spring-security
HttpSecurity, WebSecurity and AuthenticationManagerBuilder
configure(AuthenticationManagerBuilder) is used to establish an authentication mechanism by allowing AuthenticationProviders to be added easily. For example, the following defines in-memory authentication with the built-in 'user' and 'admin' logins. public void configure(AuthenticationManagerBuilder auth) { auth .inMemoryAuthentication() .withUser("user") .password("password") .roles("USER") .and() .withUser("admin") .password("password") .roles("ADMIN", "USER"); } configure(HttpSecurity) allows configuration of web-based security at a resource level, … Read more
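The same two in-memory accounts written for the component-based style that replaced WebSecurityConfigurerAdapter (Spring Security 5.7+ / Spring Boot 3). This is an added example, not code from the answer above; the SecurityFilterChain rules and the /admin/** path are assumptions for illustration. The practical difference from the snippet above is the PasswordEncoder: since Spring Security 5 a plain "password" is refused at login time with "There is no PasswordEncoder mapped for the id "null"", so the demo credentials are hashed at startup.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class InMemoryAuthConfig {

    // Delegating encoder: hashes new passwords with bcrypt and stores them as "{bcrypt}...",
    // so credentials are never plain text and the algorithm can be rotated later.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Replaces configure(AuthenticationManagerBuilder): the exposed UserDetailsService bean is
    // picked up by the auto-configured DaoAuthenticationProvider together with the encoder.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails user = User.builder()
                .username("user")
                .password(encoder.encode("password")) // demo credentials only; load real ones from a store
                .roles("USER")                        // stored as authority ROLE_USER
                .build();
        UserDetails admin = User.builder()
                .username("admin")
                .password(encoder.encode("password"))
                .roles("ADMIN", "USER")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    // Replaces configure(HttpSecurity): resource-level rules plus the login mechanisms.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN") // assumed admin area
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Checking it: a request to /admin/ with user:password returns 403, admin:password returns 200, and an unhashed password in the UserDetails would fail every login with the "no PasswordEncoder mapped" error.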
How to disable ‘X-Frame-Options’ response header in Spring Security?
If you’re using Java configs instead of XML configs, put this in your WebSecurityConfigurerAdapter.configure(HttpSecurity http) method: http.headers().frameOptions().disable();
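Before copying frameOptions().disable(), note that the header exists to stop clickjacking; removing it lets any site frame the application. The following added example (not from the answer above; the portal hostname is a hypothetical embedding origin) shows the weak setting next to the two narrower alternatives, in the lambda DSL of Spring Security 6.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class FrameOptionsConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .headers(headers -> headers
                // Weak: no X-Frame-Options at all, so any origin may frame the app.
                // .frameOptions(frame -> frame.disable())

                // Usually sufficient (H2 console, own iframes): only same-origin pages may frame it.
                .frameOptions(frame -> frame.sameOrigin())

                // Browsers give CSP frame-ancestors precedence over X-Frame-Options, so one
                // trusted embedding host can be allowed without dropping the protection.
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("frame-ancestors 'self' https://portal.example.com")));
        return http.build();
    }
}
```

Verify with curl -I against any protected URL: the response should carry X-Frame-Options: SAMEORIGIN and the Content-Security-Policy line, and a test page on an unlisted origin that embeds the app in an iframe should render blank.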
How to configure CORS in a Spring Boot + Spring Security application?
Spring Security can now leverage the Spring MVC CORS support described in this blog post I wrote. To make it work, you need to explicitly enable CORS support at the Spring Security level as follows, otherwise CORS-enabled requests may be blocked by Spring Security before reaching Spring MVC. If you are using controller-level @CrossOrigin annotations, … Read more
How to disable spring security for particular url
When using permitAll, it means every authenticated user; however, you disabled anonymous access, so that won't work. What you want is to ignore certain URLs. For this, override the configure method that takes a WebSecurity object and ignore the pattern. @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/api/v1/signup"); } And remove that line from the … Read more
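Both approaches side by side in the Spring Security 6 style, as an added example (not the answer's code; the POST-only matcher, CSRF exemption and /static/** paths are assumptions). The distinction matters: permitAll keeps the request inside the filter chain, whereas web.ignoring() makes FilterChainProxy skip it entirely, so that request gets no security headers, no CSRF protection and no SecurityContext.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SignupSecurityConfig {

    // Option A (preferred): open only the sign-up endpoint, keep everything else in the chain.
    // permitAll satisfies unauthenticated callers because the default
    // AnonymousAuthenticationFilter gives them an anonymous Authentication. With
    // .anonymous(a -> a.disable()) there is no Authentication at all and the check fails,
    // which is the situation the answer above describes.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/api/v1/signup").permitAll()
                .anyRequest().authenticated())
            // Sign-up is a state-changing POST from a client without a session, so exempt
            // just this endpoint from CSRF instead of disabling CSRF globally.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/v1/signup"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Option B: the web.ignoring() approach. The matched requests bypass the whole
    // FilterChainProxy, so reserve it for genuinely static resources; Spring Security 6
    // logs a warning recommending permitAll instead for anything else.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return web -> web.ignoring().requestMatchers("/static/**", "/favicon.ico");
    }
}
```

To see the difference, compare the response headers of POST /api/v1/signup (X-Content-Type-Options, Cache-Control and friends are present) with those of GET /favicon.ico (none of them, because Spring Security never saw the request).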
Spring 5.0.3 RequestRejectedException: The request was rejected because the URL was not normalized
Spring Security Documentation mentions the reason for blocking // in the request. For example, it could contain path-traversal sequences (like /../) or multiple forward slashes (//) which could also cause pattern-matches to fail. Some containers normalize these out before performing the servlet mapping, but others don’t. To protect against issues like these, FilterChainProxy uses an … Read more
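The exception comes from StrictHttpFirewall, the default HttpFirewall since Spring Security 5.0. The following added example (not from the answer above) shows how to tune it and how to turn the rejection into a clean 400 rather than a 500; the specific relaxations are assumptions for illustration and each one reopens a class of path-confusion bugs, so enable only what the application demonstrably needs.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class FirewallConfig {

    @Bean
    public HttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Only if path variables legitimately contain an encoded slash ("%2F"):
        firewall.setAllowUrlEncodedSlash(true);
        // Only if matrix variables or ";jsessionid=" URLs are really in use:
        firewall.setAllowSemicolon(true);
        // Explicit method allow-list; TRACE and other verbs are rejected.
        firewall.setAllowedHttpMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // A raw "//" in the path is always rejected as not normalized; there is no setter
        // for it. Fix the links or the reverse proxy that produce the double slash instead.
        return firewall;
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer(HttpFirewall firewall) {
        return web -> web
            .httpFirewall(firewall)
            // Rejected requests get a bare 400 instead of an error page with a stack trace.
            .requestRejectedHandler(
                new HttpStatusRequestRejectedHandler(HttpStatus.BAD_REQUEST.value()));
    }
}
```

With this in place, GET /api//items and GET /api/..%2fadmin both return 400 from the firewall before any filter or controller runs, while GET /api/items/a%2Fb reaches the controller because encoded slashes were explicitly allowed.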
Spring boot Security Disable security
In case you have spring-boot-actuator in your package, you should add the following @EnableAutoConfiguration(exclude = { org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class, org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class}) With older Spring-boot, the class was called ManagementSecurityAutoConfiguration. In newer versions this has changed to @SpringBootApplication(exclude = { org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class, org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration.class} ) UPDATE If for reactive application you are having the same issue, you can exclude the following … Read more
How to manually set an authenticated user in Spring Security / SpringMVC
I couldn’t find any other full solutions so I thought I would post mine. This may be a bit of a hack, but it resolved the issue to the above problem: public void login(HttpServletRequest request, String userName, String password) { UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(userName, password); // Authenticate the user Authentication authentication = authenticationManager.authenticate(authRequest); SecurityContext … Read more
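A complete version of the programmatic login for Spring Security 6, added as an example (not the answer's own code; it assumes an AuthenticationManager bean is exposed, e.g. via AuthenticationConfiguration.getAuthenticationManager(), and that the application uses the default session-based SecurityContextRepository). Two things the short snippet above leaves out matter in practice: rotating the session id against session fixation, and saving the context explicitly, because since Spring Security 6 the SecurityContextHolder is no longer persisted automatically at the end of the request.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Service;

@Service
public class ProgrammaticLoginService {

    private final AuthenticationManager authenticationManager;
    // Same repository the filter chain uses to load the context from the HTTP session.
    private final SecurityContextRepository securityContextRepository =
            new HttpSessionSecurityContextRepository();

    public ProgrammaticLoginService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    // Typical use: log the user in right after a successful self-registration.
    public Authentication login(HttpServletRequest request, HttpServletResponse response,
                                String username, String password) {
        // 1. Go through the real AuthenticationManager so password checks, locked/expired
        //    account rules and AuthenticationEvents all still apply. Throws
        //    AuthenticationException on bad credentials; let the caller map that to 401.
        Authentication authRequest =
                UsernamePasswordAuthenticationToken.unauthenticated(username, password);
        Authentication authentication = authenticationManager.authenticate(authRequest);

        // 2. Session fixation defence: the pre-login session id (which an attacker could
        //    have planted) must not become the authenticated one.
        request.getSession(true);
        request.changeSessionId();

        // 3. Make the principal visible to the rest of this request...
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authentication);
        SecurityContextHolder.setContext(context);

        // 4. ...and persist it to the session. Without this call the user is anonymous
        //    again on the next request (SecurityContextHolderFilter does not save for you).
        securityContextRepository.saveContext(context, request, response);
        return authentication;
    }
}
```

Saving through the repository rather than writing the SPRING_SECURITY_CONTEXT session attribute by hand keeps the code correct if the repository is later swapped (for example for a stateless or cookie-based one).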
What’s the point of Spring MVC’s DelegatingFilterProxy?
There’s some kind of magic here, but at the end, everything is a deterministic program. The DelegatingFilterProxy is a Filter as it was explained above, whose goal is “delegating to a Spring-managed bean that implements the Filter interface”, that is, it finds a bean (“target bean” or “delegate”) in your Spring application context and invokes … Read more
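The delegation in code, as an added example (not from the answer above). The servlet container instantiates filters itself, so a filter declared in web.xml cannot have Spring beans injected; the proxy registered with the container is a plain DelegatingFilterProxy that looks up the Spring-managed bean by name and forwards every call to it. The AuditLog service, the bean name and the URL pattern are assumptions; Spring Security's own AbstractSecurityWebApplicationInitializer registers the springSecurityFilterChain bean in exactly this way.

```java
import java.io.IOException;
import java.util.EnumSet;

import jakarta.servlet.DispatcherType;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterRegistration;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;

import org.springframework.stereotype.Component;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;

// A Spring-managed Filter: it is a normal bean, so it can depend on other beans.
// (AuditLog is a hypothetical service with a single record(String) method.)
@Component("auditFilter")
class AuditFilter implements Filter {

    private final AuditLog auditLog;

    AuditFilter(AuditLog auditLog) {
        this.auditLog = auditLog;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;
        auditLog.record(http.getMethod() + " " + http.getRequestURI()
                + " from " + http.getRemoteAddr());
        chain.doFilter(request, response); // always continue the container's chain
    }
}

// What web.xml would otherwise declare: the container only ever sees the proxy.
class AppInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) {
        // The constructor argument is the bean name; on first use the proxy resolves it from
        // the root WebApplicationContext and delegates init/doFilter/destroy to that bean.
        FilterRegistration.Dynamic registration = servletContext.addFilter(
                "auditFilter", new DelegatingFilterProxy("auditFilter"));
        registration.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST), false, "/*");
    }
}
```

In a Spring Boot application none of the registration code is needed, because Boot registers every Filter bean with the embedded container directly; DelegatingFilterProxy earns its keep in a traditional web.xml or WebApplicationInitializer deployment, where it is also the reason the security filter chain is a bean named springSecurityFilterChain.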
How to check “hasRole” in Java Code with Spring Security?
You can use the isUserInRole method of the HttpServletRequest object. Something like: public String createForm(HttpSession session, HttpServletRequest request, ModelMap modelMap) { if (request.isUserInRole("ROLE_ADMIN")) { // code here } }
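The same check done directly against the SecurityContext, as an added example (not the answer's code). It reproduces the two details that trip people up: hasRole() in SpEL accepts "ADMIN" and "ROLE_ADMIN" interchangeably by prepending the ROLE_ prefix, and an anonymous user carries an AnonymousAuthenticationToken whose isAuthenticated() is true, so it has to be excluded explicitly. request.isUserInRole("ADMIN") behaves the same way because Spring wraps the request in SecurityContextHolderAwareRequestWrapper, which applies the same prefixing.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public final class RoleChecks {

    private static final String ROLE_PREFIX = "ROLE_";

    private RoleChecks() {
    }

    // Mirrors SpEL hasRole(): "ADMIN" and "ROLE_ADMIN" both test for authority ROLE_ADMIN.
    public static boolean hasRole(String role) {
        String authority = role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
        return hasAuthority(authority);
    }

    public static boolean hasAnyRole(String... roles) {
        for (String role : roles) {
            if (hasRole(role)) {
                return true;
            }
        }
        return false;
    }

    // Exact authority match, e.g. "ROLE_ADMIN" or an OAuth2 "SCOPE_read".
    public static boolean hasAuthority(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        // The anonymous token reports isAuthenticated() == true but must never pass a role check.
        if (auth instanceof AnonymousAuthenticationToken) {
            return false;
        }
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(authority::equals);
    }
}
```

Inside a controller, if (RoleChecks.hasRole("ADMIN")) { ... } gives the branch the answer sketches; when the whole method is admin-only, the declarative form @PreAuthorize("hasRole('ADMIN')") with @EnableMethodSecurity is preferable, because the check then cannot be forgotten on a new code path.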