Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Jukka Siivonen
    @jukkasi
    To answer my previous question, what I'm probably looking for is HttpSessionRequestCache.setCreateSessionAllowed(false)
    James Howe
    @OrangeDog
    Where is a good place to communicate what I'm using from spring-security-saml that I'd want in the future core implementation? And same thing for spring-security-oauth.
    Choubani Amir
    @amirensit
    hello.
    Any idea please why code example in spring security doc are in xml ?
    Giovanni Lovato
    @heruan
    Hello! I’m using the BindAuthenticator to authenticate users against LDAP. When the user provides the correct password, it gets correctly authenticated; the problem is when the user provides a wrong password: the authentication takes a very long time and then it fails with a timeout exception.
    Why so? If the password is wrong, it should fail immediately.
    Shradha Bharti
    @bharti.shradha_gitlab
    can anybody help me with this issue ,I am stuck from a very long time
    James Howe
    @OrangeDog
    That's deliberate, and I don't ever recall 1.x giving the error details either. It is more secure to hide them.
    Shradha Bharti
    @bharti.shradha_gitlab
    oh ok
    Ramon Pires da Silva
    @ramonPires

    Hi, I have the following code, it's a MDCFilter.

    import org.slf4j.MDC;
    import org.springframework.security.oauth2.provider.OAuth2Authentication;
    import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
    import org.springframework.web.server.ServerWebExchange;
    import org.springframework.web.server.WebFilter;
    import org.springframework.web.server.WebFilterChain;
    import reactor.core.publisher.Mono;
    
    public class NettyMDCFilter implements WebFilter {
    
        public static final String USER_AND_APPLICATION_KEY = "user";
        public static final String APPLICATION_KEY = "application";
        public static final String USERNAME_KEY = "username";
    
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            return exchange.<OAuth2Authentication>getPrincipal()
                .doOnNext(this::logWithContext)
                .map(auth -> exchange)
                .switchIfEmpty(Mono.just(exchange))
                .flatMap(chain::filter)
                .doFinally(signalType -> removeMDCKeys());
        }
    
        private void logWithContext(OAuth2Authentication authentication) {
            MDC.put(USER_AND_APPLICATION_KEY, userKey(authentication));
            if (authentication.isClientOnly()) {
                MDC.put(APPLICATION_KEY, authentication.getName());
            } else {
                MDC.put(APPLICATION_KEY, authentication.getOAuth2Request().getClientId());
                MDC.put(USERNAME_KEY, authentication.getName());
            }
        }
    
        private void removeMDCKeys() {
            MDC.remove(USER_AND_APPLICATION_KEY);
            MDC.remove(USERNAME_KEY);
            MDC.remove(APPLICATION_KEY);
        }
    
        private String userKey(OAuth2Authentication authentication) {
            if (authentication.isClientOnly()) {
                return authentication.getName();
            } else {
                return String.format("%s:%s", authentication.getOAuth2Request().getClientId(), authentication.getName());
            }
        }
    }

    In the previous implementation was implemented using the class OAuth2Authentication, that belongs to the project the project spring-security-oauth, but this project now is under maintance mode , as you can see here . In my code, I want to check in the filter if the token belongs to a client application or to an user, but I don't have any idea about how could I do this in the new version of spring-security , even reading the documentation it's not clear for me what I should do, because there isn't a migration tutorial to migrate from spring-security-oauth2 project to the spring security project new version with built-in support to oauth2. I googled, but couldn't find a concrete tutorial to help me with this problem.

    Donald F Coffin
    @dfcoffin
    @ramonPires This is the open issue referencing the Spring Security OAuth 2.0 Migration Guidance spring-projects/spring-security#6733
    @ramonPires You can find it under the Spring Security 5.2.x Milestone
    Ramon Pires da Silva
    @ramonPires
    My problem specifically is because I want to use netty, in my application I also need to propagate the token to a webclient request, the older implementation with servlets using spring-security-oauth2 was using threadlocal to hold the reference of the token, via SecurityContextHolder, but for me it's the worst solution, and I don't know how to create a better this solution within a webflux and servlet solution. Using webflux with netty seems to be a more thread safe solution, because of webfilters with Mono.subscriberContext(), an example can be found here, thats why I want to use netty, specifically of WebFilter support wich is only supported using reactor-netty. If I use spring-security-oauth2, I can't use netty, because of this dependency with the servlet api.
    miha-
    @miha-

    HI
    my error:
    WSS1205: Unable to initialize XML Cipher
    java.security.NoSuchAlgorithmException: Null or empty transformation

    i guess it is something with my policy, if someone can help me what i am missing

    <xwss:Sign includeTimestamp="true">
          <xwss:X509Token certificateAlias="softnet"></xwss:X509Token>
          <xwss:SignatureTarget type="xpath"
                                value="/SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/wsu:Timestamp">
              <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <xwss:AlgorithmParameter name="CanonicalizationMethod"
                                           value="http://www.w3.org/2001/10/xml-exc-c14n#" />
    
