    Filip Hanik
    @fhanik
    James Howe
    @OrangeDog
    That looks like it's only for XML config? That wouldn't apply if using (as is generally recommended) Java config.
    Filip Hanik
    @fhanik
    yes, that's correct, the UAA originated in 2011, the samples have Java examples
    James Howe
    @OrangeDog
    Ah yes, nesting the composites like that would also work.
    Wilber Saca
    @wsaca
    I resolved it, now the app is configured to use the alg RS512
    Donald F Coffin
    @dfcoffin
    Is there a planned release date for OAuth 2 Authorization Server support in Spring Security?
    Evgen Koshmaryk
    @koshmaryk
    Hi all. I'm trying to set up Spring Security within Spring Cloud Gateway. There are specific gateway security headers, as Zuul had before. Previously, in non-reactive applications, I used WebSecurityConfigurerAdapter, with which I could ignore some routes, but in reactive apps I can't use it. Those routes belong to a legacy service which can't work with those security headers, so I'm trying to find alternatives. It would be great if someone could advise how this is possible.
    Andreas Falk
    @andifalk
    @dfcoffin this is part of Spring Security version 5.3, which does not yet have a release date. Please see here:
    https://github.com/spring-projects/spring-security/milestone/136
    Donald F Coffin
    @dfcoffin
    @andifalk Thanks for the update
    Pascal Zwick
    @pas2al
    Hi everyone, for days my team and I have struggled to get a clean test setup in combination with Spring Security. The application works in general. We want to test our controllers with @WebMvcTest, and this works in general too, but as soon as we add more dependencies to our WebSecurityConfig the problems start. We cannot autowire all the necessary dependencies (NoSuchBeanDefinitionException: No qualifying bean of type 'com.example.demo.MyUserDetailsService' available). Does anyone have experience with this and can help? I created a demo project with tests that shows the problem in a simple way. It is on my GitHub profile (https://github.com/pas2al/spring-playground). Any help would be super awesome.
    Mahdi Robatipoor
    @robatipoor
    Does anyone know how AuthenticationManager authenticates a user under the hood?
    SeyedAliZiaei
    @Seyed_zia_twitter
    Hi, I have a problem.
    I am using Spring Boot and Angular. I will use LDAP for authentication. Spring Boot is running on Tomcat and Angular is running on Apache.
    In the Spring Security config I redirect to the Angular page for login, but I get:

    'http:localhost:4200/auth?error' is not a valid redirect URL

    This is the Spring Security config:
    package org.sap;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/auth").permitAll()
                    .antMatchers("/**").fullyAuthenticated()
                .and()
                .formLogin()
                    // As posted: the scheme is missing "//". Spring derives the failure URL
                    // as loginPage + "?error" and rejects it because "http:localhost..." is
                    // neither a "/"-relative path nor an absolute "scheme://..." URL.
                    .loginPage("http:localhost:4200/auth")
                    .successForwardUrl("/");
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Bind as the user directly via the DN pattern; no manager credentials needed.
            auth.ldapAuthentication()
                    .userDnPatterns("uid={0}")
                    .contextSource()
                        .url("ldap://dc.msv.net:389/dc=msv,dc=net");
        }
    }

    molexx
    @molexx

    In token based 'remember me' tokens, would it be fair to say that the 'key' is more of a 'seed' than a 'key', and if it were discovered wouldn't be that useful because it's part of the string hashed with the user's password and other (possibly guessable) things?

    https://docs.spring.io/spring-security/site/docs/current/reference/html5/#remember-me-hash-token

    Mike Noordermeer
    @MikeN123

    Hi. I'm looking into the Spring Security SAML 2.0 branch, but am hitting some obstacles and am wondering if these things are already on the roadmap and/or if I can help out implementing them.

    1.) It does not seem to be possible to use a custom Principal/UserDetails object. The 'raw' assertion and NameId are put in a DefaultSamlAuthentication object and that's it. There does not even seem to be an override possibility in the SamlAuthenticationResponseFilter. Is this correct? This is an issue as it makes it impossible to: a.) use a 'username' other than the NameID, and often the NameID is not what we use as a username. b.) specify/load/parse any GrantedAuthorities for the user.

