    javabotnetflix
    @javabotnetflix
    http.csrf().disable()
        .formLogin().disable()
        .logout().disable()
        .authorizeExchange().pathMatchers(prefix + "/publish/**").hasRole("XYZ_ROLE")
            .anyExchange().authenticated().and().httpBasic();
    How can I apply multiple user roles to a single path?
    For a single user role it's working fine.
    Dennis Böckmann
    @dbck
    Hi, I want to provide a SAML library/starter with a preconfigured SAML and security configuration. How can I give the project which uses this preconfigured library control over the security configuration without breaking the SAML and security configuration? For example, by default the whole application should be secured via SAML if the library is listed as a dependency, and the project which uses the preconfigured library should be able to exclude some paths from the security configuration to give public access to a path.
    Should I use autoconfiguration to override the preconfigured security configuration of the SAML library? Hopefully without the need to repeat anything from the SAML configuration. Or can I use multiple security configurations to extend the security configuration of the SAML library? Any other solutions?
    Bruce Zhang
    @niyaode
    Infinite redirection after successful oauth2 authorization code
    Eddú Meléndez Gonzales
    @eddumelendez
    @OrangeDog currently there is no support for that. There is an open issue #4001 and a PR which I am working on
    Arthur Kazemi
    @bidadh

    Hi, I have an issue setting up OAuth2 alongside basic auth to protect some other APIs, and it seems one is getting overridden by the other one. I know that's about @Order and I have already tried different Orders and it's still not working. I also tried setting up basic auth by adding properties only and the same thing happens.
    It would be much appreciated if someone could help me get out of this.

    Here is the configuration:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    public class SecurityConfiguration {

      // Intended to protect only /basic/** with HTTP Basic authentication.
      @Configuration
      public static class InternalWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
          http
            .authorizeRequests()
              .antMatchers("/basic/**").authenticated()
              .and()
            .httpBasic();
        }
      }

      // Intended to protect every other request as an OAuth2 resource server.
      @Configuration
      @EnableResourceServer
      @EnableGlobalMethodSecurity(prePostEnabled = true)
      public static class DefaultWebSecurityConfigurationAdapter extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
          http
            .csrf().disable()
            .exceptionHandling()
              .and()
            .authorizeRequests()
              .anyRequest().authenticated();
        }
      }
    }
    I modified it a little bit to make it as simple as possible.
    Eleftheria Stein-Kousathana
    @eleftherias

    @bidadh you need to specify which matcher your configuration applies to. Your first configuration should look like this:

    http
        .antMatcher("/basic/**")
        .authorizeRequests()
            .anyRequest().authenticated()
    ...

    Check out this section of the documentation https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity

    Arthur Kazemi
    @bidadh
    Thanks @eleftherias. I tried it, but it seems I was doing something else wrong. It works as expected now.
    Mike
    @mikeloll
    Hi all. Does anyone have any pointers on how I could get a list of all of the RequestMatchers which are configured via the HttpSecurity class? I have a spring boot web app and I want to capture a list of RequestMappings and the roles necessary to use them. I'd prefer to just autowire some spring class, but I could certainly write extra code to capture the info when I configure my HttpSecurity instance.
    Krystian Zybała
    @krystianzybala

    Hi,

    Does Spring Security support Authorization Server working with Webflux and Netty?

