Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security
RememberMeAuthenticationFilter
is using
    http.csrf().disable()
        .formLogin().disable()
        .logout().disable()
        .authorizeExchange().pathMatchers(prefix + "/publish/**").hasRole("XYZ_ROLE")
        .anyExchange().authenticated().and().httpBasic();
How can I apply multiple user roles to a single path?

Hi, I have an issue setting up OAuth2 alongside basic auth to protect some other APIs, and it seems one is getting overridden by the other one. I know there's @Order and I have already tried different Orders, and it's still not working. I also tried setting up basic auth by adding properties only, and the same thing happens.
It would be much appreciated if someone could help me get out of this.
Here is the configuration:
    public class SecurityConfiguration {

        @Configuration
        public static class InternalWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
            @Override
            public void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .antMatchers("/basic/**").authenticated()
                        .and()
                    .httpBasic();
            }
        }

        @Configuration
        @EnableResourceServer
        @EnableGlobalMethodSecurity(prePostEnabled = true)
        public static class DefaultWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
            @Override
            public void configure(HttpSecurity http) throws Exception {
                http
                    .csrf().disable()
                    .authorizeRequests()
                        .and()
                    .exceptionHandling()
                        .and()
                    .authorizeRequests()
                        .anyRequest()
                        .authenticated();
            }
        }
    }
@bidadh you need to specify which matcher your configuration applies to. Your first configuration should look like this:
    http
        .antMatcher("/basic/**")
        .authorizeRequests()
            .anyRequest().authenticated()
        ...
Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity
@Order and with the httpSecurity.antRequestMatcher, but currently without luck. Any idea what can be the cause that the WebSecurityConfigurerAdapter kicks in when the ResourceServerConfigurerAdapter should be used? I reversed the order and I even let the resource server "listen" on /** ... I have no clue how to debug this; even with TRACE debug levels the decision path is not shown.
"The plan is to also provide support for ... Authorization Server by the end of 2018 or early 2019." What is the current plan on the Authorization Server?
2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER
java.lang.RuntimeException: For debugging purposes only (not an error)
at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:338) [spring-session-core-2.1.8.RELEASE.jar:2.1.8.RELEASE]
    import javax.servlet.http.HttpSession;

    import com.netflix.zuul.ZuulFilter;
    import com.netflix.zuul.context.RequestContext;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.session.Session;
    import org.springframework.session.SessionRepository;

    public class SessionSavingZuulPreFilter extends ZuulFilter {

        private static final Logger log = LoggerFactory.getLogger(SessionSavingZuulPreFilter.class);

        @Autowired
        private SessionRepository<? extends Session> repository;

        public SessionSavingZuulPreFilter() {
            log.info("SessionSavingZuulPreFilter Instantiated");
        }

        @Override
        public Object run() {
            RequestContext context = RequestContext.getCurrentContext();
            // getSession() creates a new HttpSession when the request has none,
            // which is what the SESSION_LOGGER stack trace reports
            HttpSession httpSession = context.getRequest().getSession();
            Session session = repository.findById(httpSession.getId());
            if (session != null) {
                // forward the Spring Session id to the proxied service as a SESSION cookie
                context.addZuulRequestHeader("Cookie", "SESSION=" + httpSession.getId());
                log.debug("Session saving filter: SB session proxy: {}", session.getId());
            } else {
                log.warn("Session saving filter: SB session is null");
            }
            return null;
        }

        @Override
        public boolean shouldFilter() {
            return true;
        }

        @Override
        public String filterType() {
            return "pre";
        }

        @Override
        public int filterOrder() {
            return 1;
        }
    }
AuthenticationSuccessEvent is published twice.
AuthenticationSuccessEventListener executes before UserDetailsService.