Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
Repo info
    Andreas Schilling
    Hi all! We're currently facing the issue, that the Set-Cookie header with the JSESSIONID triggers a firewall rule. Does anyone know whether any update in Spring Security or Spring Boot might be the reason that this header is set now? Other services that use the same setup don't have this header set in their responses. Unfortunately tracking down why this header is set now is difficult, because the service that shows this behaviour is the result of two services being merged, so there was quite some change going on. The underlying setup as such however didn't change, it's based on Spring Boot 2.1.6 (and we're using a custom, but shared Resource Server Setup in all our services)
    James Howe
    JSESSIONID is managed by the application server (tomcat, jetty, undertow). You can usually disable it in Spring Security with http.sessionManagement().sessionCreationPolicy(STATELESS)
    Hey everyone, I have a pull request I made and got stuck a little. First of all, this is my first time ever contributing to projects other than the ones I'm working on at work, or on my own. I think the issue is really annoying and common as well, but the solution is not necessarily all that trivial, without messing up the flow of the project
    Filip Hanik

    Hi @rolaca11, thank you for wanting to contribute. The best thing you can do to explain your use case is start with a test that shows how a request fails in one commit. Then add a second commit that makes the test pass.

    This will give whoever reviews your PR a great deal of information on what you are trying to accomplish, and that it actually works in the code.

    Commit 1 - a test case that fails, but you believe it should pass 
    Commit 2 - fixes the code, causes the test in Commit 1 to pass
    Clifford Garvis

    Hello, I just bumped Spring Boot version from 2.2.0.M4 -> 2.2.0.M6. As a result Spring Security version went from 5.2.0.M3 -> 5.2.0.RC1. With this change my previous OAuth2 resource server security configuration fails at startup with an exception java.lang.IllegalArgumentException: An AuthenticationManager is required. In version 5.2.0.M3 a default manager with JwtAuthenticationProvider would be created. It appears this issue only occurs when I disable anonymous and have an authorizeRequests section in my HttpSecurity configuration as in the example below.

      protected void configure(HttpSecurity http) throws Exception {

    Do I need to provide an authentication manager rather than relying on the default in this case?

    @clifforous Have you tried overriding the authenticationManagerBean() method in your WebSecurityConfigurerAdapter? Don't forget to annotate it with @Bean
    hi to all , i want ask question , how should we deal with access_token after expired when using spring cloud gateway or zuul
    Mohamed Barrouh
    Hi All,
    Could you please let me know how i can disable the filters below using xml config:
    Thank you in advance
    Clifford Garvis
    @rolaca11 Yes and that works for a single WebSecurityConfigurationAdapter. In my setup I have a different WebSecurityConfigurationAdapter for my Actuator endpoints and different profiles. Right now I provide those via bean and profile annotations. If I override the one of those adapters authenticationManagerBean() method it doesn't take effect. I guess I could declare them as components rather than just creating beans so the bean gets picked up... My question is it expected that disabling anonymous access cause no default AuthenticationManager for oauth2resourceserver?
    Alwyn Schoeman

    Hi All,

    My question is about setting timeouts for Oauth2 Resource Server in a Webflux environment (Spring Cloud Gateway).

    Is there a reactive equivalent to using NimbusJwtDecoderJwkSupport and RestOperations?

    can some one suggest any website to learn about spring security + SAML
    Knut Schleßelmann
    Is there now some improved OAuth2 test support with 5.2? We somehow need to test our service (resource server and client) without running infrastructure … some test configuration with a "just valid" token would be nice for example?
    Knut Schleßelmann
    Let's see :-)
    @styx_hcr_twitter Hm … maybe our problem is that we use @AutoConfigureWebTestClient which expects a working security configuration in order to start the context at all? Maybe we can solve it with your suggestions …
    Dennis Melzer
    Hey, i try to disable the JSESSIONID cookie for every response. The SessionCreationPolicy is set to STATLESS and noch tracking mode is set.
    But the sessions id is always set
    Was wondering if it is okay to put in a PR for
    Hello. I would like to use both @PreAuthorize annotations and the global antmatchers functionality (WebMvcConfigurerAdapter) to apply authorization rules. Is it possible to combine these?
    I am also using a custom AuthenticationProvider
    This is required to do something like protect actuator endpoints while still using @PreAuthorize in controllers.
    Also, is it possible to disable spring security via application.properties (or application.yml)? It would be handy to be able to disable or stub this out for testing purposes.
    Choubani Amir
    Any idea why the session attribute SPRING_SECURITY_CONTEXT is not mentioned in spring security doc in order to get the Security context ?
    James Howe
    probably because you're supposed to use SecurityContextHolder
    Vadim Bryksin

