Cross-Origin Resource Sharing with Spring Security

I was able to do this by extending UsernamePasswordAuthenticationFilter… my code is in Groovy, hope that's OK:

public class CorsAwareAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    static final String ORIGIN = 'Origin'

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        if (request.getHeader(ORIGIN)) {
            String origin = request.getHeader(ORIGIN)
            response.addHeader('Access-Control-Allow-Origin', origin)
            response.addHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
            response.addHeader('Access-Control-Allow-Credentials', 'true')
            response.addHeader('Access-Control-Allow-Headers', request.getHeader('Access-Control-Request-Headers'))
        }
… Read more

Spring Security, Method Security annotation (@Secured ) is not working (java config)

Kindly add this: @EnableGlobalMethodSecurity(securedEnabled = true)

This element is used to enable annotation-based security in your application (by setting the appropriate attributes on the element), and also to group together security pointcut declarations which will be applied across your entire application context, specifically for @Secured. Hence your code should look like this:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled … Read more

Authentication and authorization in Spring Data REST

The best bet for you is Spring Security. That would help you achieve authorization in a much simpler manner. Spring Security would require from you an implementation that looks at request headers and performs the log-in operation programmatically. Refer to the accepted answer here. I had followed the same and implemented the security layer in front of my … Read more

Spring oauth2 scope vs authorities(roles)

"I noticed a client has both scope and authorities" – The client only has scope, but we can consider/use it as an authority (role). This is because the OAuth2 spec doesn't explain the specific usage of scope. Consider this: a user authorizes Twitter to post the user's tweet to Facebook. In this case, Twitter will have a scope write_facebook_status. … Read more

Spring Boot + Oauth2 client credentials

We have REST services protected with the OAuth2 Client Credentials scheme. The Resource and Authorization services are running in the same app, but can be split into different apps.

@Configuration
public class SecurityConfig {

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {
        // Identifies this resource server. Useful if the AuthorisationServer authorises multiple Resource servers
… Read more

Spring Security LDAP and Remember Me

There are two issues with configuring the RememberMe feature with LDAP: selection of the correct RememberMe implementation (Tokens vs. PersistentTokens), and its configuration using Spring's Java Configuration. I'll take these step by step. The Token-based remember-me feature (TokenBasedRememberMeServices) works in the following way during authentication: the user gets authenticated (against AD) and we currently know … Read more

Custom Authentication Manager with Spring Security and Java Configuration

Take a look at my sample below. You have to return a UsernamePasswordAuthenticationToken. It contains the principal and the GrantedAuthorities. Hope I could help 🙂

public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String username = authentication.getPrincipal() + "";
    String password = authentication.getCredentials() + "";
    User user = userRepo.findOne(username);
    if (user == null) {
        throw new … Read more

Property ‘security.basic.enabled’ is Deprecated: The security auto-configuration is no longer customizable

Spring Boot 2.0 changed its auto configuration (including some properties) and now has a single behavior that backs off as soon as you add your own WebSecurityConfigurerAdapter. The default configuration looks like:

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .and()
        .httpBasic();
}

A single user with a generated password is … Read more

Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns

To use multiple WebSecurityConfigurerAdapters, you need to restrict them to specific URL patterns using a RequestMatcher. In your case you can set a higher priority for ActuatorSecurityConfig and limit it only to actuator endpoints:

@Order(-1)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers().antMatchers("/actuator/**")
                .and()
            .authorizeRequests().anyRequest().hasRole("ADMIN")
                .and()
            .httpBasic();
    }
… Read more

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)