Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security
@WebMvcTest
and this works in general too, but as soon as we add more dependencies in our WebSecurityConfig the problems start. We cannot autowire all necessary dependencies (NoSuchBeanDefinitionException: No qualifying bean of type 'com.example.demo.MyUserDetailsService' available:
) Does anyone have experience and can help? I did create a demo project with tests that shows the problem in a simple way. It is on my GitHub profile (https://github.com/pas2al/spring-playground). Any help would be super awesome.
@Seyed_zia_twitter
hi
I have problem.
i am using from spring boot and angular . i will use ldap from authentication . spring boot running on tomcat and angular running on apache
i will redirect in to angular page in spring security config for login but
'http:localhost:4200/auth?error' is not a valid redirect URL
this spring security config :
package org.sap;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.LdapShaPasswordEncoder;
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/auth").permitAll().
antMatchers("/**").fullyAuthenticated().and().formLogin().loginPage("http:localhost:4200/auth").successForwardUrl("/");
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception{
auth.ldapAuthentication().userDnPatterns("uid={0}")
.contextSource().url("ldap://dc.msv.net:389/dc=msv,dc=net");
}
}
In token based 'remember me' tokens, would it be fair to say that the 'key' is more of a 'seed' than a 'key', and if it were discovered wouldn't be that useful because it's part of the string hashed with the user's password and other (possibly guessable) things?
https://docs.spring.io/spring-security/site/docs/current/reference/html5/#remember-me-hash-token
Hi. I'm looking into the Spring Security SAML 2.0 branch, but am hitting some obstacles and am wondering if these things are already on the roadmap and/or if I can help out implementing them.
1.) It does not seem to be possible to use a custom Principal/UserDetails object. The 'raw' assertion and NameId are put in a DefaultSamlAuthentication object and that's it. There does not even seem to be an override possibility in the SamlAuthenticationResponseFilter. Is this correct? This is an issue as it makes it impossible to: a.) use a 'username' other than the NameID, and often the NameID is not what we use as a username. b.) specify/load/parse any GrantedAuthorities for the user.
2.) It seems only raw metadata is cached. It seems that for every request the metadata is parsed again. In case of large metadata files, this will bring down your server quite rapidly (e.g., UK federation has 50+ MB metadata). Shouldn't the parsed metadata be cached?
3.) It seems metadata is only cached for 10 minutes. Metadata usually has a validUntil property that should/could be used? With large metadata files this is again an issue.
4.) It does not seem possible to load metadata from the filesystem, other than directly embedded in the properties or with custom code that does the loading from file, is that correct?
5.) InResponseTo does not seem to be checked. DefaultValidator.validate specifies 'null' as the value for mustMatchInResponseTo. The checks only succeed because unsolicited responses are accepted by default. This seems like a bug to me.
6.) Unsolicited responses are enabled by default, but the absence of a InResponseTo field is not checked. Should be according to the spec (4.1.5 of profiles spec). This opens up the SP to replay attacks. Enabling unsolicited responses/IdP initiated SSO by default is debatable as well, as it opens up the SP to login CSRF attacks where the attacker logs the user in under his own account.
Could anyone let me know if my findings are correct and if I can help out somewhere?
this is my code.
@EnableWebSecurity(debug = true)
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private String url = "ldap://dc.msv.net:389/DC=msv,DC=net";
private String domain = "dc.msv.net";
private String userDNPattern = "sAMAccountName={0},DC=msv,DC=net";
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication().contextSource().url(url).managerDn("arpa").managerPassword("masterone4408$$)*").and().userSearchFilter("memberOf=(&(CN={0}))");
}
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
@SuppressWarnings({"PMD.SignatureDeclareThrowsException"})
protected void configure(final HttpSecurity http) throws Exception {
http.csrf().disable();
// http.csrf().disable()
// .authorizeRequests()
// .antMatchers(HttpMethod.POST, "/my/valid/url").permitAll();
}
}
WebSecurityConfigurerAdapter
. Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/5.1.6.RELEASE/reference/htmlsingle/#explicit-webflux-security-configuration
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
// Disable login form
http
.httpBasic().disable()
.formLogin().disable()
.csrf().disable()
.logout().disable();
// Authorize everyone
http
.authorizeExchange()
.anyExchange().permitAll();
return http.build();
}
}
RememberMeAuthenticationFilter
is using
http.csrf().disable()
.formLogin().disable()
.logout().disable()
.authorizeExchange().pathMatchers(prefix + "/publish/**").hasRole("XYZ_ROLE")
.anyExchange().authenticated().and().httpBasic();
how can i apply multiple user roles to single path?Hi, I do have an issue setting up oauth2 alongside with the basic auth to protect some other APIs, and seems one is getting override by the other one. I know that's @Order and have already tried different Orders and still not working. I also tried setting up basic auth with adding properties only and same thing happens.
That's much appreciated if someone helps me getting out of this.
Here is the configuration:
public class SecurityConfiguration {
@Configuration
public static class InternalWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/basic/**").authenticated()
.and()
.httpBasic();
}
}
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public static class DefaultWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.and()
.exceptionHandling()
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
}
}
}
@bidadh you need to specify which matcher your configuration applies to. Your first configuration should look like this
http
.antMatcher("/basic/**")
.authorizeRequests()
.anyRequest().authenticated()
...
Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity