Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
Repo info
    Hi I am using spring-cloud-starter-gateway with spring-boot-start-webflux and spring-boot-starter-security. As the IDP using UAA. When app comes up it serves the login page and investigating the cookies I see a cookie called SESSION. Now if I log in immediately all is fine. If I delete the cookie SESSION I get a 500 Error [authorization_request_not_found]. Now if I get to the login page and just wait there for over 30 minutes or so the cookie SESSION is there but then I also get the [authorization_request_not_found]. The questions I have are: 1) how do I configure this timeout ? 2) How do I prevent this from happening ?
    Ashish Agre
    hello, i have one small issue related to scope with google login as provider and spring as resource server, i am posting stackoverlfow question link here, let me know if this is ok otherwise i shall ask question here only: link
    hi to all
    Dawid Kubicki
    Hi, has spring supported pkce already ?
    Thilo-Alexander Ginkel
    Hi there! Any idea which autoconfiguration is responsible for creating OAuth2AuthorizedClientService for current Spring Boot / ~ Security?
    Andreas Falk
    @dkubicki yes current spring security 5.x already supports PKCE.
    Hello all,
    We have implemented SCDF 2.5.1 on Kubernetes and trying to enable OAuth2.0 authentication with CA SSO (a.k.a Siteminder) or ADFS.
    SCDF documentation proposes integration with UAA which maps granted scopes to LDAP groups and returns only those.
    SCDF maps scopes to roles to resolve access to resources.
    CA SSO and ADFS do not have this scopes manipulation capability.
    Is there a way to map claims from id_token to roles instead of scopes?
    Or, can you share how to integrate IDPs which do not have this scope manipulation capability?
    Releated SCDF documentation can be found here: Customizing Authorization
    Could not find help in SCDF Room.
    Ariel Himmelstern
    Hello all,
    I’m trying to run a SAML integration using spring-security-saml2-service-provider but I’m running into verification issues once we release it to our staging environment. That environment is behind a load balancer (AWS ALB), causing the recipient to mismatch, and the validation to fail. Is there a way to configure the OpenSamlAuthenticationProvider to use the url of the load balancer and not the address of the server? Any help is appreciated it here.
    Adam Richeimer
    Hey all, I'm having trouble figuring out how to use Spring Security SAML2 Provider with G Suite as the SAML Idp
    I posted my question on SO there above
    If anyone can help me, I'd really appreciate it.
    Hello everyone,
    i am new here.
    I have implemented an jwt authentication with spring security in microservice architecture. i have created on auth-service which only authenticate user and return jwt token, and zuul gateway service which check jwt for any other API request and every microservice request through this. This works well. but i want to improve in this system is that is there any better way to authenticate user if i directly make request to other microservice instead of zuul gateway. like if i request directly any microservice than microservice should have to check jwt token itself.
    Arvind Kumar GS

    Hi, is there a way to exclude some URIs from extending the session time out. I have certain websocket APIs that constantly poll my server, this causes the session to extend even though the user is idle. So ideally these idle sessions should timeout. But the polling calls reset the session time out, and never time out.
    I am setting the session time out using following configuration in web.xml


    I have googled and found following ways,

    1. Adding a Http filter that intercepts all requests as defined here . Once it intercepts the request, and URI is a polling, then create a new session, so original session is untouched.
    2. Getting the StandardManager as mentioned here, then it should be as "simple" as getting the manager from the ServletContext, and then using the manager's findSession(request.getRequestedSessionId()). Once we have StandardManager, we can create a new session, leaving existing session.
    3. Another approach is creating a custom session manager instead of tomcats StandardManager as defined here
    4. Have the websocket/polling APIs on a separate sessionless sub-domain (possibly running on a separate tomcat server) - details
    5. Or don’t send any JSESSION cookies for the polling APIs so the server thinks it is a new request and will not extend the existing session. This may not work due to spring-security enforced.

    Is there a simple configuration on say web.xml that allows us to exclude some URIs from resetting the session timeout?

    Hello everyone
    Quick question, i'm not the best when it comes to reactive programming but i think what I have done should be ok. I wanted to run it by people who might know better.
    I wrote some code that fetches the signature algorithms of a remote JWK source in NimbusJwtDecoder & NimbusReactiveJwtDecoder. The Regular one I have should be fine, but the reactive on i had to use a blocking request during the application startup to fetch the JWKs initially... Does that seem problematic at face value?

