Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    James Howe
    @OrangeDog
    Ah yeah, and then I need to apply all the same config to it :(
    Perhaps an aspect is a better idea
    springroll12
    @springroll12
    It seems that exceptions not being handed to authenticationEntryPoint/accessDeniedHandler is caused by them being caught by a global exception handler per this issue: spring-projects/spring-security#6908
    jeff
    @jikramer_gitlab
    Looking to port a Spring security SAML application in Grails to a Spring security SAML application in Java. NetIQ is the IDP. Can anyone point me in the right direction pls
    Filip Hanik
    @fhanik
    @jikramer_gitlab Hi Jeff, what functionality are you looking for? We've started building out authentication in the 5.2.x release train. https://docs.spring.io/spring-security/site/docs/5.2.0.RELEASE/reference/htmlsingle/#saml2
    James Howe
    @OrangeDog
    @jikramer_gitlab if that's not sufficient, the older library is https://projects.spring.io/spring-security-saml/
    Pontus Enmark
    @penmark
    Hi I'm having trouble using an oauth2 resource with an oauth2 client (both reactive): https://stackoverflow.com/q/58595062/329065. Is it a spring security bug or am I missing something?
    switchYello
    @switchYello
    i find the code
    I find the code repeated Base64 Decoder in 
    org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
    
protected String[] decodeCookie(String cookieValue) throws InvalidCookieException {
        for (int j = 0; j < cookieValue.length() % 4; j++) {
            cookieValue = cookieValue + "=";
        }

        //here
        try {
            Base64.getDecoder().decode(cookieValue.getBytes());
        }
        catch (IllegalArgumentException e) {
            throw new InvalidCookieException(
                    "Cookie token was not Base64 encoded; value was '" + cookieValue
                            + "'");
        }

        //here
        String cookieAsPlainText = new String(Base64.getDecoder().decode(cookieValue.getBytes()));
    Brian Devins-Suresh
    @devinsba
    Is there a way to use the new OAuth 2 clients in a non server environment? IE: in a batch job. I'm trying to not use the maintainance mode starter if I don't have to but can't figure out a way to get the token automatically into webclient/resttemplate
    Using client_credentials grant
    Donald F Coffin
    @dfcoffin
    @devinsba Did you look at the Spring Security OAuth Client code or just the Spring Security Resource Server code?
    Brian Devins-Suresh
    @devinsba
    Yeah, I've only been digging in client. All the ClientCredentials classes seem to require a security context that it seems would only come from a servlet/webflux request
    AH, maybe AuthorizedClientServiceOAuth2AuthorizedClientManager is what I'm looking for
    Brian Devins-Suresh
    @devinsba
    Though I still don't see a way to create a OAuth2AuthorizeRequest without an existing web request
    Artjom Kalita
    @artjomka

    Will copy question from spring-boot room here

    Hello, after updating spring boot 2.1.4 to 2.2.0 I encountered a problem on starting application Caused by: java.lang.IllegalStateException: Can't configure antMatchers after anyRequest
    nothing changed in code except spring boot version and configuration file where that IllegalStateException pointing on looks like that 

    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/something/**")
                .csrf().disable()
                .authorizeRequests().anyRequest().hasRole(ROLE)
                .antMatchers(PUT, "/api/**").hasRole(ROLE)
                .and().httpBasic();
    }

    As I understand spring-security was updated to version 5.2 in boot 2.2.0, maybe I missed something there ?
    Also maybe that related to that this project have several security configuration files with @Order annotation ?

    James Howe
    @OrangeDog
    I was having a look trying to find an alternative to Java object serialization for authentication objects and such, so they're not as sensitive to version changes. It seems like Jackson wouldn't really work because they're not beany enough.
    James Howe
    @OrangeDog
    In this particular case, it was SimpleGrantedAuthority that changed serialVersionUIDand broke everything.
    Phil Clay
    @philsttr

    Is it expected that @EnableGlobalMethodSecurity cannot be used at the same time as @EnableReactiveMethodSecurity within the same application? They both declare a bean named methodSecurityInterceptor, so spring boot startup fails with:

    The bean 'methodSecurityInterceptor', defined in class path resource [org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.class], could not be registered. A bean with that name has already been defined in class path resource [org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.class] and overriding is disabled.

