    SeyedAliZiaei
    @Seyed_zia_twitter
    hi
    I have a problem.
    I am using Spring Boot and Angular. I will use LDAP for authentication. Spring Boot is running on Tomcat and Angular is running on Apache.
    I will redirect to the Angular page in the Spring Security config for login, but

    'http:localhost:4200/auth?error' is not a valid redirect URL

    This is the Spring Security config:
    package org.sap;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.password.LdapShaPasswordEncoder;

    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/auth").permitAll()
                .antMatchers("/**").fullyAuthenticated().and()
                .formLogin().loginPage("http:localhost:4200/auth").successForwardUrl("/");
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.ldapAuthentication().userDnPatterns("uid={0}")
                .contextSource().url("ldap://dc.msv.net:389/dc=msv,dc=net");
        }
    }

    molexx
    @molexx

    In token based 'remember me' tokens, would it be fair to say that the 'key' is more of a 'seed' than a 'key', and if it were discovered wouldn't be that useful because it's part of the string hashed with the user's password and other (possibly guessable) things?

    https://docs.spring.io/spring-security/site/docs/current/reference/html5/#remember-me-hash-token

    Mike Noordermeer
    @MikeN123

    Hi. I'm looking into the Spring Security SAML 2.0 branch, but am hitting some obstacles and am wondering if these things are already on the roadmap and/or if I can help out implementing them.

    1.) It does not seem to be possible to use a custom Principal/UserDetails object. The 'raw' assertion and NameId are put in a DefaultSamlAuthentication object and that's it. There does not even seem to be an override possibility in the SamlAuthenticationResponseFilter. Is this correct? This is an issue as it makes it impossible to: a.) use a 'username' other than the NameID, and often the NameID is not what we use as a username. b.) specify/load/parse any GrantedAuthorities for the user.

    2.) It seems only raw metadata is cached. It seems that for every request the metadata is parsed again. In case of large metadata files, this will bring down your server quite rapidly (e.g., UK federation has 50+ MB metadata). Shouldn't the parsed metadata be cached?

    3.) It seems metadata is only cached for 10 minutes. Metadata usually has a validUntil property that should/could be used? With large metadata files this is again an issue.

    4.) It does not seem possible to load metadata from the filesystem, other than directly embedded in the properties or with custom code that does the loading from file, is that correct?

    5.) InResponseTo does not seem to be checked. DefaultValidator.validate specifies 'null' as the value for mustMatchInResponseTo. The checks only succeed because unsolicited responses are accepted by default. This seems like a bug to me.

    6.) Unsolicited responses are enabled by default, but the absence of a InResponseTo field is not checked. Should be according to the spec (4.1.5 of profiles spec). This opens up the SP to replay attacks. Enabling unsolicited responses/IdP initiated SSO by default is debatable as well, as it opens up the SP to login CSRF attacks where the attacker logs the user in under his own account.

    Could anyone let me know if my findings are correct and if I can help out somewhere?

    James Howe
    @OrangeDog
    @MikeN123 I'm sure you're aware, but the current release doesn't have any of those issues (unless you count new FilesystemMetadataProvider as custom code)
    SeyedAliZiaei
    @Seyed_zia_twitter
    Hi, I have a problem with authentication in Spring Security with LDAP. The username and password are correct but I get: Bad credentials

    This is my code.

    @EnableWebSecurity(debug = true)
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        private String url = "ldap://dc.msv.net:389/DC=msv,DC=net";
        private String domain = "dc.msv.net";
        private String userDNPattern = "sAMAccountName={0},DC=msv,DC=net";

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.ldapAuthentication().contextSource().url(url).managerDn("arpa").managerPassword("masterone4408$$)*").and().userSearchFilter("memberOf=(&(CN={0}))");
        }
    }
    Mike Noordermeer
    @MikeN123
    @OrangeDog if you mean Spring Security SAML v1.x releases, that's true. But that is using an unsupported OpenSAML library. Getting the new branch up to par would be really welcome.
    James Howe
    @OrangeDog
    @MikeN123 it's unsupported? Last release was in April.
    They're not published to Central, you need to add https://build.shibboleth.net/nexus/content/repositories/releases/
    Mike Noordermeer
    @MikeN123
    Those are the 3.x releases. Spring Security SAML 1.x branch uses the 2.x releases.
    That has been unsupported, without any security support, since 2016.
    James Howe
    @OrangeDog
    @MikeN123 oh, I see. There aren't any CVEs against them at least.
    Mike Noordermeer
    @MikeN123
    Yeah, but getting the new SAML stuff ready for production would be welcome, so just trying to see if I can help here.
    James Howe
    @OrangeDog
    :thumbsup:
    Mike Noordermeer
    @MikeN123
    @fhanik any thoughts on this? :point_up: July 31, 2019 8:45 PM
    bricerader
    @bricerader
    Hey all, I've been upgrading an API to Greenwich and I'm now using spring-security-web 5.1.4 with a security config. When I run the request I receive a 403 with CSRF Token has been associated to this client. I've tried disabling csrf and authorizing the POST request I'm running, both to no avail. Any ideas?
    @EnableWebSecurity
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Override
        @SuppressWarnings({"PMD.SignatureDeclareThrowsException"})
        protected void configure(final HttpSecurity http) throws Exception  {
            http.csrf().disable();
    
