    Marco Zanghì
    @marcozanghi
    Can I ask how it is possible to force Ehcache to persist a record in the DB when I update an ACL? I am trying to test it in a JUnit test, but it seems that the ACL update is stored only in memory.
    James Howe
    @OrangeDog
    @marcozanghi it will be transaction config again
    I go to http://demo.bkit.vn, log in successfully, then get redirected to http://localhost:8081/desktop, then the web app fails.
    Marco Zanghì
    @marcozanghi
    @OrangeDog thanks, my fault!
    James Howe
    @OrangeDog
    Is it possible to @PostFilter a Page?
    Filip Hanik
    @fhanik
    @donhuvy https://docs.spring.io/spring-boot/docs/1.1.3.RELEASE/reference/html/howto-embedded-servlet-containers.html#howto-use-tomcat-behind-a-proxy-server
    server.tomcat.remote-ip-header=x-forwarded-for
    server.tomcat.protocol-header=x-forwarded-proto
    Nasibulloh
    @Nasibulloh
    @xak2000 Thanks a lot
    compfantasy
    @compfantasy
    Hello team, several days ago I found I cannot use any jwsAlgorithm but RS256, because it is hard-coded in the authentication provider; please refer to spring-projects/spring-security#6883. Per Joe Grandja's advice, I upgraded the versions of spring-security-oauth2-client and spring-security-oauth2-core to 5.2.0.M2, but I don't know how to change the jwsAlgorithmResolver for OidcAuthorizationCodeAuthenticationProvider. Would you please kindly give me some tips?
    hersonalfarogl
    @hersonalfarogl

    @reneschroeder0000

    hi, what is the best way to mock an OAuth2/OpenID Connect server for my client? I would like to have something like a local test repository that doesn't need to query other services.

    my current implementation is as follows:

    import org.springframework.beans.factory.annotation.Autowired
    import org.springframework.beans.factory.annotation.Value
    import org.springframework.boot.test.context.TestConfiguration
    import org.springframework.boot.test.mock.mockito.MockBean
    import org.springframework.context.annotation.Bean
    import org.springframework.security.oauth2.client.InMemoryReactiveOAuth2AuthorizedClientService
    import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService
    import org.springframework.security.oauth2.client.registration.ClientRegistration
    import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository
    import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository
    import org.springframework.security.oauth2.client.web.server.AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository
    import org.springframework.security.oauth2.client.web.server.UnAuthenticatedServerOAuth2AuthorizedClientRepository
    import org.springframework.security.oauth2.core.AuthorizationGrantType
    import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder

    @TestConfiguration
    class OAuth2TestConfiguration {

        // A single client_credentials registration; the token endpoint points at the WireMock stub below.
        @Bean
        fun getInMemoryReactiveClientRegistrationRepository(
                @Value("\${spring.security.oauth2.client.registration.foo.client-id}") clientId: String,
                @Value("\${spring.security.oauth2.client.registration.foo.client-secret}") clientSecret: String,
                @Value("\${foobar.token-uri}") tokenUri: String
        ): ReactiveClientRegistrationRepository {
            return InMemoryReactiveClientRegistrationRepository(
                    ClientRegistration.withRegistrationId("foo")
                            .tokenUri(tokenUri)
                            .clientId(clientId)
                            .clientSecret(clientSecret)
                            .scope("doesnt matter here")
                            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                            .build()
            )
        }

        // Authorized clients are stored per principal; anonymous requests fall back to the
        // unauthenticated repository so client_credentials works without a logged-in user.
        @Bean
        fun getServerOAuth2AuthorizedClientRepository(
                @Autowired authorizedClientService: ReactiveOAuth2AuthorizedClientService
        ): AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository {
            val repo = AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(authorizedClientService)
            repo.setAnonymousAuthorizedClientRepository(UnAuthenticatedServerOAuth2AuthorizedClientRepository())
            return repo
        }

        @Bean
        fun getInMemoryReactiveOAuth2AuthorizedClientService(
                @Autowired repository: ReactiveClientRegistrationRepository
        ): ReactiveOAuth2AuthorizedClientService = InMemoryReactiveOAuth2AuthorizedClientService(repository)

        // The JWT decoder is mocked so tests never fetch a JWK set from a real provider.
        @MockBean
        lateinit var jwtDecoder: ReactiveJwtDecoder
    }

    and WireMock for the tokenUri:

    {
      "request": {
        "method": "POST",
        "url": "/token"
      },
      "response": {
        "status": 200,
        "headers": {
          "Content-Type": "application/json"
        },
        "jsonBody": {
          "access_token": "some token",
          "token_type": "Bearer"
        }
      }
    }

    Have you guys found a way to do unit testing in either @OAuth2Client or @ResourceServer mode when using WebFlux? The spring-security-test examples (https://docs.spring.io/spring-security/site/docs/current/reference/html/test.html#test-method) only demonstrate how to mock Basic Auth.
    If there's an RTFM link, I would appreciate it as well.

