Latest Snapshot version with brixton.release
I have 1 of my spring boot apps that is secure with basic auth. When I enter my credential it's never accept it. I tried to rollback to 1.3.2 and that is working.
I'm working with Eureka Brixton.Release too.
If you think it's absolutly not on your side I will dig more.
Thanks
With Spring Cloud Brixton sensitive headers (like authorization, cookie, set-cookie) are by default not passed along to the downstream server.
Please update to the latest Spring Boot Admin snapshot. With this version you can disable the filtering of the authorization header by setting zuul.sensitiveHeaders= in your application.properties.
For more information on this topic:
http://cloud.spring.io/spring-cloud-static/spring-cloud.html#_cookies_and_sensitive_headers
Sorry Johanne, i may be slow but i'm not sure to understand.
I tried to put
zuul:
sensitive-headers: Authorization
or
zuul:
sensitive-headers:
in my project that admin-server is running but it's not doing anything more. Still not let me login to my service, What I'm missing?
Thanks for the help
Did you fetch the latest snapshot? (mvn clean install -U)
setting this in my application.yml works for me.
zuul:
sensitiveHeaders:
So no header is filtered.
If you specify Authorization it won't work, cause it will get filtered.
I run from the command line instead of intellij and it works! Sorry for that!
Hi @joshiste,
When using security for the clients, do they have to use the same username/password as the spring boot admin security?
I've been trying to get the user/passwords to pass from spring boot and the only way I've gotten it to work is by setting:
zuul.sensitiveHeaders=
in application.properties and by setting the security.user.name and security.user.password the same for my client application and the spring boot admin application.
If i use different credentials thent he box just keeps popping up until i click cancel, where it gets a 401 response.
Is there a way to have the username and password on a "per client" basis? Would it be possible to add some properties like:
spring.boot.admin.client.username
spring.boot.admin.client.password
Which spring boot admin could then use to create an Authorization header when sending the request to the client endpoint?
When using security for the clients, do they have to use the same username/password as the spring boot admin security?
When using basic auth, yes. Here are some samples using a different approach: https://github.com/joshiste/spring-boot-admin-samples
Is there a way to have the username and password on a "per client" basis?
There isn't. Currently credentials aren't submitted to the admin server when registering. At the moment I refuse to have the credentials inside the admin server, cause the need extra protection.
Thanks for the reply @joshiste I'm going to spend some time today having a look at the possibility of adding an "in memory" ADMIN user for each application, that could read the spring.boot.admin.user and password properties from the application.properties file.
I'll let you know if I make any progress :)
Your example doesn't work for me.
spring.boot.admin.auth.* doesn't exist in the class AdminServerPropertiesAuthorization header. But the admin server app replies with a HTTP code 401 and the HTTP basic auth is prompted again immediately.@carlmoser if it helps, it looks to be commented out here (line 49):
https://github.com/joshiste/spring-boot-admin-samples/blob/master/basic-auth/admin-server/src/main/java/com/github/joshiste/spring/boot/admin/samples/admin/AdminApplication.java
Not sure if that's useful or not?
Most helpful comment
Did you fetch the latest snapshot? (
mvn clean install -U)setting this in my
application.ymlworks for me.So no header is filtered.
If you specify
Authorizationit won't work, cause it will get filtered.