Sync docs from master to gh-pages
This commit is contained in:
@@ -477,18 +477,8 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
|
||||
<li><a href="#_turbine">Turbine</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#spring-cloud-feign">Declarative REST Client: Feign</a>
|
||||
<ul class="sectlevel2">
|
||||
<li><a href="#spring-cloud-feign-without-eureka">Example: How to Use Feign Without Eureka</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#spring-cloud-ribbon">Client Side Load Balancer: Ribbon</a>
|
||||
<ul class="sectlevel2">
|
||||
<li><a href="#_customizing_the_ribbon_client">Customizing the Ribbon Client</a></li>
|
||||
<li><a href="#_using_the_ribbon_api_directly">Using the Ribbon API Directly</a></li>
|
||||
<li><a href="#_spring_resttemplate_as_a_ribbon_client">Spring RestTemplate as a Ribbon Client</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#spring-cloud-feign">Declarative REST Client: Feign</a></li>
|
||||
<li><a href="#spring-cloud-ribbon">Client Side Load Balancer: Ribbon</a></li>
|
||||
<li><a href="#_external_configuration_archaius">External Configuration: Archaius</a></li>
|
||||
<li><a href="#_router_and_filter_zuul">Router and Filter: Zuul</a>
|
||||
<ul class="sectlevel2">
|
||||
@@ -523,7 +513,6 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
|
||||
<li><a href="#_token_relay">Token Relay</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#_configuring_downstream_authentication">Configuring Downstream Authentication</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#_spring_cloud_for_cloud_foundry">Spring Cloud for Cloud Foundry</a>
|
||||
@@ -636,10 +625,7 @@ repository. Then try it out as a client:</p>
|
||||
repository (at "spring.cloud.config.server.git.uri") and use it to
|
||||
initialize a mini <code>SpringApplication</code>. The mini-application’s
|
||||
<code>Environment</code> is used to enumerate property sources and publish them
|
||||
via a JSON endpoint.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>The HTTP service has resources in the form:</p>
|
||||
via a JSON endpoint. The service has resources in the form:</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
@@ -655,10 +641,7 @@ via a JSON endpoint.</p>
|
||||
<code>SpringApplication</code> (i.e. what is normally "application" in a regular
|
||||
Spring Boot app), "profile" is an active profile (or comma-separated
|
||||
list of properties), and "label" is an optional git label (defaults to
|
||||
"master".)</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>The YAML and properties forms are coalesced into a single
|
||||
"master".) The YAML and properties forms are coalesced into a single
|
||||
map, even if the origin of the values (reflected in the
|
||||
"propertySources" of the "standard" form) has multiple sources.</p>
|
||||
</div>
|
||||
@@ -689,7 +672,7 @@ users. Example Maven configuration:</p>
|
||||
<dependency>
|
||||
<groupId>org.springframework.cloud</groupId>
|
||||
<artifactId>spring-cloud-starter-parent</artifactId>
|
||||
<version>1.0.0.BUILD-SNAPSHOT</version>
|
||||
<version>1.0.0.RC1</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
@@ -795,66 +778,10 @@ Server? The strategy that governs this behaviour is the
|
||||
<code>EnvironmentRepository</code>, serving <code>Environment</code> objects. This
|
||||
<code>Environment</code> is a shallow copy of the domain from the Spring
|
||||
<code>Environment</code> (including <code>propertySources</code> as the main feature). The
|
||||
<code>Environment</code> resources are parametrized by three variables:</p>
|
||||
</div>
|
||||
<div class="ulist">
|
||||
<ul>
|
||||
<li>
|
||||
<p><code>{application}</code> maps to "spring.application.name" on the client side;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p><code>{profile}</code> maps to "spring.active.profiles" on the client (comma separated list); and</p>
|
||||
</li>
|
||||
<li>
|
||||
<p><code>{label}</code> which is a server side feature labelling a "versioned" set of config files.</p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Repository implementations generally behave just like a Spring Boot
|
||||
application loading configuration files from a "spring.config.name"
|
||||
equal to the <code>{application}</code> parameter, and "spring.profiles.active"
|
||||
equal to the <code>{profiles}</code> parameter. Precedence rules for profiles are
|
||||
also the same as in a regular Boot application: active profiles take
|
||||
precedence over defaults, and if there are multiple profiles the last
|
||||
