Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jun 02 14:38

    gregturn on master

    Migrate to Jenkins for CI. (compare)

  • Jun 02 14:37

    gregturn on master

    Migrate to Jenkins for CI. (compare)

  • May 18 12:12

    bclozel on main

    Fix unsupported curl syntax for… (compare)

  • May 14 17:00
    AlerpCoder closed #241
  • May 14 16:51
    pivotal-cla commented #241
  • May 14 16:46
    pivotal-cla commented #241
  • May 14 16:46
    AlerpCoder opened #241
  • Apr 27 14:45

    gregturn on main

    (compare)

  • Apr 27 14:44
    gregturn edited #7
  • Apr 27 14:44
    gregturn edited #180
  • Apr 27 14:44
    gregturn edited #211
  • Apr 27 14:44
    gregturn edited #215
  • Apr 27 14:43
    gregturn edited #228
  • Apr 27 14:43
    gregturn edited #232
  • Jan 27 14:55
    BeaRRRRR closed #235
  • Dec 23 2020 23:22
    AJDowds closed #200
  • Dec 23 2020 23:22
    AJDowds closed #201
  • Oct 19 2020 14:08
    Buzzardo synchronize #232
  • Oct 19 2020 14:08

    Buzzardo on boot2

    Update oauth2-vanilla to Boot 2… (compare)

