spring-security

Bypassing the login page to send the user directly to the authorization URI

谁都会走, submitted on 2021-01-29 02:30:09
Question: I'm new to the Spring Framework and I'm trying to set up my application with Spring Security using Azure AD authentication. I have the basics set up and my application correctly authenticates to Azure AD. The question I have involves bypassing the default "/login" page that gets generated. Instead of landing on the default "/login" page (or creating my own custom one) when authentication is required, I would like the application to automatically redirect to Microsoft's login page. My

Spring Boot - set default HTTP Oauth2Login() registration/provider

时光怂恿深爱的人放手, submitted on 2021-01-29 01:55:43
Question: New to Spring Boot, and I'm working on an application that already had some OAuth2 authentication done for signing in with Azure. I was tasked with setting up some auth for another API and now I have two registrations (client id/secret/grant-type) in my application-local.properties:

    spring.security.oauth2.resource.jwk.key-set-uri=xxxxxxxx
    spring.security.oauth2.client.registration.azure.client-secret=xxxx
    spring.security.auth2.client.registration.azure.client-id=xxxxx
    spring.security.oauth2

SpringCacheBasedUserCache is null

梦想与她, submitted on 2021-01-28 22:22:32
Question: I have a web application that uses Spring Boot, Spring Security and Spring Data. It is stateless. I would like to avoid always calling the DB for user access, so I am thinking of using SpringCacheBasedUserCache.

    @Configuration
    @EnableCaching
    public class CacheConfig {
        @Bean
        CacheManager cacheManager() {
            SimpleCacheManager cacheManager = new SimpleCacheManager();
            cacheManager.setCaches(Arrays.asList(new ConcurrentMapCache("city"), new ConcurrentMapCache("userCache")));
            return cacheManager;
        }
        @Bean
        public

How to disable csrf protection for particular pages in my website?

主宰稳场, submitted on 2021-01-28 22:18:53
Question: CSRF protection is used so that any requests made from other websites cannot affect my website to cause harm. It is said in the Spring Security CSRF documentation that CSRF is applied for PUT, POST, PATCH and DELETE requests. But according to my understanding, login/signup forms do not need CSRF protection, as they already require credentials in the form of username and password and even if such a request is made from another website, there will be no harm as the user will just get logged in. But

spring boot security static resources

落爺英雄遲暮, submitted on 2021-01-28 22:00:42
Question: I am writing an app in Spring Boot and Spring Security with Thymeleaf, and I am trying to access my static resource file... This is my project structure...

    .
    ├── mvnw
    ├── mvnw.cmd
    ├── nb-configuration.xml
    ├── pom.xml
    ├── src
    │   ├── main
    │   │   ├── java
    │   │   │   └── com
    │   │   ├── resources
    │   │   │   ├── application.properties
    │   │   │   ├── static
    |   |   |   |   |---------------------------------this is image.jpg
    │   │   │   ├── templates
    │   │   │   └── ValidationMessages.properties
    │   │   └── wro
    │   │       ├── css
    │   │       ├── fonts
    │   │       ├── js
    │   │       ├──

Spring boot SAML 2 authentication object null

允我心安, submitted on 2021-01-28 21:10:52
Question: I have a requirement to integrate SAML authentication with a REST API so that I can make my REST services stateless. The approach I've taken is as follows:

    Developed an authentication service behind a Zuul proxy, which is running behind an AWS ALB.
    The user tries to generate a token via the endpoint https://my-domain/as/auth/login
    Since the user is not logged in, he gets redirected to the IDP, where he authenticates.
    After authentication, the IDP redirects the user back to my service, i.e. at URL https://my-domain/as/auth

Spring Security WebFlux IP Whitelist

感情迁移, submitted on 2021-01-28 19:09:46
Question: In the latest Spring Security, which leverages WebFlux, the security config works like below:

    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange().pathMatchers("/**") ....

Before, there was a method hasIpAddress("xxx.xxx.xxx.xxx") we could use to configure an IP whitelist; now it's gone. How do I specify an IP whitelist for the new Spring Security WebFlux? Based on the idea from @özkan pakdil below, here is my code, but the IP filter does not work - The request from IP

Spring Security using CSRF token even though not specified and turned off

大憨熊, submitted on 2021-01-28 13:53:43
Question: For my project I am trying to make a simple service which can do POST, GET and DELETE requests. I'm not interested in the extra security layer added by CSRF, so I want it turned off. I know that by default it should be off, but it does not seem to behave. Every time I make a POST request, it gives me the following output:

    /users/insert at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
    o.s.security.web.FilterChainProxy : /users/insert at position

spring jwt decoder openid token

牧云@^-^@, submitted on 2021-01-28 13:31:35
Question: The external OAuth2 provider doesn't have a public JwkUri, so I tried to override the default behavior using the following code snippet:

    @EnableWebSecurity
    public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                .antMatchers("**/oauth2/code/esia**", "**/code/esia**", "**esia**").permitAll()
                .antMatchers("/user").fullyAuthenticated()
                .anyRequest().authenticated()
                .and()
                .csrf().disable

spring jwt decoder openid token

两盒软妹~`, submitted on 2021-01-28 13:31:13
Question: The external OAuth2 provider doesn't have a public JwkUri, so I tried to override the default behavior using the following code snippet:

    @EnableWebSecurity
    public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                .antMatchers("**/oauth2/code/esia**", "**/code/esia**", "**esia**").permitAll()
                .antMatchers("/user").fullyAuthenticated()
                .anyRequest().authenticated()
                .and()
                .csrf().disable