    Johannes Edmeier
    Is the Oauth2 feature matrix (https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix) up to date?
    Also this blog post https://spring.io/blog/2018/01/30/next-generation-oauth-2-0-support-with-spring-security mentions that "The plan is to also provide support for ... Authorization Server by the end of 2018 or early 2019." What is the current plan on the Authorization Server?
    Donald F Coffin
    @joshiste See @jgrandja and @jzheaux comments in Spring Security Issue #6733. Spring Security Authorization Server support by Spring Security is currently planned for initial Authorization Server release in Spring Security 5.3.0
    David Barda
    Hey, I'm trying to add an authorization server, which will be a proxy to an existing legacy monolith service (and then move some logic incrementally).
    If I want to delegate the authentication (and authorization) to a monolith with an OAuth2 Authorization Server, how can I do it?
    Shradha Bharti
    Hi, I recently upgraded my Spring Boot from 1.X to 2.1.7. I am using Zuul as a gateway, and once I put in the username and password to go to another service, authentication is successful but I'm getting a 403 error, as in unauthorised.
    We are using LDAP for security and a Redis session for the saving part.
    Can anybody tell me about this issue?
    Shradha Bharti
    I think it's not getting the session, so it's creating a new session.

    2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
    2019-09-09 10:42:15.231 DEBUG 27576 --- [nio-8888-exec-1] o.s.s.w.h.S.SESSION_LOGGER : A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER

    java.lang.RuntimeException: For debugging purposes only (not an error)
    at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:338) [spring-session-core-2.1.8.RELEASE.jar:2.1.8.RELEASE]

    This is the class:

    import javax.servlet.http.HttpSession;
    import com.netflix.zuul.ZuulFilter;
    import com.netflix.zuul.context.RequestContext;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.session.Session;
    import org.springframework.session.SessionRepository;

    public class SessionSavingZuulPreFilter extends ZuulFilter {
        private static final Logger log = LoggerFactory.getLogger(SessionSavingZuulPreFilter.class);

        // Spring Session repository (Redis-backed in this setup); injected by the container
        @Autowired
        private SessionRepository<? extends Session> repository;

        public SessionSavingZuulPreFilter() {
            log.info("SessionSavingZuulPreFilter Instantiated");
        }

        @Override
        public Object run() {
            RequestContext context = RequestContext.getCurrentContext();
            HttpSession httpSession = context.getRequest().getSession();
            Session session = repository.findById(httpSession.getId());
            if (session != null) {
                // Forward the gateway's session id to the downstream service as a SESSION cookie
                context.addZuulRequestHeader("Cookie", "SESSION=" + httpSession.getId());
                log.debug("Session saving filter: SB session proxy: " + session.getId());
            } else {
                log.warn("Session saving filter: SB session is null");
            }
            return null;
        }

        @Override
        public boolean shouldFilter() { return true; }

        @Override
        public String filterType() { return "pre"; }

        @Override
        public int filterOrder() { return 1; }
    }


    Previously, before 2.1.7, instead of the findById method we used getSession(httpSession.getId()).
    Hi all.
    Any idea how to deal with event published twice in spring security oauth2 ?
    In my case, AuthenticationSuccessEvent is published twice.
    spring.security.user.name: I am using form-based authentication with Spring Security 5; the server is not started, being unable to read the user.name properties.
    Have we changed the properties in Spring Security 5?
    Please ignore the above message
    Alwyn Schoeman
    Can anyone tell me how and/or where Spring Security discriminates between webflux and webmvc?
    Alwyn Schoeman
    Found @ConditionalOnWebApplication
    Choubani Amir
    Is it possible to choose the components' execution order?
    I need AuthenticationSuccessEventListener to execute before UserDetailsService.
    James Howe
    That's impossible. Authentication cannot be successful unless the user can be found.
    Noel Hahn
    I have created an Authentication Server which works fine; however, I am trying to create a CRUD for ease of token creation. My biggest hurdle is the login page. I am able to get the login page and all other endpoint permissions correct, except now when hitting the oauth/token endpoint with bad credentials, instead of receiving a 403, I receive a 200 with the login page. I tried to nest the form login lines under an ant matcher, but doing so results in the login page not being able to read CSRF. When disabling CSRF, I get a 405 when trying to login. Any idea how to prevent the oauth endpoints from triggering the login page?
    Noel Hahn
    Here's the configuration if it helps:
    override fun configure(http: HttpSecurity) {
        http.authorizeRequests()
            .antMatchers("/actuator", "/actuator/health", "/actuator/info").permitAll()
            .antMatchers("/css/**", "/img/**", "/webjars/**").permitAll()
            .antMatchers("/", "/client/**").hasAuthority("ADMIN")
    }
    I basically don't want the above to return 200 with the login HTML for the endpoints /oauth/token and /oauth/check_token; instead it should return its normal 403.
    Vadim Bryksin

