spring-security

Spring Security X.509 authentication without user-service

血红的双手。 提交于 2021-02-19 02:23:30
问题 I'm using Spring Security (v3.1.3) for X.509 authentication in my web-application. Users and roles are stored in the Database, but I don't actually need to do it, as CNs of client certificates conform to "[ROLE] - [USERNAME]" schema, which means I already have username and role from the certificate itself. So how to eliminate the database without too much effort? Should I write my own implementation of user-service, which will populate UserDetails, or is there more graceful method? 回答1: Yes,

How to add headers to requests ignored by Spring Security

狂风中的少年 提交于 2021-02-18 18:48:54
问题 My configuration of Spring Security is @Override public void configure(WebSecurity web) throws Exception { web .ignoring() .antMatchers("/resources/**"); // #3 } Taken from here. The documentation for ignorig says Allows adding RequestMatcher instances that should that Spring Security should ignore. ... Typically the requests that are registered should be that of only static resources. I would like to add some headers to files served from resources. E.g.: Strict-Transport-Security: max-age

How to add headers to requests ignored by Spring Security

China☆狼群 提交于 2021-02-18 18:47:50
问题 My configuration of Spring Security is @Override public void configure(WebSecurity web) throws Exception { web .ignoring() .antMatchers("/resources/**"); // #3 } Taken from here. The documentation for ignorig says Allows adding RequestMatcher instances that should that Spring Security should ignore. ... Typically the requests that are registered should be that of only static resources. I would like to add some headers to files served from resources. E.g.: Strict-Transport-Security: max-age

How can I get a custom Principal object with Spring using OAuth2?

我只是一个虾纸丫 提交于 2021-02-18 12:09:47
问题 I have a Spring Boot application utilizing spring-security-jwt and spring-security-oauth2. I've got a custom User object extending UserDetails and a Custom UserDetailsService returning this object from the loadUserByUsername method. But when I utilize the getPrincipal method of the Authentication object and try to Cast to my custom user object, it fails as the principal is returning a string vs my custom user object. My actual goal is to eliminate the trip to the persistence layer on every

Custom WebSecurityConfigurerAdapter

陌路散爱 提交于 2021-02-17 20:27:20
问题 I have this problem implementing a custom login authentication using SpringBoot and SpringBoot-Security. I made a Bitbucket repository as reference for this thread (within CustomSecuringWeb branch). Before anything else, most of the comments here follows the Securing a Web Application tutorial. The thing is, I was curious as how could the authentication data is now from the database instead of just memory data (which is very common in production line applications). Throughout the process I

After Spring Boot 2 upgade authorization server returns “At least one redirect_uri must be registered with the client.”

核能气质少年 提交于 2021-02-17 05:30:09
问题 I upgraded our authorization server from Spring Boot 1.5.13.RELEASE to 2.1.3.RELEASE, and now I can authenticate, but I can no longer access the site. Here is the resulting URL and error after the POST to /login. https://auth-service-test-examle.cfapps.io/oauth/authorize?client_id=proxy-service&redirect_uri=http://test.example.com/login&response_type=code&state=QihbF4 OAuth Error error="invalid_request", error_description="At least one redirect_uri must be registered with the client." To

Getting Access Token with Spring Cloud Gateway and Spring Security with Keycloak

回眸只為那壹抹淺笑 提交于 2021-02-17 05:17:48
问题 I am using Spring cloud Gateway with Spring security and Keycloak for Access management. I am having an issue getting the access token with spring cloud gateway as the token I am getting doesn't have all the parameters like what I get from the token endpoint in keycloak. When I hit the keycloak token endpoint with all the details: http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token { "exp": 1595310135, "iat": 1595309835, "jti": "0a78d67c-878c-468c-8d03-e003af0350c3", "iss"

Spring security session timeout for spring reactive

泪湿孤枕 提交于 2021-02-16 22:59:37
问题 I have a Reactive Application with Spring Security integrated, it was created by spring initilizer with mainly thre3 packages(spring boot, spring security and webflux). I was trying to configure the session timeout by following configuration in application.properties : spring.session.timeout=1m after starting the application with mvn spring-boot:run , It can be accessed by http://localhost:8080 and it asked me to login(by default security setting). I can use the username user and the password

Replacing the default filter at position SESSION_MANAGEMENT_FILTER

大憨熊 提交于 2021-02-16 15:14:08
问题 I want to replace the default SessionManagementFilter with my own, but I'm running into this 17:31:32,901 ERROR [[/accounts]] Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Filter beans '<accountsSessionManageFilter>' and 'Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=;

Spring Boot security shows Http-Basic-Auth popup after failed login

▼魔方 西西 提交于 2021-02-15 13:38:07
问题 I'm currently creating a simple app for a school project, Spring Boot backend and AngularJS frontend, but have a problem with security that I can't seem to solve. Logging in works perfectly, but when I enter a wrong password the default login popup shows up, which is kind of annoying. I've tried the annotation 'BasicWebSecurity' and putting httpBassic on disabled, but with no result (meaning, that the login procedure doesn't work at all anymore). My security class: package be.italent.security