    Henrique Luis Schmidt
    @henriquels25
    Hi team,
    I created a question related to testing an oauth2 resource server using @WebMvcTest (https://stackoverflow.com/questions/57103518/spring-security-oauth2-resource-server-tests).
    I would appreciate it if someone could take a look at that.
    choubani amir
    @amirensit
    hello.
    I am implementing the implicit flow with OAuth2. The problem I am having now is what the value of redirectUris should be for a mobile application.
    I tried window.location.origin but it does not work. Any idea please? (I am using Ionic 4 as the front-end client.) For dev I set http://localhost:8100 and it works.
    James Howe
    @OrangeDog

    I'm trying to add a token granter with spring-security-oauth2, but it seems to be very difficult. The default one is an anonymous class that wraps a CompositeTokenGranter created on first use. There's no way to modify the list of granters it will use, nor to modify them after it's been made. To construct any granter (in order to set one on AuthorizationServerEndpointsConfigurer) you need to already have three of the other objects managed by that configurer.

    Am I missing something?

    James Howe
    @OrangeDog
    Right now I've got this horrible thing
    import java.lang.reflect.Field;

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerEndpointsConfiguration;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.provider.CompositeTokenGranter;
    import org.springframework.security.oauth2.provider.TokenGranter;

    // Lives in a @Configuration class; InternalTokenGranter is my own TokenGranter implementation.
    @Bean
    public TokenGranter internalTokenGranter(AuthorizationServerEndpointsConfiguration endpoints)
            throws ReflectiveOperationException
    {
        AuthorizationServerEndpointsConfigurer configurer = endpoints.getEndpointsConfigurer();
        TokenGranter tokenGranter = configurer.getTokenGranter();
        // The default granter is an anonymous wrapper that builds its CompositeTokenGranter
        // lazily on the first grant() call; a no-op grant forces that initialisation.
        tokenGranter.grant(null, null);
        // Reach into the wrapper's private "delegate" field to get at the composite.
        Field field = tokenGranter.getClass().getDeclaredField("delegate");
        field.setAccessible(true);
        CompositeTokenGranter compositeTokenGranter = (CompositeTokenGranter) field.get(tokenGranter);
        compositeTokenGranter.addTokenGranter(new InternalTokenGranter(
                configurer.getTokenServices(),
                configurer.getClientDetailsService(),
                configurer.getOAuth2RequestFactory()
        ));
        return tokenGranter;
    }
    Filip Hanik
    @fhanik

    @OrangeDog There are different ways to solve this, I'm just showing you one way.
    The Cloud Foundry UAA project created a class called AddTokenGranter (link)

    The library exposes the composite granter as oauth2TokenGranter, in the UAA xml they add token granters in 3 different places as such:

        <bean id="addUserTokenGranter"
              class="org.cloudfoundry.identity.uaa.oauth.token.AddTokenGranter">
            <constructor-arg name="userTokenGranter" ref="userTokenGranter"/>
            <constructor-arg name="compositeTokenGranter" ref="oauth2TokenGranter"/>
        </bean>
    James Howe
    @OrangeDog
    @fhanik How do they get the composite granter though? That's the messy bit.
    Sudhakar
    @sudhakarbetha

    Hello,
    I am trying to secure my /api/* via OAuth2 Authorization Code. I have OAuth2 working for the endpoint
    http://localhost:8080/ where the redirect URL is http://localhost:8080/login/oauth2/code/azure

    but when I try to hit http://localhost:8080/api/user, I get
    "The reply url specified in the request does not match the reply urls"
    with redirect_uri=http://localhost:8080/api/user

    Here is my SecurityConfig

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http.authorizeRequests()
                  .anyRequest().authenticated()
                  .and()
                  .oauth2Login();
      }
    James Howe
    @OrangeDog
    @sudhakarbetha you seem confused about how OAuth works. An authorization code is a grant to obtain an access token from an authorisation server. It doesn't secure a resource server.
    Sudhakar
    @sudhakarbetha

