spring-security

问题 I am using Spring Security 4. Everything works fine until I decided to turn on CSRF to keep website security. But I am getting confused after reading lots of relevant documents. Here is the question: I have back-end services with Spring MVC and Spring Security running on Computer A , on Computer B I have all the front-end HTML. New I want to login in from webpages in Computer B , it always says Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'. I

问题 I have a spring boot application which is using Oauth with OneLogin as the authorisation server. Now, I want to implement role based authorisation to expose certain APIs only to users with certain privileges. I have users belonging to groups. Say user A belongs to "admin" group and user B does not belong to the admin group. My question is how can I use these groups to enable only user A to access certain APIs. This is the information about the authenticated user for reference: authorities 0

问题 I have a spring boot application which is using Oauth with OneLogin as the authorisation server. Now, I want to implement role based authorisation to expose certain APIs only to users with certain privileges. I have users belonging to groups. Say user A belongs to "admin" group and user B does not belong to the admin group. My question is how can I use these groups to enable only user A to access certain APIs. This is the information about the authenticated user for reference: authorities 0

问题 So, I'm working on a web application using angular on frontend, JWT tokens, and Spring Boot microservices on the backend, and to Reset password with sending the email I found a tuto it worked for me but when migrating to my project it didn't work (in the Controller) cause it's with ModelandView and I'm working with ResponseEntity. So How can i change ModelandView to ResponseEntity in controller /** * Display the forgot password page and form */ @RequestMapping(value="/forgot-password", method

问题 I have an auth-cas library that provides authentication to my spring boot project. In this auth-cas library there is a class that extends WebSecurityConfigurerAdapter with following configure function @Override @ConditionalOnProperty(value = "ugent.cas.serviceUrl", matchIfMissing = true) @ConditionalOnClass(Cas.class) protected void configure(HttpSecurity http) throws Exception { http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint()); if (basicAuthenticationProviders

问题 I have an auth-cas library that provides authentication to my spring boot project. In this auth-cas library there is a class that extends WebSecurityConfigurerAdapter with following configure function @Override @ConditionalOnProperty(value = "ugent.cas.serviceUrl", matchIfMissing = true) @ConditionalOnClass(Cas.class) protected void configure(HttpSecurity http) throws Exception { http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint()); if (basicAuthenticationProviders

问题 I am building a REST API that uses Spring Security (and it's filter chain) to authenticate the user via JWT. Now, if such a JWT is missing, expired or similar, I would like to return a nicely formatted error message to the API consumer, instead of the default whitelabel error response. The API error messages returned out of the Spring Security filter should look identical to the ones returned in case of business logic failure. In case of business logic failure, my Spring REST controllers

问题 There is a Spring-boot REST API, that needs to be secured by Keycloak, the application is using Keycloak-Spring-Security adapter (6.0.1). A call to an API endpoint, carries along the bearer token, obtained from Keycloak (currently through postman). I'm able to perform a successful REST endpoint call, but other thing is troubling me - should I explicitly verify the token against the public key? 1 - Is the adapter performing verification of the token against the public key, or should I

问题 There is a Spring-boot REST API, that needs to be secured by Keycloak, the application is using Keycloak-Spring-Security adapter (6.0.1). A call to an API endpoint, carries along the bearer token, obtained from Keycloak (currently through postman). I'm able to perform a successful REST endpoint call, but other thing is troubling me - should I explicitly verify the token against the public key? 1 - Is the adapter performing verification of the token against the public key, or should I

问题 There is a Spring-boot REST API, that needs to be secured by Keycloak, the application is using Keycloak-Spring-Security adapter (6.0.1). A call to an API endpoint, carries along the bearer token, obtained from Keycloak (currently through postman). I'm able to perform a successful REST endpoint call, but other thing is troubling me - should I explicitly verify the token against the public key? 1 - Is the adapter performing verification of the token against the public key, or should I