Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    James Howe
    @OrangeDog
    In this particular case, it was SimpleGrantedAuthority that changed serialVersionUIDand broke everything.
    Phil Clay
    @philsttr

    Is it expected that @EnableGlobalMethodSecurity cannot be used at the same time as @EnableReactiveMethodSecurity within the same application? They both declare a bean named methodSecurityInterceptor, so spring boot startup fails with:

    The bean 'methodSecurityInterceptor', defined in class path resource [org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityConfiguration.class], could not be registered. A bean with that name has already been defined in class path resource [org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.class] and overriding is disabled.

    I know that the former pulls the SecurityContext from SecurityContextHolder and the latter pulls it from ReactiveSecurityContextHolder. However, if I have code that manages propagation of the SecurityContext between SecurityContextHolder and ReactiveSecurityContextHolder, it seems like I should be able to use both @EnableGlobalMethodSecurity and @EnableReactiveMethodSecurity

    Filip Hanik
    @fhanik
    @philsttr using both would imply that you are trying to use a reactive container and a servlet container at the same time. if you're not using a servlet container, use the reactive components to achieve what you need.
    Phil Clay
    @philsttr
    Consider a WebFlux application that dispatches some requests to some "older" synchronous code (on the proper Scheduler) in some situations. The synchronous code uses @PreAuthorize sporadically. When the dispatch occurs, I copy the SecurityContextfrom ReactiveSecurityContextHolder to SecurityContextHolder. Ideally, this would allow @PreAuthorize to continue to work in the old code
    Phil Clay
    @philsttr
    So it doesn't necessarily imply that I'm running a servlet container. But it does imply that I'm running some synchronous code. And it would be super awesome if @PreAuthorize worked in that old synchronous code.
    Choubani Amir
    @amirensit
    Hello. I have a simple question
    why spring security jwt is not mentioned in the documentation ?
    why there is no documentation part like ldap and saml ect ?
    Phil Clay
    @philsttr
    @amirensit , JWT support is mentioned throughout the spring security reference documentation.. particularly in the OAuth2 Resource Server sections
    https://docs.spring.io/spring-security/site/docs/5.2.1.RELEASE/reference/htmlsingle/#oauth2resourceserver
    Choubani Amir
    @amirensit
    @philsttr :thumbsup:
    James Howe
    @OrangeDog
    Perhaps you were looking at an older one, where JWT was the only thing supported, so perhaps was assumed.
    Ramon Pires da Silva
    @ramonPires
    Hi, I have a resource server that use oauth2 with https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java to store the tokens, with spring-security-ouath2 version 2.0.8.RELEASE, and the application use spring boot 1.5.4.RELEASE and java 8. My team with to upgrade the application to spring boot 2.1.9 and java 11 and the last version of spring-security-ouath2 version, but they have some concerns about it, because in our business we can't let our customers loose their session, sou we gave then 1 year to expire their token. If we try to update our application, it's possible to keep the same objects stored at our redis, without need to ask to our customers to login again? The current implementation of the RedisTokenStore use JdkSerializationStrategy https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java , so we don't know if an object stored with jdk 8 will be able to be deserialized with jdk 11 and the last version of spring-security-ouath2.
    James Howe
    @OrangeDog

    @ramonPires it works across JDK versions, but it will fail with the spring-security upgrade

    SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 510, local class serialVersionUID = 520

    I had the exact same problem and tried to find another serialisation format, but the objects involved are not designed as beans, so things like Jackson don't work.
    Choubani Amir
    @amirensit

    Hello.
    Going deeper understanding features in Spring Security. Here mentioned that UserDetailsService will be used if

    the AuthenticationManagerBuilder has not been populated.

    What is meant by populated ?
    Does it mean create a bean of that type ?
    Injecting the AuthenticationManagerBuilder does it mean populating it ?