  • Oct 19 2020 14:08
    Buzzardo closed #240
André Ananias Barreto
@andre.barreto_gitlab
@PostMapping()
@ResponseStatus(HttpStatus.CREATED)
@PreAuthorize("hasAnyAuthority('role_admin', 'role_user')")
User create(@RequestBody User user) {
return this.userService.create(user);
}
I don't know if only adding role to the controller is enough, like up there
I also don't know how to create both beans and direct the correct roles to the correct service bean(role_admin check with admin auth service, role_user check with user auth service)
Marcos Barbero
@marcosbarbero
Let me take a step back and ask you, why do you need two auth servers?
André Ananias Barreto
@andre.barreto_gitlab
Since is a microservice architecture we've made two protection services one for authenticating admin roles and other for the users because the have different user structures and databases
majiedahamed
@majiedahamed
Hi ...How can i use oauth2 accesstoken(opaque) received by doing an http(clientid,secret,usr,pass as params) call to an oauth2 server(password grant) for authenticating in springsecurity (for setting securitycontext)
majiedahamed
@majiedahamed
Iam trying to do external integration with my Springsecurity-Oauth2 based application https://i.stack.imgur.com/hVv8E.png
Please let me know if the approach is right ?
muhmadtabrez
@muhmadtabrez
@marcosbarbero Is there a way to allow token authentication for endpoints in an application which uses @EnableOAuth2Sso
I had seen that @EnableOAuth2Sso will in zuul WebsecurityConfigurerAdapter uanble to pass the access token to downstream api. even if i send the proper authorization header.
Marcos Barbero
@marcosbarbero
@muhmadtabrez follow up on #spring-cloud channel as it's also related to Zuul
Marcos Barbero
@marcosbarbero
Hi @muhmadtabrez I think you have some misunderstandings. What's the Client A and Client B, are they completely different applications consuming the API through Zuul?
majiedahamed
@majiedahamed
@marcosbarbero They are different applications,one gets the token another uses the token
Marcos Barbero
@marcosbarbero
How do you exchange the token between them? Why do you have this setup where one application requests the token while another one uses it?
@majiedahamed
majiedahamed
@majiedahamed
@marcosbarbero Thanks.I have two cases to integrate 1) legacy system where it does plain DB authentication and i cannot think of any protocol support even SSO 2) For a Mobile App for which i believe an oauth2 token can be stored and in need can request for a refresh token.
Marcos Barbero
@marcosbarbero
@majiedahamed Thanks for the update but i'm still not that sure how are you going to exchange the token. You mentioned storing the token in the mobile app and use the refresh token, do you mean store the token within the app and use whenever it's necessary? If that's the case I strongly advice you to not
it's a really big security breach
majiedahamed
@majiedahamed
@marcosbarbero you are right ! but my mobile app dev scripting framework does not provide me any Oauth2 plugins.I can only think of encrypting the tokens while storing .Please suggest other options to move ahead for mobile app.
Marcos Barbero
@marcosbarbero
It's basically just a matter of making HTTP requests, if you can handle it at your framework then you are good to go. You just need to choose the right grant type
majiedahamed
@majiedahamed
@marcosbarbero for client side user specific authentication i can use either code grant or password grant both responds with oauth2 token...and once authenticated client needs to send the token in the request to check token end point to verify authorization for any resource access.
Marcos Barbero
@marcosbarbero
Hi @majiedahamed , good morning! So, you are correct about the grant types I would say you can pick what works better for you, I would go for username & password one in this case. About the /check_token endpoint part, it's not really necessary, you can skip it
fschollmeyer
@fschollmeyer
Hi guys... I'm using a zuul proxy to connect to an oauth2 authorization server. Everything works fine, unless the refresh token is expired. In that case the zuul filter OAuth2TokenRelayFilter throws an BadCredentialsException and this one is forwarded directly to the user. What would be the right place to go for redirecting the user to the login page instead?
fschollmeyer
@fschollmeyer
Also after updating to spring-boot-2.1/spring-cloud-greenwich-RC2, the registeredRedirectUrl seems to match the whole path. So e.g. if my registeredRedirectUrl is https://localhost:9443/, e.g. https://localhost:9443/login is not a valid redirect URL anymore. Is that on purpose?
That was not the case with spring-boot-2.0.6 and cloud finchley SR2
fschollmeyer
@fschollmeyer
Hi... I have a server with server.use-forward-headers set to true... nonetheless in LoginUrlAuthenticationEntryPoint useForward is set to false. Is this a bug?
Joris Schellekens
@jorisschellekens
Hi
Joris Schellekens
@jorisschellekens
I'm building an Alexa Skill. This requires me to build an oAuth Security Provider (so that -upon installing my skill- users get a login form and receive tokens they can use to talk to my endpoints). I have an LDAP server (hosted on AWS).
Are there any good examples that could help me?
Chris Overgaauw
@chrisovergaauw
I would like to print the bearer token received by my spring application as I am running into an issue where .hasAuthority(<some string>) always seems to fail and I keep getting 401 responses.
Does anyone know how to do this or how to debug this in general? spring root and security logging are already at debug level
Srinivas
@Sriniva63328880_twitter
Hi all
Ivan
@advancedwebdeveloper
who is interested to speak about security at http://devopsstage.com/ ?
Pedro
@pgardunoc_twitter
That would be interesting
Attoumane
@akuma8
Hi there, I am a bit confused about all security dependencies available to secure a cloud application. When should we use:
-org.springframework.cloud:spring-cloud-security:<version>?
-org.springframework.cloud:spring-cloud-starter-security:<version>?
-org.springframework.security.oauth:spring-security-oauth2:<version>?
-org.springframework.boot:spring-boot-starter-oauth2-client:<version>?
-org.springframework.boot:spring-boot-starter-oauth2-resource-server:<version>
Attoumane
@akuma8
I am currently migrating standalone Spring Boot applications to Spring Cloud and until now I used:
org.springframework.boot:spring-boot-starter-security:<version> and org.springframework.security.oauth:spring-security-oauth2:<version> to secure my applications. I have a central application dedicated to issuing access token, a Spring Cloud Gateway and other Spring Boot applications. The question is which dependencies should I use in each case? Thanks a lot
fschollmeyer
@fschollmeyer
Hi guys... I'm using spring-security-oauth2-client to login via an OAuth2 server. My server supports strong authentication via attaching the desired acr_values to the authorization uri. Is there a way to set the acr_value? Or at least to modify the redirect URI to the authorization server manually?
Basavaraj K N
@rajiff
Hi, I am trying to implement a app with "Sign in with Google" functionality in a Microservice env (Zuul, Eureka, Config Server), confused where to put my initial UI (which logged in and need to be behind the API gateway), should I be using "Spring Cloud Security" or "Spring Security", which among them are more latest ?
PS: I am new to spring and java
naveenchirayath
@naveenchirayath
HI how to secure eureka naming server? I am added spring security in the eureka server. but while client registration I am getting "com.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server". I am given the eureka.client.service-url.default-zone=http://username:password@localhost:8761. but its not working..
miha-
@miha-

