spring-security

问题 I'm using Postman to test a simple OAuth2 API I'm creating in Spring Boot 2.2.6 with Spring Security. I successfully receive a JWT when requesting new user credentials, but all of my endpoints return a 403 Forbidden error when I attempt to access them with this token in my headers. My classes are as follows: My server security configuration: @Configuration @EnableWebSecurity @Order(1) @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true) class ServerSecurityConfiguration

问题 I'm using Postman to test a simple OAuth2 API I'm creating in Spring Boot 2.2.6 with Spring Security. I successfully receive a JWT when requesting new user credentials, but all of my endpoints return a 403 Forbidden error when I attempt to access them with this token in my headers. My classes are as follows: My server security configuration: @Configuration @EnableWebSecurity @Order(1) @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true) class ServerSecurityConfiguration

问题 I'm using Postman to test a simple OAuth2 API I'm creating in Spring Boot 2.2.6 with Spring Security. I successfully receive a JWT when requesting new user credentials, but all of my endpoints return a 403 Forbidden error when I attempt to access them with this token in my headers. My classes are as follows: My server security configuration: @Configuration @EnableWebSecurity @Order(1) @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true) class ServerSecurityConfiguration

问题 I'm using Postman to test a simple OAuth2 API I'm creating in Spring Boot 2.2.6 with Spring Security. I successfully receive a JWT when requesting new user credentials, but all of my endpoints return a 403 Forbidden error when I attempt to access them with this token in my headers. My classes are as follows: My server security configuration: @Configuration @EnableWebSecurity @Order(1) @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true) class ServerSecurityConfiguration

问题 I need to disable the cache control headers in my Spring Security conf. According to the documentation a simple http.headers.disable() should do it, but I still see the Cache-Control:no-cache, no-store, max-age=0, must-revalidate Expires:0 Pragma:no-cache headers in responses. My current security config is: http.antMatcher("/myPath/**") // "myPath" is of course not the real path .headers().disable() .authorizeRequests() // ... abbreviated .anyRequest().authenticated(); Things I've tried so

问题 I am trying to secure my application using keycloak. I use angular for my frontend and spring boot for my backend. Using only http, everything works fine, the problem is, if I want to use HTTPS along side HTTP, I am having a problem with the backend throwing an error like: o.k.a.BearerTokenRequestAuthenticator : Failed to verify token org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://myDomain/auth/realms/realmName', but was 'https://myDomain/auth/realms

问题 When CSRF is enabled and a web page has multiple forms, will all the forms have the same csrf token or each form has a unique csrf token? If this is framework dependent, then how does it work in the context of spring security? 回答1: CSRF is not associated with form or something but to associated with each request. Each individual request contains new csrf token. 来源： https://stackoverflow.com/questions/64422918/csrf-token-on-a-web-page-with-multiple-forms

问题 I Introduce the problem: when I launch the application and I enter the url "/home". The home page is displayed but not correctly (the template is not well organized) and I receive an exception TemplateInputException . After a while, If I refresh the home page and the other pages It comes back to normal but if I go to "/login", and I logout which redirects me to the home view the same issue comes back again. The Stacktrace Console: org.thymeleaf.exceptions.TemplateInputException: An error

问题 After signing-in, the websockets cannot find the current user by session.getPrincipal() (it returns null). Here is the Java code for WebSockets: @Configuration @EnableWebSocketMessageBroker public class WebSocketConfiguration extends AbstractWebSocketMessageBrokerConfigurer { @Override public void configureMessageBroker(MessageBrokerRegistry config) { config.enableSimpleBroker("/queue", "/topic"); config.setApplicationDestinationPrefixes("/socket"); config.setUserDestinationPrefix("/user"); }

问题 After signing-in, the websockets cannot find the current user by session.getPrincipal() (it returns null). Here is the Java code for WebSockets: @Configuration @EnableWebSocketMessageBroker public class WebSocketConfiguration extends AbstractWebSocketMessageBrokerConfigurer { @Override public void configureMessageBroker(MessageBrokerRegistry config) { config.enableSimpleBroker("/queue", "/topic"); config.setApplicationDestinationPrefixes("/socket"); config.setUserDestinationPrefix("/user"); }