    Thanks @OrangeDog. I was trying to write an OAuth client, redirect the user to log in against Azure Active Directory and then provide access to my /api/* upon successful login.
    I was able to do that now, but when I try to do

     String response = oAuth2RestTemplate.getForObject("https://graph.microsoft.com/v1.0/me", String.class);

    this request redirects again to Azure AD and fails with "The reply url specified in the request does not match the reply urls".
    I thought oAuth2RestTemplate does not redirect to Azure AD when accessing the Graph API; instead, it will use the same access token obtained earlier.

    Is there anything I am missing? @OrangeDog
    James Howe
    @OrangeDog
    No idea. Never used Azure AD login.
    Filip Hanik
    @fhanik

    @OrangeDog

    How do they get the composite granter though? That's the messy bit.

    I'm not sure what you mean. It appears as though the Spring Security OAuth2 library simply exposes a bean named oauth2TokenGranter and the UAA code does nothing, so nothing can really be messy :)

    Filip Hanik
    @fhanik
    @OrangeDog UAA only invokes a method on the already existing bean, to add a TokenGranter to it.
    James Howe
    @OrangeDog
    @fhanik Doesn't look like it does to me. And if it did it would be the aforementioned delegate wrapper by default.
    Filip Hanik
    @fhanik
    James Howe
    @OrangeDog
    That looks like it's only for XML config? That wouldn't apply if using (as is generally recommended) Java config.
    Filip Hanik
    @fhanik
    Yes, that's correct; the UAA originated in 2011. The samples have Java examples.
    James Howe
    @OrangeDog
    Ah yes, nesting the composites like that would also work.
    Wilber Saca
    @wsaca
    I resolved it, now the app is configured to use the alg RS512
    Donald F Coffin
    @dfcoffin
    Is there a planned release date for OAuth 2 Authorization Server support in Spring Security?
    Evgen Koshmaryk
    @koshmaryk
    Hi all. I'm trying to set up Spring Security within Spring Cloud Gateway. There are specific gateway security headers, as Zuul had before. Previously, in non-reactive applications, I used WebSecurityConfigurerAdapter, with the help of which I could ignore some routes, but in reactive apps I can't use it. Those routes are related to a legacy service which can't work with those security headers, so I am trying to find alternatives. It would be great if someone could advise how it's possible.
    Andreas Falk
    @andifalk
    @dfcoffin this is part of Spring Security version 5.3, which does not yet have a release date. Please see here:
    https://github.com/spring-projects/spring-security/milestone/136
    Donald F Coffin
    @dfcoffin
    @andifalk Thanks for the update
    Pascal Zwick
    @pas2al
    Hi everyone, for days my team and I have struggled to get a clean test setup in combination with Spring Security. The application works in general. We want to test our controllers with @WebMvcTest, and this works in general too, but as soon as we add more dependencies in our WebSecurityConfig the problems start. We cannot autowire all necessary dependencies (NoSuchBeanDefinitionException: No qualifying bean of type 'com.example.demo.MyUserDetailsService' available). Does anyone have experience with this and can help? I created a demo project with tests that shows the problem in a simple way. It is on my GitHub profile (https://github.com/pas2al/spring-playground). Any help would be super awesome.
    Pascal Zwick
    @pas2al
    Mahdi Robatipoor
    @robatipoor
    Does anyone know how AuthenticationManager authenticates a user under the hood?
    SeyedAliZiaei
    @Seyed_zia_twitter

    hi
    I have a problem.
    I am using Spring Boot and Angular. I will use LDAP for authentication. Spring Boot runs on Tomcat and Angular runs on Apache.
    I redirect to the Angular page for login in the Spring Security config, but:

    'http:localhost:4200/auth?error' is not a valid redirect URL

    This is the Spring Security config:
    package org.sap;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/auth").permitAll()
                    .antMatchers("/**").fullyAuthenticated()
                    .and()
                    .formLogin()
                    // The login page lives in the Angular app, so it must be an absolute URL
                    // with a scheme. A scheme-less "http:localhost:4200/auth" is what produces the
                    // "is not a valid redirect URL" error when Spring appends "?error" to it.
                    .loginPage("http://localhost:4200/auth")
                    .successForwardUrl("/");
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Bind directly as the user; the DN is built from the uid pattern under the base DN.
            auth.ldapAuthentication()
                    .userDnPatterns("uid={0}")
                    .contextSource()
                    .url("ldap://dc.msv.net:389/dc=msv,dc=net");
        }
    }

    molexx
    @molexx

    In token-based 'remember me' tokens, would it be fair to say that the 'key' is more of a 'seed' than a 'key', and if it were discovered it wouldn't be that useful, because it's part of the string hashed with the user's password and other (possibly guessable) things?

