Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security
specifically the same instance that the
RememberMeAuthenticationFilter is using
Which version of spring-security-saml should I use with spring boot 2.1.6 in the meantime?
http.csrf().disable()
.formLogin().disable()
.logout().disable()
.authorizeExchange().pathMatchers(prefix + "/publish/**").hasRole("XYZ_ROLE")
.anyExchange().authenticated().and().httpBasic();for single user role its working fine.
Hi, I want to provide a saml library/starter with a preconfigured saml and security configuration. How can I give the project, which uses this preconfigured library, control over the security configuration without breaking the saml and security configuration. For example, by default the whole application should be secured via saml if the library is listed as dependency. And the project which uses the preconfigured library should be able to exclude some paths from security configuration to give public access to a path.
Should I use autoconfiguration to override the preconfigured security configuration of the saml library. Hopefully without the need to repeat anything from the saml configuration stuff. Or can I use multiple security configurations to extend the security configuration of the saml library? Any other solutions?
Should I use autoconfiguration to override the preconfigured security configuration of the saml library. Hopefully without the need to repeat anything from the saml configuration stuff. Or can I use multiple security configurations to extend the security configuration of the saml library? Any other solutions?
@OrangeDog currently there is no support for that. There is an open issue #4001 and a PR which I am working on
Hi, I do have an issue setting up oauth2 alongside with the basic auth to protect some other APIs, and seems one is getting override by the other one. I know that's @Order and have already tried different Orders and still not working. I also tried setting up basic auth with adding properties only and same thing happens.
That's much appreciated if someone helps me getting out of this.
Here is the configuration:
public class SecurityConfiguration {
@Configuration
public static class InternalWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/basic/**").authenticated()
.and()
.httpBasic();
}
}
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public static class DefaultWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.and()
.exceptionHandling()
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
}
}
}
I modified it a little bit to make it as simple as possible
@bidadh you need to specify which matcher your configuration applies to. Your first configuration should look like this
http
.antMatcher("/basic/**")
.authorizeRequests()
.anyRequest().authenticated()
...Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity
Hi all. Does anyone have any pointers on how I could get a list of all of the RequestMatchers which are configured via the HttpSecurity class? I have a spring boot web app and I want to capture a list of RequestMappings and the roles necessary to use them. I'd prefer to just autowire some spring class, but I could certainly write extra code to capture the info when I configure my HttpSecurity instance.
Hi all,
I am about to push a PR on the Oauth client provider.
The issue I try to fix is a token expiration error. If the server and the client have the same clock, an expired token will be sent during 60 seconds.
I think the proper way to manage the token renewal is to ensure that the token is valid at least for clockSkew.
It looks like @jgrandja is in charge of this part of the code.
Could you tell me if I am wrong ?
Thanks for your work.
I am about to push a PR on the Oauth client provider.
The issue I try to fix is a token expiration error. If the server and the client have the same clock, an expired token will be sent during 60 seconds.
I think the proper way to manage the token renewal is to ensure that the token is valid at least for clockSkew.
It looks like @jgrandja is in charge of this part of the code.
Could you tell me if I am wrong ?
Thanks for your work.
Hi there. I have a hard time with spring-sec and the resource-server. I have no clue why it uses my normal "form-login" chain instead of the chain with the oauth filters. As far as i know i can play with
@Order and with the httpSecurity.antRequestMatcher, but currently without luck. any idea what can be the cause that the WebSecurityConfigurerAdapter kicks in when the ResourceServerConfigurerAdapter should be used. I reversed the order and i even let the resource server "listen" on /**... i have no clue how to debug this, even with TRACE debug levels the decision path is not shown
Hi. I'm trying to secure my service component, so that (most) users can't access other users' data. It seems the way to do it is with PreAuthorize/PostAuthorize and Spring expression language...? But since the end result of this seems to be an AccessDeniedException being thrown (and turned into a 403 in the web layer), what's the advantage of using annotations and SpEL over simply putting the logic (in Java) in the method itself and explicitly throwing the exception as appropriate? Would the plain-Java-and-exceptions approach cause some kind of problem with other parts of Spring?
Is the Oauth2 feature matrix (https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix) up to date?
Also this blog post https://spring.io/blog/2018/01/30/next-generation-oauth-2-0-support-with-spring-security mentions that
Also this blog post https://spring.io/blog/2018/01/30/next-generation-oauth-2-0-support-with-spring-security mentions that
The plan is to also provide support for ... Authorization Server by the end of 2018 or early 2019. What is the current plan on the Authorization Server?
@joshiste See @jgrandja and @jzheaux comments in Spring Security Issue #6733. Spring Security Authorization Server support by Spring Security is currently planned for initial Authorization Server release in Spring Security 5.3.0
we are using ldap for security and rediss session as saving part
can anybody tell me for this issue
2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER
java.lang.RuntimeException: For debugging purposes only (not an error)
at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:338) [spring-session-core-2.1.8.RELEASE.jar:2.1.8.RELEASE]
this is the class
public class SessionSavingZuulPreFilter extends ZuulFilter {
private static final Logger log = LoggerFactory.getLogger(SessionSavingZuulPreFilter.class);
public SessionSavingZuulPreFilter() {
log.info("SessionSavingZuulPreFilter Instantiated");
}
@Autowired
private SessionRepository<? extends Session> repository;
@Override
public Object run() {
RequestContext context = RequestContext.getCurrentContext();
HttpSession httpSession = context.getRequest().getSession();
Session session=repository.findById(httpSession.getId()) ;
if (session != null) { context.addZuulRequestHeader("Cookie", "SESSION=" + httpSession.getId());
log.debug("Session saving filter: SB session proxy: " + session.getId()); } else {
log.warn("Session saving filter: SB session is null"); }
return null;
}
@Override
public boolean shouldFilter() {
return true;
}
@Override
public String filterType() {
return "pre";
}
@Override
public int filterOrder() {
return 1;
}}
previously before the 2.1.7 ..instead of findbyId method we have used getSession(httpSession.getId())
In my case,
AuthenticationSuccessEvent is published twice.
are we chnaged the properties in spring security 5 ?
I need that
AuthenticationSuccessEventListenerexecutes before UserDetailsService
I have a created an Authentication Server which works fine, however, I am trying to create a CRUD for ease of token creation. My biggest hurdle is the login page. I am able to get the login page and all other endpoint permissions correct except now when hitting the oauth/token endpoint with bad credentials, instead of receiving a 403, i receive a 200 with the login page. I tried to nest the form login lines under an ant matcher but doing so results in the login page not being able to read CSRF. When disabling CSRF, I get a 405 when trying to login. Any idea how to prevent the oauth endpoints from triggering the login page?