Questions tagged [spring-security]

1

votes
0

answer
6

Views

Different handling of basic authentication in rest client and web app in browser

I have an Angular frontend and a Spring backend. I'm using Spring Security to handle HTTP basic authentication. I noticed a strange difference in behaviour using Advanced REST Client (or any other) and the Angular web app. For tests I disabled my httpInterceptor so it is not including 'Authorisation: Basic fooba...
skoomi
1

votes
0

answer
13

Views

Spring Boot 2 - Session Issues

My security config reads like this: protected void configure(HttpSecurity http) throws Exception { http .antMatcher('/**') .authorizeRequests() .antMatchers('/*.js', '/*.ico', '/*.png', '/*.css').permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage('/login') .loginProcessingUrl('...
Magd Kudama
1

votes
2

answer
280

Views

How to extend the Spring Security's @Preauthorize with custom validating rule?

Spring Security provides some convenient method-control annotations: @PreAuthorize('hasRole('ADMIN')') @PreAuthorize('hasAuthority('ROLE_ADMIN')') @PreAuthorize('hasPermission('ADD')') I want to extend it with some custom method like @PreAuthorize('hasCompany('XX')') and its validation data should...
rellocs wood
1

votes
1

answer
435

Views

Does Spring Security OAuth2 support Authorization Code Flow with PKCE for browser (Angular) clients?

Browser applications auth used to be managed using the Implicit grant of the Authorization Server. I successfully implemented this using Spring Security Oauth. This approach has several drawbacks: Refresh tokens are not supported, so when the token expires we need to reauthenticate with the Authoriz...
codependent
1

votes
1

answer
69

Views

Does Spring Security JWT implementation deal with alg:none attack? [closed]

JWT implementations might be exposed to different attacks, one of them is the 'alg:none' attack (see more details here). I'm using 'spring-security-jwt' dependency in my pom.xml file, and was not able to find out whether this implementation deals with the 'alg:none' attack. Is this attack mitigated...
omer
1

votes
0

answer
5

Views

Securing the application with authentication and resolving user name from the request header on class level

I have a web application with 10 controllers. Each controller represents an endpoint. Each controller has various API operations. I have used basic authentication for the API methods. I have used @RequestHeader in these methods to get the header and resolve the username from it. I was wondering if I ca...
computatma
1

votes
2

answer
6.1k

Views

How to make the refresh token life long valid and issue a new refresh token each time a new refresh_token grant_type comes in spring security oauth2

I am using Spring Security OAuth2 for authentication for my Android application clients. When the client request comes with grant_type as password the server issues the access token and refresh token. If the access token expires I can issue a new access token by sending a request with grant_type as re...
KJEjava48
1

votes
2

answer
2k

Views

username parameter is empty in loadUserByUsername(String username) - spring boot

This is my UserDetailService: public class StockUserDetailService implements UserDetailsService { @Autowired private UserRepository userRepository; private static final Logger logger = Logger.getLogger(StockUserDetailService.class); @Override public UserDetails loadUserByUsername(String username) th...
Ashwin
1

votes
1

answer
525

Views

Spring MockMvc redirect not working

I am trying to mock a post request using the below code . I am testing a spring security login request. MockMvc mvc = MockMvcBuilders.webAppContextSetup(context).addFilter(springSecurityFilterChain) .apply(springSecurity()) .build(); MvcResult mvcResult = mvc.perform(post('/j_spring_security_check...
lives
0

votes
0

answer
10

Views

AuthenticationManagerBuilder is not recognizing my datasource, which doesn't allow me to log in, what is the approach to do this with spring-boot?

I am trying to authenticate my user through the database with dataSource. @Configuration @PropertySource(value = { 'classpath:application.properties' }) public class FormAppConfig { @Autowired Environment env; @Bean public DataSource securityDataSource() { BasicDataSource dataSource = new BasicDataS...
Adwait Uprety
1

votes
2

answer
2.2k

Views

How to use Spring security without password encoding?

I'm trying to learn Spring security currently. I used BCryptPasswordEncoder to encode user password before persisting into a database Code: @Override public void saveUser(User user) { user.setPassword(bCryptPasswordEncoder.encode(user.getPassword())); user.setActive(1); Role userRole = roleRepositor...
Arjun
1

votes
2

answer
403

Views

Spring Boot & Keycloak - only working for get method

The following is working fine: @GetMapping(path = '/onlyforAdmins') @Secured('ROLE_ADMIN') public ResponseEntity secureHello(Principal principal) { return new ResponseEntity('hello ' + principal.getName(), HttpStatus.OK); } However, I am always getting 403 when I try the following: @RequestMapping(...
-1

votes
0

answer
14

Views

Class file for org.springframework.transaction.annotation.Transactional not found - not using @Transactional

