spring-projects/spring-security

Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security

miha-

@miha-

2019-10-16 09:41:01.902 ERROR 21412 --- [nio-8080-exec-2] j.e.resource.xml.webservices.security : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate

tnx

Jukka Siivonen

@jukkasi

Hello, I'm having problem configuring custom filter using http.addFilter(myFilter()), if myFilter() function uses @Bean then this filter is also registered as Spring filter which I do not want. If myFilter() returns FilterRegistrationBean with enabled = false then I don't know how to access initialized filter bean instance for http.addFilter() because it seems that myFilter().filter returns filter bean without dependencies set in this case

tlann

@tlann

@rwinch Rob are Spring Security Developers still answering questions on gitter?

Jukka Siivonen

@jukkasi

When HTTP sessions are used is there a way disable session creation for requests that ultimately fail because of AccessDeniedException / AuthenticationException? Or if session needs to exist, remove it at the end of filter chain. It seems that in my case session is created by ExceptionTranslationFilter requestCache.saveRequest(request, response); I believe removing session would only make sense for AccessDeniedException if there was no valid authentication at all

miha-

@miha-

can someone help me pls with this:
@miha-
Hello, can some one help me understand this:
i need to sign en encrypt soap request
https://docs.spring.io/spring-ws/site/reference/html/security.html
The XwsSecurityInterceptor will fire a SignatureKeyCallback to the registered handlers. Within Spring-WS, there are is one class which handles this particular callback: the KeyStoreCallbackHandler.
The XwsSecurityInterceptor will fire a EncryptionKeyCallback to the registered handlers in order to retrieve the encryption information. Within Spring-WS, there is one class which handled this particular callback: the KeyStoreCallbackHandler.
so for this only in policy has to be added, other things are the same

@Bean
    public KeyStoreCallbackHandler callback() throws Exception{
        KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();


        callbackHandler.setPrivateKeyPassword("t_passwordo");
        callbackHandler.setDefaultAlias("snet");
        callbackHandler.setKeyStore(keyStoreFactoryBean());
        callbackHandler.setTrustStore(TrustFactoryBean());

        return callbackHandler;
    }

signeture works ok
but for encrypt i get
2019-10-16 09:41:01.902 ERROR 21412 --- [nio-8080-exec-2] j.e.resource.xml.webservices.security : WSS0221: Unable to locate matching certificate for Key Encryption using Callback Handler.
2019-10-16 09:41:01.906 ERROR 21412 --- [nio-8080-exec-2] com.sun.xml.wss.logging.impl.filter : WSS1413: Error extracting certificate
tnx

Jukka Siivonen

@jukkasi

To answer my previous question, what I'm probably looking for is HttpSessionRequestCache.setCreateSessionAllowed(false)

James Howe

@OrangeDog

Where is a good place to communicate what I'm using from spring-security-saml that I'd want in the future core implementation? And same thing for spring-security-oauth.

Choubani Amir

@amirensit

hello.
Any idea please why code example in spring security doc are in xml ?

Giovanni Lovato

@heruan

Hello! I’m using the BindAuthenticator to authenticate users against LDAP. When the user provides the correct password, it gets correctly authenticated; the problem is when the user provides a wrong password: the authentication takes a very long time and then it fails with a timeout exception.

Why so? If the password is wrong, it should fail immediately.

Shradha Bharti

@bharti.shradha_gitlab

can anybody help me with this issue ,I am stuck from a very long time

spring-projects/spring-security#7542

James Howe

@OrangeDog

That's deliberate, and I don't ever recall 1.x giving the error details either. It is more secure to hide them.

