    Karan "Sunny" D.

    Hi, I just did a fresh checkout of the master branch for spring-security and tried to build it, but some unit tests failed. My Java home is set to /Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/

    The unit tests that failed:

    org.springframework.security.crypto.password.PasswordEncoderUtilsTests > equalsWhenNullAndNullThenTrue FAILED
        java.lang.NullPointerException at PasswordEncoderUtilsTests.java:41
    org.springframework.security.crypto.password.PasswordEncoderUtilsTests > equalsWhenNullAndNotEmtpyThenFalse FAILED
        java.lang.NullPointerException at PasswordEncoderUtilsTests.java:35
    org.springframework.security.crypto.password.PasswordEncoderUtilsTests > equalsWhenNullAndEmptyThenFalse FAILED
        java.lang.NullPointerException at PasswordEncoderUtilsTests.java:46

    Command to run the tests: ./gradlew spring-security-crypto:test

    Can anyone please help me build Spring Security? Also, how do I import it properly in IntelliJ? It's not able to figure out the project structure, and as a result all the references are broken.

    Hi all,

    In order to build a custom authentication system (similar to a pre-authentication scenario) using Spring Security, is the only required step populating the security context with the current principal in a custom filter?

    Documentation refers to Spring Security 3.0 and Java 5 runtime, which seems to be wrong: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#runtime-environment
    Corneil du Plessis
    Assuming my application manages its own user profiles and credentials and stores passwords encoded with the bcrypt password encoder. During a password change operation I don't like the password being in clear text, because it may end up in a browser cache or log. Does anyone know if there are bcrypt implementations that are compatible with the Spring bcrypt password encoder?
    Shradha Bharti
    I think this code, if you will use it:
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    Andreas Falk

    Documentation refers to Spring Security 3.0 and Java 5 runtime, which seems to be wrong: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#runtime-environment

    @behrangsa I opened a new issue for this: spring-projects/spring-security#7440

    David Martin Rehle

    Is it possible to implement two completely separate chains of OAuth/resource servers in one app?

    dom1.com authenticates on /oauth/token1 using userdata from userTable1 and serving only resources from /api1
    dom2.com authenticates on /oauth/token2 using userdata from userTable2 and serving only resources from /api2

    James Howe
    @daveyx yes, but you'll need to configure more beans manually
    David Martin Rehle
    @OrangeDog I cannot find anything on Google that covers this case, do you have any hint on how to start?
    James Howe
    do it for one path, then do it for the other
    David Martin Rehle
    Do I need implementations of the following twice?
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    do it for one path, then do it for the other

    on the way...

    David Martin Rehle

    When I provide a second AuthorizationServerConfig, I get:

    The bean 'authenticationManagerBean', defined in class path resource [.../security2/SecurityConfig2.class], could not be registered. A bean with that name has already been defined in class path resource [.../security/SecurityConfig.class] and overriding is disabled.
    Consider renaming one of the beans or enabling overriding by setting spring.main.allow-bean-definition-overriding=true

    This happens in line 47 here:

    when providing an AuthenticationManager

    Rajas Gujarathi
    I am new to this forum, and by reading articles on the internet I came to know that Spring Cloud Gateway with OAuth2 was not supported until December 2018. However, I wanted to know if it is still not supported, because I have spent sufficient time trying to get it working but no luck so far.
    David Martin Rehle
    Can I have multiple AuthenticationManagers?
    David Martin Rehle
    Obviously I can have only one AuthenticationManager.

    I've now provided a second config for
    SecurityConfig extends WebSecurityConfigurerAdapter
    AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter
    ResourceServerConfig extends ResourceServerConfigurerAdapter


    If I comment out the second config, I get a token with config 1.

    If I activate the second config, something seems to be messed up with the HTTP basic auth:

    try config 1 with

    curl -X POST http://localhost:8080/oauth1/token -H 'Authorization: Basic dGVzdGp3dGNsaWVudGlkOlhZN2ttem9OemwxMDA' --data "username=user&password=password&grant_type=password"

    results in "Forbidden","path":"/oauth1/token"

    try config 2 with

    curl -X POST http://localhost:8080/oauth2/token -H 'Authorization: Basic dGVzdGp3dGNsaWVudGlkMjpYWTdrbXpvTnpsMTAwMg==' --data "username=user2&password=password2&grant_type=password"

    results in "error":"invalid_grant","error_description":"Bad credentials"

    David Martin Rehle

    I didn't get it working with two WebSecurityConfigurerAdapters, so I started with only one WebSecurityConfigurerAdapter and only one AuthorizationServerConfigurerAdapter, but two UserDetailsServices.


    I can get a token with both client ids.

    The downside is that I have only one authentication endpoint, but this is not a big problem.

    I've provided two AuthenticationProviders, each connected to a different UserDetailsService.