    //        http.csrf().disable()
    //                .authorizeRequests()
    //                .antMatchers(HttpMethod.POST, "/my/valid/url").permitAll();
        }
    }
    Eleftheria Stein-Kousathana
    @eleftherias
    @bricerader If you are using WebFlux the security configuration is different. You don't extend WebSecurityConfigurerAdapter. Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/5.1.6.RELEASE/reference/htmlsingle/#explicit-webflux-security-configuration
    Lovro Pandžić
    @lpandzic
    Hello, I have a question regarding CSRF protection. I've successfully injected the CSRF token into my first AJAX request, but when the second AJAX request gets executed it seems that the CSRF token has changed?
    The flow is as follows -> GET index then GET data -> POST data (simplified)
    Now I assume that the second GET triggers a CSRF token change, but how can I get the new CSRF value of the second GET? Is this the recommended approach, or should I somehow exclude API endpoints from the CSRF change mechanism?
    bricerader
    @bricerader
    @eleftherias Thanks! This was a great reference, had to do a little more digging to get it right. This is what I ended up with if anyone is curious. To me, this should be there default example for the bare minimum:
    @Configuration
    @EnableWebFluxSecurity
    public class SecurityConfig {
    
        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            // Disable login form
            http
                    .httpBasic().disable()
                    .formLogin().disable()
                    .csrf().disable()
                    .logout().disable();
    
            // Authorize everyone
            http
                    .authorizeExchange()
                    .anyExchange().permitAll();
            return http.build();
        }
    }
    Pieter Pletinckx
    @pspletinckx
    I've finished the book "Hands-On Spring Security 5 for Reactive Applications" some weeks ago. It should be called "Spring Security and Reactive Applications" because the overlap is very, very thin. I'm now looking for something more in-depth on WebFlux & Spring Security. Does anyone have a good example?
    Dessie
    @dkirrane
    Hi, has anyone done OIDC dynamic client registration
    With keycloak
    Pieter Pletinckx
    @pspletinckx
    I've written an AuthenticationWebFilter for my protocol. How do I make use of the "RememberMe" functionality in Spring Security & WebFlux?
    James Howe
    @OrangeDog
    @pspletinckx you need to call methods on the RememberMeServices
    specifically the same instance that the RememberMeAuthenticationFilter is using
    Piotr Kucharski
    @Sketusky
    I'm considering using OAuth2 with PKCE support to authorize users in a mobile application. I've heard that it is not available in Spring Security. What can you propose to use?
    James Howe
    @OrangeDog
    There's a PR here you can use as a start.
    spring-projects/spring-security-oauth#675
    Dennis Böckmann
    @dbck
    Hello, is there a roadmap, when spring-security-saml will be integrated in spring-security-core?
    Which version of spring-security-saml should I use with spring boot 2.1.6 in the meantime?
    rxxy
    @rxxy
    阿斯蒂芬
    James Howe
    @OrangeDog
    @dbck 1.0.9.RELEASE
    James Howe
    @OrangeDog
    Are the default CSRF tokens implemented in such a way as to mitigate BREACH? For example, have them change frequently.
    javabotnetflix
    @javabotnetflix
    http.csrf().disable()
        .formLogin().disable()
        .logout().disable()
        .authorizeExchange().pathMatchers(prefix + "/publish/**").hasRole("XYZ_ROLE")
        .anyExchange().authenticated().and().httpBasic();
    How can I apply multiple user roles to a single path?
    For a single user role it's working fine.
    Dennis Böckmann
    @dbck
    Hi, I want to provide a saml library/starter with a preconfigured saml and security configuration. How can I give the project, which uses this preconfigured library, control over the security configuration without breaking the saml and security configuration. For example, by default the whole application should be secured via saml if the library is listed as dependency. And the project which uses the preconfigured library should be able to exclude some paths from security configuration to give public access to a path.
    Should I use autoconfiguration to override the preconfigured security configuration of the saml library. Hopefully without the need to repeat anything from the saml configuration stuff. Or can I use multiple security configurations to extend the security configuration of the saml library? Any other solutions?
    Bruce Zhang
    @niyaode
    Infinite redirection after successful oauth2 authorization code
    Eddú Meléndez Gonzales
    @eddumelendez
    @OrangeDog currently there is no support for that. There is an open issue #4001 and a PR which I am working on
    Arthur Kazemi
    @bidadh

