    tlann
    @tlann
    Does anyone know how to set an AuthenticationEventPublisher in the newer version of WebSecurityConfigurerAdapter?
    miha-
    @miha-
    Hello, can someone help me understand this:
    I need to sign and encrypt a SOAP request.
    The XwsSecurityInterceptor will fire a SignatureKeyCallback to the registered handlers. Within Spring-WS, there is one class which handles this particular callback: the KeyStoreCallbackHandler.
    The XwsSecurityInterceptor will fire an EncryptionKeyCallback to the registered handlers in order to retrieve the encryption information. Within Spring-WS, there is one class which handles this particular callback: the KeyStoreCallbackHandler.
    so for this, only the policy has to be added to; other things are the same
    @Bean
    public KeyStoreCallbackHandler callback() throws Exception {
        KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();

        // password of the private key and the default alias used when signing
        callbackHandler.setPrivateKeyPassword("t_passwordo");
        callbackHandler.setDefaultAlias("snet");
        callbackHandler.setKeyStore(keyStoreFactoryBean());
        callbackHandler.setTrustStore(TrustFactoryBean());

        return callbackHandler;
    }
    signature works ok
    but for encryption I get
    2019-10-16 09:41:01.902 ERROR 21412 --- [nio-8080-exec-2] j.e.resource.xml.webservices.security : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
    2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate
    thanks
    Jukka Siivonen
    @jukkasi
    Hello, I'm having a problem configuring a custom filter using http.addFilter(myFilter()): if the myFilter() function uses @Bean then this filter is also registered as a Spring filter, which I do not want. If myFilter() returns a FilterRegistrationBean with enabled = false then I don't know how to access the initialized filter bean instance for http.addFilter(), because it seems that myFilter().filter returns the filter bean without its dependencies set in this case.
    tlann
    @tlann
    @rwinch Rob are Spring Security Developers still answering questions on gitter?
    Jukka Siivonen
    @jukkasi
    When HTTP sessions are used, is there a way to disable session creation for requests that ultimately fail because of AccessDeniedException / AuthenticationException? Or, if a session needs to exist, remove it at the end of the filter chain. It seems that in my case the session is created by ExceptionTranslationFilter via requestCache.saveRequest(request, response); I believe removing the session would only make sense for AccessDeniedException if there was no valid authentication at all.
    miha-
    @miha-

    can someone please help me with this:
    @miha-
    Hello, can someone help me understand this:
    I need to sign and encrypt a SOAP request.
    https://docs.spring.io/spring-ws/site/reference/html/security.html
    The XwsSecurityInterceptor will fire a SignatureKeyCallback to the registered handlers. Within Spring-WS, there is one class which handles this particular callback: the KeyStoreCallbackHandler.
    The XwsSecurityInterceptor will fire an EncryptionKeyCallback to the registered handlers in order to retrieve the encryption information. Within Spring-WS, there is one class which handles this particular callback: the KeyStoreCallbackHandler.
    so for this, only the policy has to be added to; other things are the same

    @Bean
    public KeyStoreCallbackHandler callback() throws Exception {
        KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();

        // password of the private key and the default alias used when signing
        callbackHandler.setPrivateKeyPassword("t_passwordo");
        callbackHandler.setDefaultAlias("snet");
        callbackHandler.setKeyStore(keyStoreFactoryBean());
        callbackHandler.setTrustStore(TrustFactoryBean());

        return callbackHandler;
    }

    signature works ok
    but for encryption I get
    2019-10-16 09:41:01.902 ERROR 21412 --- [nio-8080-exec-2] j.e.resource.xml.webservices.security : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
    2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate
    thanks

    Jukka Siivonen
    @jukkasi
    To answer my previous question, what I'm probably looking for is HttpSessionRequestCache.setCreateSessionAllowed(false)
    James Howe
    @OrangeDog
    Where is a good place to communicate what I'm using from spring-security-saml that I'd want in the future core implementation? And same thing for spring-security-oauth.
    Choubani Amir
    @amirensit
    Hello.
    Any idea please why the code examples in the Spring Security docs are in XML?
    Giovanni Lovato
    @heruan
    Hello! I’m using the BindAuthenticator to authenticate users against LDAP. When the user provides the correct password, it gets correctly authenticated; the problem is when the user provides a wrong password: the authentication takes a very long time and then it fails with a timeout exception.
    Why so? If the password is wrong, it should fail immediately.
    Shradha Bharti
    @bharti.shradha_gitlab
    Can anybody help me with this issue? I have been stuck for a very long time.
    James Howe
    @OrangeDog
    That's deliberate, and I don't ever recall 1.x giving the error details either. It is more secure to hide them.
    Shradha Bharti
    @bharti.shradha_gitlab
    oh ok
    Ramon Pires da Silva
    @ramonPires

    Hi, I have the following code, it's an MDC filter.

