Spring Boot Microservices with JWT Issues
I am trying to implement an example of Spring Boot Microservices with JWT. I have the following problems:
1) I cannot run all integration tests of the product service even though I defined a bearer token.
2) After logging in and getting an access token, I cannot send any request to the product service. I get a 500 Internal Server Error.
How can I fix it? I hope you can help me.
Here is the repo : https://github.com/Rapter1990/springbootmicroserviceswithsecurity
108 Replies
⌛
This post has been reserved for your question.
Hey @direct_x_34! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
Can you show the stack trace?
💤
Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived.
If your question was not answered yet, feel free to re-open this post or create a new one.
In case your post is not getting any attention, you can try to use /help ping.
Warning: abusing this will result in moderative actions taken against you.
@dan1st | Daniel I see the logs
When I send a request to another service through Api gateway.
https://stackoverflow.com/q/47505778/10871900 or similar may be useful
don't call blocking methods in reactor
I think it happens here: https://github.com/Rapter1990/springbootmicroserviceswithsecurity/blob/main/apigateway%2Fsrc%2Fmain%2Fjava%2Fcom%2Fspringbootmicroservices%2Fapigateway%2Ffilter%2FJwtAuthenticationFilter.java#L56
@dan1st | Daniel I asked someone and opened a pull request. https://github.com/Rapter1990/springbootmicroserviceswithsecurity/pull/1/files
Refactor JwtAuthenticationFilter by hary-singh · Pull Request #1 · ...
Refactor JwtAuthenticationFilter to efficiently manage calls to external services in an asynchronous manner, ensuring the application remains responsive.
https://cdn.discordapp.com/attachments/1262865975192322149/1263043580952449116/image.png?ex=6698cc7f&is=66977aff&hm=0e80db29b55a30d76a3806c761de44d8c877c2072206a5c83fe9bcc0b6233994&
https://cdn.discordapp.com/attachments/1262865975192322149/1263043522962001951/image.png?ex=6698cc72&is=66977af2&hm=a1b59839e8d899638e92c6e92ffd84aae6b98ab076ac7e7f6a76c83559d957f1&
I got this error issue?
@dan1st | Daniel I still couldn't fix the issue.
so you have this interface: https://github.com/Rapter1990/springbootmicroserviceswithsecurity/blob/main/apigateway%2Fsrc%2Fmain%2Fjava%2Fcom%2Fspringbootmicroservices%2Fapigateway%2Fclient%2FUserServiceClient.java
this is blocking
which you cannot use with reactive
you could use Spring's WebClient instead I guess
@dan1st | Daniel One guy opened a pull request but I still got the same error.
Why would the PR change anything?
Product service has also this. https://github.com/Rapter1990/springbootmicroserviceswithsecurity/blob/main/productservice/src/main/java/com/springbootmicroservices/productservice/filter/CustomBearerTokenAuthenticationFilter.java
that's not in reactive code
Do you know the difference between synchronous/blocking and asynchronous/reactive/nonblocking code?
I revised the JwtAuthenticationFilter in the API gateway. I get 401 instead of 500 even though I use a token.
I updated my repo -> https://github.com/Rapter1990/springbootmicroserviceswithsecurity
Spring Security verbose logging?
Here is the console result of the API Gateway.
@dan1st | Daniel
I just updated my repo again. Here are the results.
Did you enable verbose logging in Spring Security?
Yeah, I got this message after I enabled it. I just updated my repo again.
@Twala Hi, I think you can help me. I couldn't fix my issue.
@dan1st | Daniel Hi, what's up? I still couldn't fix the issue.
I also added some logs to check whether the token is valid or not. The token is valid from the user service.
Is it possible to look through it?
Hi, I revised it again. I got this error in product service.
Here is the screenshot
I updated my repo again. I still got the error. @dan1st | Daniel
Did you add verbose Spring Security logs yet? I don't see it in the image
What's the code responsible for that?
I added it into application.yml files of the services.
Can you look through my latest post as I still couldn't fix it?
which post?
the repo is a bit too much to look through on my phone lol
@dan1st | Daniel
Here are the posts
Is there a filter response for it?