    Could someone help me please? I'm getting empty username parameter in findByUsername(String username) in ReactiveUserDetailsService

    In my security config I defined this:

        .authenticationManager(new UserDetailsRepositoryReactiveAuthenticationManager(authService))

    where authService is Autowired ReactiveUserDetailsService

    I'm sending POST request to /login with parameters:

        "username": "<some_username>",
        "password": "<some_password>"

    There is not controller implementing /login Spring security somehow itslef managing it, so I'm getting hit straight into ReactiveUserDetailsService but obviously request params were not properly mapped, I'm definitely missing something

    Vadim Bryksin
    I might assume that it can successfully get username only from Authentication object,
    so if I'll replace .authenticationManager(new UserDetailsRepositoryReactiveAuthenticationManager(authService))
    with custom ReactiveAuthenticationManager with implementation of authenticate(Authentication authentication)
    the authentication parameter is also empty, and I'm not sure where do I get request body content to return proper Authentication object with username and password
    Nathanael Law
    Hello All, I’m wondering if there a recommended resource that gives the default order for filters as created by HttpSecurity in a WebSecurityConfigurerAdapter. Usually I just create a breakpoint in a filter than I know is being hit the inspect the filter list.
    Our site's oauth endpoint is being flagged as 'Unsafe. Tries to trick visitors into sharing personal info' by Google's Safe Browsing and so big red warnings in Chrome and Firefox. They provide little info on what has caused it to be flagged. The only thing publicly accessible is the /login/oauth2/code endpoint which 302s to https://accounts.google.com/o/oauth2/v2/auth which seems correct. Domain and SSL cert are matching/correct.
    Choubani Amir
    Hi all. Any idea if there is really a protocol when we use session basic authentication ( like the saml and oauth2 and ldap) ?
    Is their a way to register an AuthenticationEventPublisher with the Spring OAuth2 Filter for logging purposes? I have a stackoverflow question about it here.
    Marcin Zięba
    Hello, that is my first time in OSS. I would like to propose pull request for hasAnyIpAddress(String[] ipAddresses) expression to be an extension to current hasIpAddress(String ipAddress). Context: I had to to allow some endpoints to be used only by specified machines that could not be described as normal ip range expression (eg. ""). To accomplish that I had to use some weird string based expression ("hasIpAddress('...') or hasIpAddress('...')") which was dynamically generated. What do you think about that?
    I use AccessDecisionManager and AbstractSecurityInterceptor to access control, it works well with zuul, but now changed to spring cloud gateway which use webflux, and i don't know how to implement AbstractSecurityInterceptor with webflux version
    Shradha Bharti
    HI All,
    I recently did upgrade of spring boot 2.1.7 and suddently I was not getting and error message ..I found some idea with the below issue
    so to fix this ..i have given this
    but now I m getting the error messgae but message are coming different
    so previously before upgrade when i was putting wrong username/pwd ...the response was
    "timestamp": 1571049553776,
    "status": 401,
    "error": "Unauthorized",
    "message": "Authentication Failed: {\"errorCode\":\"52e\",\"adminMail\":\"System Administrator\",\"role\":[]}",
    "path": "/login/auth"
    and now after upgrade
    "timestamp": "2019-10-14T10:40:37.651+0000",
    "status": 401,
    "error": "Unauthorized",
    "message": "Unauthorized",
    "path": "/login/auth"
    this is the response
    Let me know if somebody can help me for this
    Alexey Stepanov

    Hi all,

    I need help with the next case:

    https://gist.github.com/SteelAlex/ac129a8099c9518e50f6815b3c2bfe1f - I configured Spring Security + Spring Session. I use custom header for session. And I can't change session timeout, I always logout after default 15 minutes of inactivity. I tried to set spring.session.timeout and/or server.servlet.session.timeout, but it doesn't work.

    I am sure I am doing something wrong, but I have no ideas what.

    Does anyone know how to set a AuthenticationEventPublisher in the newer version of WebSecurityConfigurerAdapter
    Hello, can some one help me understand this:
    i need to sign en encrypt soap request