Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security
Hello! I’m using the
BindAuthenticator to authenticate users against LDAP. When the user provides the correct password, it gets correctly authenticated; the problem is when the user provides a wrong password: the authentication takes a very long time and then it fails with a timeout exception.
Why so? If the password is wrong, it should fail immediately.
Hi, I have the following code, it's a MDCFilter.
import org.slf4j.MDC;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class NettyMDCFilter implements WebFilter {
public static final String USER_AND_APPLICATION_KEY = "user";
public static final String APPLICATION_KEY = "application";
public static final String USERNAME_KEY = "username";
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return exchange.<OAuth2Authentication>getPrincipal()
.doOnNext(this::logWithContext)
.map(auth -> exchange)
.switchIfEmpty(Mono.just(exchange))
.flatMap(chain::filter)
.doFinally(signalType -> removeMDCKeys());
}
private void logWithContext(OAuth2Authentication authentication) {
MDC.put(USER_AND_APPLICATION_KEY, userKey(authentication));
if (authentication.isClientOnly()) {
MDC.put(APPLICATION_KEY, authentication.getName());
} else {
MDC.put(APPLICATION_KEY, authentication.getOAuth2Request().getClientId());
MDC.put(USERNAME_KEY, authentication.getName());
}
}
private void removeMDCKeys() {
MDC.remove(USER_AND_APPLICATION_KEY);
MDC.remove(USERNAME_KEY);
MDC.remove(APPLICATION_KEY);
}
private String userKey(OAuth2Authentication authentication) {
if (authentication.isClientOnly()) {
return authentication.getName();
} else {
return String.format("%s:%s", authentication.getOAuth2Request().getClientId(), authentication.getName());
}
}
}In the previous implementation was implemented using the class OAuth2Authentication, that belongs to the project the project spring-security-oauth, but this project now is under maintance mode , as you can see here . In my code, I want to check in the filter if the token belongs to a client application or to an user, but I don't have any idea about how could I do this in the new version of spring-security , even reading the documentation it's not clear for me what I should do, because there isn't a migration tutorial to migrate from spring-security-oauth2 project to the spring security project new version with built-in support to oauth2. I googled, but couldn't find a concrete tutorial to help me with this problem.
@ramonPires This is the open issue referencing the Spring Security OAuth 2.0 Migration Guidance spring-projects/spring-security#6733
@ramonPires You can find it under the Spring Security 5.2.x Milestone
My problem specifically is because I want to use netty, in my application I also need to propagate the token to a webclient request, the older implementation with servlets using spring-security-oauth2 was using threadlocal to hold the reference of the token, via SecurityContextHolder, but for me it's the worst solution, and I don't know how to create a better this solution within a webflux and servlet solution. Using webflux with netty seems to be a more thread safe solution, because of webfilters with Mono.subscriberContext(), an example can be found here, thats why I want to use netty, specifically of WebFilter support wich is only supported using reactor-netty. If I use spring-security-oauth2, I can't use netty, because of this dependency with the servlet api.
HI
my error:
WSS1205: Unable to initialize XML Cipher
java.security.NoSuchAlgorithmException: Null or empty transformation
i guess it is something with my policy, if someone can help me what i am missing
<xwss:Sign includeTimestamp="true">
<xwss:X509Token certificateAlias="softnet"></xwss:X509Token>
<xwss:SignatureTarget type="xpath"
value="/SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/wsu:Timestamp">
<xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<xwss:AlgorithmParameter name="CanonicalizationMethod"
value="http://www.w3.org/2001/10/xml-exc-c14n#" />
</xwss:Transform>
</xwss:SignatureTarget>
</xwss:Sign>
<xwss:Encrypt>
<xwss:SymmetricKey keyAlias="syn" />
<xwss:DataEncryptionMethod
algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<xwss:EncryptionTarget type="XPATH" value="//env:Body">
<xwss:Transform algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5">
<xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</xwss:Transform>
</xwss:EncryptionTarget>
</xwss:Encrypt>public class MyFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
OAuth2Authentication authentication = (OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();
String id = Oauth2AuthenticationUtils.getId(httpRequest, authentication;
MyContextHolder.setId(id);
filterChain.doFilter(servletRequest, servletResponse);
MyContextHolder.clearContext();
}
@Override
public void destroy() {}
}public class MyContextHolder {
private static final ThreadLocal<String> MY_THREAD_LOCAL = new InheritableThreadLocal<>();
public static String getId() {
return MY_THREAD_LOCAL.get();
}
protected static void setId(String ID) {
MY_THREAD_LOCAL.set(organizationId);
}
public static void clearContext() {
MY_THREAD_LOCAL.remove();
}
}
I found this solution https://www.baeldung.com/spring-security-async-principal-propagation , but I still think that it's not a thread safe solution.