    https://docs.spring.io/spring-security/site/docs/current/reference/html5/#remember-me-hash-token

    Mike Noordermeer
    @MikeN123

    Hi. I'm looking into the Spring Security SAML 2.0 branch, but am hitting some obstacles and am wondering if these things are already on the roadmap and/or if I can help out implementing them.

    1.) It does not seem to be possible to use a custom Principal/UserDetails object. The 'raw' assertion and NameId are put in a DefaultSamlAuthentication object and that's it. There does not even seem to be an override possibility in the SamlAuthenticationResponseFilter. Is this correct? This is an issue as it makes it impossible to: a.) use a 'username' other than the NameID, and often the NameID is not what we use as a username. b.) specify/load/parse any GrantedAuthorities for the user.

    2.) It seems only raw metadata is cached. It seems that for every request the metadata is parsed again. In case of large metadata files, this will bring down your server quite rapidly (e.g., UK federation has 50+ MB metadata). Shouldn't the parsed metadata be cached?

    3.) It seems metadata is only cached for 10 minutes. Metadata usually has a validUntil property that should/could be used? With large metadata files this is again an issue.

    4.) It does not seem possible to load metadata from the filesystem, other than directly embedded in the properties or with custom code that does the loading from file, is that correct?

    5.) InResponseTo does not seem to be checked. DefaultValidator.validate specifies 'null' as the value for mustMatchInResponseTo. The checks only succeed because unsolicited responses are accepted by default. This seems like a bug to me.

    6.) Unsolicited responses are enabled by default, but the absence of an InResponseTo field is not checked. It should be, according to the spec (4.1.5 of the profiles spec). This opens up the SP to replay attacks. Enabling unsolicited responses/IdP-initiated SSO by default is debatable as well, as it opens up the SP to login CSRF attacks where the attacker logs the user in under his own account.

    Could anyone let me know if my findings are correct and if I can help out somewhere?

    James Howe
    @OrangeDog
    @MikeN123 I'm sure you're aware, but the current release doesn't have any of those issues (unless you count new FilesystemMetadataProvider as custom code)
    SeyedAliZiaei
    @Seyed_zia_twitter
    Hi, I have a problem with authentication in Spring Security with LDAP. The username and password are correct but I get: Bad credentials

    this is my code.

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity(debug = true)
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        private String url = "ldap://dc.msv.net:389/DC=msv,DC=net";
        private String domain = "dc.msv.net";                            // currently unused
        private String userDNPattern = "sAMAccountName={0},DC=msv,DC=net"; // currently unused

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Bind with the manager account, then search for the user with the filter below.
            // As written, the filter compares memberOf against the literal "(&(CN={0}))";
            // an Active Directory user lookup is normally a filter such as "(sAMAccountName={0})".
            auth.ldapAuthentication()
                    .contextSource()
                    .url(url)
                    .managerDn("arpa")
                    .managerPassword("masterone4408$$)*")
                    .and()
                    .userSearchFilter("memberOf=(&(CN={0}))");
        }
    }
    Mike Noordermeer
    @MikeN123
    @OrangeDog if you mean the Spring Security SAML v1.x releases, that's true. But that uses an unsupported OpenSAML library. Getting the new branch up to par would be really welcome.
    James Howe
    @OrangeDog
    @MikeN123 it's unsupported? Last release was in April.
    They're not published to Central, you need to add https://build.shibboleth.net/nexus/content/repositories/releases/
    Mike Noordermeer
    @MikeN123
    Those are the 3.x releases. Spring Security SAML 1.x branch uses the 2.x releases.
    That has been unsupported, without any security support, since 2016.
    James Howe
    @OrangeDog
    @MikeN123 oh, I see. There aren't any CVEs against them at least.
    Mike Noordermeer
    @MikeN123
    Yeah, but getting the new SAML stuff ready for production would be welcome, so just trying to see if I can help here.
    James Howe
    @OrangeDog
    :thumbsup: