JHipster UAA does not work on the master branch

[jdubois]

I'm testing the current master branch, which will become JHipster 5 soon.

Doing a simple microservice architecture with JHipster UAA, I'm not redirected to the UAA server, so obviously I'm not correctly authenticated and it fails.

@xetys do you have the time to take a look? It might not be very complex, we didn't touch that part as far as I remember

[xetys]

seems like it's time to move all my kubernetes/go/bachelor-thesis stuff aside...I'll schedule the next weeks for more JHipster topics as the list is growing..

[jdubois]

I'm sorry about this @xetys - I hope it's not something very complex, I don't understand why there is anything broken here, we're mostly working on React, so the Angular part should work as well as before

[xetys]

don't feel sorry, you are doing a huge piece of work on v5 and it's obvious that stuff gets broken. I just had a lot of time problems in the past, as of my k8s focus and pending thesis and some private issues...

hard to keep everything in focus, but yeah, I will do that the next days.

[jdubois]

Oh, but whatever happens, put your private issues first....

[BhawaniSingh]

I'll look over this weekend.

[BhawaniSingh]

@jdubois I think I've found the source of issue,

Issue is in UAA

In Spring security 4, in DaoAuthenticationProvider class, PasswordEncoder from package org.springframework.security.authentication.encoding is used, and for matching the password boolean isPasswordValid(String encPass, String rawPass, Object salt); was being used, for requests with Basic Authorization Header salt is null, so the encPass && rawPass is always same (changeit)

But In Spring security 5, in DaoAuthenticationProvider class, PasswordEncoder from package org.springframework.security.crypto.password is used, and for matching the password
boolean matches(CharSequence rawPassword, String encodedPassword); is used, but the value for rawPassword, encodedPassword is same (changeit in our case), but encodedPassword has to be a BcryptString or else it will, this is causing UAA to fail

When I generated the UAA from the latest release (4.14.1) and other part of microservices from the master branch, login was success

Let me know If more detail is required,

Sorry for my bad English

[BhawaniSingh]

To fix this issue, we need to add PasswordEncoder dependency from package org.springframework.security.crypto.password.PasswordEncoder in UaaConfiguration and encode the inMemory Secret.

I've tested it and It works fine. Its too late now (4 AM) I'll create a pull request for the same

[jdubois]

Oh thanks so much for the detailed analysis!!! Could you do a PR on this?

[BhawaniSingh]

Sure, but it’s too late over here now, I’ll do one over the weekend

…

On Sat, 17 Mar 2018 at 4:42 AM, Julien Dubois ***@***.***> wrote: Oh thanks so much for the detailed analysis!!! Could you do a PR on this? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#7301 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACk9e_2t3BDlPpJbU19Lq7jfy-64MjZdks5tfEb0gaJpZM4SsVbS> .

[jdubois]

Closing as #7310 is merged