spring-security – Page 3

Spring Security Token based Authentication

December 16, 2023 by Tarik

Here is how I was able to implement token based authentication and basic authentication SpringSecurityConfig.java @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override public void configure(final AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(this.participantService).passwordEncoder(this.passwordEncoder()); } @Override protected void configure(final HttpSecurity http) throws Exception { //Implementing Token based authentication in this filter final TokenAuthenticationFilter tokenFilter = new … Read more

How do I use custom roles/authorities in Spring Security?

December 12, 2023 by Tarik

You are using the default configuration which expects that roles starts with the “ROLE_” prefix. You will have to add a custom security configuration and set rolePrefix to “”; http://forum.springsource.org/archive/index.php/t-53485.html

Spring Security 3.1.3 request querystring stripped

December 7, 2023 by Tarik

U can get it from SuccessHandler SecurityConfiguration class @Configuration @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired SuccessHandler getSuccessHandler; @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers(“/dashboard/**”, “/feedback/**” ).access(“hasRole(‘ROLE_SYSTEM_ADMIN’) or hasRole(‘ROLE_COMPANY_ADMIN’)”) .and().formLogin().loginPage(“/login”).successHandler(getSuccessHandler) .loginProcessingUrl(“/login”).usernameParameter(“ssoId”).passwordParameter(“password”) .and().csrf() .and().exceptionHandling().accessDeniedPage(“/Access_Denied”) .and() .sessionManagement().invalidSessionUrl(“/login”).maximumSessions(1).expiredUrl(“/login”).and().sessionAuthenticationErrorUrl(“/login”).sessionFixation().migrateSession() .sessionCreationPolicy(SessionCreationPolicy.ALWAYS); //always, IF_REQUIRED,never ,stateless http.logout() .logoutUrl(“/logout”) .logoutSuccessUrl(“/login”) .invalidateHttpSession(true) .permitAll(); } @Override public void configure(WebSecurity web) throws … Read more

Using multiple WebSecurityConfigurerAdapter in spring boot

December 5, 2023 by Tarik

Define a special interface public interface ServiceWebSecurityConfigurer { void configure(HttpSecurity http) throws Exception; } Then have just one ConfigurerAdapter: public class MyConfigurerAdapter extends WebSecurityConfigurerAdapter { @Autowired(required = false) ServiceWebSecurityConfigurer serviceSecConfig; public void configure(HttpSecurity http) throws Exception { http.authorizeRequests(). // whatever if (serviceSecConfig != null) serviceSecConfig.configure(http); http.authorizeRequests(). // whatever } } and then just implement ServiceWebSecurityConfigurer … Read more

Getting error org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named ‘springSecurityFilterChain’ is defined

December 4, 2023 by Tarik

From the DelegatingFilterProxy docs: Notice that the filter is actually a DelegatingFilterProxy, and not the class that will actually implement the logic of the filter. What DelegatingFilterProxy does is delegate the Filter’s methods through to a bean which is obtained from the Spring application context. This enables the bean to benefit from the Spring web … Read more

Spring Security @PreAuthorization pass enums in directly

December 4, 2023 by Tarik

Indeed you can implement a custom strongly typed security annotation, though this is rather bothersome. Declare your annotation enum Permission { USER_LIST, USER_EDIT, USER_ADD, USER_ROLE_EDIT } @Target(ElementType.METHOD) @Retention(RetentionPolicy.RUNTIME) @interface Permissions { Permission[] value(); } Declare the custom implementation of org.springframework.security.access.ConfigAttribute to be used by security pipeline class SecurityAttribute implements ConfigAttribute { private final List<Permission> permissions; … Read more

How can I prevent spring-security from appending ;jsessionid=XXX to login redirects?

December 4, 2023 by Tarik

In Spring Security 3.0.0 M1 or newer you could set disable-url-rewriting=”true” in the <http> namespace. See if that helps. Also see this feature request.

In Spring-Security with Java Config, why does httpBasic POST want csrf token?

December 3, 2023 by Tarik

CSRF protection is enabled by default with Java configuration. To disable it: @Configuration public class RestSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() …; } }

Spring security. How to log out user (revoke oauth2 token)

December 2, 2023 by Tarik

Here’s my implementation (Spring OAuth2): @Controller public class OAuthController { @Autowired private TokenStore tokenStore; @RequestMapping(value = “/oauth/revoke-token”, method = RequestMethod.GET) @ResponseStatus(HttpStatus.OK) public void logout(HttpServletRequest request) { String authHeader = request.getHeader(“Authorization”); if (authHeader != null) { String tokenValue = authHeader.replace(“Bearer”, “”).trim(); OAuth2AccessToken accessToken = tokenStore.readAccessToken(tokenValue); tokenStore.removeAccessToken(accessToken); } } } For testing: curl -X GET -H “Authorization: … Read more