    Diod FR
    @diodfr
    Hi all,
    I am about to push a PR on the OAuth client provider.
    The issue I am trying to fix is a token expiration error. If the server and the client have the same clock, an expired token will be sent for 60 seconds.
    I think the proper way to manage the token renewal is to ensure that the token is valid for at least clockSkew.
    It looks like @jgrandja is in charge of this part of the code.
    Could you tell me if I am wrong?
    Thanks for your work.
    Thomas Hackel
    @thackel
    Hi there. I have a hard time with Spring Security and the resource server. I have no clue why it uses my normal "form-login" chain instead of the chain with the OAuth filters. As far as I know I can play with @Order and with the httpSecurity.antRequestMatcher, but currently without luck. Any idea what can be the cause that the WebSecurityConfigurerAdapter kicks in when the ResourceServerConfigurerAdapter should be used? I reversed the order and I even let the resource server "listen" on /**... I have no clue how to debug this; even with TRACE debug levels the decision path is not shown.
    Thomas Hackel
    @thackel
    Found my mistake. Shame on me... the ResourceServerConfigurerAdapter was missing the @Configuration annotation.
    lir-ht
    @lir-ht
    Hi. I'm trying to secure my service component, so that (most) users can't access other users' data. It seems the way to do it is with PreAuthorize/PostAuthorize and Spring expression language...? But since the end result of this seems to be an AccessDeniedException being thrown (and turned into a 403 in the web layer), what's the advantage of using annotations and SpEL over simply putting the logic (in Java) in the method itself and explicitly throwing the exception as appropriate? Would the plain-Java-and-exceptions approach cause some kind of problem with other parts of Spring?
    Pravin Rahangdale
    @pravin-raha
    Hi, is there any way to exclude a single POST/PUT request from Spring Security?
    Thomas Hackel
    @thackel
    @pravin-raha yes, e.g. webSecurity.ignoring().antMatchers(HttpMethod.POST, "/fooBar/**") in the adapter configuration
    Pravin Rahangdale
    @pravin-raha
    OK, thanks
    Johannes Edmeier
    @joshiste
    Is the OAuth2 feature matrix (https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix) up to date?
    Also this blog post https://spring.io/blog/2018/01/30/next-generation-oauth-2-0-support-with-spring-security mentions that "The plan is to also provide support for ... Authorization Server by the end of 2018 or early 2019." What is the current plan on the Authorization Server?
    Donald F Coffin
    @dfcoffin
    @joshiste See @jgrandja and @jzheaux comments in Spring Security Issue #6733. Spring Security Authorization Server support by Spring Security is currently planned for initial Authorization Server release in Spring Security 5.3.0
    David Barda
    @davebarda
    Hey, I'm trying to add an authorization server, which will be a proxy to an existing legacy monolith service (and then move some logic incrementally).
    If I want to delegate the authentication (and authorization) to a monolith with an OAuth2 Authorization Server, how can I do it?
    Shradha Bharti
    @bharti.shradha_gitlab
    Hi. I recently upgraded my Spring Boot from 1.X to 2.1.7. I am using Zuul as a gateway, and once I put in the username and password to go to another service, authentication is successful but I'm getting a 403 error, as in unauthorised.
    We are using LDAP for security and Redis session for saving the session.
    Can anybody help me with this issue?
    Shradha Bharti
    @bharti.shradha_gitlab
    I think it's not getting the session, so it's creating a new session.

    2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
    2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER

    java.lang.RuntimeException: For debugging purposes only (not an error)
    at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:338) [spring-session-core-2.1.8.RELEASE.jar:2.1.8.RELEASE]

    This is the class:

    import javax.servlet.http.HttpSession;

    import com.netflix.zuul.ZuulFilter;
    import com.netflix.zuul.context.RequestContext;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.session.Session;
    import org.springframework.session.SessionRepository;

    public class SessionSavingZuulPreFilter extends ZuulFilter {

        private static final Logger log = LoggerFactory.getLogger(SessionSavingZuulPreFilter.class);

        @Autowired
        private SessionRepository<? extends Session> repository;

        public SessionSavingZuulPreFilter() {
            log.info("SessionSavingZuulPreFilter Instantiated");
        }

        @Override
        public Object run() {
            RequestContext context = RequestContext.getCurrentContext();

            // Look up the caller's HTTP session in the shared (Redis) session repository
            HttpSession httpSession = context.getRequest().getSession();
            Session session = repository.findById(httpSession.getId());

            if (session != null) {
                // Forward the same session id to the downstream service as a SESSION cookie
                context.addZuulRequestHeader("Cookie", "SESSION=" + httpSession.getId());
                log.debug("Session saving filter: SB session proxy: " + session.getId());
            } else {
                log.warn("Session saving filter: SB session is null");
            }
            return null;
        }

        @Override
        public boolean shouldFilter() {
            return true;
        }

        @Override
        public String filterType() {
            return "pre";
        }

        @Override
        public int filterOrder() {
            return 1;
        }
    }

