spring-projects/spring-security

Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security

Mohsin AR

@iammohsinar

BTW AuthFilter is for if user is already authenticated so it is working fine for that purpose. i need to stop execute this on exception which occurs in LoginFilter for wrong user and pass

Hamza Ouni

@HamzaOuni17_twitter

Hello, how can i add a custom attribute to samlRequest (im my case the attribute specify the sending channel : web or mobile).
i do some research about this , i found two solutions either put this in extensions element or in the relayState?

Sivabalan

@jofisiva

Hello Team

We are currently using wso2 for identity access management and SSO integration with ADFS .Plan to cut down WSO2 dependency

Is Spring Security 5 can give all functionality ?

Any thoughts

we are looking some kind of open source access identity access management

With SSO capabilities

James Howe

@OrangeDog

There are Spring Security implementations of SAML and OpenID Connect

Sivabalan

@jofisiva

thanks James

Keerthi Meda

@krmeda

Hello Team...
I am trying to make a starter library (for reactive microservices) for my organization where in I want to configure only the /actuator/** endpoints. I managed to isolate the configuration into an auto-configuration library and am defining the securityWebFilterChain bean where i am able to use a securityMatcher and perform the filtering...

Further down the chain, when one of the microservices using this library wants to add their own authentication scheme (e.g JWT checking) to the path, they are now having to re-define the full bean including the actuator config to get the required results.

Is there a built in way of allowing for this customization and injection of additional securityMatchers downstream if a library does the init upstream?

Sanjeev Ghimire

@sanjeevghimire

is it possible to debug @PreAuthorize?
I added a ROLE at runtime and when I try to hit the API which has that role in hasAnyRole the API gives me Access Denied Exception
Any Idea?
when I get that user I see that ROLE in the list of authorities

this is my API definition:

@GetMapping("/browse/{videoCatalogType}")
    @PreAuthorize("hasAnyRole(\"" + AuthoritiesConstants.ADMIN + "," + AuthoritiesConstants.CHALCHITRA + "," + AuthoritiesConstants.SUBSCRIBED + "\")")

Ruslan Stelmachenko

@xak2000

@sanjeevghimire Make sure the roles you passed in to hasAnyRole method doesn't contain a ROLE_ prefix. If they contain that prefix, use hasAnyAuthorityinstead.

piyush-devnow-io

@piyush-devnow-io

Hi, I have an api which registers a user into my system. I call it signup api which takes a request including email, password and username and creates a record in the database.
There is another api which logs in the user (the sign in api) which provides an access token, its expiration duration, emailId as a response.
My question is -> Can I provide an access token in the response of the signup api as a separate data node in the response? Is it a good design practice ? Is there any other reason why I should not include a access token in the signup api response ?

Rakesh

@ravening

Hi, Im implementing security using JWT in spring boot by following the guide in https://auth0.com/blog/implementing-jwt-authentication-on-spring-boot/ . I am unable to handle the TokenExpiredExcpetion. Does anyone have experience or code samples in doing so?

Andrew Zurn

@AndrewZurn

I'm trying to enable spring security only on the actuator endpoints, and allow all other requests, regardless of auth scheme to pass into the app code (which handles security in it's own regard).

Right now this is what I have:

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        // NOTE: This will only add spring security to the actuator endpoints, all other endpoints will be handled
        // by the JWT auth handling.
        // https://stackoverflow.com/questions/38403740/authenticate-only-selected-rest-end-points-spring-boot
        return http.authorizeExchange()
            .pathMatchers("/actuator/**").authenticated()
            .anyExchange().permitAll()
            .and().httpBasic()
            .and().csrf().disable()
            .build()
    }

    @Bean
    fun userDetailsService(): MapReactiveUserDetailsService {
        return MapReactiveUserDetailsService(
            User.withDefaultPasswordEncoder()
                .username(actuatorAdminUsername)
                .password(actuatorAdminPassword)
                .roles("SUPERUSER")
                .build()
        )
    }

This works to ensure that:
1) http basic auth can be used to access the actuator endpoints
2) any bearer request is passed through into the app code (which is what I want)

but doesn't allow an http basic auth request to pass through and be handled by my app code. I've tried a few different incantations to get it working as expected, but mostly get the current state or I get it to pass through http basic requests (at which case my auth on the actuator endpoints doesn't work). Any pointers?

Andrew Zurn

@AndrewZurn

Something else of interest, if I change the Authorization header key on the request I'm sending to Proxy-Authentication, it passes through just fine.