    Hi, I have defined oauth2 resource server like this:

     .oauth2ResourceServer { oauth2ResourceServer ->
              .opaqueToken { opaqueToken ->

    and (in that same WebSecurityConfigurerAdapter) I have configured the access:


    and even though bearer tokens with the right scope arrive (I was debugging), they are not recognized and I get 403 at the end. I have been debugging inside Spring, at the last request filter, at the moment of Voters (AccessDecisionVoter perhaps), there is only ROLE voter configured, but no voters for SCOPE.. Is this the place where something is missing? Or, what I am missing? For the opaque tokens I needed to also add the "nimbusds" library, in case this is relevant..

    uh, my underscore was converted to italics.. I meant ROLE_ and SCOPE_
    So, again, the token is accepted, but then the scopes are not picked up. I am not using Spring Boot and suspect I may be missing some part of the configuration..
    Hi @monikma , try to change to this hasAuthority("#oauth2.hasScope('your_scope')").
    @MasterB54088886_twitter here they said access("#oauth2.hasScope('your_scope')") was replaced:, but hasAuthority with old syntax i have not tried yet..
    @monikma from what I understood, you use opaque token but the "nimbusds" lib is needed for JWT token only
    @MasterB54088886_twitter nimbusds is also needed for introspection - default implementation of OpaqueTokenIntrospector is implemented with nimbusds and is used for parsing of introspection response
    @monikma you said you don't use Spring Boot right? Then I guess you have to create OpaqueTokenIntrospector as a Bean, then config like this for example oauth2ResourceServer().opaqueToken().introspector(myIntrospector()) because the docs said Spring Boot exposes WebSecurityConfigurerAdapter and OpaqueTokenIntrospector as Beans
    @qavid thanks for correcting me pal. I just take a look at their source code and it actually uses that lib.
    @MasterB54088886_twitter she don't have to explicitly create OpaqueTokenIntrospector bean, OpaqueTokenIntrospector bean is configured by OpaqueTokenConfigurer by setting introspectionUri, introspectionClientCredentials
    anyway, introspection seems to work otherwise she would get 401 not 403
    @monikma I would check if introspected token contains claim "scope", then I would check if antMatcher matches given request (also security matcher if you have more than one security filter chain). If you are sure scope and matcher are correct, you can try to set breakpoint in SecurityExpressionRoot in method hasAuthority.
    Without more details it is hard to find problem, provided configuration seems to be OK
    @MasterB54088886_twitter thanks, hasAuthority("#oauth2.hasScope('your_scope')") does not make a difference, yes I did try with defining the @Bean (NimbusOpaqueTokenIntrospector), also no difference, yes I do not use Spring Boot..
    @qavid thanks, where should the "claim" be exactly? I am examining a principal that is resolved by BearerTokenAuthenticationFilter , it has attributes map property with my scope ("scope"->"myscope"), but no "authorities" set. Is this the place, or should it be another place?
    I think the matcher matches the request, because if I replace my hasAuthority with permitAll() then everything is working.
    In SecurityExpressionRoot.hasAnyAuthorityName the authorities are still empty and compared against role set that contains the SCOPE_myscope string.. that seems wrong, right?
    hmm, reading the code further, the attributes seems to be the claims

    hmm, in NimbusOpaqueTokenIntrospector:

    private OAuth2AuthenticatedPrincipal convertClaimsSet(TokenIntrospectionSuccessResponse response) {
            Collection<GrantedAuthority> authorities = new ArrayList<>();
            Map<String, Object> claims = response.toJSONObject();

    at this point the response and claims already have all the params and attributes, respectively, including scope.. and later this part of code is never executed:

    if (response.getScope() != null) {
                List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList());
                claims.put(SCOPE, scopes);
                for (String scope : scopes) {
                    authorities.add(new SimpleGrantedAuthority(this.authorityPrefix + scope));

    because response.getScope() is null.. why is it null?

        public Scope getScope() {
            try {
                return Scope.parse(JSONObjectUtils.getString(params, "scope"));
            } catch (ParseException e) {
                return null;

    there is a parse exception ignored.. saying Unexpected type of JSON object member with key "scope", even though there is a key scope in the params, but it contains another map, mapping scope to my scope finally.. maybe that is the problem? weird..

