Spring-security context setup for 2-legged (client credentials) OAuth2 server

userApprovalHandler: if you only have one client in your system, I agree the users should not have to approve it accessing their data. oauthAuthenticationEntryPoint: Normally, if authentication fails, the response type is JSON. Documentation says “If authentication fails and the caller has asked for a specific content type response, this entry point can send one, …

Mock external server during integration testing with Spring

After playing a bit with various scenarios, here is one way one can achieve what was asked with minimal intervention in the main code. Refactor your controller to use a parameter for the third-party server address: @RestController public class HelloController { @Value("${api_host}") private String apiHost; @RequestMapping("/hello_to_facebook") public String hello_to_facebook() { // Ask facebook about …

Spring security method cannot decide pattern is MVC or not Spring Boot application exception

A migration occurred due to vulnerability CVE-2023-34035. In the event that you get an error like the following: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher). You should use a complete RequestMatcher. For example, if …

Spring Security in Spring Boot 3

Author: https://github.com/wilkinsona @Bean public SecurityFilterChain configure(HttpSecurity http) throws Exception { http .authorizeHttpRequests(requests -> requests .requestMatchers(new AntPathRequestMatcher("/openapi/openapi.yml")).permitAll() .anyRequest().authenticated()) .httpBasic(); return http.build(); } Source: https://github.com/spring-projects/spring-boot/issues/33357#issuecomment-1327301183 I recommend you use Spring Boot 3.0.0 (GA) right now, not the RC version.

Updating to Spring Security 6.0 – replacing Removed and Deprecated functionality for securing requests

In Spring Security 6.0, antMatchers() as well as other configuration methods for securing requests (namely mvcMatchers() and regexMatchers()) have been removed from the API. An overloaded method requestMatchers() was introduced as a uniform means for securing requests. The flavors of requestMatchers() facilitate all the ways of restricting requests that were supported by the removed methods. …

How to disable csrf in Spring using application.properties?

As the WebSecurityConfigurerAdapter uses an imperative approach you can inject the value of the security.enable-csrf variable and disable CSRF when it is false. You are right, I think this should work out of the box. @Configuration public class AuthConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Value("${security.enable-csrf}") private boolean csrfEnabled; @Override protected void configure(AuthenticationManagerBuilder auth) …

Java Spring Security – User.withDefaultPasswordEncoder() is deprecated?

EDIT: deleted old answer, misunderstood the question. Here’s the new one: User.withDefaultPasswordEncoder() can still be used for demos, you don’t have to worry if that’s what you’re doing – even if it’s deprecated – but in production, you shouldn’t have a plain text password in your source code. What you should be doing instead of …