Multiple Client IDs on REST API

Hi there,

We are developing an application that has 2 distinct sets of URLs in the rest-api.
The first set are based on the V1 portal and in use by our UI, and have been in place for some time.
The second set is new and is intended for external users, providing a restricted set of calls/data for users to integrate parts of our system into theirs.

Our problem is that we want to stop the users of the second set of URLs being able to call the first set at the URL level (and not be introducing extra data constraints). The default way of managing this in Spring Security would be by giving the second set of users a separate client and secret and then checking the URL against the client ID before it was processed.

The CUBA application.properties only allows for a single client id for all consumers of the API, and has overridden so much of the Spring Security configuration that it is hard to see where we would change things to make it work differently (even if we used the user ID / token to do the check).

We are looking at solving this issue by writing a wrapper that implements multiple client IDs and then checks the id or user token against an allowed list of URLs before forwarding it on to the CUBA Rest API. But before doing this (it's not going to be pretty) I was wondering if anyone had solved a similar issue from within the CUBA framework.

Same question here. In a multi-tenant solution one would expect to have an opportunity to somehow set multiple client IDs…

To register multiple REST API clients you may try the following:

  1. Create and register a project-level rest-dispatcher-spring.xml file. An example of how to do it can be found in the documentation
  2. In the rest-dispatcher-spring.xml override the clientDetailsService bean. In the bean specify all required clients:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security/oauth2
                           http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

    <!-- Overrides the platform's clientDetailsService bean: every client that may obtain tokens is listed here -->
    <oauth2:client-details-service id="clientDetailsService">
        <!-- {noop} marks a plain-text secret (CUBA 7); on 6.10 the secret is given without the prefix -->
        <oauth2:client client-id="client1"
                       secret="{noop}secret1"
                       access-token-validity="${cuba.rest.client.tokenExpirationTimeSec}"
                       refresh-token-validity="${cuba.rest.client.refreshTokenExpirationTimeSec}"
                       authorized-grant-types="${cuba.rest.client.authorizedGrantTypes}"
                       scope="rest-api"/>
        <oauth2:client client-id="client2"
                       secret="{noop}secret2"
                       access-token-validity="${cuba.rest.client.tokenExpirationTimeSec}"
                       refresh-token-validity="${cuba.rest.client.refreshTokenExpirationTimeSec}"
                       authorized-grant-types="${cuba.rest.client.authorizedGrantTypes}"
                       scope="rest-api"/>
    </oauth2:client-details-service>
</beans>
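
Registering two clients as above gives each consumer its own id and secret, but on its own it does not stop a token issued to the external client from calling the UI's URLs, which is the OP's actual goal. As an added example that is not from this thread or from the CUBA platform, here is a Spring servlet filter that enforces a per-client URL allow-list once the resource server has authenticated the bearer token; the client ids, the `/rest/` and `/rest/ext/` prefixes and the filter's placement after the OAuth2 authentication filter in the REST dispatcher's security chain are assumptions, and the XML wiring is not shown.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.filter.OncePerRequestFilter;

// Denies a request when the OAuth2 client that obtained the bearer token may not call the
// requested path. Must run after the OAuth2 authentication filter so the client id is known.
public class ClientUrlRestrictionFilter extends OncePerRequestFilter {
    // Assumed policy: client id -> path prefixes it may call (servlet path + path info).
    // Prefixes end with "/" so that "/rest/ext/" does not also match "/rest/extra".
    private static final Map<String, List<String>> ALLOWED_PREFIXES = new HashMap<>();
    static {
        ALLOWED_PREFIXES.put("client1", Arrays.asList("/rest/"));     // UI client: every REST URL
        ALLOWED_PREFIXES.put("client2", Arrays.asList("/rest/ext/")); // external client: restricted set
    }
    // Pure policy decision, default deny: unknown client, missing path and dot-segments are refused.
    static boolean isAllowed(String clientId, String path) {
        List<String> prefixes = ALLOWED_PREFIXES.get(clientId);
        if (prefixes == null || path == null) {
            return false;
        }
        for (String segment : path.split("/")) {
            if (segment.equals("..") || segment.equals(".")) {
                return false;
            }
        }
        return prefixes.stream().anyMatch(path::startsWith);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof OAuth2Authentication) {
            String clientId = ((OAuth2Authentication) auth).getOAuth2Request().getClientId();
            String path = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());
            if (!isAllowed(clientId, path)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "client " + clientId + " may not call " + path);
                return;
            }
        }
        // No bearer token in the context (e.g. the token endpoint itself): the normal chain decides.
        chain.doFilter(request, response);
    }
}
```

Requests without a bearer token are passed through untouched, so the existing 401 behaviour of the resource server and the token endpoint's client authentication are unchanged; only token-authenticated calls outside a client's allow-list get a 403.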

Thanks Max - this is great and should help me out just fine!

-b

Hi @gorbunkov,

I’ve tried to apply this approach but using release 6.10 there is no effect. I could not use the variables you included although they are set in the app.properties file. They gave some errors but once they were replaced with actual values that disappeared.

But there is no effect either. I’m still able to use the original settings (within the app.properties file) but using the newly configured values does not seem to work.

Am I missing something or is this only working for release 7+?

Thanks for any advice.
-b

Hi,

What variables are you talking about?

Just in case, here is a sample where everything works as expected. It is built on CUBA 7.1. Look at it, maybe you’ve missed something.

rest-multiple-clients.zip (77.0 KB)

If you still have problems with 6.10, please create a sample that demonstrates the issue and attach it here. It’ll be easier to troubleshoot the problem.

Hi @gorbunkov,

Thanks for your sample project. I finally got the time to test this out and found some improvements for my implementation.

But the main issue is that I am unable to use variables like ${cuba.rest.client.tokenExpirationTimeSec}; they do not get parsed with the values set in web-app.properties. This gives an error on the mentioned expiration variables as they need to be integer values, but - more importantly - the ‘secrets’ cannot be set this way, which is needed to provide a way to override them per application instance.

I’m pretty sure this is the issue as I have debugged the code in the org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory class in which these properties get set / converted.

Any ideas why these variables are not parsed? Note I’m still on release 6.10.

Regards,
-b

Just tried to do the same as I did in the previous sample project for a new project based on 6.10. Everything works fine there.

Take a look: rest-multiple-clients-610.zip (77.9 KB)

The only difference between 6.10 and 7.0 is that client passwords don’t need the {noop} prefix in 6.10. See the issue.

Everything else is the same. All properties (myapp.rest.client1.id, cuba.rest.client.tokenExpirationTimeSec) are read from the web-app.properties file.