one wins (like adding entries to a <code>Map</code>).</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Example: a client application has this bootstrap configuration:</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="title">bootstrap.yml</div>
|
||||
<div class="content">
|
||||
<pre>spring:
|
||||
application:
|
||||
name: foo
|
||||
profiles:
|
||||
active: dev,mysql</pre>
|
||||
</div>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>(as usual with a Spring Boot application, these properties could also
|
||||
be set as environment variables or command line arguments).</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>If the repository is file-based, the server will create an
|
||||
<code>Environment</code> from <code>application.yml</code> (shared between all clients), and
|
||||
<code>foo.yml</code> (with <code>foo.yml</code> taking precedence). If the YAML files have
|
||||
documents inside them that point to Spring profiles, those are applied
|
||||
with higher precendence (in order of the profiles listed), and if
|
||||
there are profile-specific YAML (or properties) files these are also
|
||||
applied with higher precedence than the defaults. Higher precendence
|
||||
translates to a <code>PropertySource</code> listed earlier in the
|
||||
<code>Environment</code>. (These are the same rules as apply in a standalone
|
||||
Spring Boot application.)</p>
|
||||
</div>
|
||||
<div class="sect3">
|
||||
<h4 id="_git_backend">Git Backend</h4>
|
||||
<div class="paragraph">
|
||||
<p>The default implementation of <code>EnvironmentRepository</code> uses a Git
|
||||
backend, which is very convenient for managing upgrades and physical
|
||||
default implementation of <code>EnvironmentRepository</code> uses a Git backend,
|
||||
which is very convenient for managing upgrades and physical
|
||||
environments, and also for auditing changes. To change the location of
|
||||
the repository you can set the "spring.cloud.config.server.git.uri"
|
||||
the repository you can set the "spring.cloud.config.server.uri"
|
||||
configuration property in the Config Server (e.g. in
|
||||
<code>application.yml</code>). If you set it with a <code>file:</code> prefix it should work
|
||||
from a local repository so you can get started quickly and easily
|
||||
@@ -865,29 +792,18 @@ would need to have all instances of the server pointing to the same
|
||||
repository, so only a shared file system would work.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>This repository implementation maps the <code>{label}</code> parameter of the
|
||||
HTTP resource to a git label (commit id, branch name or tag).</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect3">
|
||||
<h4 id="_file_system_backend">File System Backend</h4>
|
||||
<div class="paragraph">
|
||||
<p>There is also a "native" profile in the Config Server that doesn’t use
|
||||
Git, but just loads the config files from the local classpath or file
|
||||
system (any static URL you want to point to with
|
||||
"spring.cloud.config.server.native.locations"). To use the native
|
||||
profile just launch the Config Server with
|
||||
"spring.profiles.active=native".</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>This repository implementation maps the <code>{label}</code> parameter of the
|
||||
HTTP resource to a suffix on the search path, so properties files are
|
||||
Git, but just loads the config files from the local classpath (or
|
||||
anywhere else you want to point to with
|
||||
"spring.cloud.config.server.locations"). To use the native profile
|
||||
just launch the Config Server with "spring.profiles.active=native". In
|
||||
the native profile the repository the "label" specification in the
|
||||
HTTP resources is added to the search path, so properties files are
|
||||
loaded from each search location <strong>and</strong> a subdirectory with the same
|
||||
name as the label (the labelled properties take precedence in the
|
||||
Spring Environment).</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_security">Security</h3>
|
||||
<div class="paragraph">
|
||||
@@ -1692,10 +1608,7 @@ is more convenient to use it behind a wrapper of some sort. Spring
|
||||
Cloud has support for <a href="#spring-cloud-feign">Feign</a> (a REST client
|
||||
builder) and also <a href="#spring-cloud-ribbon">Spring <code>RestTemplate</code></a> using
|
||||
the logical Eureka service identifiers (VIPs) instead of physical
|
||||
URLs. To configure Ribbon with a fixed list of physical servers you
|
||||