    import org.slf4j.MDC;
    import org.springframework.security.oauth2.provider.OAuth2Authentication;
    import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication; // not used yet
    import org.springframework.web.server.ServerWebExchange;
    import org.springframework.web.server.WebFilter;
    import org.springframework.web.server.WebFilterChain;
    import reactor.core.publisher.Mono;

    public class NettyMDCFilter implements WebFilter {

        public static final String USER_AND_APPLICATION_KEY = "user";
        public static final String APPLICATION_KEY = "application";
        public static final String USERNAME_KEY = "username";

        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            // put the principal into the MDC, run the rest of the chain, then clean up
            return exchange.<OAuth2Authentication>getPrincipal()
                .doOnNext(this::logWithContext)
                .map(auth -> exchange)
                .switchIfEmpty(Mono.just(exchange))
                .flatMap(chain::filter)
                .doFinally(signalType -> removeMDCKeys());
        }

        private void logWithContext(OAuth2Authentication authentication) {
            MDC.put(USER_AND_APPLICATION_KEY, userKey(authentication));
            if (authentication.isClientOnly()) {
                // client_credentials token: the principal is the client itself
                MDC.put(APPLICATION_KEY, authentication.getName());
            } else {
                MDC.put(APPLICATION_KEY, authentication.getOAuth2Request().getClientId());
                MDC.put(USERNAME_KEY, authentication.getName());
            }
        }

        private void removeMDCKeys() {
            MDC.remove(USER_AND_APPLICATION_KEY);
            MDC.remove(USERNAME_KEY);
            MDC.remove(APPLICATION_KEY);
        }

        private String userKey(OAuth2Authentication authentication) {
            if (authentication.isClientOnly()) {
                return authentication.getName();
            } else {
                return String.format("%s:%s", authentication.getOAuth2Request().getClientId(), authentication.getName());
            }
        }
    }

    The previous implementation used the class OAuth2Authentication, which belongs to the spring-security-oauth project, but this project is now in maintenance mode, as you can see here. In my code, I want to check in the filter whether the token belongs to a client application or to a user, but I don't have any idea how I could do this in the new version of Spring Security; even after reading the documentation it's not clear to me what I should do, because there isn't a migration tutorial for moving from the spring-security-oauth2 project to the new Spring Security version with built-in OAuth2 support. I googled, but couldn't find a concrete tutorial to help me with this problem.

    Donald F Coffin
    @dfcoffin
    @ramonPires This is the open issue referencing the Spring Security OAuth 2.0 Migration Guidance spring-projects/spring-security#6733
    @ramonPires You can find it under the Spring Security 5.2.x Milestone
    Ramon Pires da Silva
    @ramonPires
    My problem specifically is that I want to use Netty; in my application I also need to propagate the token to a WebClient request. The older implementation with servlets using spring-security-oauth2 used a ThreadLocal to hold the reference to the token, via SecurityContextHolder, but for me it's the worst solution, and I don't know how to create a better solution within a WebFlux and servlet setup. Using WebFlux with Netty seems to be a more thread-safe solution, because of WebFilters with Mono.subscriberContext(); an example can be found here. That's why I want to use Netty, specifically for the WebFilter support, which is only available using reactor-netty. If I use spring-security-oauth2, I can't use Netty, because of its dependency on the servlet API.
    miha-
    @miha-

    Hi
    My error:
    WSS1205: Unable to initialize XML Cipher
    java.security.NoSuchAlgorithmException: Null or empty transformation

    I guess it is something with my policy; can someone help me with what I am missing?

    <xwss:Sign includeTimestamp="true">
        <xwss:X509Token certificateAlias="softnet"></xwss:X509Token>
        <xwss:SignatureTarget type="xpath"
                              value="/SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/wsu:Timestamp">
            <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <xwss:AlgorithmParameter name="CanonicalizationMethod"
                                         value="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </xwss:Transform>
        </xwss:SignatureTarget>
    </xwss:Sign>

    <xwss:Encrypt>
        <xwss:SymmetricKey keyAlias="syn" />
        <xwss:DataEncryptionMethod
                algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        <xwss:EncryptionTarget type="XPATH" value="//env:Body">
            <xwss:Transform algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5">
                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </xwss:Transform>
        </xwss:EncryptionTarget>
    </xwss:Encrypt>
    Ramon Pires da Silva
    @ramonPires
    Has anyone here had the same problem? It doesn't seem to be an unusual situation in a microservices environment. If anyone here could share a solution using the servlet API, that's not a problem for me; I just don't want to use the ThreadLocal solution again.
    Ramon Pires da Silva
    @ramonPires
    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;

    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.oauth2.provider.OAuth2Authentication;

    public class MyFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {}

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
            // authentication was populated earlier in the chain by spring-security-oauth2
            OAuth2Authentication authentication = (OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();

