Java Spring Boot Microservice - 403 Forbidden among API Gateway and some services

datdatyul

Active Coder
Hi, as I haven't solved the Okta issue for nearly one month, I created an auth service (creating user and login).

I have a security problem about the connection among the auth service, api gateway and order service.
After I created a user and then logged in, I tried to make a request to the order service with the usage of the api gateway but I got a 403 error.
I couldn't solve the issue. I hope you can help me.

To run the app,
1 ) Run Service Registry (Eureka Server)
2 ) Run config server
3 ) Run zipkin and redis through these commands shown below on docker
Code:
docker run -d -p 9411:9411 openzipkin/zipkin
docker run -d --name redis -p 6379:6379 redis
4 ) Run api gateway
5 ) Run other services
Here is the link : Link
An HTTP status of 403 - Forbidden means that you do not have access to it because you do not have the proper permissions to do so.
I already knew what the issue is.
Where is the problem: in the api gateway, auth service or order service in terms of the security chain?
Can you help me?
As I couldn't solve it, I just wanted to ask you.
Are you able to authenticate properly? If you were to put a breakpoint at the auth call and step through, are you getting a valid auth token?
 
I also asked it on stackoverflow. Here is the link : Link

Here are some screenshots about it : Link
In regards to the screenshots, can you post them here if possible.
Also, never fails lol. CORS issues. Here, this may come in handy :)
 
Attachments (screenshots): 37.PNG, 38.PNG, 39.PNG, 40.PNG, 41.PNG, 42.PNG, 43.PNG, 44.PNG, 45.PNG
I think there can be a problem with the security config in the api gateway, order service and auth service.
I also asked it on stackoverflow but no one answered me. Can you help me?
Here is the link : Text
Have you inspected what that jwt token contains?
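One way to check what the bearer token actually carries before blaming the gateway or the order service, as an added example that is not code from this thread or the poster's project: it issues a constructed HS256 token (placeholder secret and claims), then replays the checks a resource server makes before answering 403: signature, expiry and the granted authority a `@PreAuthorize` rule would look for. Which claim carries the authorities (`authorities`, `roles` or `scope`) is an assumption about how the poster's auth service issues tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; the poster's real secret and claims are not on the page.
SECRET = b"placeholder-demo-secret"
SAMPLE_CLAIMS = {"sub": "alice", "authorities": ["ROLE_USER"], "exp": 1_700_000_000}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims, secret):
    """Issue an HS256 JWT the way a simple auth service would (used here only to build sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def inspect_bearer_token(token, secret, required_authority, now=None):
    """Replay the checks a resource server makes; return findings so every possible cause is visible."""
    now = time.time() if now is None else now
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(_b64url_decode(header_seg))
        claims = json.loads(_b64url_decode(payload_seg))
        provided_sig = _b64url_decode(sig_seg)
    except ValueError:  # wrong segment count or undecodable base64/JSON
        return {"well_formed": False, "signature_ok": False}
    expected_sig = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    # Pin the algorithm: a token whose header says "none" or RS256 must not pass an HMAC check.
    signature_ok = header.get("alg") == "HS256" and hmac.compare_digest(expected_sig, provided_sig)
    # Spring's hasAuthority/hasRole checks look at granted authorities; the claim name is an assumption.
    authorities = claims.get("authorities") or claims.get("roles") or claims.get("scope", "").split()
    return {
        "well_formed": True,
        "signature_ok": signature_ok,
        "expired": claims.get("exp", 0) <= now,
        "authorities": list(authorities),
        "has_authority": required_authority in authorities,
    }
```

A token that verifies and is unexpired but lacks the authority the endpoint requires is exactly the case that yields 403 rather than 401, so the `has_authority` finding is the first one to compare against the service's security config.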
 
Did you try to implement the suggestions here?
After I created a user and logged in, I tried to make a request to the order service with a bearer token through the port number of the api gateway but I got a 403 error.
I cannot run any test method in OrderControllerTest either.
These are my issues which I cannot handle.
A couple of messages ago, you mentioned something about there potentially being something wrong with the config... Let's look at that and compare it to this, which comes from that reference I provided you from Stack Overflow:

(screenshot of the referenced security config attached)
I already disabled it in all security configs as you can see.
Which security config should I revise?
Maybe there is a problem in the gateway?
Can you look through it?
 
All endpoints are defined properly. There is no problem in terms of endpoints.
I already shared all the detailed information about my issue with you.
Is it possible to test my code through the instructions I shared above, if you don't mind?
What happens if you remove that PreAuthorize directive? Are you able to call the endpoint properly?
Unfortunately, I do not have possession of your code, so trying to actually comb through your code and check all of it for any bugs that may be causing the issue and/or issues is not feasible. This is why I am basically playing 21 questions with you lol, so that I can rule out certain potential causes. Just to give you a short tl;dr... there was a similar issue at my work, where we weren't able to make certain calls to the client api endpoint after upgrading to .netcore 6. Part of the issues: outdated documentation for the api services being used. Several endpoints were changed, and not properly documented. The format of the credentials for postman testing was also changed and not documented. So, from experience, I can tell you to bear with me lol