Andrew Zurn

@AndrewZurn

Looks like using the securityMatcher on the http object and setting up separate filters seems to have done the trick.

Marco Zanghì

@marcozanghi

Hi everyone, I am trying to save to db an acl entry using acl spring. I am using the mustableaclservice but i can't see any new record in the db. (I am using also ehcache) any ideas?

choubani amir

@amirensit

hello.
Please any idea what is the difference between these two dependencies:
spring-security-config and spring-security-web ?

James Howe

@OrangeDog

@amirensit they do completely different things, as indicated by the names

Marco Zanghì

@marcozanghi

hi @OrangeDog, do you have any ideas how to save acl entries by using spring security support? It is possible to do that whit jdbc mutable service?

James Howe

@OrangeDog

That's literally what JdbcMutableAclService says it's for

Marco Zanghì

@marcozanghi

Sì, ma quando eseguo un updateAcl non ho la relativa voce acl nella tabella acl_entry

I am using ehcache .

Yes but when i perform an updateAcl i don't have the related acl entry into acl_entry table

James Howe

@OrangeDog

transaction settings perhaps

Marco Zanghì

@marcozanghi

thanks.. the problem was the @transactional annotation. I have deleted it and now it works

Caleb Cushing

@xenoterracide

@jgrandja https://stackoverflow.com/q/56844287/206466 could you verify whether what Ii'm asking is possible? if it's not I think I should open a ticket to make it possible

Mohsin AR

@iammohsinar

how to secure both web browser request (thymeleaf) and Restful request in one spring boot project ??

Caleb Cushing

@xenoterracide

@iammohsinar https://spring.io/guides/gs/securing-web/

https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/mvc.html

molexx

@molexx

Is there a correct way for a REST API to return a simple short text message along with a 403? I've tried various combinations of setting the contentType and response.writer.println() and response.writer.write()but I can't get it to display in the browser.

Ruslan Stelmachenko

@xak2000

@molexx How did you setup this? You need to create a custom AccessDeniedHandler implementation and set it through HttpSecurity.exceptionHandling().accessDeniedHandler(myAccessDeniedHandler). Then you can implement handle method as you wish.
For example:

        response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        response.setStatus(HttpStatus.FORBIDDEN.value());
        response.getWriter().write(objectMapper.writeValueAsString(responseBody));

Or, in your case, you can set content-type to text/plain and write a String.

molexx

@molexx

@xak2000 thanks yes I have the accessDeniedHandler set up, looks very similar to that but not exactly, I'll try those thanks!

molexx

@molexx

@xak2000 done that, thanks, looking in the Firefox devtools its a 403 with responseType 'json' but there is no body - it just says 'No response data available for this request'. I'm logging to ensure that code is being run and a message is being written.

response content-length is 0

Ruslan Stelmachenko

@xak2000

It's strange. Maybe some filter/interceptor started the output before using response.getOutputStream()? Then response.getWriter() will not work AFAIK.
Also try to add response.flushBuffer() at the end of the handle() execution.

molexx

@molexx

@xak2000 no flushBuffer() doesn't help :-( it's the last line of the handler.

molexx

@molexx

It was setting some cookies but I've commented that out now. Nothing else touching the response in the handler.

molexx

@molexx

Works when I call writer.close(), didn't think I'd have to. Thanks for the pointers!

Marco Zanghì

@marcozanghi

Can I ask you how it is possible to force ehcache to persists a record in db when i update acl. I am trying to test it into a junit test but it seems that the acl update is stored only in memory

James Howe

@OrangeDog

@marcozanghi it will be transaction config again

donhuvy

@donhuvy

Please help me https://stackoverflow.com/questions/57002057/production-environment-spring-security-login-success-redirect-to-localhost

I go to http://demo.bkit.vn , login success, then redirect to http://localhost:8081/desktop , then web-app fail.

Marco Zanghì

@marcozanghi

@OrangeDog thanks my fault!

James Howe

@OrangeDog

Is it possible to @PostFilter a Page?

Filip Hanik

@fhanik

@donhuvy https://docs.spring.io/spring-boot/docs/1.1.3.RELEASE/reference/html/howto-embedded-servlet-containers.html#howto-use-tomcat-behind-a-proxy-server

server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto

Nasibulloh

@Nasibulloh

@xak2000 Thanks a lot

Where communities thrive

People

Repo info

Activity