
Is it correct that the eureka and config endpoints provided by the jhipster-registry are not secured or am I doing something wrong?

I started the jhipster-registry (latest Docker image) with the oauth2 profile and a Keycloak configuration. When I try calling the eureka/apps REST endpoint without basic authentication, I get the login page HTML of Keycloak - that's ok. If I send the basic authentication header, I always get a result - even if I send it empty or with a user that does not exist.

Is this the intended behaviour or am I missing some configuration?

Thanks! Kristina

Kristina
  • If you logged in to Keycloak, you will send the cookie with each request (even when accessing the URL directly in a browser). I couldn't reproduce your issue, I get a 401 error when trying with curl, which doesn't send the cookies by default: `curl -v http://user:user@localhost:8761/api/eureka/applications` – Jon Ruddell Feb 12 '19 at 18:16
  • With your URI (with the api part) I get a 401 as well - but with the following I get a result: `curl -v http://user:user@localhost:8761/eureka/apps` – Kristina Feb 13 '19 at 07:27
  • If I understand it correctly, /api/eureka/applications is a Resource that is defined by the jhipster-registry itself, to show the applications in the UI. /eureka/apps is a REST endpoint defined by eureka itself. Is basic authentication supposed to work for the eureka endpoints? – Kristina Feb 14 '19 at 07:51
  • You're right, that's definitely not the intended behavior. I opened a PR fixing it here: https://github.com/jhipster/jhipster-registry/pull/331 – Jon Ruddell Feb 15 '19 at 06:37
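A small regression check for the behaviour discussed in this thread, added here as an example (it is not code from the question, the jhipster-registry project or the linked PR): it requests the two paths named above once anonymously and once with constructed, non-existent credentials, and flags a path that hands out registry data to the bogus login. The base URL, the marker strings used to recognise Eureka data, and the bogus credentials are assumptions.

```python
"""Check whether a JHipster Registry's Eureka endpoints accept arbitrary basic auth."""
import base64
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8761"  # assumed; point this at the registry under test
PATHS = ["/api/eureka/applications", "/eureka/apps"]  # paths from the thread
BOGUS_USER, BOGUS_PASS = "nosuchuser", "wrongpassword"  # constructed credentials


def http_status(url, auth=None):
    """GET url, optionally with HTTP Basic credentials; return (status, body snippet)."""
    req = urllib.request.Request(url)
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read(400).decode(errors="replace")
    except urllib.error.HTTPError as exc:  # 401/403 arrive here, not as a return value
        return exc.code, ""


def looks_like_eureka_data(body):
    """Assumed markers: Eureka's XML registry or the registry UI's JSON listing."""
    stripped = body.lstrip()
    return "<applications" in stripped or stripped.startswith(("{", "["))


def classify(path, fetch=http_status):
    """'accepts-any-basic-auth' (the bug in the question), 'open', or 'protected'."""
    anon_status, anon_body = fetch(BASE_URL + path)
    bogus_status, bogus_body = fetch(BASE_URL + path, auth=(BOGUS_USER, BOGUS_PASS))
    if bogus_status == 200 and looks_like_eureka_data(bogus_body):
        return "accepts-any-basic-auth"
    if anon_status == 200 and looks_like_eureka_data(anon_body):
        return "open"
    # A 401/403, or a 200 carrying the Keycloak login page instead of data, counts as protected.
    return "protected"


def run(paths=PATHS, fetch=http_status):
    """Classify every path; returns a dict so callers can fail a build on bad results."""
    return {path: classify(path, fetch) for path in paths}


if __name__ == "__main__":
    for path, verdict in run().items():
        print(f"{path}: {verdict}")
```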