can simply set <code><client>.ribbon.listOfServers</code> to a comma-separated
|
||||
list of physical addresses (or hostnames), where <code><client></code> is the ID
|
||||
of the client.</p>
|
||||
URLs.</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
@@ -2040,9 +1953,6 @@ for details on the properties available.</p>
|
||||
<div class="paragraph">
|
||||
<p>The <code>cluster</code> parameter must match an entry in <code>turbine.aggregator.clusterConfig</code>.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Value returned from eureka are uppercase, thus the examples of all uppercase <code>CUSTOMERS</code></p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
<pre>turbine:
|
||||
@@ -2095,86 +2005,13 @@ public interface StoreClient {
|
||||
}</code></pre>
|
||||
</div>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>In the <code>@FeignClient</code> annotation the String value ("stores" above) is
|
||||
the arbitrary name of the client, used to create a configuration
|
||||
prefix (see <a href="#spring-cloud-ribbon">below for details of Ribbon
|
||||
support</a>).</p>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="spring-cloud-feign-without-eureka">Example: How to Use Feign Without Eureka</h3>
|
||||
<div class="paragraph">
|
||||
<p>Eureka is a convenient way to abstract the discovery of remote servers
|
||||
so you don’t have to hard code their URLs in clients, but if you
|
||||
prefer not to use it, Ribbon and Feign are still quite
|
||||
amenable. Suppose you have declared a Feign client as above for
|
||||
"stores", and Eureka is not in use (and not even on the
|
||||
classpath). You should find that the Ribbon client defaults to a
|
||||
configured server list, and you can supply the configuration like this</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="title">application.yml</div>
|
||||
<div class="content">
|
||||
<pre>stores:
|
||||
ribbon:
|
||||
listOfClients: example.com,google.com</pre>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect1">
|
||||
<h2 id="spring-cloud-ribbon">Client Side Load Balancer: Ribbon</h2>
|
||||
<div class="sectionbody">
|
||||
<div class="paragraph">
|
||||
<p>Ribbon is a client side load balancer which gives you a lot of control
|
||||
over the behaviour of HTTP and TCP clients. Feign already uses Ribbon,
|
||||
so if you are using <code>@FeignClient</code> then this section also applies.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>A central concept in Ribbon is that of the named client. Each load
|
||||
balancer is part of an ensemble of components that work together to
|
||||
contact a remote server on demend, and the ensemble has a name that
|
||||
you give it as an application developer (e.g. using the <code>@FeignClient</code>
|
||||
annotation). Spring Cloud creates a new ensemble as an
|
||||
<code>ApplicationContext</code> on demand for each named client using
|
||||
<code>RibbonClientConfiguration</code>. This contains (amongst other things) an
|
||||
<code>ILoadBalancer</code>, a <code>RestClient</code>, and a <code>ServerListFilter</code>.</p>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_customizing_the_ribbon_client">Customizing the Ribbon Client</h3>
|
||||
<div class="paragraph">
|
||||
<p>You can configure some bits of a Ribbon client using external
|
||||
properties in <code><client>.ribbon.*</code>, which is no different than using
|
||||
the Netflix APIs natively, except that you can use Spring Boot
|
||||
configuration files (example
|
||||
<a href="#spring-cloud-feign-without-eureka">above</a>). The native options can
|
||||
be inspected as static fields in <code>CommonClientConfigKey</code> (part of
|
||||
ribbon-core).</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Spring Cloud also lets you take full control of the client by
|
||||
declaring additional configuration (on top of the
|
||||
<code>RibbonClientConfiguration</code>) using <code>@RibbonClient</code>. Example:</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
<pre class="highlight"><code class="language-java" data-lang="java">@Configuration
|
||||
@RibbonClient(name = "foo", configuration = FooConfiguration.class)
|
||||
public class TestConfiguration {
|
||||
}</code></pre>
|
||||
</div>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>In this case the client is composed from the components already in
|
||||
<code>RibbonClientConfiguration</code> together with any in <code>FooConfiguration</code>
|
||||
(where the latter generally will override the former).</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_using_the_ribbon_api_directly">Using the Ribbon API Directly</h3>
