    James Howe
    @OrangeDog
    Perhaps you were looking at an older one, where JWT was the only thing supported, so perhaps was assumed.
    Ramon Pires da Silva
    @ramonPires
    Hi, I have a resource server that uses OAuth2 with https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java to store the tokens, with spring-security-oauth2 version 2.0.8.RELEASE, and the application uses Spring Boot 1.5.4.RELEASE and Java 8. My team wants to upgrade the application to Spring Boot 2.1.9 and Java 11 and the latest spring-security-oauth2 version, but they have some concerns about it, because in our business we can't let our customers lose their session, so we gave them 1 year to expire their token. If we try to update our application, is it possible to keep the same objects stored in our Redis, without needing to ask our customers to log in again? The current implementation of the RedisTokenStore uses JdkSerializationStrategy https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java , so we don't know if an object stored with JDK 8 will be able to be deserialized with JDK 11 and the latest version of spring-security-oauth2.
    James Howe
    @OrangeDog

    @ramonPires it works across JDK versions, but it will fail with the spring-security upgrade

    SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 510, local class serialVersionUID = 520

    I had the exact same problem and tried to find another serialisation format, but the objects involved are not designed as beans, so things like Jackson don't work.
    Choubani Amir
    @amirensit

    Hello.
    Going deeper into understanding features in Spring Security. Here it is mentioned that UserDetailsService will be used if

    the AuthenticationManagerBuilder has not been populated.

    What is meant by populated?
    Does it mean creating a bean of that type?
    Does injecting the AuthenticationManagerBuilder mean populating it?

    James Howe
    @OrangeDog
    it means overriding WebSecurityConfigurerAdapter#configure(AuthenticationManagerBuilder)
    Choubani Amir
    @amirensit
    populating means that?
    Choubani Amir
    @amirensit
    @OrangeDog But there is an AuthenticationManagerBuilder#userDetailsService(UserDetailsService) method.
    James Howe
    @OrangeDog
    yes, that's where you set your own one
    Choubani Amir
    @amirensit
    @OrangeDog :thumbsup:
    Ramon Pires da Silva
    @ramonPires
    @OrangeDog
    I also got this error:
    2019-11-07 09:37:11.896 ERROR 6933 --- [ XNIO-1 task-63] o.s.s.o.provider.endpoint.TokenEndpoint  : Handling error: SerializationFailedException, Failed to deserialize payload; nested exception is java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 400, local class serialVersionUID = 510
    
    org.springframework.core.serializer.support.SerializationFailedException: Failed to deserialize payload; nested exception is java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 400, local class serialVersionUID = 510
    @OrangeDog do you think there is another alternative, maybe override this version, or just ignore it?
    James Howe
    @OrangeDog
    I don't see any solution. If the developers changed the serialVersionUID it means the classes are not compatible. It is very disappointing to discover these frequent breaking changes with no migration path.
    Ramon Pires da Silva
    @ramonPires
    @OrangeDog how did you proceed with this situation? Do you have a migration strategy?
    James Howe
    @OrangeDog
    No, I just had to invalidate all tokens
    Ramon Pires da Silva
    @ramonPires
    I found this issue spring-projects/spring-security-oauth#662 , but without any tip to help us migrate to the new version. I'm thinking about a strategy where I create 2 services, one that reads the old version and returns the OAuth2Authentication, and another service that just writes the old version into another Redis instance with the new serialVersionUID, but I don't know if it will be possible because the objects from the old version might be incompatible with the new version.
    Petar Tahchiev
    @ptahchiev
    Hey @rwinch we are working on a project for a big telecom in Bulgaria and we are using Spring Security. But now the client wants to use multi-factor authentication with some hardware dongles. I was reading this issue: spring-projects/spring-security#2603 and from what I understand this is still on the TODO list. To me this looks like a very fundamental issue and I was hoping you could share some thoughts on whether it is expected any time soon.
    CH4:D
    @chad_d_stud_twitter
    what’s the webflux equivalent of this implementation?
    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import org.springframework.web.filter.OncePerRequestFilter;