    James Howe
    @OrangeDog
    it means overriding WebSecurityConfigurerAdapter#configure(AuthenticationManagerBuilder)
    Choubani Amir
    @amirensit
    populating means that ?
    Choubani Amir
    @amirensit
    @OrangeDog But there is a AuthenticationManagerBuilder#userDetailsService(UserDetailsService) method .
    James Howe
    @OrangeDog
    yes, that's where you set your own one
    Choubani Amir
    @amirensit
    @OrangeDog :thumbsup:
    Ramon Pires da Silva
    @ramonPires
    @OrangeDog
    I also got this error:
    2019-11-07 09:37:11.896 ERROR 6933 --- [ XNIO-1 task-63] o.s.s.o.provider.endpoint.TokenEndpoint  : Handling error: SerializationFailedException, Failed to deserialize payload; nested exception is java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 400, local class serialVersionUID = 510
    
    org.springframework.core.serializer.support.SerializationFailedException: Failed to deserialize payload; nested exception is java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 400, local class serialVersionUID = 510
    @OrangeDog do you think there is another alternative, maybe override this version, or just ignore it?
    James Howe
    @OrangeDog
    I don't see any solution. If the developers changed the serialVersionUID it means the classes are not compatible. It is very disappointing to discover these frequent breaking changes with no migration path.
    Ramon Pires da Silva
    @ramonPires
    @OrangeDog how did you proceeded with this situation? Do you have a migration strategy?
    James Howe
    @OrangeDog
    No, I just had to invalidate all tokens
    Ramon Pires da Silva
    @ramonPires
    I found this issue spring-projects/spring-security-oauth#662 , but without any tip to help us to migrate to the new version. I'm thinking about a strategy that I can create 2 services, one that read the old version and return the OAuth2Authentication, and other service that just write the old version in another redis instance with the new serialVersionUID , but I don't know if it will be possible because the objects from the old version might be incompatible with the new version.
    Petar Tahchiev
    @ptahchiev
    Hey @rwinch we are working on a project for a big telecom in Bulgaria and we are using spring security. But now the client wants to use multi-factor authentication with some hardware dongels. I was reading at this issue: spring-projects/spring-security#2603 and from what I understand this is still in the TODO list. To me this looks like a very fundamental issue and I was hoping you could share some thoughts on whether it is expected any time soon.
    CH4:D
    @chad_d_stud_twitter
    what’s the webflux equivalent of this implementation?
    public class AuthenticationFilter extends OncePerRequestFilter {
    
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
    }
    this won’t work anymore on webflux since it doesn’t have a servlet object
    Omid Dehghan
    @odchan1_twitter
    Hi, Can someone help me here please? I'm newbie to Spring-Security and just for warm-up I decided to do a little example. The problem in the code below is that, when I'm trying to pass the "right username and password" to the login page, it direct me to a page which says access forbidden code 403 .
    Here is the code:
    @org.springframework.context.annotation.Configuration
    @EnableWebSecurity
    public class Configuration extends WebSecurityConfigurerAdapter {
    
        @Override
        public  void configure (AuthenticationManagerBuilder auth) throws Exception {
            PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
            auth.inMemoryAuthentication()
                    .withUser("Ian").roles("user").password(encoder.encode("password"))
                    .and()
                    .withUser("Charlize").password(encoder.encode("password")).roles("admin","user");
        }
    
        @Override
        public void configure(HttpSecurity http) throws Exception{
            http.authorizeRequests()
                    .antMatchers("/dir","/dir/*").access("hasRole('user')")
                    .antMatchers("/","/*").permitAll()
                    .and().formLogin().loginPage("/login/form").permitAll()
                    .loginProcessingUrl("/login")
                    .usernameParameter("userParam")
                    .passwordParameter("passParam");
        }
    