|
||||
<div class="paragraph">
|
||||
<p>You can also use the <code>LoadBalancerClient</code> directly. Example:</p>
|
||||
<p>Usage of <code>LoadBalancerClient</code> directly:</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
@@ -2190,12 +2027,8 @@ public class TestConfiguration {
|
||||
}</code></pre>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_spring_resttemplate_as_a_ribbon_client">Spring RestTemplate as a Ribbon Client</h3>
|
||||
<div class="paragraph">
|
||||
<p>You can use Ribbon indirectly via an autoconfigured <code>RestTemplate</code>
|
||||
(provided Spring Cloud and Ribbon are both on the classpath):</p>
|
||||
<p>Indirect usage via <code>RestTemplate</code>.</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
@@ -2210,14 +2043,6 @@ public class TestConfiguration {
|
||||
}</code></pre>
|
||||
</div>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>The URI is inspected to see if it has a full host name, or a virtual
|
||||
one. If it is virtual the Ribbon client is used to create a full
|
||||
physical address. See
|
||||
<a href="http://github.com/{github-repo}/tree/{github-tag}/spring-cloud-netflix-core/src/main/java/org/springframework/cloud/netflix/ribbon/RibbonAutoConfiguration.java">RibbonAutoConfiguration</a>
|
||||
for details of how the <code>RestTemplate</code> is set up.</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect1">
|
||||
@@ -2469,7 +2294,7 @@ sure you have
|
||||
<div class="literalblock">
|
||||
<div class="content">
|
||||
<pre>$ spring version
|
||||
Spring CLI v1.2.0.RELEASE</pre>
|
||||
Spring CLI v1.2.0.RC1</pre>
|
||||
</div>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
@@ -2477,8 +2302,8 @@ Spring CLI v1.2.0.RELEASE</pre>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
<pre class="highlight"><code>$ gvm install springboot 1.2.0.RELEASE
|
||||
$ gvm use springboot 1.2.0.RELEASE</code></pre>
|
||||
<pre class="highlight"><code>$ gvm install springboot 1.2.0.RC1
|
||||
$ gvm use springboot 1.2.0.RC1</code></pre>
|
||||
</div>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
@@ -2487,7 +2312,7 @@ $ gvm use springboot 1.2.0.RELEASE</code></pre>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
<pre class="highlight"><code>$ mvn install
|
||||
$ spring install org.springframework.cloud:spring-cloud-cli:1.0.0.BUILD-SNAPSHOT</code></pre>
|
||||
$ spring install org.springframework.cloud:spring-cloud-cli:1.0.0.RC1</code></pre>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
@@ -2585,7 +2410,7 @@ running on port 8080.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>To limit the scope that the client asks for when it obtains an access token
|
||||
you can set <code>spring.oauth2.client.scope</code> (comma separated or an array in YAML). By
|
||||
you can set <code>oauth2.client.scope</code> (comma separated or an array in YAML). By
|
||||
default the scope is empty and it is up to to Authorization Server to
|
||||
decide what the defaults should be, usually depending on the settings in
|
||||
the client registration that it holds.</p>
|
||||
@@ -2655,96 +2480,46 @@ following properties in the <code>Environment</code>:</p>
|
||||
<div class="ulist">
|
||||
<ul>
|
||||
<li>
|
||||
<p><code>spring.oauth2.client.*</code> with <code>*</code> equal to <code>clientId</code>, <code>clientSecret</code>,
|
||||
<code>accessTokenUri</code>, <code>userAuthorizationUri</code> and one of:</p>
|
||||
<div class="ulist">
|
||||
<ul>
|
||||
<p><code>oauth2.client.*</code> with <code>*</code> equal to <code>clientId</code>, <code>clientSecret</code>,
|
||||
<code>tokenUri</code>, <code>authorizationUri</code> and one of:</p>
|
||||
</li>
|
||||
<li>
|
||||
<p><code>spring.oauth2.resource.userInfoUri</code> to use the "/me" resource
|
||||
<p><code>oauth2.resource.preferTokenInfo=false</code> and
|
||||
<code>oauth2.resource.userInfoUri</code> to use the "/me" resource
|
||||
(e.g. "https://uaa.run.pivotal.io/userinfo" on PWS), or</p>
|
||||
</li>
|
||||
<li>
|
||||
<p><code>spring.oauth2.resource.tokenInfoUri</code> to use the token decoding endpoint
|
||||
(e.g. "https://uaa.run.pivotal.io/check_token" on PWS).</p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>If you specify both the <code>userInfoUri</code> and the <code>tokenInfoUri</code> then
|
||||
you can set a flag to say that one is preferred over the other
|
||||
(<code>preferTokenInfo=true</code> is the default). Or</p>
|
||||
</div>
|
||||
<p><code>oauth2.resource.tokenInfoUri</code> to use the token decoding endpoint