@miha-
Hello, can some one help me understand this:
i need to sign en encrypt soap request
https://docs.spring.io/spring-ws/site/reference/html/security.html
The XwsSecurityInterceptor will fire a SignatureKeyCallback to the registered handlers. Within Spring-WS, there are is one class which handles this particular callback: the KeyStoreCallbackHandler.
The XwsSecurityInterceptor will fire a EncryptionKeyCallback to the registered handlers in order to retrieve the encryption information. Within Spring-WS, there is one class which handled this particular callback: the KeyStoreCallbackHandler.
so for this only in policy has to be added, other things are the same

@Bean
    public KeyStoreCallbackHandler callback() throws Exception{
        KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();


        callbackHandler.setPrivateKeyPassword("t_passwordo");
        callbackHandler.setDefaultAlias("snet");
        callbackHandler.setKeyStore(keyStoreFactoryBean());
        callbackHandler.setTrustStore(TrustFactoryBean());

        return callbackHandler;
    }

signeture works ok
but for encrypt i get
2019-10-16 09:41:01.902 ERROR 21412 --- [nio-8080-exec-2] j.e.resource.xml.webservices.security : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate
tnx

Abdullah Al-ahmar
@aalahmar_gitlab
I wanna ask about Zuul as an aouth2 client! Anybody has experience
Attoumane
@akuma8
Hi there,
Is there a guide to migrate an Spring Security OAuth2's Authorization Server with custom UserDetailService to the new Spring Security 5.2 changes?
About Spring Security OAuth2 support, I think it would be nice to take account the users opinion before deciding to no longer provide Authorization Server support.
That decision was so brutal, we are not ready yet.
M G R
@grajuu
Hey there,
Is it good to configure security and gateway in same micro service ..?
jerryniu
@geercode
@grajuu I don't think so.If you are creating a sso or uaa service, you should take auhorizaion and authetication as a system service.
M G R
@grajuu
Then how security will intercept gateway?
i mean gateway service is first entry point for all micro services.
You mean Request flow will gateway-> security-> microserviceA so on ..?
Basavaraj K N
@rajiff
How to support data driven RBAC with spring security and Zuul gateway ?
Srini555
@Srini555
Hi
MichaelvdHeuvel
@MichaelvdHeuvel

Hallo, I am working on an implementation of SAML 2.0 in our Spring boot application and we were following a tutorial where it is stated that the SAMLProcessorImpl needs a HTTPPostBinding with a Parserpool from OpenSaml. However the openSaml version of the tutorial is deprecated and I can not seem to find replacement. I noticed that the ParserPoolHolder has a static function for getting Pool, but when running the application it can not access the object:

Error:(149, 60) java: cannot access org.opensaml.xml.parse.ParserPool
class file for org.opensaml.xml.parse.ParserPool not found

Can anyone take a look with me, how to make sure the parsing is implementated correctly?

nguyennv84
@nguyennv84
Hi, is there a way to propagate the Authentication details in a web request to the event listeners that receive events raised in a web request?
Dhruv
@iamdhrv
Hello Everyone.
i am new here.
parameswaranvv
@parameswaranvv
I have a spring boot application serving web content using Thymeleaf. It has been secured using Spring Security and have enabled CSRF. This application is fronted by a Spring Zuul Proxy which enforced SSO auth before the backend Spring Boot app can be accessed. My issue is that the CSRF token correctly renders on the html forms as hidden elements, but when I submit the form, I get the error from the backend Spring Boot app that "Could not verify the provided CSRF token because your session was not found". Any pointers here is greatly appreciated
Cesar Manuel Cruzata De la Cruz
@cruzatadelacruzc
Hello, I need to know the version spring-cloud-security was to add support to Token Refresh