Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Budlee
    @Budlee
    Was wondering if it is okay to put in a PR for
    spring-projects/spring-security#7391
    springroll12
    @springroll12
    Hello. I would like to use both @PreAuthorize annotations and the global antmatchers functionality (WebMvcConfigurerAdapter) to apply authorization rules. Is it possible to combine these?
    I am also using a custom AuthenticationProvider
    springroll12
    @springroll12
    This is required to do something like protect actuator endpoints while still using @PreAuthorize in controllers.
    springroll12
    @springroll12
    Also, is it possible to disable spring security via application.properties (or application.yml)? It would be handy to be able to disable or stub this out for testing purposes.
    Choubani Amir
    @amirensit
    Hello.
    Any idea why the session attribute SPRING_SECURITY_CONTEXT is not mentioned in spring security doc in order to get the Security context ?
    James Howe
    @OrangeDog
    probably because you're supposed to use SecurityContextHolder
    Vadim Bryksin
    @Bryksin

    Hi
    Could someone help me please? I'm getting empty username parameter in findByUsername(String username) in ReactiveUserDetailsService

    In my security config I defined this:

    .formLogin()
    .loginPage("/login")
    .authenticationManager(new UserDetailsRepositoryReactiveAuthenticationManager(authService))

    where authService is Autowired ReactiveUserDetailsService

    I'm sending POST request to /login with parameters:

    {
    "username": "<some_username>",
    "password": "<some_password>"
}

    There is not controller implementing /login Spring security somehow itslef managing it, so I'm getting hit straight into ReactiveUserDetailsService but obviously request params were not properly mapped, I'm definitely missing something

    Vadim Bryksin
    @Bryksin
    I might assume that it can successfully get username only from Authentication object,
    so if I'll replace .authenticationManager(new UserDetailsRepositoryReactiveAuthenticationManager(authService))
    with custom ReactiveAuthenticationManager with implementation of authenticate(Authentication authentication)
    the authentication parameter is also empty, and I'm not sure where do I get request body content to return proper Authentication object with username and password
    Nathanael Law
    @njlaw
    Hello All, I’m wondering if there a recommended resource that gives the default order for filters as created by HttpSecurity in a WebSecurityConfigurerAdapter. Usually I just create a breakpoint in a filter than I know is being hit the inspect the filter list.
    molexx
    @molexx
    Our site's oauth endpoint is being flagged as 'Unsafe. Tries to trick visitors into sharing personal info' by Google's Safe Browsing and so big red warnings in Chrome and Firefox. They provide little info on what has caused it to be flagged. The only thing publicly accessible is the /login/oauth2/code endpoint which 302s to https://accounts.google.com/o/oauth2/v2/auth which seems correct. Domain and SSL cert are matching/correct.
    Choubani Amir
    @amirensit
    Hi all. Any idea if there is really a protocol when we use session basic authentication ( like the saml and oauth2 and ldap) ?
    tlann
    @tlann
    Is their a way to register an AuthenticationEventPublisher with the Spring OAuth2 Filter for logging purposes? I have a stackoverflow question about it here.
    https://stackoverflow.com/questions/58327875/setting-a-defaultauthenticationeventpublisher-in-websecurityconfigureradapter-fo
    Marcin Zięba
    @ziebamarcin
    Hello, that is my first time in OSS. I would like to propose pull request for hasAnyIpAddress(String[] ipAddresses) expression to be an extension to current hasIpAddress(String ipAddress). Context: I had to to allow some endpoints to be used only by specified machines that could not be described as normal ip range expression (eg. "192.168.1.1/24"). To accomplish that I had to use some weird string based expression ("hasIpAddress('...') or hasIpAddress('...')") which was dynamically generated. What do you think about that?
    dailin
    @dailin
    I use AccessDecisionManager and AbstractSecurityInterceptor to access control, it works well with zuul, but now changed to spring cloud gateway which use webflux, and i don't know how to implement AbstractSecurityInterceptor with webflux version
    Shradha Bharti
    @bharti.shradha_gitlab
    HI All,
    I recently did upgrade of spring boot 2.1.7 and suddently I was not getting and error message ..I found some idea with the below issue
    spring-projects/spring-security#4467
    so to fix this ..i have given this
    antMatchers("/error").permitAll()
    but now I m getting the error messgae but message are coming different
    so previously before upgrade when i was putting wrong username/pwd ...the response was
    {
    "timestamp": 1571049553776,
    "status": 401,
    "error": "Unauthorized",
    "message": "Authentication Failed: {\"errorCode\":\"52e\",\"adminMail\":\"System Administrator\",\"role\":[]}",
    "path": "/login/auth"
    }
    and now after upgrade
    {
    "timestamp": "2019-10-14T10:40:37.651+0000",
    "status": 401,
    "error": "Unauthorized",
    "message": "Unauthorized",
    "path": "/login/auth"
    }
    this is the response
    Let me know if somebody can help me for this
    Alexey Stepanov
    @SteelAlex