|
||||
(e.g. "https://uaa.run.pivotal.io/check_token" on PWS), or</p>
|
||||
</li>
|
||||
<li>
|
||||
<p><code>spring.oauth2.resource.jwt.keyValue</code> to
|
||||
<p><code>oauth2.resource.jwt.keyValue</code> or <code>oauth2.resource.jwt.keyUri</code> to
|
||||
decode a JWT token locally, where the key is a verification key. The
|
||||
verification key value is either a symmetric secret or PEM-encoded
|
||||
RSA public key. If you don’t have the key and it’s public you can
|
||||
provide a URI where it can be downloaded (as a JSON object with a
|
||||
"value" field) with <code>spring.oauth2.resource.jwt.keyUri</code>. E.g. on PWS:</p>
|
||||
"value" field). E.g. on PWS:
|
||||
+</p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
<pre>$ curl https://uaa.run.pivotal.io/token_key
|
||||
{"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"}</pre>
|
||||
</div>
|
||||
</div>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<div class="admonitionblock warning">
|
||||
<table>
|
||||
<tr>
|
||||
<td class="icon">
|
||||
<div class="title">Warning</div>
|
||||
</td>
|
||||
<td class="content">
|
||||
If you use the <code>spring.oauth2.resource.jwt.keyUri</code> the authorization
|
||||
server needs to be running when your application starts up. It will
|
||||
log a warning if it can’t find the key, and tell you what to do to fix
|
||||
it.
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>You can set the preferred scope (as a comma-separated list or YAML
|
||||
array) in <code>spring.oauth2.client.scope</code>. It defaults to empty, in which case
|
||||
array) in <code>oauth2.client.scope</code>. It defaults to empty, in which case
|
||||
most Authorization Servers will ask the user for approval for the
|
||||
maximum allowed scope for the client.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>There is also a setting for <code>spring.oauth2.client.clientAuthenticationScheme</code> which
|
||||
<p>There is also a setting for <code>oauth2.client.authenticationScheme</code> which
|
||||
defaults to "header" (but you might need to set it to "form" if, like
|
||||
Github for instance, your OAuth2 provider doesn’t like header
|
||||
authentication). The <code>spring.oauth2.client.*</code> properties are bound to an instance
|
||||
of <code>AuthorizationCodeResourceDetails</code> so all its properties can be specified.</p>
|
||||
</div>
|
||||
<div class="admonitionblock tip">
|
||||
<table>
|
||||
<tr>
|
||||
<td class="icon">
|
||||
<div class="title">Tip</div>
|
||||
</td>
|
||||
<td class="content">
|
||||
<div class="paragraph">
|
||||
<p>To set an RSA key value in YAML use the "pipe" continuation
|
||||
marker to split it over multiple lines ("|") and remember to indent
|
||||
the key value (it’s a standard YAML language feature). Example:</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
<pre class="highlight"><code class="language-yaml" data-lang="yaml">oauth2:
|
||||
resource:
|
||||
jwt:
|
||||
keyValue: |
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC...
|
||||
-----END PUBLIC KEY-----</code></pre>
|
||||
</div>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
authentication).</p>
|
||||
</div>
|
||||
<div class="sect3">
|
||||
<h4 id="_access_decision_rules">Access Decision Rules</h4>
|
||||
@@ -2767,7 +2542,7 @@ the matching patterns for the OAuth2 SSO, even if you have
|
||||
<code>OAuth2SsoConfigurer</code> beans as well. The default logout path is
|
||||
"/logout" and it gets similar treatment, as does the "home" page
|
||||
(which is the logout success page, defaults to "/"). Those paths can
|
||||
be overriden by setting <code>spring.oauth2.sso.*' (`loginPath</code>, <code>logoutPath</code> and
|
||||
be overriden by setting <code>oauth2.sso.\*' (`loginPath</code>, <code>logoutPath</code> and
|
||||
<code>home.path</code>).</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
@@ -2792,40 +2567,6 @@ Spring Boot access control (Basic authentication, or whatever custom
|
||||
filters you put in place).</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect3">
|
||||
<h4 id="_integrating_with_the_actuator_endpoints">Integrating with the Actuator Endpoints</h4>
|
||||
<div class="paragraph">
|
||||
<p>The Spring Boot Actuator endpoints ("/env", "/metrics", etc.) if
|
||||
present will, by default, be protected by the standard Spring Boot
|
||||
basic authentication. The SSO authentication filter is added in a
|
||||
position directly behind the filter that intercepts requests to the
|
||||
Actuator endpoints by default (i.e.