            String id = Oauth2AuthenticationUtils.getId(httpRequest, authentication);
            MyContextHolder.setId(id);

            try {
                filterChain.doFilter(servletRequest, servletResponse);
            } finally {
                // clear even when the chain throws, otherwise the id leaks into the next request served by this pooled thread
                MyContextHolder.clearContext();
            }
        }

        @Override
        public void destroy() {}
    }
    And the example of the implementation using ThreadLocal:
    public class MyContextHolder {

        // InheritableThreadLocal copies the value into child threads only at thread creation time
        private static final ThreadLocal<String> MY_THREAD_LOCAL = new InheritableThreadLocal<>();

        public static String getId() {
            return MY_THREAD_LOCAL.get();
        }

        protected static void setId(String id) {
            MY_THREAD_LOCAL.set(id);
        }

        public static void clearContext() {
            MY_THREAD_LOCAL.remove();
        }
    }
    I found this solution https://www.baeldung.com/spring-security-async-principal-propagation, but I still think that it's not a thread-safe solution.
    Giovanni Lovato
    @heruan
    Hi! Any feedback about this? spring-projects/spring-security#7543
    springroll12
    @springroll12
    Hello. I am very confused about how to catch AccessDeniedExceptions in spring boot 2. I've set up an addFilterBefore clause to my global method security settings, but it seems that this prevents either the authenticationEntryPoint or accessDeniedHandlers from taking effect. For example the AccessDeniedException is thrown and caught by an @ControllerAdvice class I have, instead of the accessDeniedHandler. The AccessDeniedHandler has worked fine in the past (I was previously using addFilterAfter) so I'm not sure what's up. Here's my config:
    http
        .addFilterBefore(new AuthZFilter(), SecurityContextHolderAwareRequestFilter.class)
        .authorizeRequests()
        .antMatchers(<MATCHERS>).access(<RULES>)
        .anyRequest().permitAll();

    // Ignore sessions.
    http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Set error 403/401 response payloads to Custom ?? Not working with addFilterBefore ???
    http
        .csrf().disable().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).accessDeniedHandler(accessDeniedHandler);
    James Howe
    @OrangeDog
    spring-security-oauth2 - the RedirectView it uses to return a code to the client doesn't seem to work correctly if the URI uses a custom scheme. Also no content is returned with it, so the browser stays on the approval page (and submitting again fails because the session ended). Unfortunately, I don't see a nice way to replace it because there are a lot of private methods involved in AuthorizationEndpoint.
    James Howe
    @OrangeDog
    I'm going to try extending AuthorizationEndpoint and wrapping the super calls, but I don't see where to configure using a custom endpoint controller?
    Ah yeah, and then I need to apply all the same config to it :(
    Perhaps an aspect is a better idea
    springroll12
    @springroll12
    It seems that exceptions not being handed to authenticationEntryPoint/accessDeniedHandler is caused by them being caught by a global exception handler per this issue: spring-projects/spring-security#6908
    jeff
    @jikramer_gitlab
    Looking to port a Spring Security SAML application in Grails to a Spring Security SAML application in Java. NetIQ is the IdP. Can anyone point me in the right direction please?
    Filip Hanik
    @fhanik
    @jikramer_gitlab Hi Jeff, what functionality are you looking for? We've started building out authentication in the 5.2.x release train. https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/htmlsingle/#saml2
    James Howe
    @OrangeDog
    @jikramer_gitlab if that's not sufficient, the older library is https://projects.spring.io/spring-security-saml/
    Pontus Enmark
    @penmark
    Hi I'm having trouble using an oauth2 resource with an oauth2 client (both reactive): https://stackoverflow.com/q/58595062/329065. Is it a spring security bug or am I missing something?
    switchYello
    @switchYello
    I find the code repeats the Base64 decoding in
    org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    
    protected String[] decodeCookie(String cookieValue) throws InvalidCookieException {
        for (int j = 0; j < cookieValue.length() % 4; j++) {
            cookieValue = cookieValue + "=";
        }

        //here
        try {
            Base64.getDecoder().decode(cookieValue.getBytes());
        }
        catch (IllegalArgumentException e) {
            throw new InvalidCookieException(
                    "Cookie token was not Base64 encoded; value was '" + cookieValue
                            + "'");
        }

        //here
        String cookieAsPlainText = new String(Base64.getDecoder().decode(cookieValue.getBytes()));
    Brian Devins-Suresh
    @devinsba
    Is there a way to use the new OAuth 2 clients in a non-server environment, i.e. in a batch job? I'm trying not to use the maintenance-mode starter if I don't have to, but can't figure out a way to get the token automatically into WebClient/RestTemplate.
    Using client_credentials grant
    Donald F Coffin
    @dfcoffin
    @devinsba Did you look at the Spring Security OAuth Client code or just the Spring Security Resource Server code?
    Brian Devins-Suresh
    @devinsba
    Yeah, I've only been digging in client. All the ClientCredentials classes seem to require a security context that it seems would only come from a servlet/webflux request