    Hey guys, I'm doing reactive security and got stuck with UserDetailsService.
    Basically, in the non-reactive approach I was extending WebSecurityConfigurerAdapter, where I had to override configure(AuthenticationManagerBuilder auth) and provide a userService implementing UserDetailsService.

    However, now I'm using a reactive approach and implementing ReactiveUserDetailsService, but WebSecurityConfigurerAdapter doesn't take it anymore.

    As I understand from this example: https://github.com/spring-projects/spring-security/blob/5.2.0.RC1/samples/boot/webflux-form/src/main/java/sample/WebfluxFormSecurityConfig.java
    I don't need to extend WebSecurityConfigurerAdapter anymore, but rather create beans with SecurityWebFilterChain. But I'm not sure which bean I should create to provide my already made ReactiveUserDetailsService?

    Karan "Sunny" D.

    Hi, I just did a fresh checkout of the master branch of spring-security and tried to build it, but some unit tests failed. My Java home is set to /Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/

    The unit tests that failed:

    org.springframework.security.crypto.password.PasswordEncoderUtilsTests > equalsWhenNullAndNullThenTrue FAILED
        java.lang.NullPointerException at PasswordEncoderUtilsTests.java:41
    org.springframework.security.crypto.password.PasswordEncoderUtilsTests > equalsWhenNullAndNotEmtpyThenFalse FAILED
        java.lang.NullPointerException at PasswordEncoderUtilsTests.java:35
    org.springframework.security.crypto.password.PasswordEncoderUtilsTests > equalsWhenNullAndEmptyThenFalse FAILED
        java.lang.NullPointerException at PasswordEncoderUtilsTests.java:46

    Command to run the tests: ./gradlew spring-security-crypto:test

    Can anyone please help me build Spring Security? Also, how do I import it properly in IntelliJ? It's not able to figure out the project structure, and as a result all the references are broken.

    Hi all,

    In order to build a custom authentication system (similar to a pre-authentication scenario) using Spring Security, is the only required step populating the security context with the current principal in a custom filter?

    Documentation refers to Spring Security 3.0 and Java 5 runtime, which seems to be wrong: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#runtime-environment
    Corneil du Plessis
    Assuming my application manages its own user profiles and credentials and stores passwords encoded with the bcrypt password encoder: during a password change operation I don't like the password being in clear text, because it may end up in a browser cache or log. Does anyone know if there are bcrypt implementations that are compatible with the Spring bcrypt password encoder?
    Shradha Bharti
    I think you can use this code:
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    Andreas Falk

    > Documentation refers to Spring Security 3.0 and Java 5 runtime, which seems to be wrong: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#runtime-environment

    @behrangsa I opened a new issue for this: spring-projects/spring-security#7440

    David Martin Rehle

    Is it possible to implement two completely separate chains of OAuth/resource servers in one app?

    dom1.com authenticates on /oauth/token1 using userdata from userTable1 and serving only resources from /api1
    dom2.com authenticates on /oauth/token2 using userdata from userTable2 and serving only resources from /api2

    James Howe
    @daveyx yes, but you'll need to configure more beans manually
    David Martin Rehle
    @OrangeDog I cannot find anything on Google that covers this case; do you have any hint how to start?
    James Howe
    do it for one path, then do it for the other
    David Martin Rehle
    Do I need implementations of the following twice?
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    > do it for one path, then do it for the other

    on the way...