|
||||
<code>ManagementProperties.BASIC_AUTH_ORDER + 1</code> which is
|
||||
<code>Ordered.LOWEST_PRECEDENCE-9</code> or <code>2147483636</code>). If you want to change
|
||||
the order you can set <code>spring.oauth2.sso.filterOrder</code>. If you do that
|
||||
and the value is less than the default, then you will need to consider
|
||||
setting the access rules for the Actuator, since they will become
|
||||
accessible to all authenticated users who sign on with the external
|
||||
provider. One way to do that would be to set
|
||||
<code>management.contextPath=/admin</code> (for instance) and use an
|
||||
<code>OAuth2SsoConfigurer</code> to set the access rules, e.g.</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
<pre class="highlight"><code class="language-java" data-lang="java"> @Configuration
|
||||
@EnableOAuth2Sso
|
||||
@EnableAutoConfiguration
|
||||
protected static class TestConfiguration extends OAuth2SsoConfigurerAdapter {
|
||||
@Override
|
||||
public void configure(HttpSecurity http) {
|
||||
http.authorizeRequests()
|
||||
.antMatchers("/admin/**").role("ADMIN")
|
||||
.anyRequest().authenticated();
|
||||
}
|
||||
}</code></pre>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_resource_server">Resource Server</h3>
|
||||
@@ -2837,9 +2578,9 @@ doesn’t need a <code>clientId</code> and <code>clientSecret</code> if it i
|
||||
<code>tokenInfoUri</code> (i.e. if it has <code>jwt.*</code> or <code>userInfoUri</code>).</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>By default <strong>all</strong> your endpoints are protected (i.e. "/**") but you can
|
||||
<p>By default <strong>all</strong> your endpoints are protected (i.e. "/<strong>") but you can
|
||||
pick and choose by adding a <code>ResourceServerConfigurerAdapter</code> (standard
|
||||
Spring OAuth feature), e.g. to protect only the "/api/**" resources</p>
|
||||
Spring OAuth feature), e.g. to protect only the "/api/</strong>" resources</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="title">Application.java</div>
|
||||
@@ -2857,9 +2598,9 @@ class Application extends ResourceServerConfigurerAdapter {
|
||||
.anyRequest().authenticated();
|
||||
}
|
||||
|
||||
@RequestMapping("/api")
|
||||
public String home() {
|
||||
return "Hello World";
|
||||
@RequestMapping('/api')
|
||||
String home() {
|
||||
'Hello World'
|
||||
}
|
||||
|
||||
}</code></pre>
|
||||
@@ -2883,6 +2624,12 @@ it is proxying. Thus the SSO app above can be enhanced simply like this:</p>
|
||||
@EnableZuulProxy
|
||||
class Application {
|
||||
|
||||
@RequestMapping('/')
|
||||
@ResponseBody
|
||||
String home() {
|
||||
'Hello World'
|
||||
}
|
||||
|
||||
}</code></pre>
|
||||
</div>
|
||||
</div>
|
||||
@@ -2903,12 +2650,6 @@ classpath (via <code>@EnableZuulProxy</code>). The
|
||||
just extracts an access token from the currently authenticated user,
|
||||
and puts it in a request header for the downstream requests.</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect1">
|
||||
<h2 id="_configuring_downstream_authentication">Configuring Downstream Authentication</h2>
|
||||
<div class="sectionbody">
|
||||
<div class="paragraph">
|
||||
<p>You can control the authorization behaviour downstream of an
|
||||
<code>@EnableZuulProxy</code> through the <code>proxy.auth.*</code> settings. Example:</p>
|
||||
@@ -2938,6 +2679,7 @@ ProxyAuthenticationProperties</a> for full details.</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<h1 id="_spring_cloud_for_cloud_foundry" class="sect0">Spring Cloud for Cloud Foundry</h1>
|
||||
<div class="openblock partintro">
|
||||
<div class="content">
|
||||
@@ -3031,11 +2773,11 @@ instance).</p>
|
||||
<h3 id="_oauth2_single_sign_on_2">OAuth2 Single Sign On</h3>
|
||||
<div class="paragraph">
|
||||
<p>Spring Cloud Security provides the <code>@EnableOAuth2Sso</code> annotation and
|
||||
binds the app to environment properties in <code>spring.oauth2.*</code>. Spring Cloud