    5 replies
    Jay Aisenbrey

    Hello. So I have a question about automatically logging in a user from a non-login request. For example when a new user is registered I want to automatically log them in. I've tried manually invoking the authentication manager and using request.login however both seem to be susceptible to session fixation attacks since neither go through the filter chain. By default a user logins via a form post. Here's the login piece of the security config


    I was thinking of forwarding or redirecting however those are GETs and not POSTs not to mention the actual form data that needs to be sent. I also considered using a custom authentication token however that's assuming that the login could be a GET. Thank you

    Rory Byrne

    Hi folks, I can't get global CORS to work. All tutorials I've seen have rather simple instructions, but in the end I don't see any CORS headers on responses. Here's my WebSecurityConfig:

    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
      protected void configure(HttpSecurity http) throws Exception {
      public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
          public void addCorsMappings(CorsRegistry registry) {

    Am I missing something obvious?

    James Howe
    You only get them if the request has them
    Rory Byrne
    Which headers should the request include? Here's an example cURL I'm using to test this:
    ❯ curl -i http://localhost:8080/foo -H "Access-Control-Request-Method: GET"
    HTTP/1.1 200
    Vary: Origin
    Vary: Access-Control-Request-Method
    Vary: Access-Control-Request-Headers
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Frame-Options: DENY
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 4
    Date: Thu, 25 Jun 2020 14:24:41 GMT
    James Howe
    Rory Byrne
    Of course! Thank you
    James Howe
    Rory Byrne
    Thanks, I'll have a proper read of the docs to avoid any more gotchas.
    James Howe
    e.g. Access-Control-Request-Method does nothing on a GET.
    Jesse Moseman
    I got authentication to work, but I'm trying to figure out how to get my roles mapped out with spring security when they're not in the jwt claims but the userinfo response.
    Ingo Griebsch
    Hi all,
    we are still using the spring-security-oauth2 module and want to use @EnableOAuth2Client together with OAuth2ClientContext to implement a token relay.
    We defined @EnableOAuth2Client (together with @EnableResourceServer) in our service. We are using Feign to call the downstream service together with OAuth2FeignRequestInterceptor (means that OAuth2ClientContext and OAuth2ProtectedResourceDetails are available in the application context). So far all things seem to work like expected.
    But we realize that we are getting a status 401 from the downstream service from time to time. This sounds strange for us because the webapp which is calling the service is refreshing the access-token if necessary before calling the service. After some debugging we realize that the webapp is sending the up to date access-token to the service but the Feign client is sending the old access-token to the downstream service.
    After some more debugging it looks like that the AccessTokenContextRelay is only setting the access-token on the OAuth2ClientContext if not already available and that the OAuth2ClientContext is available in session-scope and therefore the old access-token is used.
    Long story short: We would like to understand why the OAuth2ClientContext is defined in session-scope? We would also like to understand if it is not intended that an access-token can/should be refreshed on subsequent requests and if we can configure the behavior in a way that the refreshed access-token is used?
    Any feedback is highly appreciated! :)
    Hey all
    I've got my web application connected to our Active Directory and it's working great. Is there any documentation that would show me how to implement a "change password" feature in connection with an Active Directory? All the examples seem to be focused on regular LDAP connections but not in connection with ActiveDirectoryLdapAuthenticationProvider. I've been trying to wire my own DefaultSpringSecurityContextSource, but when attempting to actually change the password, the bind credentials are rejected (probably because it's sending "uid=test.user,cn=users" instead of just sending the user-id with domain (for example "")).
    Any help is much appreciated!
    That's actually a traffic capture from the LDAP calls that go out. The first one is the actual login to the application, the last two requests happen when the user changes the password
    Jakub Kubryński
    Hi! I'm trying to compile spring-security from the master branch, but it looks like there are issues with spring maven repository. Does anyone encounter similar issues today?
      > Could not resolve io.projectreactor:reactor-bom:Dysprosium-SR+.
         Required by:
             project :spring-security-config
          > Failed to list versions for io.projectreactor:reactor-bom.
             > Unable to load Maven meta-data from
                > Could not HEAD ''. Received status code 403 from server: Forbidden
    Ingo Griebsch
    Hi all,
    I would like to politely ask again if someone can help us in solving the problem I have described above. Please let us know if we have overseen something in the documentation that should help to solve the problem. Any hint or tip is really appreciated. :)