Hello. I am very confused about how to catch AccessDeniedExceptions in spring boot 2. I've set up an addFilterBefore clause to my global method security settings, but it seems that this prevents either the authenticationEntryPoint or accessDeniedHandlers from taking effect. For example the AccessDeniedException is thrown and caught by an @ControllerAdvice class I have, instead of the accessDeniedHandler. The AccessDeniedHandler has worked fine in the past (I was previously using addFilterAfter) so I'm not sure what's up. Here's my config:
http
.addFilterBefore(new AuthZFilter(), SecurityContextHolderAwareRequestFilter.class)
.authorizeRequests()
.antMatchers(<MATCHERS>).access(<RULES>)
.anyRequest().permitAll();
// Ignore sessions.
http
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// Set error 403/401 response payloads to Custom ?? Not working with addFilterBefore ???
http
.csrf().disable().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).accessDeniedHandler(accessDeniedHandler);
spring-security-oauth2 - the RedirectView it uses to return a code to the client doesn't seem to work correctly if the uri uses a custom schema. Also no content is returned with it so the browser stays on the approval page (and submitting again fails because the session ended). Unfortunately, I don't see a nice way to replace it because there are a lot of private methods involved in
AuthorizationEndpoint.
Ah yeah, and then I need to apply all the same config to it :(
Perhaps an aspect is a better idea
It seems that exceptions not being handed to authenticationEntryPoint/accessDeniedHandler is caused by them being caught by a global exception handler per this issue: spring-projects/spring-security#6908
@jikramer_gitlab Hi Jeff, what functionality are you looking for? We've started building out authentication in the 5.2.x release train. https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/htmlsingle/#saml2
@jikramer_gitlab if that's not sufficient, the older library is https://projects.spring.io/spring-security-saml/
Hi I'm having trouble using an oauth2 resource with an oauth2 client (both reactive): https://stackoverflow.com/q/58595062/329065. Is it a spring security bug or am I missing something?
I find the code repeated Base64 Decoder in
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
protected String[] decodeCookie(String cookieValue) throws InvalidCookieException {
for (int j = 0; j < cookieValue.length() % 4; j++) {
cookieValue = cookieValue + "=";
}
//here
try {
Base64.getDecoder().decode(cookieValue.getBytes());
}
catch (IllegalArgumentException e) {
throw new InvalidCookieException(
"Cookie token was not Base64 encoded; value was '" + cookieValue
+ "'");
}
//here
String cookieAsPlainText = new String(Base64.getDecoder().decode(cookieValue.getBytes()));
Using client_credentials grant
AH, maybe
AuthorizedClientServiceOAuth2AuthorizedClientManager is what I'm looking for
Will copy question from spring-boot room here
Hello, after updating spring boot 2.1.4 to 2.2.0 I encountered a problem on starting application Caused by: java.lang.IllegalStateException: Can't configure antMatchers after anyRequest
nothing changed in code except spring boot version and configuration file where that IllegalStateException pointing on looks like that
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/something/**")
.csrf().disable()
.authorizeRequests().anyRequest().hasRole(ROLE)
.antMatchers(PUT, "/api/**").hasRole(ROLE)
.and().httpBasic();
} As I understand spring-security was updated to version 5.2 in boot 2.2.0, maybe I missed something there ?
Also maybe that related to that this project have several security configuration files with @Order annotation ?
Is it expected that @EnableGlobalMethodSecurity cannot be used at the same time as @EnableReactiveMethodSecurity within the same application? They both declare a bean named methodSecurityInterceptor, so spring boot startup fails with:
The bean 'methodSecurityInterceptor', defined in class path resource [org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.class], could not be registered. A bean with that name has already been defined in class path resource [org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.class] and overriding is disabled.I know that the former pulls the SecurityContext from SecurityContextHolder and the latter pulls it from ReactiveSecurityContextHolder. However, if I have code that manages propagation of the SecurityContext between SecurityContextHolder and ReactiveSecurityContextHolder, it seems like I should be able to use both @EnableGlobalMethodSecurity and @EnableReactiveMethodSecurity
Consider a WebFlux application that dispatches some requests to some "older" synchronous code (on the proper Scheduler) in some situations. The synchronous code uses @PreAuthorize sporadically. When the dispatch occurs, I copy the
SecurityContextfrom ReactiveSecurityContextHolder to SecurityContextHolder. Ideally, this would allow @PreAuthorize to continue to work in the old code
why spring security jwt is not mentioned in the documentation ?
why there is no documentation part like ldap and saml ect ?
@amirensit , JWT support is mentioned throughout the spring security reference documentation.. particularly in the OAuth2 Resource Server sections
https://docs.spring.io/spring-security/site/docs/5.2.1.RELEASE/reference/htmlsingle/#oauth2resourceserver
https://docs.spring.io/spring-security/site/docs/5.2.1.RELEASE/reference/htmlsingle/#oauth2resourceserver
Hi, I have a resource server that use oauth2 with https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java to store the tokens, with spring-security-ouath2 version 2.0.8.RELEASE, and the application use spring boot 1.5.4.RELEASE and java 8. My team with to upgrade the application to spring boot 2.1.9 and java 11 and the last version of spring-security-ouath2 version, but they have some concerns about it, because in our business we can't let our customers loose their session, sou we gave then 1 year to expire their token. If we try to update our application, it's possible to keep the same objects stored at our redis, without need to ask to our customers to login again? The current implementation of the RedisTokenStore use JdkSerializationStrategy https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java , so we don't know if an object stored with jdk 8 will be able to be deserialized with jdk 11 and the last version of spring-security-ouath2.
I had the exact same problem and tried to find another serialisation format, but the objects involved are not designed as beans, so things like Jackson don't work.