Skip to content

Navigation Menu

Explore
By company size
By use case
By industry
View all solutions
Topics
- AI
- DevOps
- Security
- Software Development
- View all
Explore
- GitHub Sponsors
  Fund open source developers
- The ReadME Project
  GitHub community articles
Repositories
- Enterprise platform
  AI-powered developer platform
Available add-ons
Pricing

Search code, repositories, users, issues, pull requests...

Search

Clear

Search syntax tips

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Saved searches

Use saved searches to filter your results more quickly

Name

Query

To see all available qualifiers, see our documentation.

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.

Dismiss alert

zowe / api-layer Public

Notifications You must be signed in to change notification settings
Fork 65
Star 57

Code
Issues 140
Pull requests 9
Discussions
Actions
Projects 1
Wiki
Security
Insights

Additional navigation options

Code
Issues
Pull requests
Discussions
Actions
Projects
Wiki
Security
Insights

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: replace default spring x509 authentication in zaas #3971

Merged

richard-salac merged 13 commits into v3.x.x from reboot/fix/replace-default-x509-auth

Feb 5, 2025

Merged

fix: replace default spring x509 authentication in zaas #3971

richard-salac merged 13 commits into v3.x.x from reboot/fix/replace-default-x509-auth

Feb 5, 2025

Conversation 6 Commits 13 Checks 28 Files changed

Conversation

Copy link

Contributor

richard-salac commented Jan 30, 2025 •

edited

Loading

Description

Zaas is using two level authentication, Zowe server certificate is required on top of traditional client authentication (x509, credentials, token,....). This is causing unexpected behavior with spring X509 authentication when Zowe server certificate may get propagated as authenticated username. To avoid such situations the spring x509 was disabled when possible.

Linked to # (issue)
Part of the # (epic)

Type of change

Please delete options that are not relevant.

fix: Bug fix (non-breaking change which fixes an issue)
feat: New feature (non-breaking change which adds functionality)
docs: Change in a documentation
refactor: Refactor the code
chore: Chore, repository cleanup, updates the dependencies.
BREAKING CHANGE or !: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

My code follows the style guidelines of this project
PR title conforms to commit message guideline ## Commit Message Structure Guideline
I have commented my code, particularly in hard-to-understand areas. In JS I did provide JSDoc
I have made corresponding changes to the documentation
My changes generate no new warnings
I have added tests that prove my fix is effective or that my feature works
New and existing unit tests pass locally with my changes
The java tests in the area I was working on leverage @nested annotations
Any dependent changes have been merged and published in downstream modules

For more details about how should the code look like read the Contributing guideline

Sorry, something went wrong.

All reactions

pull-request-size bot added the size/XL label

github-actions bot added the Sensitive Sensitive change that requires peer review label


          fix: replace default x509 with categorize certs filter in zaas

8fa0f70

Signed-off-by: Richard Salac <richard.salac@broadcom.com>

richard-salac force-pushed the reboot/fix/replace-default-x509-auth branch from 26ecb0e to 8fa0f70 Compare

January 30, 2025 10:43

pull-request-size bot added size/L and removed size/XL labels

richard-salac added 2 commits

January 30, 2025 15:48


          wip: force gateway always use server certificate when calling zaas

beb4dea

Signed-off-by: Richard Salac <richard.salac@broadcom.com>

Signed-off-by: Richard Salac <richard.salac@broadcom.com>


          wip: new filter to check for client certificate presence

027cf25

Signed-off-by: Richard Salac <richard.salac@broadcom.com>

Signed-off-by: Richard Salac <richard.salac@broadcom.com>

pull-request-size bot added size/XL and removed size/L labels


          Merge branch 'v3.x.x' into reboot/fix/replace-default-x509-auth

0ec425d

Signed-off-by: Richard Salač <richard.salac@broadcom.com>

richard-salac force-pushed the reboot/fix/replace-default-x509-auth branch 3 times, most recently from 9d17404 to c75cd98 Compare

January 31, 2025 23:00

pull-request-size bot added size/XXL and removed size/XL labels

richard-salac added 2 commits

February 4, 2025 19:07


          fix: replace default spring x509 authentication in zaas

a3595fe

Signed-off-by: Richard Salac <richard.salac@broadcom.com>


          fix: merge and cleanup

db72134

Signed-off-by: Richard Salac <richard.salac@broadcom.com>

richard-salac force-pushed the reboot/fix/replace-default-x509-auth branch from 7f3f1b0 to db72134 Compare

February 4, 2025 18:07


          Merge branch 'v3.x.x' into reboot/fix/replace-default-x509-auth

b5636ce

pull-request-size bot added size/L and removed size/XXL labels


          chore: code cleanup

9bd52ee

Signed-off-by: Richard Salac <richard.salac@broadcom.com>

pablocarle reviewed

View reviewed changes

zaas-service/src/test/resources/application.yml Show resolved Hide resolved

...y-common/src/test/java/org/zowe/apiml/security/common/auth/saf/SafResourceAccessSafTest.java Outdated Show resolved Hide resolved

richard-salac and others added 3 commits

February 5, 2025 13:14

cr

633ccfe

Signed-off-by: Richard Salac <richard.salac@broadcom.com>


          Update apiml-security-common/src/test/java/org/zowe/apiml/security/co…

d68139f

…mmon/auth/saf/SafResourceAccessSafTest.java

Co-authored-by: Pablo Carle <pablocarle@users.noreply.github.com>
Signed-off-by: Richard Salač <richard.salac@broadcom.com>


          chore: javadoc

b1ad98f

Signed-off-by: Richard Salac <richard.salac@broadcom.com>

pablocarle approved these changes

View reviewed changes

Copy link

Contributor

pablocarle left a comment

There was a problem hiding this comment.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple minor comments

Sorry, something went wrong.

All reactions

zaas-service/src/main/java/org/zowe/apiml/zaas/security/config/NewSecurityConfiguration.java Outdated Show resolved Hide resolved

zaas-service/src/main/java/org/zowe/apiml/zaas/security/config/NewSecurityConfiguration.java Show resolved Hide resolved

richard-salac added 2 commits

February 5, 2025 17:26


          fix: cleanup the CertificateOrAuthProtectedEndpoints security config

7d8edfe

Signed-off-by: Richard Salac <richard.salac@broadcom.com>


          remove obsolete comment

097d1cf

Signed-off-by: Richard Salac <richard.salac@broadcom.com>

Copy link

sonarqubecloud bot commented Feb 5, 2025

Quality Gate failed

Failed conditions
75.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

All reactions

Sorry, something went wrong.

richard-salac merged commit 6290b1f into v3.x.x

27 of 28 checks passed

richard-salac deleted the reboot/fix/replace-default-x509-auth branch

February 5, 2025 19:07

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

pablocarle pablocarle approved these changes

Assignees

No one assigned

Labels

Sensitive change that requires peer review

Projects

API Mediation Layer Backlog Management

Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.

Footer

© 2025 GitHub, Inc.

Footer navigation

Terms
Privacy
Security
Status
Docs
Contact

You can’t perform that action at this time.