    I know that the former pulls the SecurityContext from SecurityContextHolder and the latter pulls it from ReactiveSecurityContextHolder. However, if I have code that manages propagation of the SecurityContext between SecurityContextHolder and ReactiveSecurityContextHolder, it seems like I should be able to use both @EnableGlobalMethodSecurity and @EnableReactiveMethodSecurity

    Filip Hanik
    @fhanik
    @philsttr using both would imply that you are trying to use a reactive container and a servlet container at the same time. if you're not using a servlet container, use the reactive components to achieve what you need.
    Phil Clay
    @philsttr
    Consider a WebFlux application that dispatches some requests to some "older" synchronous code (on the proper Scheduler) in some situations. The synchronous code uses @PreAuthorize sporadically. When the dispatch occurs, I copy the SecurityContextfrom ReactiveSecurityContextHolder to SecurityContextHolder. Ideally, this would allow @PreAuthorize to continue to work in the old code
    Phil Clay
    @philsttr
    So it doesn't necessarily imply that I'm running a servlet container. But it does imply that I'm running some synchronous code. And it would be super awesome if @PreAuthorize worked in that old synchronous code.
    Choubani Amir
    @amirensit
    Hello. I have a simple question
    why spring security jwt is not mentioned in the documentation ?
    why there is no documentation part like ldap and saml ect ?
    Phil Clay
    @philsttr
    @amirensit , JWT support is mentioned throughout the spring security reference documentation.. particularly in the OAuth2 Resource Server sections
    https://docs.spring.io/spring-security/site/docs/5.2.1.RELEASE/reference/htmlsingle/#oauth2resourceserver
    Choubani Amir
    @amirensit
    @philsttr :thumbsup:
    James Howe
    @OrangeDog
    Perhaps you were looking at an older one, where JWT was the only thing supported, so perhaps was assumed.
    Ramon Pires da Silva
    @ramonPires
    Hi, I have a resource server that use oauth2 with https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java to store the tokens, with spring-security-ouath2 version 2.0.8.RELEASE, and the application use spring boot 1.5.4.RELEASE and java 8. My team with to upgrade the application to spring boot 2.1.9 and java 11 and the last version of spring-security-ouath2 version, but they have some concerns about it, because in our business we can't let our customers loose their session, sou we gave then 1 year to expire their token. If we try to update our application, it's possible to keep the same objects stored at our redis, without need to ask to our customers to login again? The current implementation of the RedisTokenStore use JdkSerializationStrategy https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java , so we don't know if an object stored with jdk 8 will be able to be deserialized with jdk 11 and the last version of spring-security-ouath2.
    James Howe
    @OrangeDog

    @ramonPires it works across JDK versions, but it will fail with the spring-security upgrade

    SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 510, local class serialVersionUID = 520

    I had the exact same problem and tried to find another serialisation format, but the objects involved are not designed as beans, so things like Jackson don't work.
    Choubani Amir
    @amirensit

    Hello.
    Going deeper understanding features in Spring Security. Here mentioned that UserDetailsService will be used if

    the AuthenticationManagerBuilder has not been populated.

    What is meant by populated ?
    Does it mean create a bean of that type ?
    Injecting the AuthenticationManagerBuilder does it mean populating it ?

    James Howe
    @OrangeDog
    it means overriding WebSecurityConfigurerAdapter#configure(AuthenticationManagerBuilder)
    Choubani Amir
    @amirensit
    populating means that ?
    Choubani Amir
    @amirensit
    @OrangeDog But there is a AuthenticationManagerBuilder#userDetailsService(UserDetailsService) method .
    James Howe
    @OrangeDog
    yes, that's where you set your own one
    Choubani Amir
    @amirensit
    @OrangeDog :thumbsup:
    Ramon Pires da Silva
    @ramonPires
    @OrangeDog
    I also got this error: 
    2019-11-07 09:37:11.896 ERROR 6933 --- [ XNIO-1 task-63] o.s.s.o.provider.endpoint.TokenEndpoint  : Handling error: SerializationFailedException, Failed to deserialize payload; nested exception is java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 400, local class serialVersionUID = 510