    Previously, before 2.1.7, instead of the findById method we used getSession(httpSession.getId()).
    nawressissa
    @nawressissa
    Hi all.
    Any idea how to deal with an event being published twice in Spring Security OAuth2?
    In my case, AuthenticationSuccessEvent is published twice.
    Sivabalan
    @jofisiva
    spring.security.user.name: I am using form-based authentication with Spring Security 5. The server does not start, with "unable to read user.name properties".
    Have the properties changed in Spring Security 5?
    Sivabalan
    @jofisiva
    Please ignore the above message
    Alwyn Schoeman
    @alwyn
    Can anyone tell me how and/or where Spring Security discriminates between webflux and webmvc?
    Alwyn Schoeman
    @alwyn
    Found @ConditionalOnWebApplication
    choubani amir
    @amirensit
    Is it possible to choose the components' execution order?
    I need AuthenticationSuccessEventListener to execute before UserDetailsService.
    James Howe
    @OrangeDog
    That's impossible. Authentication cannot be successful unless the user can be found.
    Noel Hahn
    @diendanyoi54
    I have created an Authentication Server which works fine; however, I am trying to create a CRUD for ease of token creation. My biggest hurdle is the login page. I am able to get the login page and all other endpoint permissions correct, except now when hitting the oauth/token endpoint with bad credentials, instead of receiving a 403, I receive a 200 with the login page. I tried to nest the form login lines under an ant matcher, but doing so results in the login page not being able to read the CSRF token. When disabling CSRF, I get a 405 when trying to log in. Any idea how to prevent the oauth endpoints from triggering the login page?
    Noel Hahn
    @diendanyoi54
    Here's the configuration if it helps:
    import org.springframework.context.annotation.Configuration
    import org.springframework.security.config.annotation.web.builders.HttpSecurity
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

    // Enclosing class and imports are assumed; the snippet only showed the configure() override.
    @Configuration
    class WebSecurityConfig : WebSecurityConfigurerAdapter() {

        override fun configure(http: HttpSecurity) {
            http
                .authorizeRequests()
                    .antMatchers("/actuator", "/actuator/health", "/actuator/info").permitAll()
                    .antMatchers("/css/**", "/img/**", "/webjars/**").permitAll()
                    .antMatchers("/actuator/**").authenticated()
                    .antMatchers("/", "/client/**").hasAuthority("ADMIN")
                    .anyRequest().denyAll()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .failureUrl("/login?error")
                    .usernameParameter("username").passwordParameter("password")
                    .permitAll()
        }
    }
    I basically don't want the above to return 200 with the login HTML for the endpoints /oauth/token and oauth/check_token, and instead return its normal 403.
    Vadim Bryksin
    @Bryksin

    Hey guys, I'm doing reactive security and got stuck with UserDetailsService.
    Basically, in the non-reactive approach I was extending WebSecurityConfigurerAdapter, where I had to override configure(AuthenticationManagerBuilder auth) and provide a userService which implements UserDetailsService.

    However, now I'm using a reactive approach and implementing ReactiveUserDetailsService, but WebSecurityConfigurerAdapter doesn't take it anymore.

    As I understand from this example: https://github.com/spring-projects/spring-security/blob/5.2.0.RC1/samples/boot/webflux-form/src/main/java/sample/WebfluxFormSecurityConfig.java
    I don't need to extend WebSecurityConfigurerAdapter anymore, but rather create beans with SecurityWebFilterChain. But I'm not sure what bean I should create to provide my already made ReactiveUserDetailsService?

    Karan "Sunny" D.
    @kdhindsa

    Hi, I just did a fresh checkout of master branch for spring-security and tried to build it but some unit tests failed. My java home is set to /Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/

    The unit tests that failed:

    org.springframework.security.crypto.password.PasswordEncoderUtilsTests > equalsWhenNullAndNullThenTrue FAILED
        java.lang.NullPointerException at PasswordEncoderUtilsTests.java:41
    
    org.springframework.security.crypto.password.PasswordEncoderUtilsTests > equalsWhenNullAndNotEmtpyThenFalse FAILED
        java.lang.NullPointerException at PasswordEncoderUtilsTests.java:35
    
    org.springframework.security.crypto.password.PasswordEncoderUtilsTests > equalsWhenNullAndEmptyThenFalse FAILED
        java.lang.NullPointerException at PasswordEncoderUtilsTests.java:46

    Command to run the tests: ./gradlew spring-security-crypto:test

    Can anyone please help me build Spring Security? Also, how do I import it properly in IntelliJ? It's not able to figure out the project structure and as a result all the references are broken.
    Behrang
    @behrangsa

    Hi all,

    In order to build a custom authentication system (similar to a pre-authentication scenario) using Spring Security, is the only required step populating the security context with the current principal in a custom filter?

    Behrang
    @behrangsa
    Documentation refers to Spring Security 3.0 and Java 5 runtime, which seems to be wrong: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#runtime-environment
    Corneil du Plessis
    @corneil
    Assuming my application manages its own user profiles and credentials and stores passwords encoded with the bcrypt password encoder: during a password change operation I don't like the password being in clear text, because it may end up in a browser cache or log. Does anyone know if there are bcrypt implementations that are compatible with the Spring bcrypt password encoder?
    Shradha Bharti
    @bharti.shradha_gitlab
    I think this code, if you will use