    Lovro Pandžić
    @lpandzic
    hello, I have a question regarding CSRF protection. I've successfully injected the CSRF token into my first AJAX request, but when the second AJAX request gets executed it seems that the CSRF token has changed?
    flow is as follows -> GET index then GET data -> POST data (simplified)
    now I assume that the second GET triggers a CSRF token change, but how can I get the new CSRF value from the second GET? And is this the recommended approach, or should I somehow exclude API endpoints from the CSRF change mechanism?
    bricerader
    @bricerader
    @eleftherias Thanks! This was a great reference; I had to do a little more digging to get it right. This is what I ended up with, if anyone is curious. To me, this should be the default example for the bare minimum:
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;
    
    @Configuration
    @EnableWebFluxSecurity
    public class SecurityConfig {
    
        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            // Disable HTTP Basic, the login form, CSRF protection and logout
            http
                    .httpBasic().disable()
                    .formLogin().disable()
                    .csrf().disable()
                    .logout().disable();
    
            // Authorize everyone: every exchange is permitted without authentication
            http
                    .authorizeExchange()
                    .anyExchange().permitAll();
            return http.build();
        }
    }
    Pieter Pletinckx
    @pspletinckx
    I've finished the book "Hands-On Spring Security 5 for Reactive Applications" some weeks ago. It should be called "Spring Security and Reactive Applications" because the overlap is very, very thin. I'm now seeking something more in-depth on WebFlux & Spring Security. Does anyone have a good example?
    Dessie
    @dkirrane
    Hi, has anyone done OIDC dynamic client registration
    with Keycloak?
    Pieter Pletinckx
    @pspletinckx
    I've written an AuthenticationWebFilter for my protocol. How do I make use of the "RememberMe" functionality in spring-security & WebFlux?
    James Howe
    @OrangeDog
    @pspletinckx you need to call methods on the RememberMeServices
    specifically the same instance that the RememberMeAuthenticationFilter is using
    Piotr Kucharski
    @Sketusky
    I'm considering using OAuth2 with PKCE support to authorize users in a mobile application. I've heard that it is not available in Spring Security. What can you propose to use?
    James Howe
    @OrangeDog
    There's a PR here you can use as a start.
    spring-projects/spring-security-oauth#675
    Dennis Böckmann
    @dbck
    Hello, is there a roadmap for when spring-security-saml will be integrated into spring-security-core?
    Which version of spring-security-saml should I use with Spring Boot 2.1.6 in the meantime?
    rxxy
    @rxxy
    阿斯蒂芬
    James Howe
    @OrangeDog
    @dbck 1.0.9.RELEASE
    James Howe
    @OrangeDog
    Are the default CSRF tokens implemented in such a way as to mitigate BREACH? For example, have them change frequently.
    javabotnetflix
    @javabotnetflix
    http.csrf().disable()
        .formLogin().disable()
        .logout().disable()
        .authorizeExchange()
            .pathMatchers(prefix + "/publish/**").hasRole("XYZ_ROLE")
            .anyExchange().authenticated()
        .and().httpBasic();
    how can I apply multiple user roles to a single path?
    for a single user role it's working fine.
    Dennis Böckmann
    @dbck
    Hi, I want to provide a SAML library/starter with a preconfigured SAML and security configuration. How can I give the project which uses this preconfigured library control over the security configuration without breaking the SAML and security configuration? For example, by default the whole application should be secured via SAML if the library is listed as a dependency, and the project which uses the preconfigured library should be able to exclude some paths from the security configuration to give public access to a path.
    Should I use autoconfiguration to override the preconfigured security configuration of the SAML library, hopefully without the need to repeat anything from the SAML configuration stuff? Or can I use multiple security configurations to extend the security configuration of the SAML library? Any other solutions?
    Bruce Zhang
    @niyaode
    Infinite redirection after successful oauth2 authorization code
    Eddú Meléndez Gonzales
    @eddumelendez
    @OrangeDog currently there is no support for that. There is an open issue #4001 and a PR which I am working on.
    Arthur Kazemi
    @bidadh

    Hi, I have an issue setting up OAuth2 alongside basic auth to protect some other APIs, and it seems one is getting overridden by the other one. I know that's @Order, and I have already tried different Orders and it's still not working. I also tried setting up basic auth by adding properties only, and the same thing happens.
    It would be much appreciated if someone could help me get out of this.

    Here is the configuration:

    public class SecurityConfiguration {
    
      @Configuration
      public static class InternalWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
          http
            .authorizeRequests()
            .antMatchers("/basic/**").authenticated()
            .and()
            .httpBasic();
        }
      }
    
      @Configuration
      @EnableResourceServer
      @EnableGlobalMethodSecurity(prePostEnabled = true)
      public static class DefaultWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
    
        @Override
        public void configure(HttpSecurity http) throws Exception {
          http
            .csrf().disable()
            .authorizeRequests()
            .and()
            .exceptionHandling()
            .and()
            .authorizeRequests()
            .anyRequest()
            .authenticated();
        }
      }
    }
    I modified it a little bit to make it as simple as possible.
    Eleftheria Stein-Kousathana
    @eleftherias

    @bidadh you need to specify which matcher your configuration applies to. Your first configuration should look like this

    http
        .antMatcher("/basic/**")
        .authorizeRequests()
            .anyRequest().authenticated()
    ...

    Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity

    Arthur Kazemi
    @bidadh
    Thanks @eleftherias. I tried it, but it seems I was doing something else wrong. It works as expected now.
    Mike
    @mikeloll
    Hi all. Does anyone have any pointers on how I could get a list of all of the RequestMatchers which are configured via the HttpSecurity class? I have a spring boot web app and I want to capture a list of RequestMappings and the roles necessary to use them. I'd prefer to just autowire some spring class, but I could certainly write extra code to capture the info when I configure my HttpSecurity instance.
    Krystian Zybała
    @krystianzybala

    Hi,

    Does Spring Security support Authorization Server working with Webflux and Netty?

