!tyUkzuxcwjMphNuxek:matrix.org

spring-security

Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security

29 Mar 2021
nightswimmings (@nightswimmings-596546bed73408ce4f6cb2db:gitter.im)

What is the preferred library for validating JWS tokens when using Boot with Security? Looks like the convention fight is between auth0/java-jwt and jjwt, but I found a security package (org.springframework.security.oauth2.jwt) that seems to include support for it, based on the Nimbus implementation. I am a bit confused. Where can I find that library? Why is it not in the security core? Should I use it in a microservice that does use JWT but not OAuth? And why is this JWT/JWS implementation preferred over the other 2? (Apologies for that many questions.) I feel like a library like that should come built-in, and even autoconfigured, so maybe auth0/java-jwt would be the default implementation if the others are not on the classpath, provided it seems like the one designed by experts with security in mind, and the most widely used from a quick Google search, but I am not proficient in this so I would like to understand the reasons behind the current distribution

22:01:38
nightswimmings (@nightswimmings-596546bed73408ce4f6cb2db:gitter.im)

By "core" I meant the security-core library, but I guess it makes no sense to embed these features into the package.

22:01:39
nightswimmings (@nightswimmings-596546bed73408ce4f6cb2db:gitter.im)

Amazing, thanks!

22:09:09
nightswimmings (@nightswimmings-596546bed73408ce4f6cb2db:gitter.im)

I am really sorry for being that overwhelming :p but there are things I cannot find in the documentation. My last question, I hope. I am using the oauth2-resource-server Boot starter. What exactly is the difference between BearerTokenAuthentication and JwtTokenAuthentication? Why do their respective converters (at least the Bearer one) not set DefaultOidcUser/DefaultOAuth2User as Principal?

22:13:34
30 Mar 2021
Sudhakar (@sudhakarbetha-5c5873b7d73408ce4fb6db0f:gitter.im) joined the room. 17:18:16
Sudhakar (@sudhakarbetha-5c5873b7d73408ce4fb6db0f:gitter.im)

Maybe a thorough reading of this will help:
https://docs.spring.io/spring-security/site/docs/5.4.5/reference/html5/#oauth2resourceserver

https://docs.spring.io/spring-security/site/docs/5.4.5/reference/html5/#oauth2resourceserver-jwt-architecture

17:18:16
nightswimmings (@nightswimmings-596546bed73408ce4f6cb2db:gitter.im)

Wow, thanks! Couldn't find it through Google, and as the Spring documentation works by unfolding, a Ctrl+F is not useful either!

21:16:43
31 Mar 2021
siva2018 (@siva2018:matrix.org) joined the room. 17:47:35
1 Apr 2021
Francis (@francis-a-5739a97ac43b8c60197329d9:gitter.im) joined the room. 07:05:50
Francis (@francis-a-5739a97ac43b8c60197329d9:gitter.im)

Hey everyone, I'm working through a Spring Security 5 OAuth2 migration. I'm wondering if there is a replacement for the now removed OAuth2ExceptionRenderer, or if there is any other kind of guide related to what kind of exception handlers I should be registering as a replacement.

07:05:51
nightswimmings (@nightswimmings-596546bed73408ce4f6cb2db:gitter.im)

I threw this question: https://stackoverflow.com/questions/66896149/does-oauth-and-oidc-make-sense-in-a-scenario-when-you-need-single-sign-on-on-a-m#66909848, because spring-boot-starter-oauth2-resource-server totally fits my needs but somehow I feel like I'm tricking the OAuth protocol. Would it make sense to split the functionality of the aforementioned starter into CAS + OAuth starters? I mean, the whole JWT decoding autoconfig thing is really useful even if one is not using pure OAuth.

22:16:24
3 Apr 2021
Zakaria Amine (@zak905-57c1d2d040f3a6eec061a234:gitter.im) joined the room. 14:14:03
Zakaria Amine (@zak905-57c1d2d040f3a6eec061a234:gitter.im)

Hello everyone, in Expression-Based Access Control, is it possible to refer to the request body as an expression argument? I know it's possible to refer to the path variable, but there is nothing that mentions the request body.

14:14:04
Zakaria Amine (@zak905-57c1d2d040f3a6eec061a234:gitter.im)

I ended up using @PreAuthorize, which allows access to the controller method args. It's also possible to use access() in HttpSecurity and pass the HttpServletRequest as an argument. I did not want to read the body from the HttpServletRequest, which seems like a tedious thing to do.

16:51:24
6 Apr 2021
Ben Siegler (@bs321_gitlab-606ba7a36da0373984795e2d:gitter.im) joined the room. 00:22:26
Ben Siegler (@bs321_gitlab-606ba7a36da0373984795e2d:gitter.im)

Hey everyone,
I've been working on creating an OTP/2FA solution for spring boot projects. I've been putting some thought into it and think I have a pretty good structure, but before I keep working I think some input from others would be good. I'm also wondering how much of a demand there is for something like this.

At this point I've got a 2FA filter (a child of AbstractAuthenticationProcessingFilter) down and a configuration looking something like this:

protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .cors().disable()
                .twoFactorLogin()
                .sendStrategy(new AwsEmailSendStrategy())
                .loginPage("/login").permitAll()
                .codeService()
                    .inMemoryRepository(cache)
                    .generationStrategy(new SixDigitAuthCodeGenerationStrategy())
                    .expirationTime(45000)
                    .and()
                .twoFactorRedirectUrl("/2FA")
                .twoFactorProcessingUrl("/2FA/authenticate")
                .failureUrl("/login?error=true")
                .twoFactorFailureUrl("/2FA?error=true")
                .defaultSuccessUrl("/")
                .userDetailsService(userDetailService)
                .and()
                .logout().permitAll()
                .and()
                .authorizeRequests()
                .anyRequest().authenticated();
}
00:22:27
8 Apr 2021
naturzukunft (@naturzukunft:matrix.org) joined the room. 13:08:36
naturzukunft (@naturzukunft:matrix.org)

Hi all, I'm trying to find a simple working example for testing with WebTestClient. My test is working now, with a very basic security setting, but without authentication. Now I have to test whether the principal exists and ...

Therefore in my controller I get the principal with:

ReactiveSecurityContextHolder.getContext()
		.map(SecurityContext::getAuthentication)
		.map(Principal::getName)

I found this: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#test-webtestclient

// static imports the snippet relies on (WebFlux variants from spring-security-test and spring-webflux)
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;
import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;

@Before
    public void setup() {
        this.rest = WebTestClient
            .bindToApplicationContext(this.context)
            // add Spring Security test Support
            .apply(springSecurity())
            .configureClient()
            .filter(basicAuthentication())
            .build();
    }

and I found out that I am very annoyed when I find code examples with static imports, but the imports are not included in the example.
Searching again... and found: SecurityMockMvcConfigurers.springSecurity(), but I'm not testing MVC, so this seems to be wrong. And my apply method didn't accept SecurityMockMvcConfigurers.springSecurity() anyway.

So please redeem me with a beautiful example ;-)
Thanks a lot

13:19:10