|
||||
binds the app to environment properties in <code>oauth2.*</code>. Spring Cloud
|
||||
for Cloud Foundry just sets up default environment properties so that
|
||||
it all just works if you bind to a Cloud Foundry service instance
|
||||
called "sso". The service credentials are mapped to the SSO
|
||||
properties, i.e. (from <code>spring.oauth2.client.*</code>) <code>clientId</code>, <code>clientSecret</code>,
|
||||
properties, i.e. (from <code>oauth2.client.*</code>) <code>clientId</code>, <code>clientSecret</code>,
|
||||
<code>tokenUri</code>, <code>authorizationUri</code>, (and from <code>oauth2.resource.*</code>)
|
||||
<code>userInfoUri</code>, <code>tokenInfoUri</code>, <code>keyValue</code>, <code>keyUri</code>. Refer to the
|
||||
Spring Cloud Security documentation for details of which combinations
|
||||
@@ -3043,8 +2785,8 @@ will work together. The main thing is that in Cloud Foundry you only
|
||||
need one service to cover all the necessary credentials.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>To use a different service instance name (i.e. not "sso") just set
|
||||
<code>spring.oauth2.sso.serviceId</code> to your custom name.</p>
|
||||
<p>To use a different sercice instance name (i.e. not "sso") just set
|
||||
<code>oauth2.sso.serviceId</code> to your custom name.</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
@@ -3052,7 +2794,7 @@ need one service to cover all the necessary credentials.</p>
|
||||
<div class="paragraph">
|
||||
<p>Spring Cloud Security already has support for decoding JWT tokens if
|
||||
you just provide the verification key (as an environment property). In
|
||||
Cloud Foundry you can pick that property up from a service binding
|
||||
Cloud Foundry you can pick that property up from a servcice binding
|
||||
(<code>keyValue</code> or <code>keyUri</code>).</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
@@ -3090,7 +2832,7 @@ service or the "resource" service if you have one).</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>To use a different sercice instance name (i.e. not "resource" or
|
||||
"sso") just set <code>spring.oauth2.resource.serviceId</code> to your custom name.</p>
|
||||
"sso") just set <code>oauth2.resource.serviceId</code> to your custom name.</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
@@ -3101,13 +2843,13 @@ service or the "resource" service if you have one).</p>
|
||||
<div class="ulist">
|
||||
<ul>
|
||||
<li>
|
||||
<p><code>spring.oauth2.sso.*</code> to <code>vcap.services.${spring.oauth2.sso.serviceId:sso}.credentials.*</code></p>
|
||||
<p><code>oauth2.sso.*</code> to <code>vcap.services.${oauth2.sso.serviceId:sso}.credentials.*</code></p>
|
||||
</li>
|
||||
<li>
|
||||
<p><code>spring.oauth2.client.*</code> to <code>vcap.services.${spring.oauth2.sso.serviceId:sso}.credentials.tokenUri:${vcap.services.${spring.oauth2.resource.serviceId:resource}.credentials.*</code></p>
|
||||
<p><code>oauth2.client.*</code> to <code>vcap.services.${oauth2.sso.serviceId:sso}.credentials.tokenUri:${vcap.services.${oauth2.resource.serviceId:resource}.credentials.*</code></p>
|
||||
</li>
|
||||
<li>
|
||||
<p><code>spring.oauth2.resource.(jwt).*</code> to <code>vcap.services.${spring.oauth2.resource.serviceId:resource}.credentials.tokenUri:${vcap.services.${spring.oauth2.sso.serviceId:sso}.credentials.*</code></p>
|
||||
<p><code>oauth2.resource.(jwt).*</code> to <code>vcap.services.${oauth2.resource.serviceId:resource}.credentials.tokenUri:${vcap.services.${oauth2.sso.serviceId:sso}.credentials.*</code></p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
@@ -3117,7 +2859,7 @@ service or the "resource" service if you have one).</p>
|
||||
</div>
|
||||
<div id="footer">
|
||||
<div id="footer-text">
|
||||
Last updated 2015-01-14 16:13:27 UTC
|
||||
Last updated 2015-01-15 00:14:05 UTC
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
||||
Reference in New Issue
Block a user