    The behaviour is now that both UserDetailsServices are tried to see whether they can find the user; I see that as a downside too.

    What I want to have is:
    case a) user with clientid X triggers only UserDetailsService1
    case b) user with clientid Y triggers only UserDetailsService2

    in case a) user has only access to resources of /api1
    in case b) user has only access to resources of /api2

    How can I achieve that?

    Andreas Schilling
    Hi all! We're currently facing the issue that the Set-Cookie header with the JSESSIONID triggers a firewall rule. Does anyone know whether any update in Spring Security or Spring Boot might be the reason that this header is set now? Other services that use the same setup don't have this header set in their responses. Unfortunately, tracking down why this header is set now is difficult, because the service that shows this behaviour is the result of two services being merged, so there was quite some change going on. The underlying setup as such, however, didn't change; it's based on Spring Boot 2.1.6 (and we're using a custom, but shared, Resource Server setup in all our services).
    James Howe
    JSESSIONID is managed by the application server (tomcat, jetty, undertow). You can usually disable it in Spring Security with http.sessionManagement().sessionCreationPolicy(STATELESS)
    Hey everyone, I have a pull request I made and got stuck a little. First of all, this is my first time ever contributing to projects other than the ones I'm working on at work or on my own. I think the issue is really annoying and common as well, but the solution is not necessarily all that trivial without messing up the flow of the project.
    Filip Hanik

    Hi @rolaca11, thank you for wanting to contribute. The best thing you can do to explain your use case is start with a test that shows how a request fails in one commit. Then add a second commit that makes the test pass.

    This will give whoever reviews your PR a great deal of information on what you are trying to accomplish, and that it actually works in the code.

    Commit 1 - a test case that fails, but you believe it should pass 
    Commit 2 - fixes the code, causes the test in Commit 1 to pass
    Clifford Garvis

    Hello, I just bumped Spring Boot version from 2.2.0.M4 -> 2.2.0.M6. As a result Spring Security version went from 5.2.0.M3 -> 5.2.0.RC1. With this change my previous OAuth2 resource server security configuration fails at startup with an exception java.lang.IllegalArgumentException: An AuthenticationManager is required. In version 5.2.0.M3 a default manager with JwtAuthenticationProvider would be created. It appears this issue only occurs when I disable anonymous and have an authorizeRequests section in my HttpSecurity configuration as in the example below.

      protected void configure(HttpSecurity http) throws Exception {

    Do I need to provide an authentication manager rather than relying on the default in this case?

    @clifforous Have you tried overriding the authenticationManagerBean() method in your WebSecurityConfigurerAdapter? Don't forget to annotate it with @Bean
    Hi all, I want to ask a question: how should we deal with the access_token after it has expired when using Spring Cloud Gateway or Zuul?
    Mohamed Barrouh
    Hi All,
    Could you please let me know how I can disable the filters below using XML config:
    Thank you in advance
    Clifford Garvis
    @rolaca11 Yes, and that works for a single WebSecurityConfigurationAdapter. In my setup I have a different WebSecurityConfigurationAdapter for my Actuator endpoints and different profiles. Right now I provide those via bean and profile annotations. If I override one of those adapters' authenticationManagerBean() method, it doesn't take effect. I guess I could declare them as components rather than just creating beans so the bean gets picked up... My question is: is it expected that disabling anonymous access causes no default AuthenticationManager for oauth2resourceserver?
    Alwyn Schoeman

    Hi All,

    My question is about setting timeouts for Oauth2 Resource Server in a Webflux environment (Spring Cloud Gateway).

    Is there a reactive equivalent to using NimbusJwtDecoderJwkSupport and RestOperations?

    Can someone suggest a website to learn about Spring Security + SAML?
    Knut Schleßelmann
    Is there now some improved OAuth2 test support with 5.2? We somehow need to test our service (resource server and client) without running infrastructure … some test configuration with a "just valid" token would be nice for example?
    Knut Schleßelmann
    Let's see :-)
    @styx_hcr_twitter Hm … maybe our problem is that we use @AutoConfigureWebTestClient which expects a working security configuration in order to start the context at all? Maybe we can solve it with your suggestions …
    Dennis Melzer
    Hey, I'm trying to disable the JSESSIONID cookie for every response. The SessionCreationPolicy is set to STATELESS and also the tracking mode is set.
    But the session id is always set.
    Was wondering if it is okay to put in a PR for
    Hello. I would like to use both @PreAuthorize annotations and the global antmatchers functionality (WebMvcConfigurerAdapter) to apply authorization rules. Is it possible to combine these?
    I am also using a custom AuthenticationProvider
    This is required to do something like protect actuator endpoints while still using @PreAuthorize in controllers.
    Also, is it possible to disable spring security via application.properties (or application.yml)? It would be handy to be able to disable or stub this out for testing purposes.