    2.) It seems only raw metadata is cached. It seems that for every request the metadata is parsed again. In case of large metadata files, this will bring down your server quite rapidly (e.g., UK federation has 50+ MB metadata). Shouldn't the parsed metadata be cached?

    3.) It seems metadata is only cached for 10 minutes. Metadata usually has a validUntil property that should/could be used? With large metadata files this is again an issue.

    4.) It does not seem possible to load metadata from the filesystem, other than directly embedded in the properties or with custom code that does the loading from file, is that correct?

    5.) InResponseTo does not seem to be checked. DefaultValidator.validate specifies 'null' as the value for mustMatchInResponseTo. The checks only succeed because unsolicited responses are accepted by default. This seems like a bug to me.

    6.) Unsolicited responses are enabled by default, but the absence of a InResponseTo field is not checked. Should be according to the spec (4.1.5 of profiles spec). This opens up the SP to replay attacks. Enabling unsolicited responses/IdP initiated SSO by default is debatable as well, as it opens up the SP to login CSRF attacks where the attacker logs the user in under his own account.

    Could anyone let me know if my findings are correct and if I can help out somewhere?

    James Howe
    @OrangeDog
    @MikeN123 I'm sure you're aware, but the current release doesn't have any of those issues (unless you count new FilesystemMetadataProvider as custom code)
    SeyedAliZiaei
    @Seyed_zia_twitter
    Hi, I have a problem with LDAP authentication in Spring Security. The username and password are correct, but I get: Bad credentials

    This is my code.

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity(debug = true)
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        private String url = "ldap://dc.msv.net:389/DC=msv,DC=net";
        private String domain = "dc.msv.net";
        private String userDNPattern = "sAMAccountName={0},DC=msv,DC=net";
        // The posted config hard-coded the manager password inline; it is redacted here.
        // Load it from externalized configuration rather than source.
        private String managerPassword = "<manager-password>";

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.ldapAuthentication()
                    .contextSource()
                        .url(url)
                        .managerDn("arpa")
                        .managerPassword(managerPassword)
                    .and()
                    // As posted. Note that "memberOf=(&(CN={0}))" is not a well-formed LDAP
                    // search filter; a typical Active Directory user lookup is "(sAMAccountName={0})".
                    .userSearchFilter("memberOf=(&(CN={0}))");
        }
    }
    Mike Noordermeer
    @MikeN123
    @OrangeDog if you mean Spring Security SAML v1.x releases, that's true. But that is using an unsupported OpenSAML library. Getting the new branch up to par would be really welcome.
    James Howe
    @OrangeDog
    @MikeN123 it's unsupported? Last release was in April.
    They're not published to Central, you need to add https://build.shibboleth.net/nexus/content/repositories/releases/
    Mike Noordermeer
    @MikeN123
    Those are the 3.x releases. Spring Security SAML 1.x branch uses the 2.x releases.
    That has been unsupported, without any security support, since 2016.
    James Howe
    @OrangeDog
    @MikeN123 oh, I see. There aren't any CVEs against them at least.
    Mike Noordermeer
    @MikeN123
    Yeah, but getting the new SAML stuff ready for production would be welcome, so just trying to see if I can help here.
    James Howe
    @OrangeDog
    :thumbsup:
    Mike Noordermeer
    @MikeN123
    @fhanik any thoughts on this? :point_up: July 31, 2019 8:45 PM
    bricerader
    @bricerader
    Hey all, I've been upgrading an API to Greenwich and I'm now using spring-security-web 5.1.4 with a security config. When I run the request I receive a 403 with CSRF Token has been associated to this client. I've tried disabling csrf and authorizing the POST request I'm running, both to no avail. Any ideas?
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        @SuppressWarnings({"PMD.SignatureDeclareThrowsException"})
        protected void configure(final HttpSecurity http) throws Exception {
            // Servlet-stack (Spring MVC) configuration; has no effect on a WebFlux application.
            http.csrf().disable();