I'm following this guide and after adding the JWT Token Store config from Step 3: @Bean public TokenStore tokenStore() { return new JwtTokenStore(accessTokenConverter()); } @Bean public JwtAccessTokenConverter accessTokenConverter() { JwtAccessTokenConverter converter = new JwtAccessTokenConverter()...
Ian
1

votes
0

answer
144

Views

Could not connect secured LDAP server from other PC (CentOS)

I have created an LDAP server on my pc which has both secured and non-secured connections created. I have configured my Spring-MVC application to connect to LDAP servers in both secured and non-secured ways. When I try to connect the LDAP server from MY pc it is working fine. But when I try to conn...
VPK
1

votes
1

answer
373

Views

Spring PermissionEvaluator multiple permissions

I have created a customPermissionEvaluator and I'm trying to find the best way of using hasPermission implementation for multiple permissions. I know that If I use the next way: @PreAuthorize('hasPermission(#foo, 'test1') and hasPermission(#foo2, 'test2')') it will call @Override public boolean...
Gal Sosin
1

votes
2

answer
814

Views

How to fix role in Spring Security?

I'm trying to use Spring Security in my project, here is the code: @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { // TODO Auto-generated method stub //super.configure(auth); //auth.inMemoryAuthentication().withUser('admin').password('1111').roles('USER'); au...
Abd ELL
1

votes
1

answer
780

Views

OpenId connect Spring security 5 and Spring Boot

I'm trying to implement a Google-like authorization server. After a few hours spent searching I'm not able to find the solution. Where can I find a simple example to do that? I'm trying to use the @EnableAuthorizationServer annotation but I don't know if it is the right way.
Luca
1

votes
1

answer
246

Views

How to handle JWT Authentication with Spring when implementing a CQRS pattern?

Using the latest Spring Cloud and Spring Boot, I've got a micro services layout with a Zuul gateway. At the moment when a user sends a get request their JWT token gets added to the request and that goes off to the microservice where they're authenticated and things go as usual. This all works perfec...
Chris Turner
1

votes
1

answer
217

Views

Securing SpringBoot REST endpoints in Google Cloud Platform

I created a SpringBoot application with a couple of REST endpoints and deployed it to Google App Engine Standard. Everything works fine and I am able to hit the endpoints. Now I want to secure these endpoints and allow only users authorized as admin to be able to call one of the endpoints. I tried...
AndoverDev
1

votes
0

answer
380

Views

How to enable CSRF protection in Spring Security 3.0

I'm trying to enable CSRF protection in Spring Security 3.0. All the articles I've found point to using the tag, which doesn't exist in this version of Spring Security and there's no chance of me upgrading to a newer version of Spring any time soon. (Corporate environment) With this in mind, how c...
Beth
1

votes
0

answer
711

Views

How to add roles to Spring Boot security from a Zuul filter

I am developing a Spring Boot REST application that has a custom token authentication system. The token holds the roles for the user as claims. A Zuul proxy routes the traffic to multiple spring boot microservices and I would like to add a filter to the Zuul so that it extracts the roles from the to...
icordoba
1

votes
0

answer
194

Views

Spring Security: Creating multiple http-sections dynamically

Currently, I'm trying to figure out how to block every request, except for some routes secured with basic auth. The information of these routes is stored in a List of my utility object SecurityConstraintInfo (read from some configuration-file), which holds the username/password for the basic auth,...
user871611
1

votes
0

answer
81

Views

how to save value from POST method into parameter of Java class?

I'm new in Java, and currently try to create my own project, but have a problem with displaying information about user in his main page. Now I need to save a value from my JSP page (/login) which use method POST into parameter of my Java class('Controller'). login.jsp Log in with your account Log in...
Junior Java Mike
1

votes
1

answer
497

Views

Getting Spring Boot Security Working with Azure AD

Currently trying to get Azure AD integrated with a Spring Boot application I'm working on. I'm utilizing the azure-active-directory-spring-boot-starter package, and following the example laid out in the official documentation on Microsoft's website. However, when following the example, I'm receiving...
ReservedDeveloper
1

votes
0

answer
162

Views

Spring security “Not logged in or anonymous” or “permission denied” catch 22

I am trying to move my grails 3 app to spring security shiro and I seem to be stuck in a catch 22 regarding user login. If I allow the signIn method outside access in the interceptUrlMap it says anonymous user cannot be logged in and I see that it is trying to login with the following security prin...
JoeyHolloway
1

votes
0

answer
78

Views

Counting success and failed authentication

I use spring boot 2 in a thymeleaf application I created a class config for authentication @Configuration public class AuthenticationConfig { @Bean public AuthenticationSuccessEventListener asel() { return new AuthenticationSuccessEventListener(); } @Bean public AuthenticationFailureListener afel()...
robert trudel
1

