Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security
Thank you in advance
@rolaca11 Yes and that works for a single
WebSecurityConfigurationAdapter. In my setup I have a different WebSecurityConfigurationAdapter for my Actuator endpoints and different profiles. Right now I provide those via bean and profile annotations. If I override the one of those adapters authenticationManagerBean() method it doesn't take effect. I guess I could declare them as components rather than just creating beans so the bean gets picked up... My question is it expected that disabling anonymous access cause no default AuthenticationManager for oauth2resourceserver?
@styx_hcr_twitter Hm … maybe our problem is that we use
@AutoConfigureWebTestClient which expects a working security configuration in order to start the context at all? Maybe we can solve it with your suggestions …
But the sessions id is always set
is there a way to add my own custom oauth2 provider like this https://github.com/spring-projects/spring-security/blob/b93528138e2b2f7ad34d10a040e6b7ac50fc587a/config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java in spring security?
Was wondering if it is okay to put in a PR for
I am also using a custom AuthenticationProvider
Hi
Could someone help me please? I'm getting empty username parameter in findByUsername(String username) in ReactiveUserDetailsService
In my security config I defined this:
.formLogin()
.loginPage("/login")
.authenticationManager(new UserDetailsRepositoryReactiveAuthenticationManager(authService))where authService is Autowired ReactiveUserDetailsService
I'm sending POST request to /login with parameters:
{
"username": "<some_username>",
"password": "<some_password>"
}There is not controller implementing /login Spring security somehow itslef managing it, so I'm getting hit straight into ReactiveUserDetailsService but obviously request params were not properly mapped, I'm definitely missing something
I might assume that it can successfully get
so if I'll replace
with custom
the
username only from Authentication object,so if I'll replace
.authenticationManager(new UserDetailsRepositoryReactiveAuthenticationManager(authService))with custom
ReactiveAuthenticationManager with implementation of authenticate(Authentication authentication)the
authentication parameter is also empty, and I'm not sure where do I get request body content to return proper Authentication object with username and password
Our site's oauth endpoint is being flagged as 'Unsafe. Tries to trick visitors into sharing personal info' by Google's Safe Browsing and so big red warnings in Chrome and Firefox. They provide little info on what has caused it to be flagged. The only thing publicly accessible is the
/login/oauth2/code endpoint which 302s to https://accounts.google.com/o/oauth2/v2/auth which seems correct. Domain and SSL cert are matching/correct.
Is their a way to register an AuthenticationEventPublisher with the Spring OAuth2 Filter for logging purposes? I have a stackoverflow question about it here.
https://stackoverflow.com/questions/58327875/setting-a-defaultauthenticationeventpublisher-in-websecurityconfigureradapter-fo
https://stackoverflow.com/questions/58327875/setting-a-defaultauthenticationeventpublisher-in-websecurityconfigureradapter-fo
Hello, that is my first time in OSS. I would like to propose pull request for
hasAnyIpAddress(String[] ipAddresses) expression to be an extension to current hasIpAddress(String ipAddress). Context: I had to to allow some endpoints to be used only by specified machines that could not be described as normal ip range expression (eg. "192.168.1.1/24"). To accomplish that I had to use some weird string based expression ("hasIpAddress('...') or hasIpAddress('...')") which was dynamically generated. What do you think about that?
HI All,
I recently did upgrade of spring boot 2.1.7 and suddently I was not getting and error message ..I found some idea with the below issue
spring-projects/spring-security#4467
so to fix this ..i have given this
antMatchers("/error").permitAll()
but now I m getting the error messgae but message are coming different
so previously before upgrade when i was putting wrong username/pwd ...the response was
I recently did upgrade of spring boot 2.1.7 and suddently I was not getting and error message ..I found some idea with the below issue
spring-projects/spring-security#4467
so to fix this ..i have given this
antMatchers("/error").permitAll()
but now I m getting the error messgae but message are coming different
so previously before upgrade when i was putting wrong username/pwd ...the response was
{
"timestamp": 1571049553776,
"status": 401,
"error": "Unauthorized",
"message": "Authentication Failed: {\"errorCode\":\"52e\",\"adminMail\":\"System Administrator\",\"role\":[]}",
"path": "/login/auth"
}
"timestamp": 1571049553776,
"status": 401,
"error": "Unauthorized",
"message": "Authentication Failed: {\"errorCode\":\"52e\",\"adminMail\":\"System Administrator\",\"role\":[]}",
"path": "/login/auth"
}
and now after upgrade
{
"timestamp": "2019-10-14T10:40:37.651+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/login/auth"
}
"timestamp": "2019-10-14T10:40:37.651+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/login/auth"
}
this is the response
Let me know if somebody can help me for this
Hi all,
I need help with the next case:
https://gist.github.com/SteelAlex/ac129a8099c9518e50f6815b3c2bfe1f - I configured Spring Security + Spring Session. I use custom header for session. And I can't change session timeout, I always logout after default 15 minutes of inactivity. I tried to set spring.session.timeout and/or server.servlet.session.timeout, but it doesn't work.
I am sure I am doing something wrong, but I have no ideas what.
i need to sign en encrypt soap request
The XwsSecurityInterceptor will fire a SignatureKeyCallback to the registered handlers. Within Spring-WS, there are is one class which handles this particular callback: the KeyStoreCallbackHandler.
The XwsSecurityInterceptor will fire a EncryptionKeyCallback to the registered handlers in order to retrieve the encryption information. Within Spring-WS, there is one class which handled this particular callback: the KeyStoreCallbackHandler.
so for this only in policy has to be added, other things are the same
@Bean
public KeyStoreCallbackHandler callback() throws Exception{
KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
callbackHandler.setPrivateKeyPassword("t_passwordo");
callbackHandler.setDefaultAlias("snet");
callbackHandler.setKeyStore(keyStoreFactoryBean());
callbackHandler.setTrustStore(TrustFactoryBean());
return callbackHandler;
}
signeture works ok
but for encrypt i get
2019-10-16 09:41:01.902 ERROR 21412 --- [nio-8080-exec-2] j.e.resource.xml.webservices.security : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate
2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate
tnx
Hello, I'm having problem configuring custom filter using http.addFilter(myFilter()), if myFilter() function uses @Bean then this filter is also registered as Spring filter which I do not want. If myFilter() returns FilterRegistrationBean with enabled = false then I don't know how to access initialized filter bean instance for http.addFilter() because it seems that myFilter().filter returns filter bean without dependencies set in this case