              </xwss:Transform>
    
          </xwss:SignatureTarget>
      </xwss:Sign>
    
        <xwss:Encrypt>
            <xwss:SymmetricKey keyAlias="syn" />
            <xwss:DataEncryptionMethod
                    algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <xwss:EncryptionTarget type="XPATH" value="//env:Body">
                <xwss:Transform algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5">
                    <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </xwss:Transform>
            </xwss:EncryptionTarget>
        </xwss:Encrypt>
    Ramon Pires da Silva
    @ramonPires
    Anyone here had the same problem? It's not seems to be an unusual situation in a microservices environment. If anyone here could share a solution using the servlet api, for me it's not a problem, I just don't want to use the threadlocal solution again.
    Ramon Pires da Silva
    @ramonPires
    public class MyFilter implements Filter {
    
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {}
    
        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
            OAuth2Authentication authentication = (OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();
    
            String id  = Oauth2AuthenticationUtils.getId(httpRequest, authentication;
            MyContextHolder.setId(id);
    
            filterChain.doFilter(servletRequest, servletResponse);
    
            MyContextHolder.clearContext();
        }
    
        @Override
        public void destroy() {}
    }
    And the example of the implementation using ThreadLocal:
    public class MyContextHolder {
    
        private static final ThreadLocal<String> MY_THREAD_LOCAL = new InheritableThreadLocal<>();
    
        public static String getId() {
            return MY_THREAD_LOCAL.get();
        }
    
        protected static void setId(String ID) {
            MY_THREAD_LOCAL.set(organizationId);
        }
    
        public static void clearContext() {
            MY_THREAD_LOCAL.remove();
        }
    }
    I found this solution https://www.baeldung.com/spring-security-async-principal-propagation , but I still think that it's not a thread safe solution.
    Giovanni Lovato
    @heruan
    Hi! Any feedback about this? spring-projects/spring-security#7543
    springroll12
    @springroll12
    Hello. I am very confused about how to catch AccessDeniedExceptions in spring boot 2. I've set up an addFilterBefore clause to my global method security settings, but it seems that this prevents either the authenticationEntryPoint or accessDeniedHandlers from taking effect. For example the AccessDeniedException is thrown and caught by an @ControllerAdvice class I have, instead of the accessDeniedHandler. The AccessDeniedHandler has worked fine in the past (I was previously using addFilterAfter) so I'm not sure what's up. Here's my config:
    http                                                                                                                                                                                                   
                    .addFilterBefore(new AuthZFilter(), SecurityContextHolderAwareRequestFilter.class)                                                                                                                 
                    .authorizeRequests()                                                                                                                                                                               
                    .antMatchers(<MATCHERS>).access(<RULES>)
                    .anyRequest().permitAll();
    
                // Ignore sessions.                                                                                                                                                                                    
                http                                                                                                                                                                                                   
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);                                                                                                                       
    
                // Set error 403/401 response payloads to Custom ?? Not working with addFilterBefore ???                                                                                                                                               
                http                                                                                                                                                                                                   
                    .csrf().disable().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).accessDeniedHandler(accessDeniedHandler);
    James Howe
    @OrangeDog
    spring-security-oauth2 - the RedirectView it uses to return a code to the client doesn't seem to work correctly if the uri uses a custom schema. Also no content is returned with it so the browser stays on the approval page (and submitting again fails because the session ended). Unfortunately, I don't see a nice way to replace it because there are a lot of private methods involved in AuthorizationEndpoint.
    James Howe
    @OrangeDog
    I'm going to try extending AuthorizationEndpoint and wrap the super calls, but I don't see where to configue using a custom endpoint controller?
    Ah yeah, and then I need to apply all the same config to it :(
    Perhaps an aspect is a better idea
    springroll12
    @springroll12
    It seems that exceptions not being handed to authenticationEntryPoint/accessDeniedHandler is caused by them being caught by a global exception handler per this issue: spring-projects/spring-security#6908
    jeff
    @jikramer_gitlab
    Looking to port a Spring security SAML application in Grails to a Spring security SAML application in Java. NetIQ is the IDP. Can anyone point me in the right direction pls
    Filip Hanik
    @fhanik
    @jikramer_gitlab Hi Jeff, what functionality are you looking for? We've started building out authentication in the 5.2.x release train. https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/htmlsingle/#saml2
    James Howe
    @OrangeDog
    @jikramer_gitlab if that's not sufficient, the older library is https://projects.spring.io/spring-security-saml/
    Pontus Enmark
    @penmark
    Hi I'm having trouble using an oauth2 resource with an oauth2 client (both reactive): https://stackoverflow.com/q/58595062/329065. Is it a spring security bug or am I missing something?
    switchYello
    @switchYello
    i find the code
    I find the code repeated Base64 Decoder in
    org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    
    protected String[] decodeCookie(String cookieValue) throws InvalidCookieException {
            for (int j = 0; j < cookieValue.length() % 4; j++) {
                cookieValue = cookieValue + "=";
            }
    
            //here
            try {
                Base64.getDecoder().decode(cookieValue.getBytes());
            }
            catch (IllegalArgumentException e) {
                throw new InvalidCookieException(
                        "Cookie token was not Base64 encoded; value was '" + cookieValue
                                + "'");
            }
    