    public class AuthenticationFilter extends OncePerRequestFilter {

        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
            // ... authentication logic on the servlet request goes here ...
            filterChain.doFilter(request, response);
        }
    }
    this won’t work anymore on webflux since it doesn’t have a servlet object
    Omid Dehghan
    @odchan1_twitter
    Hi, can someone help me here please? I'm a newbie to Spring Security and just for warm-up I decided to do a little example. The problem in the code below is that, when I'm trying to pass the "right username and password" to the login page, it directs me to a page which says access forbidden, code 403.
    Here is the code:
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.factory.PasswordEncoderFactories;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @org.springframework.context.annotation.Configuration
    @EnableWebSecurity
    public class Configuration extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Delegating encoder prefixes the hash with its id, e.g. {bcrypt}
            PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
            auth.inMemoryAuthentication()
                    .withUser("Ian").roles("user").password(encoder.encode("password"))
                    .and()
                    .withUser("Charlize").password(encoder.encode("password")).roles("admin", "user");
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/dir", "/dir/*").access("hasRole('user')")
                    .antMatchers("/", "/*").permitAll()
                    .and().formLogin().loginPage("/login/form").permitAll()
                    .loginProcessingUrl("/login")
                    .usernameParameter("userParam")
                    .passwordParameter("passParam");
        }

    }
    This is what the form looks like:
    <form method="post" action="/login" >
        Username:<br>
        <input type="text" name="userParam" id="userParam" value="Mickey">
        <br>
        Password:<br>
        <input type="password" name="passParam" id="passParam" value="Mouse">
        <br><br>
        <input type="submit" value="Submit">
    </form>
    Omid Dehghan
    @odchan1_twitter
    In case anyone was interested in the problem above, the problem was about the way I set the action of the form page.
    I'm using thymeleaf and the form-action should be defined like this: th:action="@{/test}"
    CH4:D
    @chad_d_stud_twitter
    Question, does the sequence of the ServerHttpSecurity matter?
    I’m trying to convert the following from an existing non-reactive code:
    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        // Spaces show where the old code used to be separated.
        return http
                .csrf()
                .disable()

                // AuthenticationWebFilter has no no-arg constructor; it takes the ReactiveAuthenticationManager
                .addFilterBefore(new AuthenticationWebFilter(customAuthenticationProvider), SecurityWebFiltersOrder.HTTP_BASIC)
                .authorizeExchange()
                .pathMatchers("/v1/**")
                .authenticated()
                .and()

                .exceptionHandling()
                .authenticationEntryPoint(authenticationExceptionHandler)
                .accessDeniedHandler(customAccessDeniedHandler)

                // This used to be part of configure() in SecurityConfiguration()
                .and()
                .authenticationManager(customAuthenticationProvider)

