    James Howe
    @OrangeDog
    @fhanik How do they get the composite granter though? That's the messy bit.
    Sudhakar
    @sudhakarbetha

    Hello,
    I am trying to secure my /api/* via OAuth2 Authorization Code. I have the oauth2 working for endpoint
    http://localhost:8080/ where the redirect url is http://localhost:8080/login/oauth2/code/azure

    but when I try to hit http://localhost:8080/api/user , I get
    "The reply url specified in the request does not match the reply urls "
    where the redirect_uri=http://localhost:8080/api/user

    Here is my SecurityConfig

    http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .oauth2Login();
    James Howe
    @OrangeDog
    @sudhakarbetha you seem confused about how oauth works. An authorization code is a grant to obtain an access token from an authorisation server. It doesn't secure a resource server.
    Sudhakar
    @sudhakarbetha

    Thanks @OrangeDog. I was trying to write an OAuthClient, redirect the user to login against Azure Active Directory and then provide access to my /api/* upon successful login.
    I was able to do that now, but when I try to do

     String response = oAuth2RestTemplate.getForObject("https://graph.microsoft.com/v1.0/me", String.class);

    This request is redirecting again to Azure AD and failing at "The reply url specified in the request does not match the reply urls "
    I thought oAuth2RestTemplate does not redirect to Azure AD when accessing the graph API; instead, it will use the same access token obtained earlier.

    Is there anything I am missing ? @OrangeDog
    James Howe
    @OrangeDog
    No idea. Never used Azure AD login.
    Filip Hanik
    @fhanik

    @OrangeDog

    How do they get the composite granter though? That's the messy bit.

    I'm not sure what you mean. It appears as though the Spring Security OAuth2 library simply exposes a bean named oauth2TokenGranter and the UAA code does nothing, so nothing can really be messy :)

    Filip Hanik
    @fhanik
    @OrangeDog UAA only invokes a method on the already existing bean, to add a TokenGranter to it.
    James Howe
    @OrangeDog
    @fhanik Doesn't look like it does to me. And if it did it would be the aforementioned delegate wrapper by default.
    Filip Hanik
    @fhanik
    James Howe
    @OrangeDog
    That looks like it's only for XML config? That wouldn't apply if using (as is generally recommended) Java config.
    Filip Hanik
    @fhanik
    yes, that's correct, the UAA originated in 2011, the samples have Java examples
    James Howe
    @OrangeDog
    Ah yes, nesting the composites like that would also work.
    Wilber Saca
    @wsaca
    I resolved it, now the app is configured to use the alg RS512
    Donald F Coffin
    @dfcoffin
    Is there a planned release date for OAuth 2 Authorization Server support in Spring Security?
    Evgen Koshmaryk
    @koshmaryk
    Hi all. I am trying to set up Spring Security within Spring Cloud Gateway. There are specific gateway security headers, as Zuul had before. Previously, in non-reactive applications, I used WebSecurityConfigurerAdapter, with the help of which I could ignore some routes, but in reactive apps I couldn't use it. Those routes are related to a legacy service, which can't work with those security headers. So I am trying to find alternatives. It would be great if someone could advise how it's possible.
    Andreas Falk
    @andifalk
    @dfcoffin this is part of Spring Security version 5.3, which does not yet have a release date. Please see here
    https://github.com/spring-projects/spring-security/milestone/136
    Donald F Coffin
    @dfcoffin
    @andifalk Thanks for the update
    Pascal Zwick
    @pas2al
    Hi everyone, for days my team and I have struggled to get a clean test setup in combination with Spring Security. The application works in general. We want to test our Controllers with @WebMvcTest, and this works in general too, but as soon as we add more dependencies in our WebSecurityConfig the problems start. We cannot autowire all necessary dependencies (NoSuchBeanDefinitionException: No qualifying bean of type 'com.example.demo.MyUserDetailsService' available). Does anyone have experience and can help? I created a demo project with tests that shows the problem in a simple way. It is on my GitHub profile (https://github.com/pas2al/spring-playground). Any help would be super awesome.
    Pascal Zwick
    @pas2al
    Mahdi Robatipoor
    @robatipoor
    Does anyone know how AuthenticationManager authenticates a user under the hood?
    SeyedAliZiaei
    @Seyed_zia_twitter

    hi
    I have a problem.
    I am using Spring Boot and Angular. I want to use LDAP for authentication. Spring Boot is running on Tomcat and Angular is running on Apache.
    I want to redirect to the Angular page for login in the Spring Security config, but