    Hi all,

    I need help with the next case:

    https://gist.github.com/SteelAlex/ac129a8099c9518e50f6815b3c2bfe1f - I configured Spring Security + Spring Session. I use custom header for session. And I can't change session timeout, I always logout after default 15 minutes of inactivity. I tried to set spring.session.timeout and/or server.servlet.session.timeout, but it doesn't work.

    I am sure I am doing something wrong, but I have no ideas what.

    tlann
    @tlann
    Does anyone know how to set a AuthenticationEventPublisher in the newer version of WebSecurityConfigurerAdapter
    miha-
    @miha-
    Hello, can some one help me understand this:
    i need to sign en encrypt soap request
    https://docs.spring.io/spring-ws/site/reference/html/security.html
    The XwsSecurityInterceptor will fire a SignatureKeyCallback to the registered handlers. Within Spring-WS, there are is one class which handles this particular callback: the KeyStoreCallbackHandler.
    The XwsSecurityInterceptor will fire a EncryptionKeyCallback to the registered handlers in order to retrieve the encryption information. Within Spring-WS, there is one class which handled this particular callback: the KeyStoreCallbackHandler.
    so for this only in policy has to be added, other things are the same 
    @Bean
    public KeyStoreCallbackHandler callback() throws Exception{
        KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();


        callbackHandler.setPrivateKeyPassword("t_passwordo");
        callbackHandler.setDefaultAlias("snet");
        callbackHandler.setKeyStore(keyStoreFactoryBean());
        callbackHandler.setTrustStore(TrustFactoryBean());

        return callbackHandler;
    }
    signeture works ok
    but for encrypt i get
    2019-10-16 09:41:01.902 ERROR 21412 --- [nio-8080-exec-2] j.e.resource.xml.webservices.security : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
    2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate
    tnx
    Jukka Siivonen
    @jukkasi
    Hello, I'm having problem configuring custom filter using http.addFilter(myFilter()), if myFilter() function uses @Bean then this filter is also registered as Spring filter which I do not want. If myFilter() returns FilterRegistrationBean with enabled = false then I don't know how to access initialized filter bean instance for http.addFilter() because it seems that myFilter().filter returns filter bean without dependencies set in this case
    tlann
    @tlann
    @rwinch Rob are Spring Security Developers still answering questions on gitter?
    Jukka Siivonen
    @jukkasi
    When HTTP sessions are used is there a way disable session creation for requests that ultimately fail because of AccessDeniedException / AuthenticationException? Or if session needs to exist, remove it at the end of filter chain. It seems that in my case session is created by ExceptionTranslationFilter requestCache.saveRequest(request, response); I believe removing session would only make sense for AccessDeniedException if there was no valid authentication at all
    miha-
    @miha-

    can someone help me pls with this:
    @miha-
    Hello, can some one help me understand this:
    i need to sign en encrypt soap request
    https://docs.spring.io/spring-ws/site/reference/html/security.html
    The XwsSecurityInterceptor will fire a SignatureKeyCallback to the registered handlers. Within Spring-WS, there are is one class which handles this particular callback: the KeyStoreCallbackHandler.
    The XwsSecurityInterceptor will fire a EncryptionKeyCallback to the registered handlers in order to retrieve the encryption information. Within Spring-WS, there is one class which handled this particular callback: the KeyStoreCallbackHandler.
    so for this only in policy has to be added, other things are the same