    Hi, I have an issue setting up OAuth2 alongside basic auth to protect some other APIs, and it seems one is getting overridden by the other one. I know that's about @Order and have already tried different orders, and it is still not working. I also tried setting up basic auth by adding properties only and the same thing happens.
    It would be much appreciated if someone helped me get out of this.

    Here is the configuration:

    public class SecurityConfiguration {
    
      @Configuration
      public static class InternalWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
          http
            .authorizeRequests()
            .antMatchers("/basic/**").authenticated()
            .and()
            .httpBasic();
        }
      }
    
      @Configuration
      @EnableResourceServer
      @EnableGlobalMethodSecurity(prePostEnabled = true)
      public static class DefaultWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
    
        @Override
        public void configure(HttpSecurity http) throws Exception {
          http
            .csrf().disable()
            .authorizeRequests()
            .and()
            .exceptionHandling()
            .and()
            .authorizeRequests()
            .anyRequest()
            .authenticated();
        }
      }
    }
    I modified it a little bit to make it as simple as possible
    Eleftheria Stein-Kousathana
    @eleftherias

    @bidadh you need to specify which matcher your configuration applies to. Your first configuration should look like this

    http
        .antMatcher("/basic/**")
        .authorizeRequests()
            .anyRequest().authenticated()
    ...

    Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity

    Arthur Kazemi
    @bidadh
    Thanks @eleftherias. I tried it, but it seems I was doing something else wrong. It works as expected now.
    Mike
    @mikeloll
    Hi all. Does anyone have any pointers on how I could get a list of all of the RequestMatchers which are configured via the HttpSecurity class? I have a spring boot web app and I want to capture a list of RequestMappings and the roles necessary to use them. I'd prefer to just autowire some spring class, but I could certainly write extra code to capture the info when I configure my HttpSecurity instance.
    Krystian Zybała
    @krystianzybala

    Hi,

    Does Spring Security support Authorization Server working with Webflux and Netty?

    Diod FR
    @diodfr
    Hi all,
    I am about to push a PR on the Oauth client provider.
    The issue I am trying to fix is a token expiration error. If the server and the client have the same clock, an expired token will be sent for 60 seconds.
    I think the proper way to manage the token renewal is to ensure that the token is valid for at least clockSkew.
    It looks like @jgrandja is in charge of this part of the code.
    Could you tell me if I am wrong?
    Thanks for your work.
    Thomas Hackel
    @thackel
    Hi there. I'm having a hard time with Spring Security and the resource server. I have no clue why it uses my normal "form-login" chain instead of the chain with the OAuth filters. As far as I know I can play with @Order and with httpSecurity.antRequestMatcher, but currently without luck. Any idea what can be the cause that the WebSecurityConfigurerAdapter kicks in when the ResourceServerConfigurerAdapter should be used? I reversed the order and I even let the resource server "listen" on /**... I have no clue how to debug this; even with TRACE debug levels the decision path is not shown.
    Thomas Hackel
    @thackel
    Found my mistake. Shame on me... the ResourceServerConfigurerAdapter was missing the @Configuration annotation.
    lir-ht
    @lir-ht
    Hi. I'm trying to secure my service component, so that (most) users can't access other users' data. It seems the way to do it is with PreAuthorize/PostAuthorize and Spring expression language...? But since the end result of this seems to be an AccessDeniedException being thrown (and turned into a 403 in the web layer), what's the advantage of using annotations and SpEL over simply putting the logic (in Java) in the method itself and explicitly throwing the exception as appropriate? Would the plain-Java-and-exceptions approach cause some kind of problem with other parts of Spring?
    Pravin Rahangdale
    @pravin-raha
    Hi, is there any way to exclude single POST/PUT request from spring security?
    Thomas Hackel
    @thackel
    @pravin-raha yes, e.g. webSecurity.ignoring().antMatchers(HttpMethod.POST, "/fooBar/**") in the adapter configuration