            //here
            String cookieAsPlainText = new String(Base64.getDecoder().decode(cookieValue.getBytes()));
    Brian Devins-Suresh
    @devinsba
    Is there a way to use the new OAuth 2 clients in a non server environment? IE: in a batch job. I'm trying to not use the maintainance mode starter if I don't have to but can't figure out a way to get the token automatically into webclient/resttemplate
    Using client_credentials grant
    Donald F Coffin
    @dfcoffin
    @devinsba Did you look at the Spring Security OAuth Client code or just the Spring Security Resource Server code?
    Brian Devins-Suresh
    @devinsba
    Yeah, I've only been digging in client. All the ClientCredentials classes seem to require a security context that it seems would only come from a servlet/webflux request
    AH, maybe AuthorizedClientServiceOAuth2AuthorizedClientManager is what I'm looking for
    Brian Devins-Suresh
    @devinsba
    Though I still don't see a way to create a OAuth2AuthorizeRequest without an existing web request
    Artjom Kalita
    @artjomka

    Will copy question from spring-boot room here

    Hello, after updating spring boot 2.1.4 to 2.2.0 I encountered a problem on starting application Caused by: java.lang.IllegalStateException: Can't configure antMatchers after anyRequest
    nothing changed in code except spring boot version and configuration file where that IllegalStateException pointing on looks like that

    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/something/**")
                    .csrf().disable()
                    .authorizeRequests().anyRequest().hasRole(ROLE)
                    .antMatchers(PUT, "/api/**").hasRole(ROLE)
                    .and().httpBasic();
        }

    As I understand spring-security was updated to version 5.2 in boot 2.2.0, maybe I missed something there ?
    Also maybe that related to that this project have several security configuration files with @Order annotation ?

    James Howe
    @OrangeDog
    I was having a look trying to find an alternative to Java object serialization for authentication objects and such, so they're not as sensitive to version changes. It seems like Jackson wouldn't really work because they're not beany enough.
    James Howe
    @OrangeDog
    In this particular case, it was SimpleGrantedAuthority that changed serialVersionUIDand broke everything.
    Phil Clay
    @philsttr

    Is it expected that @EnableGlobalMethodSecurity cannot be used at the same time as @EnableReactiveMethodSecurity within the same application? They both declare a bean named methodSecurityInterceptor, so spring boot startup fails with:

    The bean 'methodSecurityInterceptor', defined in class path resource [org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.class], could not be registered. A bean with that name has already been defined in class path resource [org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.class] and overriding is disabled.

    I know that the former pulls the SecurityContext from SecurityContextHolder and the latter pulls it from ReactiveSecurityContextHolder. However, if I have code that manages propagation of the SecurityContext between SecurityContextHolder and ReactiveSecurityContextHolder, it seems like I should be able to use both @EnableGlobalMethodSecurity and @EnableReactiveMethodSecurity

    Filip Hanik
    @fhanik
    @philsttr using both would imply that you are trying to use a reactive container and a servlet container at the same time. if you're not using a servlet container, use the reactive components to achieve what you need.
    Phil Clay
    @philsttr
    Consider a WebFlux application that dispatches some requests to some "older" synchronous code (on the proper Scheduler) in some situations. The synchronous code uses @PreAuthorize sporadically. When the dispatch occurs, I copy the SecurityContextfrom ReactiveSecurityContextHolder to SecurityContextHolder. Ideally, this would allow @PreAuthorize to continue to work in the old code
    Phil Clay
    @philsttr
    So it doesn't necessarily imply that I'm running a servlet container. But it does imply that I'm running some synchronous code. And it would be super awesome if @PreAuthorize worked in that old synchronous code.
    Choubani Amir
    @amirensit
    Hello. I have a simple question
    why spring security jwt is not mentioned in the documentation ?
    why there is no documentation part like ldap and saml ect ?
    Phil Clay
    @philsttr
    @amirensit , JWT support is mentioned throughout the spring security reference documentation.. particularly in the OAuth2 Resource Server sections
    https://docs.spring.io/spring-security/site/docs/5.2.1.RELEASE/reference/htmlsingle/#oauth2resourceserver
    Choubani Amir
    @amirensit
    @philsttr :thumbsup:
    James Howe
    @OrangeDog
    Perhaps you were looking at an older one, where JWT was the only thing supported, so perhaps was assumed.
    Ramon Pires da Silva
    @ramonPires
    Hi, I have a resource server that use oauth2 with https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java to store the tokens, with spring-security-ouath2 version 2.0.8.RELEASE, and the application use spring boot 1.5.4.RELEASE and java 8. My team with to upgrade the application to spring boot 2.1.9 and java 11 and the last version of spring-security-ouath2 version, but they have some concerns about it, because in our business we can't let our customers loose their session, sou we gave then 1 year to expire their token. If we try to update our application, it's possible to keep the same objects stored at our redis, without need to ask to our customers to login again? The current implementation of the RedisTokenStore use JdkSerializationStrategy https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java , so we don't know if an object stored with jdk 8 will be able to be deserialized with jdk 11 and the last version of spring-security-ouath2.