spring-security

问题 Im already authenticating access to my API using a Firebase Auth token (JWT) which is passed inside the Http Authorization Header as Bearer token. This works fine using auto configuration. Now I want to map from the authentication to a user record in my DB. How do I need to adapt the security filter chain? This configuration is automatically applied by spring boot according to the docs and can be overridden: @Override protected void configure(HttpSecurity http) throws Exception { http

问题 I implemented the UserDetailsService interface and override the loadUserByUsername method. I thought that, inside loadUserByUsername , I could get username and password, to check if they match username and password on the DB. But I can't understand how to get the password typed by the user, provided that it is possibile. Probably, I'm implementing the wrong interface. Is UserDetailsService enough to do what I want to or I have to implement or extend something else? 回答1: The UserDetailsService

问题 I have implemented 'Remember Me' functionality in my Spring MVC application using Spring Security 3.1 My security-context.xml looks like this : <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www

问题 Closed . This question needs to be more focused. It is not currently accepting answers. Want to improve this question? Update the question so it focuses on one problem only by editing this post. Closed 9 months ago . Improve this question I'm looking forward to deploying my Spring Application on a production environment and i'd like to include some basic and solid security measures. First things first, i extended WebSecurityConfigurerAdapter into my SecurityConfiguration.java

问题 Closed . This question needs to be more focused. It is not currently accepting answers. Want to improve this question? Update the question so it focuses on one problem only by editing this post. Closed 9 months ago . Improve this question I'm looking forward to deploying my Spring Application on a production environment and i'd like to include some basic and solid security measures. First things first, i extended WebSecurityConfigurerAdapter into my SecurityConfiguration.java

问题 I was wondering if there is a way for authorizing incrementally with Spring Security (as mentioned here) By default spring security provides basic profile access when using Google sign OAuth verification. That flow is correct. I would however want to request for additional scopes (Gmail Read, Calendar read etc) on certain URL endpoints. I have already tried using the @PreAuthorize property on the endpoint along with enabling @EnableGlobalMethodSecurity(prePostEnabled = true) as in the code.

问题 I'm writing my own implementation of TokenStore (org.springframework.security.oauth2.provider.token.TokenStore) using MongoDB. There seems to be some problem with converting/mapping of the object in the database back to Java object. Anyone have a clue how I could solve this? org.springframework.data.mapping.model.MappingInstantiationException: Failed to instantiate org.springframework.security.authentication.UsernamePasswordAuthenticationToken using constructor NO_CONSTRUCTOR with arguments

问题 I have 2 Spring Security WebSecurityConfigurerAdapter configs. I want to filter all requests to path /filter1 with filter 1, excluding /filter1/filter2 path. The latter one I want to filter with filter 2. How can I achieve it? Filter 1 config: @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .authorizeRequests() .antMatchers("filter1/filter2/**").permitAll() .and(

问题 Our application used to have only one possibility to log in: username and password. Once a new user logged into the application, their session would appear in Spring Security's SessionRegistry . Now I'm implementing SAML support with the help of Spring SAML. I oriented the setup heavily towards the sample application's configuration. It all works fine. However I noticed that users that log in via SAML don't get their session added to the SessionRegistry . The usual context file for form based

问题 The title might be a bit misleading and might give you the impression this is an easy one so I will elaborate. I have a set of endpoints (REST services) that I want to secure without using the regular login way that Spring security provides. Usually you would first aim to the login endpoint (j_pring_security_check by default), authenticate and then send the request to the service endpoint along with the JSESSIONID. In this case i want to work without redirections. From the client-side I want