Spring OAuth2 scope vs authorities (roles)

“I noticed a client has both scope and authorities.” The client only has scope, but we can consider/use it as an authority (role). This is because the OAuth2 spec doesn’t explain the specific usage of scope. Consider this: a user authorizes Twitter to post the user’s tweet to Facebook. In this case, Twitter will have a scope write_facebook_status. …
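What “using scope as an authority” looks like in current Spring Security (the resource-server support that replaced the older spring-security-oauth2 project this answer is written against). This is an added example, not the answer’s code; it assumes Spring Security 6.x with a JWT decoder already configured (for example via spring.security.oauth2.resourceserver.jwt.issuer-uri) and a hypothetical endpoint POST /facebook/status that posts on the user’s behalf.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ScopeAsAuthorityConfig {

    // Map every entry of the token's "scope" claim to a GrantedAuthority named SCOPE_<scope>.
    // This is also the converter's default behaviour; it is spelled out here so the mapping
    // from "what the user delegated" to "what the request is allowed to do" is visible.
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        scopes.setAuthoritiesClaimName("scope");
        scopes.setAuthorityPrefix("SCOPE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(scopes);
        return converter;
    }

    @Bean
    SecurityFilterChain resourceServer(HttpSecurity http, JwtAuthenticationConverter converter) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Hypothetical endpoint: only a token the user consented to with this scope may post
                // to their Facebook timeline. A token that merely authenticates the user is not enough.
                .requestMatchers(HttpMethod.POST, "/facebook/status").hasAuthority("SCOPE_write_facebook_status")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

The distinction worth keeping in mind: a role describes who the user is, a scope describes what this particular client was allowed to do on the user’s behalf. Treating scopes as authorities works precisely because the authorization check only asks “does this Authentication carry this authority?”; the SCOPE_ prefix keeps the two kinds of authority from being confused with one another.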

Integrate Spring Security OAuth2 and Spring Social

I had a similar problem on a JHipster-generated web application. Finally, I decided to go with the SocialAuthenticationFilter option from Spring Social (via the SpringSocialConfigurer). After a successful social login, the server automatically generates and returns its “own” access token via redirection to the client app. Here’s my try:

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration …

Using multiple WebSecurityConfigurerAdapter in spring boot

Define a special interface:

    public interface ServiceWebSecurityConfigurer {
        void configure(HttpSecurity http) throws Exception;
    }

Then have just one ConfigurerAdapter:

    public class MyConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Autowired(required = false)
        ServiceWebSecurityConfigurer serviceSecConfig;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests(). // whatever
            if (serviceSecConfig != null) serviceSecConfig.configure(http);
            http.authorizeRequests(). // whatever
        }
    }

and then just implement ServiceWebSecurityConfigurer …
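WebSecurityConfigurerAdapter, which the answer above builds on, was deprecated in Spring Security 5.7 and removed in 6.0. In current releases the “several independent security configurations” problem is solved with several ordered SecurityFilterChain beans, each scoped to its own URL prefix. The following is an added example, not the answer’s code; it assumes Spring Security 6.x and the hypothetical prefixes /api/** and /admin/**.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1 (highest precedence): stateless API under /api/** (hypothetical prefix).
    // securityMatcher() restricts which requests this chain is even considered for;
    // a chain without one matches every request and shadows all lower-ordered chains.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("API"))
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable()); // no browser session on this chain, so nothing for CSRF to protect
        return http.build();
    }

    // Chain 2: browser-facing admin UI under /admin/** (hypothetical prefix).
    // Session-based form login; CSRF protection stays enabled here.
    @Bean
    @Order(2)
    SecurityFilterChain adminChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/admin/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ADMIN"))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Chain 3 (lowest precedence, no securityMatcher): everything else. It hosts the shared
    // login endpoint and denies any URL no other chain claimed, so a prefix added later
    // without its own chain fails closed instead of being silently exposed.
    @Bean
    @Order(3)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/error").permitAll()
                .anyRequest().denyAll())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Each request is handled by the first chain, in @Order sequence, whose securityMatcher accepts it, and by that chain only; the interface-plus-single-adapter trick from the answer is no longer needed because the chains are already independent beans. The same idea works on Spring Security 5.x before 5.7 with several @Order-annotated WebSecurityConfigurerAdapter subclasses that each call http.antMatcher(...) first.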

Should spring security method level annotations be applied at the controller layer or the service layer?

“It depends” :). If your application has a service layer through which all your business logic is applied then that is usually a clean place to apply your security constraints and be certain that you haven’t missed out any corner cases. Web code is generally messier, there’s more of it, it changes more rapidly and …

Return HTTP Error 401 Code & Skip Filter Chains

I suggest this solution below.

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        final String val = request.getHeader(FOO_TOKEN);
        if (val == null || !val.equals("FOO")) {
            // reject here: the rest of the filter chain never runs for this request
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED, "The token is not valid.");
        } else {
            chain.doFilter(req, res);
        }
    }
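A hardened version of the same idea, added here as an example and not part of the answer above. It assumes Spring 6 / Jakarta Servlet packages, a hypothetical header name X-Foo-Token, and that the expected token is injected from configuration rather than written into the source. Three things differ from the answer’s filter: the comparison is constant-time, the 401 carries the WWW-Authenticate challenge that RFC 7235 requires, and the rejection path returns explicitly so a later edit cannot accidentally fall through into chain.doFilter after the error has already been sent.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Rejects any request that does not present the expected token with 401 and
 * stops the filter chain. OncePerRequestFilter guarantees a single evaluation
 * per request even across forwards.
 */
public class FooTokenFilter extends OncePerRequestFilter {

    static final String FOO_TOKEN = "X-Foo-Token"; // hypothetical header name

    private final byte[] expected;

    public FooTokenFilter(String expectedToken) {
        // Injected at construction (from configuration or a secret store), never a literal in code.
        this.expected = expectedToken.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String presented = request.getHeader(FOO_TOKEN);

        // MessageDigest.isEqual compares in constant time for equal-length inputs, so the
        // response time does not reveal how many leading bytes of a guess were correct.
        if (presented == null
                || !MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8))) {
            // RFC 7235: a 401 response must include a WWW-Authenticate challenge.
            response.setHeader("WWW-Authenticate", "FooToken realm=\"api\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "The token is not valid.");
            return; // do not continue the chain after the error has been committed
        }
        chain.doFilter(request, response);
    }
}
```

Register it ahead of the authentication filters, for example with http.addFilterBefore(new FooTokenFilter(token), UsernamePasswordAuthenticationFilter.class) in the HttpSecurity configuration, so the 401 is produced before any session or authentication state is touched.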

Does securing a REST application with a JWT and Basic authentication make sense?

Assuming 100% TLS for all communication – both during and at all times after login – authenticating with username/password via basic authentication and receiving a JWT in exchange is a valid use case. This is almost exactly how one of OAuth 2’s flows (‘password grant’) works. The idea is that the end user is authenticated …

Spring Boot Security: disable security

In case you have spring-boot-actuator in your package, you should add the following:

    @EnableAutoConfiguration(exclude = {
        org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
        org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class })

With older Spring Boot, the class was called ManagementSecurityAutoConfiguration. In newer versions this has changed to:

    @SpringBootApplication(exclude = {
        org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class,
        org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration.class })

UPDATE: If for a reactive application you are having the same issue, you can exclude the following …

What’s the difference between @Secured and @PreAuthorize in Spring Security 3?

The real difference is that @PreAuthorize can work with Spring Expression Language (SpEL). You can:

- Access methods and properties of SecurityExpressionRoot.
- Access method arguments (requires compilation with debug info or a custom ParameterNameDiscoverer):

    @PreAuthorize("#contact.name == principal.name")
    public void doSomething(Contact contact)

- (Advanced feature) Add your own methods (override MethodSecurityExpressionHandler and set it as <global-method-security><expression-handler … /></…>).
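The two annotations side by side on one service, as an added example that is not part of the answer above. It assumes Spring Security 5.6 or later (for @EnableMethodSecurity) and a hypothetical Contact class standing in for the one in the answer’s snippet; the expression uses authentication.name instead of the answer’s principal.name because the principal object is not guaranteed to expose a getName() method, while the Authentication always does.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// @PreAuthorize/@PostAuthorize are enabled by default with @EnableMethodSecurity;
// @Secured is not evaluated at all unless securedEnabled = true is set.
// (Pre-5.6 equivalent: @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true).)
@Configuration
@EnableMethodSecurity(securedEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical domain type standing in for the Contact in the answer's example.
class Contact {
    private final String name;
    private final String email;

    Contact(String name, String email) {
        this.name = name;
        this.email = email;
    }

    public String getName() { return name; }   // SpEL resolves #contact.name through this getter
    public String getEmail() { return email; }
}

@Service
class ContactService {

    // @Secured: a flat list of authority strings, any one of which grants access.
    // No expressions and no access to arguments; the authority carries its ROLE_ prefix literally.
    @Secured("ROLE_ADMIN")
    public void deleteAll() {
        // ...
    }

    // @PreAuthorize: the same role check in SpEL, OR-ed with a rule on the method argument.
    // hasRole('ADMIN') adds the ROLE_ prefix for you. Resolving #contact needs parameter names
    // at runtime, i.e. compile with -parameters (or debug info), as the answer notes.
    @PreAuthorize("hasRole('ADMIN') or #contact.name == authentication.name")
    public void update(Contact contact) {
        // ...
    }

    // Something @Secured cannot express at all: a decision that depends on the return value.
    @PostAuthorize("hasRole('ADMIN') or returnObject.name == authentication.name")
    public Contact load(String name) {
        return new Contact(name, name + "@example.com"); // constructed stand-in for a repository lookup
    }
}
```

One caveat applies to both annotations equally: they are enforced by the Spring proxy around the bean, so a call from one method of ContactService to another method of the same class (self-invocation) bypasses the check. Keep the annotated methods on the boundary that other beans call into.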