Sender | Message | Time |
---|---|---|
17 Jan 2023 | ||
You can provide the following bean:
See Configuration Authorization Server Settings in the reference. | 20:24:30 | |
I'm glad you got it working. I think some context is missing. @sjohnr mentioned that you can publish a bean, which seems straightforward, yet you are saying "should not be this difficult". Did publishing a bean not work? Happy to help figure out if it's a bug or if there is something else getting in the way. | 22:41:40 | |
19 Jan 2023 | ||
Hey! I just wanted to have a look into the upcoming features & the current progress (Spring Authorization Server) on ZenHub but I'm not allowed to access the board. What do I have to do to access the board? | 10:34:41 | |
20 Jan 2023 | ||
Hi! I am updating an application with custom SpEL methods from Spring Security 5.7 to 6. The custom SpEL method was implemented using these classes:
When updating to Spring Security 6 I replaced the CustomSecurityExpressionRoot with a custom AuthorizationManager. | 13:20:33 | |
This is a good question, and one that perhaps would be worth reiterating on StackOverflow if we find a good answer for you (assuming it hasn't already been asked/answered). First, I would recommend considering a thorough review of the 5.8 migration guide, specifically the authorization section. Often, it is easier to take a 5.7 release, upgrade it to 5.8, and only work on migrating one aspect of your application at a time using the steps outlined in the guide. The 5.8 release was designed specifically for helping you migrate to 6.0 one piece at a time. It sounds like you aren't struggling with this, but I thought I'd mention it in case you weren't aware. Second, check out the Customizing Authorization section of the Method Security chapter. After enabling method security (
Note: Per the docs, the | 17:31:52 | |
23 Jan 2023 | ||
Hi @sjohnr, thanks for your reply. I think my question wasn't worded very precisely. As mentioned, I already implemented a custom MethodSecurityExpressionHandler and I can use the custom method in SpEL in annotations. But I wonder if there is a way or an implementation advice to reuse the implementation of the AuthorizationManager for method security annotations? Otherwise I have a lot of boilerplate code to support custom methods for SpEL, that can be used in annotations or in the security config via static helper methods. | 11:57:34 | |
I see @marbon87. Just below in the chapter I linked in the reference docs, you see Custom Authorization Managers which does talk about this topic. In this case, you would have two different types of I could be wrong, but I think supporting a custom | 17:14:32 | |
24 Jan 2023 | ||
HttpSecurity provides convenient methods for applying configurers like HttpBasicConfigurer, OAuth2ClientConfigurer and so on. I have a pre-authenticated scenario where the already existing class RequestHeaderAuthenticationFilter fits very well. But I wondered why there is no official convenient configurer for this (common?) scenario. So I would be happy to implement it. Do you think this is a good idea and it would be well received by the community, so it's worth the effort? In this case, do you have any comments on where I should start and what to look for? I would be very happy to contribute. Kind regards! | 09:58:49 | |
25 Jan 2023 | ||
Thanks for your willingness to contribute! We add things into the DSL reluctantly because we are aware of its learning curve. Unless something is a lot easier to configure with the DSL, then we leave it out. It seems to me that | 00:55:01 | |
I was looking at @wimdeblauwe's new blog post https://www.wimdeblauwe.com/blog/2023/01/24/using-google-login-with-spring-boot-3-and-thymeleaf/ and I couldn't find straightforward resources on how this works under the covers. How does Spring Security handle OAuth token refreshes? How are the Thymeleaf sessions and the tokens correlated? I assume adding security makes my Thymeleaf application stateful, how do I handle scaling my application? I might be completely missing the ball on the mental model I've created in my head, I apologise if I'm on the wrong track. | 10:15:39 | |
@jzheaux Thanks for the reply! Actually I had a hard time creating this filter, because it has the mandatory requirement for the AuthenticationManager, but the WebSecurityConfigurerAdapter is deprecated. So it's a little more than just two setters. The only way I could solve the problem was to implement a Configurer, for which I had to dive into the source code of similar configurers. Another downside is that you cannot simply implement the AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> as a Bean, it is not automatically picked up by the PreAuthenticatedAuthenticationProvider. So my point of view (based on my recent first experience in using this feature) is that it's quite fiddly without HttpSecurity providing an implementation. | 11:05:41 | |
26 Jan 2023 | ||
Hi @marbon87, I think the discussion in this ticket might help you as well: spring-projects/spring-security#12331 | 14:26:25 | |
Hi, a good read on the OAuth2 Login section in Spring Security docs might give you an idea of how it works. After the reading you can ask more specific questions that are easier to explain here https://docs.spring.io/spring-security/reference/servlet/oauth2/login/index.html | 14:29:46 | |
Thanks for answering. I understand how OAuth works in a stateless setup. I'm trying to figure out how this correlates to session IDs and how to handle scaling in this context with Thymeleaf. | 23:14:08 | |
30 Jan 2023 | ||
My guess is that you should use Spring Session (https://docs.spring.io/spring-session/reference/index.html) if you want to handle scaling. But I have not used it myself yet. | 09:20:52 |