
spring-security

2140 Members
Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security

18 Dec 2020
@gitter_jzheaux:matrix.org Josh Cummings (Gitter) If `cognitoConfig` gives you the issuer, you can instead do `JwtValidators.createDefaultWithIssuer(cognitoConfig.issuerUrl)`, and that will give you issuer validation as well. 15:48:09
@gitter_jzheaux:matrix.org Josh Cummings (Gitter) Your `RSocketSecurity.JwtSpec` config would then change to `jwt { }` 15:50:23
@gitter_jzheaux:matrix.org Josh Cummings (Gitter) Regarding the sample, I was able to get it to work with some tweaks to the client code. I submitted a pull request, and we can chat over there if you like: https://github.com/Braffolk/spring-rsocket-stream-security-issue/pull/1 15:52:24
@gitter_jzheaux:matrix.org Josh Cummings (Gitter) @guibernardi I wonder if the right component for you is `OAuth2UserService`, which is intended for OAuth 2.0 UserInfo endpoints. 21:56:15
@gitter_guibernardi:matrix.org Guilherme Bernardi (Gitter) You're right about that, my resource server will use oauth2-client.
I created some tests here based on the sample for migration, but I'm having trouble with how to configure my clientRepository so that every time my Resource Server receives a request with a Bearer Token, it calls the "fake auth-server" to validate the token and return. 21:56:15
@gitter_guibernardi:matrix.org Guilherme Bernardi (Gitter) I'm trying to search, but I didn't find how I could do this.
My resource server is always calling the authorization-uri, and I didn't find in this fake auth-server how I could return the user data and catch it. 21:57:35
19 Dec 2020
@gitter_marzelwidmer:matrix.org Marcel Widmer (Gitter) joined the room. 12:55:55
@gitter_marzelwidmer:matrix.org Marcel Widmer (Gitter) Hello, I am searching for a sample of best practice for just JWT validation and basic security configuration, without `oauth2ResourceServer`; at the moment we don't have any Resource Server in place. I'm not sure if this is really the smallest way:

```kotlin
// Standard Spring Boot / Spring Security imports for the symbols used below.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest
import org.springframework.boot.actuate.health.HealthEndpoint
import org.springframework.boot.actuate.info.InfoEndpoint
import org.springframework.boot.autoconfigure.security.SecurityProperties
import org.springframework.boot.context.properties.EnableConfigurationProperties
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.http.SessionCreationPolicy.STATELESS
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
// JwtSecurityProperties, JwtTokenFilter, JwtTokenVerifier, ROLE_USER, ROLE_ADMIN and
// ROLE_ACTUATOR are the poster's own classes and constants and are not shown here.

@Configuration
@EnableConfigurationProperties(JwtSecurityProperties::class, SecurityProperties::class)
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true)
class SecurityConfiguration(
    private val jwtSecurityProperties: JwtSecurityProperties,
    private val securityProperties: SecurityProperties
) : WebSecurityConfigurerAdapter() {

    companion object {
        private val API_DOCUMENT = "/api/document/**"
        private val API_SALARY = "/api/salary/**"
        private val FAKE_TOKEN = "/faketoken/**"
    }

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        // Let child threads inherit the SecurityContext of the request thread.
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL)

        http
            // disable default security
            .httpBasic().and()
            .formLogin().disable()
            .logout().disable()
            .csrf().disable()
            // Custom JWT filter runs before the username/password filter.
            .addFilterBefore(JwtTokenFilter(JwtTokenVerifier(jwtSecurityProperties)), UsernamePasswordAuthenticationFilter::class.java)
            .sessionManagement().sessionCreationPolicy(STATELESS).and()
            .securityContext().disable()
            .authorizeRequests()
            .antMatchers(FAKE_TOKEN).permitAll()
            .antMatchers(API_DOCUMENT).hasAnyAuthority(ROLE_USER)
            .antMatchers(API_SALARY).hasAnyAuthority(ROLE_ADMIN)
            // Actuator: health and info are public, everything else needs an admin role.
            .requestMatchers(EndpointRequest.to(HealthEndpoint::class.java, InfoEndpoint::class.java)).permitAll()
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasAnyRole(*getAdminRoles(securityProperties).toTypedArray())
    }

    private fun getAdminRoles(securityProperties: SecurityProperties) =
        if (securityProperties.user.roles.isNotEmpty()) securityProperties.user.roles else listOf(ROLE_ACTUATOR)
}
```

12:55:55
@gitter_marzelwidmer:matrix.org Marcel Widmer (Gitter) (edited) the body of `configure` was changed to the following (the `httpBasic`, `formLogin`, `logout`, `csrf` and `securityContext` lines were dropped):

```kotlin
SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL)
http
    .addFilterBefore(JwtTokenFilter(JwtTokenVerifier(jwtSecurityProperties)), UsernamePasswordAuthenticationFilter::class.java)
    .sessionManagement().sessionCreationPolicy(STATELESS).and()
    .authorizeRequests()
    .antMatchers(FAKE_TOKEN).permitAll()
    .antMatchers(API_DOCUMENT).hasAnyAuthority(ROLE_USER)
    .antMatchers(API_SALARY).hasAnyAuthority(ROLE_ADMIN)
    .requestMatchers(EndpointRequest.to(HealthEndpoint::class.java, InfoEndpoint::class.java)).permitAll()
    .requestMatchers(EndpointRequest.toAnyEndpoint()).hasAnyRole(*getAdminRoles(securityProperties).toTypedArray())
```

12:58:54
@gitter_azizkhani:matrix.org Ali Akbar Azizkhani (Gitter) joined the room. 16:35:01
@gitter_azizkhani:matrix.org Ali Akbar Azizkhani (Gitter) Hi all, how do I set my UserDetails as the principal in oauth2Login after login success? 16:35:02
@gitter_albass18:matrix.org Alba (Gitter) Okay. I will change it. Thank you very much. Greetings! 17:00:02
@gitter_guibernardi:matrix.org Guilherme Bernardi (Gitter) I don't know if I misunderstood or I'm doing something wrong, but in my "protected resource" (oauth2-client) I declare:

```yaml
provider:
  delegator:
    user-info-uri: http://localhost:9999/uaa/resource
    authorization-uri: http://localhost:9999/uaa/resource
    token-uri: http://localhost:9999/uaa/foo
```

18:31:06
@gitter_guibernardi:matrix.org Guilherme Bernardi (Gitter) I set up my config as:

```java
http
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .oauth2Login()
        .userInfoEndpoint()
            .userService(customOAuth2UserService())
            .oidcUserService(oidcUserService())
            .userAuthoritiesMapper(userAuthoritiesMapper());
```

I tried with both oidc and userService.

18:31:52
@gitter_guibernardi:matrix.org Guilherme Bernardi (Gitter) But when I request with a Bearer Token the project always calls the `authorization-uri` instead of `user-info-uri` 18:32:38
@gitter_guibernardi:matrix.org Guilherme Bernardi (Gitter) (edited) the provider block above was changed to:

```yaml
provider:
  delegator:
    user-info-uri: http://localhost:9999/uaa/me
    authorization-uri: http://localhost:9999/uaa/auth
    token-uri: http://localhost:9999/uaa/foo
```

18:33:35
@gitter_guibernardi:matrix.org Guilherme Bernardi (Gitter) What am I missing? I followed the docs to create the WebClientConfig and the custom UserServices. 18:35:30