    //        http.csrf().disable()
    //                .authorizeRequests()
    //                .antMatchers(HttpMethod.POST, "/my/valid/url").permitAll();
        }
    }
    Eleftheria Stein-Kousathana
    @eleftherias
    @bricerader If you are using WebFlux the security configuration is different. You don't extend WebSecurityConfigurerAdapter. Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/5.1.6.RELEASE/reference/htmlsingle/#explicit-webflux-security-configuration
    Lovro Pandžić
    @lpandzic
    Hello, I have a question regarding CSRF protection. I've successfully injected the CSRF token into my first AJAX request, but when the second AJAX request is executed it seems that the CSRF token has changed?
    The flow is as follows: GET index, then GET data, then POST data (simplified).
    Now I assume that the second GET triggers a CSRF token change, but how can I get the new CSRF value from the second GET? And is this the recommended approach, or should I somehow exclude API endpoints from the CSRF change mechanism?
    bricerader
    @bricerader
    @eleftherias Thanks! This was a great reference; I had to do a little more digging to get it right. This is what I ended up with, if anyone is curious. To me, this should be the default example for the bare minimum:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;

    @Configuration
    @EnableWebFluxSecurity
    public class SecurityConfig {

        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            // Disable the login form, HTTP Basic, CSRF protection and logout
            http
                    .httpBasic().disable()
                    .formLogin().disable()
                    .csrf().disable()
                    .logout().disable();

            // Authorize everyone: every exchange is permitted without authentication
            http
                    .authorizeExchange()
                    .anyExchange().permitAll();
            return http.build();
        }
    }
    Pieter Pletinckx
    @pspletinckx
    I finished the book "Hands-On Spring Security 5 for Reactive Applications" some weeks ago. It should be called "Spring Security and Reactive Applications", because the overlap is very, very thin. I'm now looking for something more in-depth on WebFlux and Spring Security. Does anyone have a good example?
    Dessie
    @dkirrane
    Hi, has anyone done OIDC dynamic client registration with Keycloak?
    Pieter Pletinckx
    @pspletinckx
    I've written an AuthenticationWebFilter for my protocol; how do I make use of the "RememberMe" functionality in Spring Security with WebFlux?
    James Howe
    @OrangeDog
    @pspletinckx you need to call methods on the RememberMeServices
    specifically the same instance that the RememberMeAuthenticationFilter is using
    Piotr Kucharski
    @Sketusky
    I'm considering using OAuth2 with PKCE support to authorize users in a mobile application. I've heard that it is not available in Spring Security. What can you propose to use?
    James Howe
    @OrangeDog
    There's a PR here you can use as a start.
    spring-projects/spring-security-oauth#675
    Dennis Böckmann
    @dbck
    Hello, is there a roadmap, when spring-security-saml will be integrated in spring-security-core?
    Which version of spring-security-saml should I use with spring boot 2.1.6 in the meantime?
    James Howe
    @OrangeDog
    @dbck 1.0.9.RELEASE
    James Howe
    @OrangeDog
    Are the default CSRF tokens implemented in such a way as to mitigate BREACH? For example, have them change frequently.
    javabotnetflix
    @javabotnetflix
    http.csrf().disable()
            .formLogin().disable()
            .logout().disable()
            .authorizeExchange()
                .pathMatchers(prefix + "/publish/**").hasRole("XYZ_ROLE")
                .anyExchange().authenticated()
            .and()
            .httpBasic();
    How can I apply multiple user roles to a single path?
    For a single user role it's working fine.
    Dennis Böckmann
    @dbck
    Hi, I want to provide a SAML library/starter with a preconfigured SAML and security configuration. How can I give the project which uses this preconfigured library control over the security configuration without breaking the SAML and security configuration? For example, by default the whole application should be secured via SAML if the library is listed as a dependency, and the project which uses the preconfigured library should be able to exclude some paths from the security configuration to give public access to a path.
    Should I use autoconfiguration to override the preconfigured security configuration of the SAML library, hopefully without the need to repeat anything from the SAML configuration? Or can I use multiple security configurations to extend the security configuration of the SAML library? Any other solutions?
    Bruce Zhang
    @niyaode
    Infinite redirection after successful oauth2 authorization code