    'http:localhost:4200/auth?error' is not a valid redirect URL

    This is my Spring Security config:
    package org.sap;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.password.LdapShaPasswordEncoder;

    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/auth").permitAll()
                    .antMatchers("/**").fullyAuthenticated()
                    .and()
                    .formLogin()
                    .loginPage("http:localhost:4200/auth")
                    .successForwardUrl("/");
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.ldapAuthentication()
                    .userDnPatterns("uid={0}")
                    .contextSource()
                    .url("ldap://dc.msv.net:389/dc=msv,dc=net");
        }
    }

    molexx
    @molexx

    In token based 'remember me' tokens, would it be fair to say that the 'key' is more of a 'seed' than a 'key', and if it were discovered wouldn't be that useful because it's part of the string hashed with the user's password and other (possibly guessable) things?

    https://docs.spring.io/spring-security/site/docs/current/reference/html5/#remember-me-hash-token

    Mike Noordermeer
    @MikeN123

    Hi. I'm looking into the Spring Security SAML 2.0 branch, but am hitting some obstacles and am wondering if these things are already on the roadmap and/or if I can help out implementing them.

    1.) It does not seem to be possible to use a custom Principal/UserDetails object. The 'raw' assertion and NameId are put in a DefaultSamlAuthentication object and that's it. There does not even seem to be an override possibility in the SamlAuthenticationResponseFilter. Is this correct? This is an issue as it makes it impossible to: a.) use a 'username' other than the NameID, and often the NameID is not what we use as a username. b.) specify/load/parse any GrantedAuthorities for the user.

    2.) It seems only raw metadata is cached. It seems that for every request the metadata is parsed again. In case of large metadata files, this will bring down your server quite rapidly (e.g., UK federation has 50+ MB metadata). Shouldn't the parsed metadata be cached?

    3.) It seems metadata is only cached for 10 minutes. Metadata usually has a validUntil property that should/could be used? With large metadata files this is again an issue.

    4.) It does not seem possible to load metadata from the filesystem, other than directly embedded in the properties or with custom code that does the loading from file, is that correct?

    5.) InResponseTo does not seem to be checked. DefaultValidator.validate specifies 'null' as the value for mustMatchInResponseTo. The checks only succeed because unsolicited responses are accepted by default. This seems like a bug to me.

    6.) Unsolicited responses are enabled by default, but the absence of an InResponseTo field is not checked. It should be according to the spec (4.1.5 of the profiles spec). This opens up the SP to replay attacks. Enabling unsolicited responses/IdP-initiated SSO by default is debatable as well, as it opens up the SP to login CSRF attacks where the attacker logs the user in under his own account.

    Could anyone let me know if my findings are correct and if I can help out somewhere?

    James Howe
    @OrangeDog
    @MikeN123 I'm sure you're aware, but the current release doesn't have any of those issues (unless you count new FilesystemMetadataProvider as custom code)
    SeyedAliZiaei
    @Seyed_zia_twitter
    Hi, I have a problem with LDAP authentication in Spring Security. The username and password are correct, but I get: Bad credentials

    This is my code.

