Serving logging.config from a secured config server #721

Closed
ulmermark opened this issue Jun 16, 2017 · 10 comments

ulmermark commented Jun 16, 2017

Currently serve up the logging.config file via plain text from an unsecured config server. Using:

logging.config: ${spn.spring.cloud.config.runtime.uri}/${spring.application.name}/${spring.profiles.active}/${spring.cloud.config.label:master}/logback-spring.xml

Have now secured the web server with basic authentication and would like to use:

logging.config: http://${spring.cloud.config.username}:${spring.cloud.config.password}@localhost:8888/${spring.application.name}/${spring.profiles.active}/${spring.cloud.config.label:master}/logback-spring.xml

The above throws:

java.io.IOException: Server returned HTTP response code: 401 for URL: http://user:cde3$RFV@localhost:8888/spn-rules-svc/local-cloud,debug,unsecured/WD-1675-the-management-env-dump-etc-endp/logback-spring.xml

It appears the Basic Authentication used to pull the remote configuration from the Config service for the microservice client is not used to pull the Plain text as well.

I am able to pull the client's configuration via curl with basic auth.

curl --user 'user:cde3$RFV' http://localhost:8888/spn-eureka-svc/local-cloud,unsecured,debug/WD-1675-the-management-env-dump-etc-endp/logback-spring.xml

Is Serving Plain text from a secured (basic auth) Config Server currently supported? And if so, where can I find any documentation on the proper configuration?

If not supported, where is the best place to start making changes to use a "Secured" Rest Template to add support for serving plain text from a secured config server?

@spencergibb
Member

So, I don't think this is an issue with config server, but the client that loads the logging config.

@spencergibb spencergibb changed the title Serving Plain Text On Secured Config Server Serving logging.config from a secured config server Jun 16, 2017
@ulmermark
Author

Makes sense. But I see a call to

ResourceUtils.getURL(logConfig).openStream().close();
in org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration

that throws an exception prior to ever getting to the logback library and class that does the actual read of the file.

If the above line of code is in place and not modified, changes to read a logging.config file from a secured config server will not work even if the logback library is changed.
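The behaviour reported above, reproduced as an added example that is not part of the original thread or of Spring's code: `java.net.URL` carries `user:password@` as userinfo, but the JDK HTTP handler does not turn it into an `Authorization` header, so a Basic-auth server answers 401 until the header is set explicitly. The class name, credentials and path are constructed for the demo, and the embedded JDK `HttpServer` stands in for a secured config server.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class UserInfoAuthDemo {
    // Constructed credentials, valid only for the local demo server below.
    static final String USER = "user", PASS = "example-password";

    public static void main(String[] args) throws Exception {
        // Local stand-in for a Basic-auth protected server, bound to an ephemeral port.
        HttpServer server = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
        server.createContext("/", ex -> {
            byte[] body = "<configuration/>".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        }).setAuthenticator(new BasicAuthenticator("config") {
            @Override public boolean checkCredentials(String u, String p) {
                return USER.equals(u) && PASS.equals(p);
            }
        });
        server.start();
        try {
            URL url = new URL("http://" + USER + ":" + PASS + "@localhost:"
                    + server.getAddress().getPort() + "/app/default/master/logback-spring.xml");
            // 1) Credentials present only as URL userinfo: no Authorization header is sent.
            System.out.println("userinfo only:   " + status(url, false));
            // 2) Same URL, with the header built from url.getUserInfo().
            System.out.println("explicit header: " + status(url, true));
        } finally {
            server.stop(0);
        }
    }

    // Returns the HTTP status; optionally adds a Basic header derived from the userinfo.
    static int status(URL url, boolean sendHeader) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        if (sendHeader && url.getUserInfo() != null) {
            String token = Base64.getEncoder()
                    .encodeToString(url.getUserInfo().getBytes(StandardCharsets.UTF_8));
            c.setRequestProperty("Authorization", "Basic " + token);
        }
        try { return c.getResponseCode(); } finally { c.disconnect(); }
    }
}
```

As the exception text quoted in this issue shows, a URL with embedded credentials is echoed in full in the `IOException` message, so the password ends up wherever that exception is logged.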

@spencergibb
Member

How about a full stack trace?

@ulmermark
Author

ulmermark commented Jun 19, 2017 via email

@spencergibb
Member

Please, no images of stack traces.

@ulmermark
Author

ulmermark commented Jun 19, 2017

java.io.IOException: Server returned HTTP response code: 401 for URL: http://user:cde34RFV@localhost:8888/spn-rules-svc/local-cloud,debug,unsecured/WD-1675-the-management-env-dump-etc-endp/logback-spring.xml

[sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840), 
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441),
 java.net.URL.openStream(URL.java:1045),
 org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.reinitializeLoggingSystem(PropertySourceBootstrapConfiguration.java:120),
 org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:105), 
org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:635), 
org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:349), 
org.springframework.boot.SpringApplication.run(SpringApplication.java:313), 
org.springframework.boot.SpringApplication.run(SpringApplication.java:1186), 
org.springframework.boot.SpringApplication.run(SpringApplication.java:1175), 
com.spn.rules.RulesApplication.main(RulesApplication.java:25), 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62), 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43), 
java.lang.reflect.Method.invoke(Method.java:498), 
org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49)]

Thread [restartedMain] (Suspended)
PropertySourceBootstrapConfiguration$$EnhancerBySpringCGLIB$$5387cdcc(PropertySourceBootstrapConfiguration).reinitializeLoggingSystem(ConfigurableEnvironment, String, LogFile) line: 130
PropertySourceBootstrapConfiguration$$EnhancerBySpringCGLIB$$5387cdcc(PropertySourceBootstrapConfiguration).initialize(ConfigurableApplicationContext) line: 105
SpringApplication.applyInitializers(ConfigurableApplicationContext) line: 635
SpringApplication.prepareContext(ConfigurableApplicationContext, ConfigurableEnvironment, SpringApplicationRunListeners, ApplicationArguments, Banner) line: 349
SpringApplication.run(String...) line: 313
SpringApplication.run(Object[], String[]) line: 1186
SpringApplication.run(Object, String...) line: 1175
RulesApplication.main(String[]) line: 25
NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]
NativeMethodAccessorImpl.invoke(Object, Object[]) line: 62
DelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 43
Method.invoke(Object, Object...) line: 498
RestartLauncher.run() line: 49

@ulmermark
Author

If the code above did not throw an exception, I believe the next issue would be in the LogbackLoggingSystem class in the following method.

There is a call to ResourceUtils.getURL(location) that would not use Basic Authentication.

	@Override
	protected void loadConfiguration(LoggingInitializationContext initializationContext,
			String location, LogFile logFile) {
		super.loadConfiguration(initializationContext, location, logFile);
		LoggerContext loggerContext = getLoggerContext();
		stopAndReset(loggerContext);
		try {
			configureByResourceUrl(initializationContext, loggerContext,
					ResourceUtils.getURL(location));
		}
		catch (Exception ex) {
			throw new IllegalStateException(
					"Could not initialize Logback logging from " + location, ex);
		}
		List<Status> statuses = loggerContext.getStatusManager().getCopyOfStatusList();
		StringBuilder errors = new StringBuilder();
		for (Status status : statuses) {
			if (status.getLevel() == Status.ERROR) {
				errors.append(errors.length() > 0 ? String.format("%n") : "");
				errors.append(status.toString());
			}
		}
		if (errors.length() > 0) {
			throw new IllegalStateException(
					String.format("Logback configuration error detected: %n%s", errors));
		}
	}

@ulmermark
Author

Decided to go a different route and utilize Spring Security to "permitAll" to a list of URLs from the secured Spring Cloud Config Server.

This will allow the logback-spring.xml file to be accessed without Basic Authentication attached to the URL request. All other requests to the secured Spring Cloud Config Server for an application's properties from a config server client will still require basic authentication attached to the request, which is part of the Spring Cloud Config Client.
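A sketch of the workaround described above, added here as an example and not taken from the commenter's project: it assumes the `WebSecurityConfigurerAdapter` style of Spring Security that was current when this issue was filed, and the class name and matcher pattern are hypothetical. The point is to keep the unauthenticated exception as narrow as the one file it is meant for.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical security configuration for the config server application.
@Configuration
@EnableWebSecurity
public class ConfigServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Only GET, only this file name, only at /{name}/{profile}/{label}/.
                // A comma-separated profile list is still a single path segment.
                // A broader pattern such as "/**" or "/**/*.xml" would expose other
                // plain-text files from the repository without credentials.
                .antMatchers(HttpMethod.GET, "/*/*/*/logback-spring.xml").permitAll()
                // Everything else, including property sources, still needs Basic auth.
                .anyRequest().authenticated()
                .and()
                .httpBasic();
    }
}
```

With this in place, anything written into `logback-spring.xml` is readable without credentials, so the file itself should hold no secrets.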

@ravasconcelos

> Decided to go a different route and utilize Spring Security to "permitAll" to a list of URLs from the secured Spring Cloud Config Server.
>
> This will allow the logback-spring.xml file to be accessed without Basic Authentication attached to the URL request. All other requests to the secured Spring Cloud Config Server for an application's properties from a config server client will still require basic authentication attached to the request, which is part of the Spring Cloud Config Client.

So the conclusion is that it is not possible to have the property like below?
logging.config: http://${spring.cloud.config.username}:${spring.cloud.config.password}@localhost:8888/${spring.application.name}/${spring.profiles.active}/${spring.cloud.config.label:master}/logback-spring.xml

@Rohit-Kmr

I was able to find a way around but not solve it.
I put the
logging.config=${spn.spring.cloud.config.runtime.uri}/${spring.application.name}/${spring.profiles.active}/${spring.cloud.config.label:master}/logback-spring.xml
inside the properties file in the git repo.
