spring-guides / tut-spring-security-and-angular-js

Spring Security and Angular: A tutorial on how to use Spring Security with a single page application with various backend architectures, ranging from a simple single server to an API gateway with OAuth2 authentication.
https://spring.io/guides/tutorials/spring-security-and-angular-js/

Update to spring boot 2 #179

Open 8rV1n opened 6 years ago

8rV1n commented 6 years ago

I'm using Spring Boot release 2 and I found some things are different, especially in the security part, which made my application hard to transfer to Angular.

dsyer commented 6 years ago

No, these samples have not been upgraded to Spring Boot 2.0. Please see the migration guide if you want help with your own project (or are volunteering to update this one): https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Migration-Guide.

8rV1n commented 6 years ago

I'm trying something with formLogin right now, but something strange occurred: I just got error situations without any more information available. I will try basic login in a few days and if it succeeds I might update this.

Wolfonye commented 6 years ago

Sorry if this is potential content for a new issue, but I think the relation is strong enough to this one, so my question is:

Is it planned for the near future to update this guide to more recent versions?

I am not only asking this with regards to spring-boot(->security) but also to angular which underwent some major changes in the meantime. The corresponding tutorial is hard to follow as it is now with recent versions, due to the changes that have to be researched and made. Until now I didn't find a good introduction of similar scope which was quite well, so it would be really helpful to see an update on this one.

8rV1n commented 6 years ago

@Wolfonye I had used this version of spring for integration with angular the latest about a month ago and it was working in form login case. I think it's also the same mechanism for both the angular and the spring boot 2.0. So from what I've understood, you're worrying about changes from angular that may affect the tutorial and the correction of the tutorial, is that right?

Wolfonye commented 6 years ago

@ArvinSiChuan Correct; at least that's what I ran into while doing the tutorial; I will try to give some examples; first: the linked source which describes integrating angular into the build mechanisms is not up to date with changes in Angular (changed naming of the cli-config-file, that one is quite simple to fix; I think there is an open issue on their side). Further, as of Angular...6.. I think, this:

this.http.post('logout', {}).finally(() => [...]

will no longer work as referred to in app.component.ts (I refer to the version of the file after first revision of security issues with basic authentication, which btw. may need explanation of creation of own certificates for testing, but that's not this issue I suppose) in the official tutorial:

https://spring.io/guides/tutorials/spring-security-and-angular-js/

due to breaking changes in rxjs; see:

https://github.com/ReactiveX/rxjs/blob/master/doc/pipeable-operators.md

Relevant Versions I used:

avi613 commented 6 years ago

Hi,

I'm starting a brand new project using Spring Boot 2 and Angular 5 (hopefully 6 rapidly).

A "Getting Started" tutorial in those up-to-date versions would be most welcome.

Hope it's coming out any time soon.

dsyer commented 6 years ago

There's a branch "boot2" which you can use to get off the ground. Coverage is limited to the first two or three sections of the guide at the minute.

Wolfonye commented 6 years ago

@dsyer Good to see there is work going on on this! Thank you for your efforts! I am not sure; should I open a separate issue for the angular-part of this?

dsyer commented 6 years ago

Up to you. My plan was to get Boot 2 working first and then upgrade Angular (seems like it won't be too hard).

avi613 commented 6 years ago

The Angular part of the tutorial would be extremely welcome anyway!

dsyer commented 6 years ago

The "vanilla" sample is now working on the boot2 branch. I think upgrading Angular will be easy (see https://github.com/dsyer/spring-boot-angular for example - there's an "upgrade" branch where I moved from Angular 4 to 6, and master is Angular 6).

dsyer commented 6 years ago

The "proxy" sample is now working with Boot 2. I removed the "spring-session" sample (never liked that one anyway).

avi613 commented 6 years ago

Keep going! THX!

avi613 commented 6 years ago

Just want to make sure, the way to run down this tutorial is

  1. basic
  2. vanilla
  3. proxy
  4. ...

?

dsyer commented 6 years ago

Yes. Look at the top level README.

dsyer commented 6 years ago

@avi613 that's a comment on a different project, right? Can you open a new issue there, please?

avi613 commented 6 years ago

sure! sorry!

I just deleted my comment not to confuse people.

I opened the following issue #11 in your project.

mradulpandey commented 5 years ago

Please keep going, waiting for oauth2 examples thanks.

a759116 commented 5 years ago

Thank you very much for a great tutorial that demonstrates various aspects of architecture and provides a complete solution. I'm trying to make "double" work for Spring Boot 2.1.2. I'm facing some issues, and having some observations too. I would appreciate it if you could clarify my understanding and answer my questions.

I took the tutorial code developed for Spring Boot 1.5, and modified it to use Spring Boot 2.1.2. I used Webflux for Gateway application. However, it's not working as expected. When I launch the application, it's throwing the basic login pop-up, not sure why is that happening. After login, I can see options to navigate to UI or Admin. But the navigation to UI is not working. It seems like session sharing is not happening.

I would appreciate if you could clarify my doubts and provide some guidance.

dsyer commented 5 years ago

Session persistence would be an issue you should raise in the Spring Session project: https://github.com/spring-projects/spring-session. Having said that, I don't think it's a good solution for single-sign on (and the text in the tutorial says as much), so I wouldn't use it if I were you. I think the "double" sample only uses it because it is easy to set up and usually doesn't distract from the rest of the features it is exposing.

Zuul with Spring Cloud remains the best general purpose gateway for the servlet API - maintenance mode doesn't mean it isn't supported. I would switch when it was convenient - e.g. when I don't need the servlet API any more.

If you have questions about how the Gateway (Webflux new version) works with OAuth2, this is also not the right place to ask. Try here: https://github.com/spring-cloud/spring-cloud-gateway.

This guide might stay on Spring Boot 1.5 until all the features it uses are available in Spring Boot 2.x (e.g. see https://github.com/spring-projects/spring-security/issues/6320), or we could migrate it using the shim project (https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/htmlsingle/) - there is a "boot2" branch in this project that does that (it's work in progress, as mentioned already above).

a759116 commented 5 years ago

Dave, Thanks for your prompt response. I could make double work with boot 2, and raised a pull request with my changes.

I liked the simplicity of spring session to take care of SSO in a distributed architecture. However, I would not use it. I would try with OAuth / JWT. I would see if I could make it work for double. Would you have any recommendation?

Thanks

a759116 commented 5 years ago

I could update oauth2-vanilla and oauth2 to boot 2. I also changed double to integrate with authserver and use JWT for SSO. I've made pull request for all these changes.

a759116 commented 5 years ago

Dave,

I've fixed junit test issues, and added a pom for double-oauth2. For some reason, my local settings flag pom to be in error state if I add the following

npm-test npm run-script e2e test

Hence, I've commented that out, and build angular from the command prompt using ng build. Please review and let me know if you have any comments.

tamaro-skaljic commented 4 years ago

I've created a new fork to migrate from Spring Boot 1...RELEASE to 2.2.5.RELEASE. Finished: basic,

In progress: single. Adding Default HTTP Request Headers does not work anymore, browser pops up the basic authentication dialogue (which destroys the logout behavior, see #231)

If you run the app at this point you will find that the browser pops up a Basic authentication dialogue (for user and password). It does this because it sees a 401 response from the XHR requests to /user and /resource with a "WWW-Authenticate" header. The way to suppress this popup is to suppress the header, which is coming from Spring Security. And the way to suppress the response header is to send a special, conventional request header "X-Requested-With=XMLHttpRequest".

Coming soon: vanilla, spring-session, proxy, oauth2, oauth2-vanilla, oauth2-logout, double, testing
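
The header mechanism from the tutorial passage quoted in the last comment, as an added example that is not part of this thread or of the tutorial's code: it checks whether a response would trigger the browser's Basic dialogue, with and without the X-Requested-With marker. All function names are hypothetical, and `unauthenticatedResponse` is a simplified model of the server behaviour the passage describes, not Spring Security itself.

```typescript
type HeaderMap = Record<string, string>;
// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers: HeaderMap, name: string): string | undefined {
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === name.toLowerCase()) return headers[key];
  }
  return undefined;
}

// Schemes offered by a WWW-Authenticate value (may hold several challenges).
function challengeSchemes(value: string): string[] {
  const bare = value.replace(/"(?:[^"\\]|\\.)*"/g, '""'); // hide commas inside quotes
  const schemes: string[] = [];
  for (const part of bare.split(",")) {
    // A scheme is a token followed by whitespace or end; "name=value" is a parameter.
    const m = /^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:\s+(?!=)|$)/.exec(part);
    if (m) schemes.push(m[1].toLowerCase());
  }
  return schemes;
}

// True when the response carries what the browser's native dialogue reacts to.
function triggersBasicDialog(status: number, headers: HeaderMap): boolean {
  const value = getHeader(headers, "WWW-Authenticate");
  return status === 401 && value !== undefined && challengeSchemes(value).indexOf("basic") !== -1;
}

// Client side: mark a request as XHR, as the quoted text prescribes.
function withXhrMarker(headers: HeaderMap): HeaderMap {
  return Object.assign({}, headers, { "X-Requested-With": "XMLHttpRequest" });
}

// ASSUMPTION: simplified model of the server behaviour the quoted text describes.
function unauthenticatedResponse(request: HeaderMap): { status: number; headers: HeaderMap } {
  const headers: HeaderMap = {};
  if (getHeader(request, "X-Requested-With") !== "XMLHttpRequest") {
    headers["WWW-Authenticate"] = 'Basic realm="Realm"'; // constructed sample value
  }
  return { status: 401, headers };
}

// Constructed sample: the same unauthenticated call without and with the marker.
function demo(): boolean[] {
  const base: HeaderMap = { Accept: "application/json" };
  return [base, withXhrMarker(base)].map(req => {
    const res = unauthenticatedResponse(req);
    return triggersBasicDialog(res.status, res.headers);
  });
}
```

`triggersBasicDialog` can be pointed at the status and headers captured from the real /user and /resource calls to confirm whether the marker header is actually reaching the server.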