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity(debug = true)
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        private String url = "ldap://dc.msv.net:389/DC=msv,DC=net";
        private String domain = "dc.msv.net";
        private String userDNPattern = "sAMAccountName={0},DC=msv,DC=net";

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Manager DN and password are hard-coded here as posted; in practice they belong in externalized configuration.
            auth.ldapAuthentication()
                    .contextSource()
                    .url(url)
                    .managerDn("arpa")
                    .managerPassword("masterone4408$$)*")
                    .and()
                    .userSearchFilter("memberOf=(&(CN={0}))");
        }
    }
    Mike Noordermeer
    @MikeN123
    @OrangeDog if you mean Spring Security SAML v1.x releases, that's true. But that is using an unsupported OpenSAML library. Getting the new branch up to par would be really welcome.
    James Howe
    @OrangeDog
    @MikeN123 it's unsupported? Last release was in April.
    They're not published to Central, you need to add https://build.shibboleth.net/nexus/content/repositories/releases/
    Mike Noordermeer
    @MikeN123
    Those are the 3.x releases. Spring Security SAML 1.x branch uses the 2.x releases.
    That has been unsupported, without any security support, since 2016.
    James Howe
    @OrangeDog
    @MikeN123 oh, I see. There aren't any CVEs against them at least.
    Mike Noordermeer
    @MikeN123
    Yeah, but getting the new SAML stuff ready for production would be welcome, so just trying to see if I can help here.
    James Howe
    @OrangeDog
    :thumbsup:
    Mike Noordermeer
    @MikeN123
    @fhanik any thoughts on this? :point_up: July 31, 2019 8:45 PM
    bricerader
    @bricerader
    Hey all, I've been upgrading an API to Greenwich and I'm now using spring-security-web 5.1.4 with a security config. When I run the request I receive a 403 with "CSRF Token has been associated to this client". I've tried disabling csrf and authorizing the POST request I'm running, both to no avail. Any ideas?
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        @SuppressWarnings({"PMD.SignatureDeclareThrowsException"})
        protected void configure(final HttpSecurity http) throws Exception {
            http.csrf().disable();

    //        http.csrf().disable()
    //                .authorizeRequests()
    //                .antMatchers(HttpMethod.POST, "/my/valid/url").permitAll();
        }
    }
    Eleftheria Stein-Kousathana
    @eleftherias
    @bricerader If you are using WebFlux the security configuration is different. You don't extend WebSecurityConfigurerAdapter. Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/5.1.6.RELEASE/reference/htmlsingle/#explicit-webflux-security-configuration
    Lovro Pandžić
    @lpandzic
    hello, I have a question regarding csrf protection. I've successfully injected the csrf token into my first ajax request, but when the second ajax request gets executed it seems that the csrf token has changed?
    flow is as follows -> GET index then GET data -> POST data (simplified)
    Now I assume that the second GET triggers a csrf token change, but how can I get the new csrf value from the second GET, and is this the recommended approach, or should I somehow exclude API endpoints from the csrf change mechanism?
    bricerader
    @bricerader
    @eleftherias Thanks! This was a great reference; had to do a little more digging to get it right. This is what I ended up with if anyone is curious. To me, this should be their default example for the bare minimum:
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;

    @Configuration
    @EnableWebFluxSecurity
    public class SecurityConfig {

        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            // Disable login form, HTTP Basic, CSRF and logout
            http
                    .httpBasic().disable()
                    .formLogin().disable()
                    .csrf().disable()
                    .logout().disable();

            // Authorize everyone
            http
                    .authorizeExchange()
                    .anyExchange().permitAll();
            return http.build();
        }
    }
    Pieter Pletinckx
    @pspletinckx
    I've finished the book "Hands-On Spring Security 5 for Reactive Applications" some weeks ago. It should be called "Spring Security and Reactive Applications" because the overlap is very, very thin. I'm now looking for something more in-depth on webflux & spring security. Anyone have a good example?
    Dessie
    @dkirrane
    Hi, has anyone done OIDC dynamic client registration
    With keycloak
    Pieter Pletinckx
    @pspletinckx
    I've written an AuthenticationWebFilter for my protocol. How do I make use of the "RememberMe" functionality in spring-security & webflux?
    James Howe
    @OrangeDog
    @pspletinckx you need to call methods on the RememberMeServices
    specifically the same instance that the RememberMeAuthenticationFilter is using
    Piotr Kucharski
    @Sketusky
    I'm considering using OAuth2 with PKCE support to authorize users in a mobile application. I've heard that it is not available in Spring Security. What can you propose to use?