votes
0

answer
243

Views

Spring Boot Security Javascript Post 401 error

I'm currently developing a micro-service architecture application with a Spring Boot Authorization Server. When I try to get a new token with an existing account through Postman I get a valid token. Postman request and result - Postman body Now when I try to do the same with a Javascript call I get a...
Kevin Bos
1

votes
0

answer
893

Views

swagger ui with spring security

I need specific role to access swagger ui snippet to access swagger-ui with role 2 ( tried following with no joy) http .csrf() .disable() .authorizeRequests() .antMatchers('/api/**').hasAuthority('ROLE_ROLE1') .antMatchers('/login/**').permitAll() .antMatchers('/info/**').permitAll() .antMatchers( '...
Jagruti Frank
1

votes
0

answer
257

Views

Spring Boot with different security contexts

I have two DispatcherServlets and I want to have different contexts for them. First servlet should be secured with spring security and second servlet should not use security at all. I register servlets as follows: @SpringBootApplication(exclude = {DispatcherServletAutoConfiguration.class}) public c...
Shirru
1

votes
1

answer
539

Views

CSP Header is refusing all scripts Spring Security

I am implementing Content Security Policy on a Spring Security project. I want to allow all resources from the local server and some other resources (scripts, stylesheets) from external links. I tried different syntaxes but none of them work as they are blocking all resources and giving the below exception...
UsamaAmjad
1

votes
2

answer
297

Views

Trying to switch the security off for one URL with XML configuration

I checked several blogs / doc / stackoverflow forum entries but I still don't know what I am doing wrong. I want to give access to an URL to anybody. The permitAll doesn't work as I have custom filters. So I thought to create a separate http element and use the security='none' setting but no success...
Viktor
1

votes
0

answer
1.3k

Views

Getting 403 Forbidden when trying to get authorization code using the authorization code grant type

I have resource and authorization servers written using Spring Boot and OAuth2. The resources are going to be accessed by another web server application. So I thought of using the authorization code grant type but I also want to skip the approval screen. I sent the following url to the auth server to get the author...
user9225538
1

votes
0

answer
731

Views

Spring boot security using multiple WebSecurityConfigurerAdapter with different AuthenticationProviders

I am trying to achieve different authentications based on certain http requests, but it appears no matter what the requests are they use the wrong authentications. More specifically, for any manage endpoint, I want to use only authentication A and for any internal or api endpoints I want to use only...
mr nooby noob
1

votes
0

answer
112

Views

SpringSecurity select authentication provider by prefix

I have a Spring REST-API which is secured by SpringSecurity. I have different ways to authenticate in that application. Customer (db) Employees (ldap) Other Applications/Services (inMemory) Each of these are covered by a different authentication provider, which properly assigns the access roles. (Wo...
ST-DDT
1

votes
0

answer
656

Views

Spring Security OAuth2 Could not obtain access token

I have a Spring Security OAuth client which is authenticating against a custom auth0 provider. For getting the UserAuthorizationUri, I need to make a post request to a rest endpoint which is a wrapper on top of auth0. So I have extended OAuth2ClientContextFilter and used a custom redirect strategy. N...
Pradeep S
1

votes
0

answer
317

Views

Spring Framework and encode/decode of public key

I am trying to create a new RsaVerifier to check a public key: JwtHelper.decodeAndVerify(token, verifier); I do believe it's a valid public key. I'm copying it correctly from my browser. It does begin with a return character though. It actually has them in several places: -----BEGIN PUBLIC KEY-----\...
Mike
1

votes
0

answer
247

Views

CAS & spring-security-cas with stateless session

I'm currently working through a spring application which is using stateless session and JWT based mechanism for authentication & authorizations. A new requirement arrived: using CAS v4.0 SSO solution to replace the authentication system. I went through the CAS documentation and the spring security d...
R. G
1

votes
0

answer
1.5k

Views

How to add client authentication filter for spring security oauth2?

I'm getting error at /oauth/token InsufficientAuthenticationException: There is no client authentication. Try adding an appropriate authentication filter I think @EnableAuthorizationServer is supposed to add the client authentication filter automatically. But I guess I may be wrong. I use authorizat...
eugene
1

votes
1

answer
222

Views

Azure IDP metadata loading fails

I am working on a project that re-uses https://github.com/vdenotaris/spring-boot-security-saml-sample to integrate with Azure AD as IDP. The integration went pretty smoothly. The only thing I couldn't fix was metadata trust check. According to https://docs.spring.io/autorepo/docs/spring-security-sam...
Piotr
1

votes
1

answer
455

Views

OAuth2RestTemplate "Access token denied."

Trying to setup oauth2 authentication with 3rd party provider and it looks like for some reason it is not passing the client_id to the server. @Bean(name = 'oauth2RestTemplate') public OAuth2RestTemplate oauth2RestTemplate() { ArrayList
ramkris