Shradha Bharti

@bharti.shradha_gitlab

oh ok

Ramon Pires da Silva

@ramonPires

Hi, I have the following code, it's a MDCFilter.

import org.slf4j.MDC;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

public class NettyMDCFilter implements WebFilter {

    public static final String USER_AND_APPLICATION_KEY = "user";
    public static final String APPLICATION_KEY = "application";
    public static final String USERNAME_KEY = "username";

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        return exchange.<OAuth2Authentication>getPrincipal()
            .doOnNext(this::logWithContext)
            .map(auth -> exchange)
            .switchIfEmpty(Mono.just(exchange))
            .flatMap(chain::filter)
            .doFinally(signalType -> removeMDCKeys());
    }

    private void logWithContext(OAuth2Authentication authentication) {
        MDC.put(USER_AND_APPLICATION_KEY, userKey(authentication));
        if (authentication.isClientOnly()) {
            MDC.put(APPLICATION_KEY, authentication.getName());
        } else {
            MDC.put(APPLICATION_KEY, authentication.getOAuth2Request().getClientId());
            MDC.put(USERNAME_KEY, authentication.getName());
        }
    }

    private void removeMDCKeys() {
        MDC.remove(USER_AND_APPLICATION_KEY);
        MDC.remove(USERNAME_KEY);
        MDC.remove(APPLICATION_KEY);
    }

    private String userKey(OAuth2Authentication authentication) {
        if (authentication.isClientOnly()) {
            return authentication.getName();
        } else {
            return String.format("%s:%s", authentication.getOAuth2Request().getClientId(), authentication.getName());
        }
    }
}

In the previous implementation was implemented using the class OAuth2Authentication, that belongs to the project the project spring-security-oauth, but this project now is under maintance mode , as you can see here . In my code, I want to check in the filter if the token belongs to a client application or to an user, but I don't have any idea about how could I do this in the new version of spring-security , even reading the documentation it's not clear for me what I should do, because there isn't a migration tutorial to migrate from spring-security-oauth2 project to the spring security project new version with built-in support to oauth2. I googled, but couldn't find a concrete tutorial to help me with this problem.

Donald F Coffin

@dfcoffin

@ramonPires This is the open issue referencing the Spring Security OAuth 2.0 Migration Guidance spring-projects/spring-security#6733

@ramonPires You can find it under the Spring Security 5.2.x Milestone

Ramon Pires da Silva

@ramonPires

My problem specifically is because I want to use netty, in my application I also need to propagate the token to a webclient request, the older implementation with servlets using spring-security-oauth2 was using threadlocal to hold the reference of the token, via SecurityContextHolder, but for me it's the worst solution, and I don't know how to create a better this solution within a webflux and servlet solution. Using webflux with netty seems to be a more thread safe solution, because of webfilters with Mono.subscriberContext(), an example can be found here, thats why I want to use netty, specifically of WebFilter support wich is only supported using reactor-netty. If I use spring-security-oauth2, I can't use netty, because of this dependency with the servlet api.

miha-

@miha-

HI
my error:
WSS1205: Unable to initialize XML Cipher
java.security.NoSuchAlgorithmException: Null or empty transformation

i guess it is something with my policy, if someone can help me what i am missing

<xwss:Sign includeTimestamp="true">
      <xwss:X509Token certificateAlias="softnet"></xwss:X509Token>
      <xwss:SignatureTarget type="xpath"
                            value="/SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/wsu:Timestamp">
          <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <xwss:AlgorithmParameter name="CanonicalizationMethod"
                                       value="http://www.w3.org/2001/10/xml-exc-c14n#" />

          </xwss:Transform>

      </xwss:SignatureTarget>
  </xwss:Sign>

    <xwss:Encrypt>
        <xwss:SymmetricKey keyAlias="syn" />
        <xwss:DataEncryptionMethod
                algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        <xwss:EncryptionTarget type="XPATH" value="//env:Body">
            <xwss:Transform algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5">
                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </xwss:Transform>
        </xwss:EncryptionTarget>
    </xwss:Encrypt>

Ramon Pires da Silva

@ramonPires

Anyone here had the same problem? It's not seems to be an unusual situation in a microservices environment. If anyone here could share a solution using the servlet api, for me it's not a problem, I just don't want to use the threadlocal solution again.