org.springframework.core.serializer.support.SerializationFailedException: Failed to deserialize payload; nested exception is java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 400, local class serialVersionUID = 510
    @OrangeDog do you think there is another alternative, maybe override this version, or just ignore it?
    James Howe
    @OrangeDog
    I don't see any solution. If the developers changed the serialVersionUID it means the classes are not compatible. It is very disappointing to discover these frequent breaking changes with no migration path.
    Ramon Pires da Silva
    @ramonPires
    @OrangeDog how did you proceeded with this situation? Do you have a migration strategy?
    James Howe
    @OrangeDog
    No, I just had to invalidate all tokens
    Ramon Pires da Silva
    @ramonPires
    I found this issue spring-projects/spring-security-oauth#662 , but without any tip to help us to migrate to the new version. I'm thinking about a strategy that I can create 2 services, one that read the old version and return the OAuth2Authentication, and other service that just write the old version in another redis instance with the new serialVersionUID , but I don't know if it will be possible because the objects from the old version might be incompatible with the new version.
    Petar Tahchiev
    @ptahchiev
    Hey @rwinch we are working on a project for a big telecom in Bulgaria and we are using spring security. But now the client wants to use multi-factor authentication with some hardware dongels. I was reading at this issue: spring-projects/spring-security#2603 and from what I understand this is still in the TODO list. To me this looks like a very fundamental issue and I was hoping you could share some thoughts on whether it is expected any time soon.
    CH4:D
    @chad_d_stud_twitter
    what’s the webflux equivalent of this implementation?
    public class AuthenticationFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
}
    this won’t work anymore on webflux since it doesn’t have a servlet object
    Omid Dehghan
    @odchan1_twitter
    Hi, Can someone help me here please? I'm newbie to Spring-Security and just for warm-up I decided to do a little example. The problem in the code below is that, when I'm trying to pass the "right username and password" to the login page, it direct me to a page which says access forbidden code 403 .
    Here is the code: 
    @org.springframework.context.annotation.Configuration
@EnableWebSecurity
public class Configuration extends WebSecurityConfigurerAdapter {

    @Override
    public  void configure (AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        auth.inMemoryAuthentication()
                .withUser("Ian").roles("user").password(encoder.encode("password"))
                .and()
                .withUser("Charlize").password(encoder.encode("password")).roles("admin","user");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception{
        http.authorizeRequests()
                .antMatchers("/dir","/dir/*").access("hasRole('user')")
                .antMatchers("/","/*").permitAll()
                .and().formLogin().loginPage("/login/form").permitAll()
                .loginProcessingUrl("/login")
                .usernameParameter("userParam")
                .passwordParameter("passParam");
    }

}
    This is how the form looks like: 
    <form method="post" action="/login" >
    Username:<br>
    <input type="text" name="userParam" id="userParam" value="Mickey">
    <br>
    Password:<br>
    <input type="password" name="passParam" id="passParam" value="Mouse">
    <br><br>
    <input type="submit" value="Submit">
</form>
    Omid Dehghan
    @odchan1_twitter
    In case anyone was interested in the problem above, the problem was about the way I set the action of the form page.
    I'm using thymeleaf and the form-action should be defined like this: th:action="@{/test}"
    CH4:D
    @chad_d_stud_twitter
    Question, does the sequence of the ServerHttpSecurity matter?
    I’m trying to convert the following from an existing non-reactive code:
     @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        // Spaces show where the old code use to be separated.
        return http
                .csrf()
                .disable()

                .addFilterBefore(new AuthenticationWebFilter(), SecurityWebFiltersOrder.HTTP_BASIC)
                .authorizeExchange()
                .pathMatchers("/v1/**")
                .authenticated()
                .and()

                .exceptionHandling()
                .authenticationEntryPoint(authenticationExceptionHandler)
                .accessDeniedHandler(customAccessDeniedHandler)

                // This used to be part of configure() in SecurityConfiguration()
                .and()
                .authenticationManager(customAuthenticationProvider)

                .cors()
                .and()
                .build();
    }