it should work with current implementation.
If you did not specify spring.profiles.active in pom or VM argument, it will resolve to default profile, not native profile. Profile in config client and config server should be same.
Yes we have to use bootstrap properties because When the Spring Cloud application starts, it creates a bootstrap context. The bootstrap context is searching for a bootstrap.properties or a bootstrap.yaml file, whereas the application context is searching for an application.properties or an application.yaml file. The bootstrap context is the parent context for the main application
So I'm writing a Facebook App using Rails, and hosted on Heroku.
On Heroku, you deploy by pushing your repo to the server.
When I do this, I'd like it to automatically change a few dev settings (facebook secret, for example) to production settings.
What's the best way to do this? Git hook?
There are a couple of common practices to handle this situation if you don't want to use Git hooks or other methods to modify the actual code upon deploy.
Environment Based Configuration
If you don't mind having the production values your configuration settings in your repository, you can make them environment based. I sometimes use something like this:
# config/application.yml
default:
facebook:
app_id: app_id_for_dev_and_test
app_secret: app_secret_for_dev_and_test
api_key: api_key_for_dev_and_test
production:
facebook:
app_id: app_id_for_production
app_secret: app_secret_for_production
api_key: api_key_for_production
# config/initializers/app_config.rb
require 'yaml'
yaml_data = YAML::load(ERB.new(IO.read(File.join(Rails.root, 'config', 'application.yml'))).result)
config = yaml_data["default"]
begin
config.merge! yaml_data[Rails.env]
rescue TypeError
# nothing specified for this environment; do nothing
end
APP_CONFIG = HashWithIndifferentAccess.new(config)
Now you can access the data via, for instance, APP_CONFIG[:facebook][:app_id], and the value will automatically be different based on which environment the application was booted in.
Environment Variables Based Configuration
Another option is to specify production data via environment variables. Heroku allows you to do this via config vars.
Set up your code to use a value based on the environment (maybe with optional defaults):
facebook_app_id = ENV['FB_APP_ID'] || 'some default value'
Create the production config var on Heroku by typing on a console:
heroku config:add FB_APP_ID=the_fb_app_id_to_use
Now ENV['FB_APP_ID'] is the_fb_app_id_to_use on production (Heroku), and 'some default value' in development and test.
The Heroku documentation linked above has some more detailed information on this strategy.
You can explore the idea of a content filter, based on a 'smudge' script executed automatically on checkout.
You would declare:
some (versioned) template files
some value files
a (versioned) smudge script able to recognize its execution environment and generate the necessary (non-versioned) final files from the value files or (for more sensitive information) from other sources external to the Git repo.