23

I understand that a Spring Cloud Config Server can be protected using a user name and password, which have to be provided by the accessing clients.

How can I prevent the clients from storing this user name and password as clear text in the bootstrap.yml files in the client applications/services?

yathirigan
  • 5,619
  • 22
  • 66
  • 104

3 Answers

8

The very basic "basic authentication" (from here https://github.com/spring-cloud-samples/configserver)

You can add HTTP Basic authentication by including an extra dependency on Spring Security (e.g. via spring-boot-starter-security). The user name is "user" and the password is printed on the console on startup (standard Spring Boot approach). If using maven (pom.xml):

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

If you want custom user/password pairs, you need to indicate in the server configuration file

security:
    basic:
        enabled: false

and add this minimal Class in your code (BasicSecurityConfiguration.java):

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
//@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class BasicSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Properties with default values; override them from application.yml,
    // environment variables or the command line (see below).
    @Value("#{'${qa.admin.password:admin}'}")
    String admin_password;

    @Value("#{'${qa.user.password:user}'}")
    String user_password;

    // In-memory users. Spring Boot 1.x / Spring Security 4 accept plain passwords here;
    // Spring Security 5+ requires a PasswordEncoder or a "{noop}" prefix on the value.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("user").password(user_password).roles("USER")
            .and()
            .withUser("admin").password(admin_password).roles("USER", "ACTUATOR");
    }

    // HTTP Basic for the server; the encrypt/decrypt endpoints need an authenticated user.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .httpBasic()
            .and()
            .authorizeRequests()
            .antMatchers("/encrypt/**").authenticated()
            .antMatchers("/decrypt/**").authenticated();
            //.antMatchers("/admin/**").hasAuthority("ROLE_ACTUATOR")
            //.antMatchers("/qa/**").permitAll()
    }

}

@Value("#{'${qa.admin.password:admin}'}") allows passwords to be defined in a property configuration file, environment variables or the command line.

For example (application.yml):

server:
  port: 8888

security:
    basic:
        enabled: false

qa:
  admin:
    password: adminadmin
  user:
    password: useruser

management:
  port: 8888
  context-path: /admin

logging:
  level:
    org.springframework.cloud: 'DEBUG'

spring:
  cloud:
    config:
      server:
        git:
          ignoreLocalSshSettings: true
          uri: ssh://git@gitlab.server.corp/repo/configuration.git

This works for me.

Edit: Instead of the Class, you can put basic user configuration directly in application.yaml:

security:
  basic:
    enabled: true
    path: /**
  ignored: /health**,/info**,/metrics**,/trace**
  user:
    name: admin
    password: tupassword

For Spring Boot 2 the configuration in application.yml is now under spring.security.* (https://docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#security-properties)

spring.security:
  basic:
    enabled: true
    path: /**
  ignored: /health**,/info**,/metrics**,/trace**
  user:
    name: admin
    password: tupassword

alpoza
  • 460
  • 4
  • 7
  • How should a client request this configurations? Thanks. – Fernando Pie Jul 30 '19 at 16:22
  • 1
    I think the question was about not storing a password and username as clear text at all, for security reasons, which I also discovered just now. – Kirill Ch Aug 26 '19 at 15:09
  • You can use org.springframework.security.crypto.factory.PasswordEncoderFactories.createDelegatingPasswordEncoder(); and org.springframework.security.crypto.password.PasswordEncoder.encode(password); to ensure the passwords are not stored in memory in plain text form. – abh Jul 22 '20 at 12:39
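The class in this answer targets Spring Boot 1.x. As an added example (not part of the answer and not Spring Cloud's own code), the same idea written against Spring Boot 3 / Spring Security 6, where WebSecurityConfigurerAdapter is gone and in-memory users must go through a PasswordEncoder, as the comment above suggests. The property names config.server.user.password and config.server.admin.password are assumptions; they are meant to be supplied from environment variables or a secrets mount rather than from a YAML file kept in git.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Added example for a Config Server on Spring Boot 3 / Spring Security 6 (not from the answer above).
@Configuration
@EnableWebSecurity
public class ConfigServerSecurity {

    // Assumed property names. No defaults on purpose: startup fails if the secret is missing,
    // instead of silently falling back to a well-known password.
    @Value("${config.server.user.password}")
    private String userPassword;

    @Value("${config.server.admin.password}")
    private String adminPassword;

    // Delegating encoder: bcrypt by default, hashes are stored with a "{bcrypt}" id prefix,
    // so only the hash (not the clear-text password) lives in the in-memory user store.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Defining this bean also switches off Spring Boot's generated default user.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails user = User.withUsername("user")
                .password(encoder.encode(userPassword))
                .roles("USER")
                .build();
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode(adminPassword))
                .roles("USER", "ACTUATOR")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Clients are non-browser services sending Basic credentials, so CSRF adds nothing here.
            .csrf(csrf -> csrf.disable())
            .httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth
                // Health stays open for load balancers, mirroring the "ignored: /health**" idea above.
                .requestMatchers("/actuator/health").permitAll()
                // Only the admin account may turn plain values into {cipher} values and back.
                .requestMatchers("/encrypt/**", "/decrypt/**").hasRole("ACTUATOR")
                // Everything else (the /{application}/{profile} config endpoints) needs a valid login.
                .anyRequest().authenticated());
        return http.build();
    }
}
```

With this in place the server process holds bcrypt hashes of the two passwords; the clear-text values exist only in the environment that started the process. Restricting /encrypt and /decrypt to the admin role is a choice of this example, not something the answer requires: any client that can call /decrypt with a stolen client credential could otherwise recover every {cipher} value in the repository.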
7

Basic authentication configuration that works for me.

Server-side:

Needed dependency: org.springframework.boot:spring-boot-starter-security

bootstrap.yml

server:
  port: 8888

spring:
  cloud:
    config:
      server:
        git:
          uri: git@bitbucket.org:someRepo/repoName.git
          hostKeyAlgorithm: ssh-rsa
          hostKey: "general hostKey for bitbucket.org"

  security:
    user:
      name: yourUser
      password: yourPassword

Client-side:

bootstrap.yml

spring:
  application:
    name: config
  profiles:
    active: dev
  cloud:
    config:
      uri: http://localhost:8888
      username: yourUser
      password: yourPassword

management:
  security:
    enabled: false

Sources: Spring doc security features, Spring cloud config client security

PawelS
  • 131
  • 2
  • 5
  • Hi, once I added the following, my client side is not resolving properties. Any idea on that? – dasun_001 Feb 04 '21 at 06:12
  • Hello, not sure, maybe just invalid .yml format (it can be sometimes a bit annoying)? can you send some details? – PawelS Feb 09 '21 at 10:46
  • Do I need the spring security dependency on both client and server? Can't make it work :/ still is unauthorized – BugsForBreakfast Nov 09 '21 at 16:39
  • Hey, it should work with adding the dependency only for the config server. You can check if without this dependency you are able to get your config without any authorization, and if this works, add the dependency once again, try to get the config from the browser and you should be redirected to the /login page. – PawelS Nov 10 '21 at 11:09
1

Encrypted text can be placed in bootstrap.yml.

Check -> http://projects.spring.io/spring-cloud/spring-cloud.html#_encryption_and_decryption

Vibhaanshu
  • 169
  • 2
  • 10
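This answer is the one that actually addresses the question (no clear-text credential in the client's bootstrap.yml), so here is an added example of what it looks like in practice; it is not code from the answer or from Spring Cloud. It assumes the symmetric encrypt.key setup, in which Spring Cloud builds its TextEncryptor from Spring Security's Encryptors.text(key, salt) with the salt defaulting to deadbeef, and it needs only spring-security-crypto on the classpath, no running server. The class name CipherValueTool and the ENCRYPT_SALT variable are this example's own; ENCRYPT_KEY is the environment variable Spring Cloud binds to encrypt.key. The password "yourPassword" is the placeholder from the answer above.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;

/**
 * Added example (not Spring Cloud's own tooling): turns a client password into the
 * "{cipher}..." form for bootstrap.yml and checks that it decrypts again with the
 * same key and salt. Encryptors.text derives an AES key with PBKDF2 from the key
 * string and hex salt, encrypts in CBC mode with a fresh random IV and hex-encodes
 * IV plus ciphertext, which is the format a config client or server expects.
 */
public class CipherValueTool {

    public static final String CIPHER_PREFIX = "{cipher}";

    // Spring Cloud's default for encrypt.salt: a hex string, not a second password.
    public static final String DEFAULT_SALT = "deadbeef";

    /** Value to paste into bootstrap.yml, e.g. password: '{cipher}9f3a...'. */
    public static String toCipherProperty(String key, String salt, String plaintext) {
        TextEncryptor encryptor = Encryptors.text(key, salt);
        return CIPHER_PREFIX + encryptor.encrypt(plaintext);
    }

    /** Inverse, for verifying a value copied out of bootstrap.yml with the same key and salt. */
    public static String fromCipherProperty(String key, String salt, String property) {
        if (!property.startsWith(CIPHER_PREFIX)) {
            throw new IllegalArgumentException("not a " + CIPHER_PREFIX + " property");
        }
        TextEncryptor encryptor = Encryptors.text(key, salt);
        return encryptor.decrypt(property.substring(CIPHER_PREFIX.length()));
    }

    public static void main(String[] args) {
        // The key comes from the environment, never from a file in the repository:
        // with it, every {cipher} value is readable; without it, they are opaque hex.
        String key = System.getenv("ENCRYPT_KEY");
        if (key == null || key.isEmpty()) {
            System.err.println("set ENCRYPT_KEY to the value the client and server use for encrypt.key");
            System.exit(1);
        }
        String salt = System.getenv().getOrDefault("ENCRYPT_SALT", DEFAULT_SALT);
        // Constructed placeholder from the answer above; pass the real password as the first argument.
        String clientPassword = args.length > 0 ? args[0] : "yourPassword";

        String property = toCipherProperty(key, salt, clientPassword);
        // Every run prints a different ciphertext (random IV); all of them decrypt to the same value.
        System.out.println("spring.cloud.config.password: '" + property + "'");

        // Round trip with the same key and salt must return the original.
        if (!clientPassword.equals(fromCipherProperty(key, salt, property))) {
            throw new IllegalStateException("round trip failed");
        }
    }
}
```

On the client the printed value goes into bootstrap.yml as `password: '{cipher}...'` (quoted, because an unquoted `{` starts a YAML flow mapping), and the client process is started with ENCRYPT_KEY set; spring-cloud-context then decrypts the value locally at startup before the config server is contacted. The repository ends up holding no usable credential, and the one secret left to manage outside of git is the key. Where even that is more than wanted, the plainer option is a placeholder such as `password: ${CONFIG_PASSWORD}`, resolved from the environment at startup, which keeps the clear-text value out of the file entirely.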