    }
    This is how the form looks like:
    <form method="post" action="/login" >
        Username:<br>
        <input type="text" name="userParam" id="userParam" value="Mickey">
        <br>
        Password:<br>
        <input type="password" name="passParam" id="passParam" value="Mouse">
        <br><br>
        <input type="submit" value="Submit">
    </form>
    Omid Dehghan
    @odchan1_twitter
    In case anyone was interested in the problem above, the problem was about the way I set the action of the form page.
    I'm using thymeleaf and the form-action should be defined like this: th:action="@{/test}"
    CH4:D
    @chad_d_stud_twitter
    Question, does the sequence of the ServerHttpSecurity matter?
    I’m trying to convert the following from an existing non-reactive code:
     @Bean
        SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
            // Spaces show where the old code use to be separated.
            return http
                    .csrf()
                    .disable()
    
                    .addFilterBefore(new AuthenticationWebFilter(), SecurityWebFiltersOrder.HTTP_BASIC)
                    .authorizeExchange()
                    .pathMatchers("/v1/**")
                    .authenticated()
                    .and()
    
                    .exceptionHandling()
                    .authenticationEntryPoint(authenticationExceptionHandler)
                    .accessDeniedHandler(customAccessDeniedHandler)
    
                    // This used to be part of configure() in SecurityConfiguration()
                    .and()
                    .authenticationManager(customAuthenticationProvider)
    
                    .cors()
                    .and()
                    .build();
        }
    James Howe
    @OrangeDog
    Where can I give feedback on this? Raise a github issue?
    https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix
    Andreas Falk
    @andifalk
    @OrangeDog what Feedback do you have here?
    James Howe
    @OrangeDog
    Primarily that it appears to have a narrow definition of "opaque token" as implemented in Spring Security of "arbitrary string that you make a web request to the auth server to get the details of" instead of what Spring Security OAuth has also implemented - "arbitrary string that can be looked up via any method, in particular a JDBC, Redis or in-memory database shared with the auth server"
    James Howe
    @OrangeDog
    More generally, it doesn't capture what SSO allows you to customise and extend at a single point, but which SS perhaps doesn't. Going by what I'm using, that's the aforementioned TokenStore, but also the TokenGranter, RequestFactory, RequestValidator, and ConsumerTokenServices.
    I've got lots of bits put together so I could build a page to view and revoke the access that you've granted.
    James Howe
    @OrangeDog
    Basically, I'm concerned everything I'm using is going to be left out from the "feature parity"
    Andreas Falk
    @andifalk
    @OrangeDog Spring Security 5 implementation is more strict to what the OAuth 2.0 and OpenID Connect specs define. Regarding opaque tokens, the OAuth 2.0 standard only defines an introspection endpoint (https://tools.ietf.org/html/rfc7662) to validate such a token. Additionally, the OpenID Connect specification defines a user info endpoint (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) to ask for more user details using an access token. All other means like "arbitrary string that can be looked up via any method, in particular, a JDBC, Redis or in-memory database shared with the auth server" are not according to the standard and bear security risks. Especially the database of the auth server should be used exclusively by the auth server and must not be shared with any other party!
    In case you want to persist tokens in your OAuth2/OIDC client then you have to implement the interface "OAuth2AuthorizedClientRepository" yourself to store data it into a database (e.g. Redis). The default implementation just stores the data in the HTTP session.
    James Howe
    @OrangeDog
    As I feared. There are no specific standards for other opaque token implementations, because they don't require different systems to talk to each other, so there's no need to define any public communication protocols. It is very common that the auth server and the resource server are the same party, even implemented in the same process.
    The core OAuth 2.0 spec says you can implement bearer and authorisation tokens however you please.
    I'm not maintaining a client, I'm maintaining a web service that allows other developers to use its api.
    Andreas Falk
    @andifalk
    So what you are implementing is a resource server.
    James Howe
    @OrangeDog
    and an auth server
    Andreas Falk
    @andifalk
    In OAuth2 you have a clear separation of concerns: Auth Server, Client and Resource Server. That is basically the basic idea of OAuth2.
    James Howe
    @OrangeDog
    I know that. And my application as a whole includes both an auth server and a resource server.
    And in a minimal deployment, they're the same process.
    Just like every web service that both has its own accounts and offers api access
    But Spring Security seems to be taking a very narrow view of what OAuth is and completely cutting out this use case, that was amply served by Spring Security OAuth