If so, can you debug that?
Yeah, it comes from Custom filter in Product Service.
Is the filter called?
I debugged it. Filter is called.
what happens then?
in the debugger
Just a moment. I'm currently using my PC.
Here is the login
Here is the process of creating Product via access token
Here is the logs of api gateway
Here are the logs of other services
I ran the product service in debug mode.
The token is valid through the filter defined in the product service.
Here is the result which I show.
What does getAuthentication() return?
seems like getAuthentication isn't doing something right
I can get the right values from claims
I looked through it again. Here is the information
Can you step to the
?
what is jwt and authorities there?
There is the information
Here is the token info
So you are using UsernamePasswordAuthenticationToken.authenticated(jwt, null, authorities)
Is the filter called once or twice per request?
Here is authentication to be sent to product service.
Which service is that?
User Service
I use user service to validate token through product service
Is that also the user service?
Right
so if you are there the jwt and authorities are filled but if you use step over/step out, you get an empty UsernamePasswordAuthenticationToken?
Here is the filter in product service. Authentication information is empty
When you were debugging that, did it come from the filter or from somewhere else?
It is UserController's method in User Service.
oh so the getAuthentication method is making a call feign
I think you can't transmit UsernamePasswordAuthenticationToken over the network like that
Where is the problem?
Can you make getAuthentication return a custom object (ideally a record) storing just the information you need?
you're returning a UsernamePasswordAuthenticationToken there
this is a network call that cannot properly transmit a UsernamePasswordAuthenticationToken
instead, try to transmit a custom object both parties have that contains all the information for authentication
I already did https://github.com/Rapter1990/springbootmicroserviceswithsecurity/blob/main/productservice/src/main/java/com/springbootmicroservices/productservice/config/JacksonConfig.java for UsernamePasswordAuthenticationToken
and then your CustomBearerTokenAuthenticationFilter can convert it to a UsernamePasswordAuthenticationToken
oh I think you can also use that way but I think your mixin is not sufficient
https://github.com/Rapter1990/springbootmicroserviceswithsecurity/blob/main/productservice/src/main/java/com/springbootmicroservices/productservice/serializer/UsernamePasswordAuthenticationTokenDeserializer.java
https://github.com/Rapter1990/springbootmicroserviceswithsecurity/blob/main/productservice/src/main/java/com/springbootmicroservices/productservice/serializer/UsernamePasswordAuthenticationTokenMixin.java
I also defined serializer for it before.
I think you'd need a custom serializer/deserializer for the UsernamePasswordAuthenticationToken
Can you debug the deserializer? What is p? Does it have all the information you need?
You might also need a serializer
You just attempt to deserialize the principal and the credentials. You deserialize the principal as a string meaning you expect that to be a string. You don't deserialize the authorities. Are you sure about that?
https://github.com/Rapter1990/springbootmicroserviceswithsecurity/blob/8bbb6a01c7799c5b1b87406336ab76a20a32bd5d/productservice/src/main/java/com/springbootmicroservices/productservice/serializer/UsernamePasswordAuthenticationTokenDeserializer.java#L15-L25
I check it now
What the problem is: You serialize a token, send it, receive it, deserialize it and then you don't have the same token (but a token with pretty much no relevant information)
Here is the information of p?
oh that's good
if you step over once, what is principal?
Here is the result
ok so the node.get("principal").asText() seems to be the problem
What should the principal be?
I revised it but nothing changed. I still get the same error.
@dan1st | Daniel I want to show the console output of it.
yeah ok ig that's better
But why set the principal to that json?
What should I do?
What should the principal be?
Here is the principal information
if you want that on the other side as well, you need to deserialize it to a Jwt or equivalent object
not a String
I did it but I got this error message.
ok it seems you cannot deserialize that jwt class
so just create a record with the same components
Ok. I'll try it.
I implemented it.
Here is the error
it means the JWT has an issuedAt field but your record doesn't
you could add that to the record
or if you don't need it, configure jackson to ignore missing fields
I get the same error again.
Here is the console result
Is it possible to test my example as I'm stuck there?