Ramon Pires da Silva

@ramonPires

public class MyFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        OAuth2Authentication authentication = (OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();

        String id  = Oauth2AuthenticationUtils.getId(httpRequest, authentication;
        MyContextHolder.setId(id);

        filterChain.doFilter(servletRequest, servletResponse);

        MyContextHolder.clearContext();
    }

    @Override
    public void destroy() {}
}

And the example of the implementation using ThreadLocal:

public class MyContextHolder {

    private static final ThreadLocal<String> MY_THREAD_LOCAL = new InheritableThreadLocal<>();

    public static String getId() {
        return MY_THREAD_LOCAL.get();
    }

    protected static void setId(String ID) {
        MY_THREAD_LOCAL.set(organizationId);
    }

    public static void clearContext() {
        MY_THREAD_LOCAL.remove();
    }
}

I found this solution https://www.baeldung.com/spring-security-async-principal-propagation , but I still think that it's not a thread safe solution.

Giovanni Lovato

@heruan

Hi! Any feedback about this? spring-projects/spring-security#7543

springroll12

@springroll12

Hello. I am very confused about how to catch AccessDeniedExceptions in spring boot 2. I've set up an addFilterBefore clause to my global method security settings, but it seems that this prevents either the authenticationEntryPoint or accessDeniedHandlers from taking effect. For example the AccessDeniedException is thrown and caught by an @ControllerAdvice class I have, instead of the accessDeniedHandler. The AccessDeniedHandler has worked fine in the past (I was previously using addFilterAfter) so I'm not sure what's up. Here's my config:

http                                                                                                                                                                                                   
                .addFilterBefore(new AuthZFilter(), SecurityContextHolderAwareRequestFilter.class)                                                                                                                 
                .authorizeRequests()                                                                                                                                                                               
                .antMatchers(<MATCHERS>).access(<RULES>)
                .anyRequest().permitAll();

            // Ignore sessions.                                                                                                                                                                                    
            http                                                                                                                                                                                                   
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);                                                                                                                       

            // Set error 403/401 response payloads to Custom ?? Not working with addFilterBefore ???                                                                                                                                               
            http                                                                                                                                                                                                   
                .csrf().disable().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).accessDeniedHandler(accessDeniedHandler);

James Howe

@OrangeDog

spring-security-oauth2 - the RedirectView it uses to return a code to the client doesn't seem to work correctly if the uri uses a custom schema. Also no content is returned with it so the browser stays on the approval page (and submitting again fails because the session ended). Unfortunately, I don't see a nice way to replace it because there are a lot of private methods involved in AuthorizationEndpoint.

James Howe

@OrangeDog

I'm going to try extending AuthorizationEndpoint and wrap the super calls, but I don't see where to configue using a custom endpoint controller?

Ah yeah, and then I need to apply all the same config to it :(

Perhaps an aspect is a better idea

springroll12

@springroll12

It seems that exceptions not being handed to authenticationEntryPoint/accessDeniedHandler is caused by them being caught by a global exception handler per this issue: spring-projects/spring-security#6908

jeff

@jikramer_gitlab

Looking to port a Spring security SAML application in Grails to a Spring security SAML application in Java. NetIQ is the IDP. Can anyone point me in the right direction pls

Filip Hanik

@fhanik

@jikramer_gitlab Hi Jeff, what functionality are you looking for? We've started building out authentication in the 5.2.x release train. https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/htmlsingle/#saml2

James Howe

@OrangeDog

@jikramer_gitlab if that's not sufficient, the older library is https://projects.spring.io/spring-security-saml/

Pontus Enmark

@penmark

Hi I'm having trouble using an oauth2 resource with an oauth2 client (both reactive): https://stackoverflow.com/q/58595062/329065. Is it a spring security bug or am I missing something?

switchYello

@switchYello

i find the code

I find the code repeated Base64 Decoder in

org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices


protected String[] decodeCookie(String cookieValue) throws InvalidCookieException {
        for (int j = 0; j < cookieValue.length() % 4; j++) {
            cookieValue = cookieValue + "=";
        }