    Diod FR
    @diodfr
    Hi all,
    I am about to push a PR on the Oauth client provider.
    The issue I try to fix is a token expiration error. If the server and the client have the same clock, an expired token will be sent for 60 seconds.
    I think the proper way to manage the token renewal is to ensure that the token is valid for at least clockSkew.
    It looks like @jgrandja is in charge of this part of the code.
    Could you tell me if I am wrong?
    Thanks for your work.
    Thomas Hackel
    @thackel
    Hi there. I have a hard time with spring-sec and the resource server. I have no clue why it uses my normal "form-login" chain instead of the chain with the OAuth filters. As far as I know I can play with @Order and with the httpSecurity.antRequestMatcher, but currently without luck. Any idea what can be the cause that the WebSecurityConfigurerAdapter kicks in when the ResourceServerConfigurerAdapter should be used? I reversed the order and I even let the resource server "listen" on /**... I have no clue how to debug this; even with TRACE debug levels the decision path is not shown.
    Thomas Hackel
    @thackel
    Found my mistake. Shame on me... the ResourceServerConfigurerAdapter was missing the @Configuration annotation.
    lir-ht
    @lir-ht
    Hi. I'm trying to secure my service component, so that (most) users can't access other users' data. It seems the way to do it is with PreAuthorize/PostAuthorize and Spring expression language...? But since the end result of this seems to be an AccessDeniedException being thrown (and turned into a 403 in the web layer), what's the advantage of using annotations and SpEL over simply putting the logic (in Java) in the method itself and explicitly throwing the exception as appropriate? Would the plain-Java-and-exceptions approach cause some kind of problem with other parts of Spring?
    Pravin Rahangdale
    @pravin-raha
    Hi, is there any way to exclude single POST/PUT request from spring security?
    Thomas Hackel
    @thackel
    @pravin-raha yes, e.g. webSecurity.ignoring().antMatchers(HttpMethod.POST, "/fooBar/**") in the adapter configuration
    Pravin Rahangdale
    @pravin-raha
    ok thanks
    Johannes Edmeier
    @joshiste
    Is the Oauth2 feature matrix (https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix) up to date?
    Also, this blog post https://spring.io/blog/2018/01/30/next-generation-oauth-2-0-support-with-spring-security mentions that "The plan is to also provide support for ... Authorization Server by the end of 2018 or early 2019." What is the current plan for the Authorization Server?
    Donald F Coffin
    @dfcoffin
    @joshiste See @jgrandja and @jzheaux comments in Spring Security Issue #6733. Spring Security Authorization Server support by Spring Security is currently planned for initial Authorization Server release in Spring Security 5.3.0
    David Barda
    @davebarda
    Hey, I'm trying to add an authorization server, which will be a proxy to an existing legacy monolith service (and then move some logic incrementally).
    If I want to delegate the authentication (and authorization) to a monolith with an OAuth2 Authorization Server, how can I do it?
    Shradha Bharti
    @bharti.shradha_gitlab
    Hi. I recently upgraded my Spring Boot from 1.x to 2.1.7. I am using Zuul as a gateway, and once I put in the username and password to go to another service, authentication is successful but I'm getting a 403 error, as in unauthorized.
    We are using LDAP for security and a Redis session as the saving part.
    Can anybody tell me about this issue?
    Shradha Bharti
    @bharti.shradha_gitlab
    I think it's not getting the session, so it's creating a new session.

    2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
    2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER

    java.lang.RuntimeException: For debugging purposes only (not an error)
    at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:338) [spring-session-core-2.1.8.RELEASE.jar:2.1.8.RELEASE]

    This is the class:

    import javax.servlet.http.HttpSession;
    
    import com.netflix.zuul.ZuulFilter;
    import com.netflix.zuul.context.RequestContext;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.session.Session;
    import org.springframework.session.SessionRepository;
    
    public class SessionSavingZuulPreFilter extends ZuulFilter {
    
        private static final Logger log = LoggerFactory.getLogger(SessionSavingZuulPreFilter.class);
    
        @Autowired
        private SessionRepository<? extends Session> repository;
    
        public SessionSavingZuulPreFilter() {
            log.info("SessionSavingZuulPreFilter Instantiated");
        }
    
        @Override
        public Object run() {
            RequestContext context = RequestContext.getCurrentContext();
    
            // Look up the current servlet session in the Spring Session repository
            HttpSession httpSession = context.getRequest().getSession();
            Session session = repository.findById(httpSession.getId());
    
            if (session != null) {
                // Forward the session id to the downstream service as a SESSION cookie
                context.addZuulRequestHeader("Cookie", "SESSION=" + httpSession.getId());
                log.debug("Session saving filter: SB session proxy: " + session.getId());
            } else {
                log.warn("Session saving filter: SB session is null");
            }
    
            return null;
        }
    
        @Override
        public boolean shouldFilter() {
            return true;
        }
    
        @Override
        public String filterType() {
            return "pre";
        }
    
        @Override
        public int filterOrder() {
            return 1;
        }
    
    }

    Previously, before 2.1.7, instead of the findById method we used getSession(httpSession.getId()).
    nawressissa
    @nawressissa
    Hi all.
    Any idea how to deal with an event published twice in Spring Security OAuth2?
    In my case, AuthenticationSuccessEvent is published twice.
    Sivabalan
    @jofisiva
    spring.security.user.name: I am using form-based authentication with Spring Security 5. The server is not starting, with "unable to read user.name properties".