    David Martin Rehle

    When I provide a second AuthorizationServerConfig, I get:

    The bean 'authenticationManagerBean', defined in class path resource [.../security2/SecurityConfig2.class], could not be registered. A bean with that name has already been defined in class path resource [.../security/SecurityConfig.class] and overriding is disabled.
    Consider renaming one of the beans or enabling overriding by setting spring.main.allow-bean-definition-overriding=true

    This happens in line 47 here:

    when providing an AuthenticationManager

    Rajas Gujarathi
    I am new to this forum, and by reading articles on the internet I came to know that Spring Cloud Gateway with OAuth2 was not supported until December 2018. However, I wanted to know if it is still not supported, because I have spent sufficient time trying to get it working but no luck so far.
    David Martin Rehle
    Can I have multiple AuthenticationManagers?
    David Martin Rehle
    Obviously I can have only one AuthenticationManager.

    I've now provided a second config for
    SecurityConfig extends WebSecurityConfigurerAdapter
    AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter
    ResourceServerConfig extends ResourceServerConfigurerAdapter


    If I comment out the second config, I get a token with config 1.

    If I activate the second config, something seems to be messed up with the HTTP Basic auth:

    Trying config 1 with

    curl -X POST http://localhost:8080/oauth1/token -H 'Authorization: Basic dGVzdGp3dGNsaWVudGlkOlhZN2ttem9OemwxMDA' --data "username=user&password=password&grant_type=password"

    results in "Forbidden","path":"/oauth1/token"

    Trying config 2 with

    curl -X POST http://localhost:8080/oauth2/token -H 'Authorization: Basic dGVzdGp3dGNsaWVudGlkMjpYWTdrbXpvTnpsMTAwMg==' --data "username=user2&password=password2&grant_type=password"

    results in "error":"invalid_grant","error_description":"Bad credentials"

    David Martin Rehle

    I didn't get it working with two WebSecurityConfigurerAdapters, so I started with only one WebSecurityConfigurerAdapter and only one AuthorizationServerConfigurerAdapter, but two UserDetailsServices.


    I can get a token with both client ids.

    The downside is that I have only one authentication endpoint, but this is not a big problem.

    I've provided two AuthenticationProviders, each connected to a different UserDetailsService.

    The behaviour is now that both UserDetailsServices are tested to see if they can find the user; I see that as a downside too.

    What I want to have is:
    case a) user with clientid X triggers only UserDetailsService1
    case b) user with clientid Y triggers only UserDetailsService2

    in case a) the user has access only to resources of /api1
    in case b) the user has access only to resources of /api2

    How can I achieve that?

    Andreas Schilling
    Hi all! We're currently facing the issue that the Set-Cookie header with the JSESSIONID triggers a firewall rule. Does anyone know whether any update in Spring Security or Spring Boot might be the reason that this header is set now? Other services that use the same setup don't have this header set in their responses. Unfortunately, tracking down why this header is set now is difficult, because the service that shows this behaviour is the result of two services being merged, so there was quite some change going on. The underlying setup as such however didn't change; it's based on Spring Boot 2.1.6 (and we're using a custom but shared Resource Server setup in all our services).
    James Howe
    JSESSIONID is managed by the application server (tomcat, jetty, undertow). You can usually disable it in Spring Security with http.sessionManagement().sessionCreationPolicy(STATELESS)
    Hey everyone, I have a pull request I made and got stuck a little. First of all, this is my first time ever contributing to projects other than the ones I'm working on at work or on my own. I think the issue is really annoying and common as well, but the solution is not necessarily all that trivial without messing up the flow of the project.