        //here
        try {
            Base64.getDecoder().decode(cookieValue.getBytes());
        }
        catch (IllegalArgumentException e) {
            throw new InvalidCookieException(
                    "Cookie token was not Base64 encoded; value was '" + cookieValue
                            + "'");
        }

        //here
        String cookieAsPlainText = new String(Base64.getDecoder().decode(cookieValue.getBytes()));

Brian Devins-Suresh

@devinsba

Is there a way to use the new OAuth 2 clients in a non server environment? IE: in a batch job. I'm trying to not use the maintainance mode starter if I don't have to but can't figure out a way to get the token automatically into webclient/resttemplate

Using client_credentials grant

Donald F Coffin

@dfcoffin

@devinsba Did you look at the Spring Security OAuth Client code or just the Spring Security Resource Server code?

Brian Devins-Suresh

@devinsba

Yeah, I've only been digging in client. All the ClientCredentials classes seem to require a security context that it seems would only come from a servlet/webflux request

AH, maybe AuthorizedClientServiceOAuth2AuthorizedClientManager is what I'm looking for

Brian Devins-Suresh

@devinsba

Though I still don't see a way to create a OAuth2AuthorizeRequest without an existing web request

Artjom Kalita

@artjomka

Will copy question from spring-boot room here

Hello, after updating spring boot 2.1.4 to 2.2.0 I encountered a problem on starting application Caused by: java.lang.IllegalStateException: Can't configure antMatchers after anyRequest
nothing changed in code except spring boot version and configuration file where that IllegalStateException pointing on looks like that


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/something/**")
                .csrf().disable()
                .authorizeRequests().anyRequest().hasRole(ROLE)
                .antMatchers(PUT, "/api/**").hasRole(ROLE)
                .and().httpBasic();
    }

As I understand spring-security was updated to version 5.2 in boot 2.2.0, maybe I missed something there ?
Also maybe that related to that this project have several security configuration files with @Order annotation ?

James Howe

@OrangeDog

I was having a look trying to find an alternative to Java object serialization for authentication objects and such, so they're not as sensitive to version changes. It seems like Jackson wouldn't really work because they're not beany enough.

James Howe

@OrangeDog

In this particular case, it was SimpleGrantedAuthority that changed serialVersionUIDand broke everything.

Phil Clay

@philsttr

Is it expected that @EnableGlobalMethodSecurity cannot be used at the same time as @EnableReactiveMethodSecurity within the same application? They both declare a bean named methodSecurityInterceptor, so spring boot startup fails with:

The bean 'methodSecurityInterceptor', defined in class path resource [org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.class], could not be registered. A bean with that name has already been defined in class path resource [org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.class] and overriding is disabled.

I know that the former pulls the SecurityContext from SecurityContextHolder and the latter pulls it from ReactiveSecurityContextHolder. However, if I have code that manages propagation of the SecurityContext between SecurityContextHolder and ReactiveSecurityContextHolder, it seems like I should be able to use both @EnableGlobalMethodSecurity and @EnableReactiveMethodSecurity

Filip Hanik

@fhanik

@philsttr using both would imply that you are trying to use a reactive container and a servlet container at the same time. if you're not using a servlet container, use the reactive components to achieve what you need.

Phil Clay

@philsttr

Consider a WebFlux application that dispatches some requests to some "older" synchronous code (on the proper Scheduler) in some situations. The synchronous code uses @PreAuthorize sporadically. When the dispatch occurs, I copy the SecurityContextfrom ReactiveSecurityContextHolder to SecurityContextHolder. Ideally, this would allow @PreAuthorize to continue to work in the old code

Phil Clay

@philsttr

So it doesn't necessarily imply that I'm running a servlet container. But it does imply that I'm running some synchronous code. And it would be super awesome if @PreAuthorize worked in that old synchronous code.

Choubani Amir

@amirensit

Hello. I have a simple question

Where communities thrive

People

Repo info

Activity