                .cors()
                .and()
                .build();
    }
    James Howe
    @OrangeDog
    Where can I give feedback on this? Raise a github issue?
    https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix
    Andreas Falk
    @andifalk
    @OrangeDog what feedback do you have here?
    James Howe
    @OrangeDog
    Primarily that it appears to have a narrow definition of "opaque token" as implemented in Spring Security of "arbitrary string that you make a web request to the auth server to get the details of" instead of what Spring Security OAuth has also implemented - "arbitrary string that can be looked up via any method, in particular a JDBC, Redis or in-memory database shared with the auth server"
    James Howe
    @OrangeDog
    More generally, it doesn't capture what SSO allows you to customise and extend at a single point, but which SS perhaps doesn't. Going by what I'm using, that's the aforementioned TokenStore, but also the TokenGranter, RequestFactory, RequestValidator, and ConsumerTokenServices.
    I've got lots of bits put together so I could build a page to view and revoke the access that you've granted.
    James Howe
    @OrangeDog
    Basically, I'm concerned everything I'm using is going to be left out from the "feature parity"
    Andreas Falk
    @andifalk
    @OrangeDog The Spring Security 5 implementation is stricter about what the OAuth 2.0 and OpenID Connect specs define. Regarding opaque tokens, the OAuth 2.0 standard only defines an introspection endpoint (https://tools.ietf.org/html/rfc7662) to validate such a token. Additionally, the OpenID Connect specification defines a user info endpoint (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) to ask for more user details using an access token. All other means like "arbitrary string that can be looked up via any method, in particular, a JDBC, Redis or in-memory database shared with the auth server" are not according to the standard and bear security risks. Especially the database of the auth server should be used exclusively by the auth server and must not be shared with any other party!
    In case you want to persist tokens in your OAuth2/OIDC client then you have to implement the interface "OAuth2AuthorizedClientRepository" yourself to store the data in a database (e.g. Redis). The default implementation just stores the data in the HTTP session.
    James Howe
    @OrangeDog
    As I feared. There are no specific standards for other opaque token implementations, because they don't require different systems to talk to each other, so there's no need to define any public communication protocols. It is very common that the auth server and the resource server are the same party, even implemented in the same process.
    The core OAuth 2.0 spec says you can implement bearer and authorisation tokens however you please.
    I'm not maintaining a client, I'm maintaining a web service that allows other developers to use its api.
    Andreas Falk
    @andifalk
    So what you are implementing is a resource server.
    James Howe
    @OrangeDog
    and an auth server
    Andreas Falk
    @andifalk
    In OAuth2 you have a clear separation of concerns: Auth Server, Client and Resource Server. That is basically the basic idea of OAuth2.
    James Howe
    @OrangeDog
    I know that. And my application as a whole includes both an auth server and a resource server.
    And in a minimal deployment, they're the same process.
    Just like every web service that both has its own accounts and offers api access
    But Spring Security seems to be taking a very narrow view of what OAuth is and completely cutting out this use case, that was amply served by Spring Security OAuth
    Andreas Falk
    @andifalk
    That is what Spring Security OAuth just provided with its "EnableAuthorizationServer"/"EnableResourceServer" annotations. With these, you could implement an AuthServer also providing a user info endpoint (which acted like a resource server). You won't find this with any other OAuth/OIDC provider like Keycloak, Okta etc.
    James Howe
    @OrangeDog
    Obviously not, because those are ID providers. They're not systems like Facebook or Google or Github that have their own accounts and also a developer api.
    OAuth is not just an authentication/ID system.
    Jeff Beck
    @beckje01
    Maybe I missed something (its likely I did) is there a move to deprecate the EnableAuthorizationServer path?
    James Howe
    @OrangeDog
    The entirety of Spring Security OAuth is being deprecated this week
    Jeff Beck
    @beckje01
    OK so yes I'm a bit behind
    James Howe
    @OrangeDog
    but Spring Security does not have feature-parity
    Stephan R
    @mrpubnight_gitlab

    Hoping to get a little help about configuring multiple OAuth2 IDPs in our Spring Boot API Gateway. We are currently using Zuul but are also PoCing Spring Cloud Gateway so either is relevant.

    We'd like to use tenant URLs for our Federated users each using a different IDP for authentication but ultimately have them go through the same gateway. Is there a way to switch OAuth configurations based on the tenant of the URL? A couple considerations; 1) we do not want a login selector screen - we'd like to manage that through different security configurations, 2) the redirect URL should contain the tenanted URL. Is this possible? Easy/Hard?

    James Howe
    @OrangeDog
    and from what Andreas is saying, it sounds like it never will
    Andreas Falk
    @andifalk
    But for Facebook, Google or Github this is just the same. They also separate the OAuth2 token retrieval process from using their APIs with such a token.
    Spring Security OAuth has been a bit of an insecure implementation, which is why Spring switched to using the Nimbus SDK to do the OAuth2 stuff instead of implementing it themselves.
    @OrangeDog If you are looking for a multi-tenant IDP feature, this has been added in Spring Security 5.2 (https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2resourceserver-multitenancy).