    @Bean
    public KeyStoreCallbackHandler callback() throws Exception{
        KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();


        callbackHandler.setPrivateKeyPassword("t_passwordo");
        callbackHandler.setDefaultAlias("snet");
        callbackHandler.setKeyStore(keyStoreFactoryBean());
        callbackHandler.setTrustStore(TrustFactoryBean());

        return callbackHandler;
    }

    signeture works ok
    but for encrypt i get
    2019-10-16 09:41:01.902 ERROR 21412 --- [nio-8080-exec-2] j.e.resource.xml.webservices.security : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
    2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate
    tnx

    Jukka Siivonen
    @jukkasi
    To answer my previous question, what I'm probably looking for is HttpSessionRequestCache.setCreateSessionAllowed(false)
    James Howe
    @OrangeDog
    Where is a good place to communicate what I'm using from spring-security-saml that I'd want in the future core implementation? And same thing for spring-security-oauth.
    Choubani Amir
    @amirensit
    hello.
    Any idea please why code example in spring security doc are in xml ?
    Giovanni Lovato
    @heruan
    Hello! I’m using the BindAuthenticator to authenticate users against LDAP. When the user provides the correct password, it gets correctly authenticated; the problem is when the user provides a wrong password: the authentication takes a very long time and then it fails with a timeout exception.
    Why so? If the password is wrong, it should fail immediately.
    Shradha Bharti
    @bharti.shradha_gitlab
    can anybody help me with this issue ,I am stuck from a very long time
    spring-projects/spring-security#7542
    James Howe
    @OrangeDog
    That's deliberate, and I don't ever recall 1.x giving the error details either. It is more secure to hide them.
    Shradha Bharti
    @bharti.shradha_gitlab
    oh ok
    Ramon Pires da Silva
    @ramonPires

    Hi, I have the following code, it's a MDCFilter. 

    import org.slf4j.MDC;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

public class NettyMDCFilter implements WebFilter {

    public static final String USER_AND_APPLICATION_KEY = "user";
    public static final String APPLICATION_KEY = "application";
    public static final String USERNAME_KEY = "username";

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        return exchange.<OAuth2Authentication>getPrincipal()
            .doOnNext(this::logWithContext)
            .map(auth -> exchange)
            .switchIfEmpty(Mono.just(exchange))
            .flatMap(chain::filter)
            .doFinally(signalType -> removeMDCKeys());
    }

    private void logWithContext(OAuth2Authentication authentication) {
        MDC.put(USER_AND_APPLICATION_KEY, userKey(authentication));
        if (authentication.isClientOnly()) {
            MDC.put(APPLICATION_KEY, authentication.getName());
        } else {
            MDC.put(APPLICATION_KEY, authentication.getOAuth2Request().getClientId());
            MDC.put(USERNAME_KEY, authentication.getName());
        }
    }

    private void removeMDCKeys() {
        MDC.remove(USER_AND_APPLICATION_KEY);
        MDC.remove(USERNAME_KEY);
        MDC.remove(APPLICATION_KEY);
    }

    private String userKey(OAuth2Authentication authentication) {
        if (authentication.isClientOnly()) {
            return authentication.getName();
        } else {
            return String.format("%s:%s", authentication.getOAuth2Request().getClientId(), authentication.getName());
        }
    }
}

    In the previous implementation was implemented using the class OAuth2Authentication, that belongs to the project the project spring-security-oauth, but this project now is under maintance mode , as you can see here . In my code, I want to check in the filter if the token belongs to a client application or to an user, but I don't have any idea about how could I do this in the new version of spring-security , even reading the documentation it's not clear for me what I should do, because there isn't a migration tutorial to migrate from spring-security-oauth2 project to the spring security project new version with built-in support to oauth2. I googled, but couldn't find a concrete tutorial to help me with this problem.

    Donald F Coffin
    @dfcoffin
    @ramonPires This is the open issue referencing the Spring Security OAuth 2.0 Migration Guidance spring-projects/spring-security#6733