spring-security

Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security

19 May 2022
@sjohnr-621e97856da0373984914e8a:gitter.im sjohnr (Steve Riesenberg) I believe you'll want to be using Spring Boot 2.7.0 to upgrade to the latest version of Spring Security. 22:15:51
20 May 2022
@secretx33-61fffd0c6da03739848fd3e3:gitter.im SecretX33 (SecretX33)

I saw that WebSecurityConfigurerAdapter was deprecated in Spring v2.7.0, and alongside it, the class HttpRequestResponseHolder, which was used in SecurityContextRepository.

After those changes, how can I respond to a request from inside a SecurityContextRepository (which was done previously by getting the response object from inside the request response holder)? I was using that to issue to clients a custom response when their token wasn't valid, or it was expired, etc.

03:35:12
@rots:matrix.org rots joined the room. 05:47:11
@kvadevack-5706795d187bb6f0eade54f2:gitter.im kvadevack (Martin Häger) Thanks for your help! Based on your feedback, I’m going with keeping the user session active and implementing the features needed to make that work (such as destroying the session when the user changes their password). 07:09:53
@kvadevack-5706795d187bb6f0eade54f2:gitter.im kvadevack (Martin Häger) *

Hello! I would like to avoid leaving a form login session open after an OAuth2 authorization code (spring-authorization-server) has been issued. Can I somehow hook into the /oauth2/authorize endpoint before it redirects back to the resource server and delete the session?

And is there a way to make this work with stateless session management? I’ve toyed with CookieRequestCache to keep track of where to go next, but I think I would need to call or do some sort of internal redirect back to spring-authorization-server within an authentication success handler so as to not lose track of the authentication?

So the chain would be:

GET /oauth2/authorize -> redirect to /login
GET /login
POST /login -> redirect to callback

rather than what's currently happening:

GET /oauth2/authorize -> redirect to /login
GET /login
POST /login -> redirect to /oauth2/authorize (authentication lost)
GET /oauth2/authorize -> 401 (callback never happens)

Any pointers would be much appreciated :).

07:09:53
@kvadevack-5706795d187bb6f0eade54f2:gitter.im kvadevack (Martin Häger) I’ve accepted and upvoted your SO answer. 07:10:00
@hubertlapsa-627916bc6da0373984962b5a:gitter.im hubertlapsa (hubertlapsa) I can't use this because I'm using webclient instead of resttemplate. 08:01:44
@theexiile1305:matrix.org theexiile1305
In reply to @sjohnr-621e97856da0373984914e8a:gitter.im
I believe you'll want to be using Spring Boot 2.7.0 to upgrade to the latest version of Spring Security.
Thank you very much. It helps!
08:44:41
@jernejcvek_gitlab-5efdb71cd73408ce4fe88178:gitter.im jernejcvek_gitlab (Jernej Cvek) joined the room. 13:27:18
@jernejcvek_gitlab-5efdb71cd73408ce4fe88178:gitter.im jernejcvek_gitlab (Jernej Cvek) I noticed that in February, the Keycloak team announced they are deprecating most Keycloak adapters, including Spring Security and Spring Boot adapters. So it means that keycloak-spring-security-adapter, which is also used by keycloak-spring-boot-starter, is being deprecated by the end of 2022. What are the best alternatives? To continue using newer versions of Keycloak with your own integration or move to other solutions, for example Spring Authorization Server? In the latter case, is it ready for use in production? Thanks in advance. 13:27:19
@psevestre:matrix.org psevestre I've been using the standard OIDC/OAuth Spring Security modules with Keycloak without issues 13:51:31
@californiato22:matrix.org californiato22 joined the room. 14:03:56
@sjohnr-621e97856da0373984914e8a:gitter.im sjohnr (Steve Riesenberg) Sorry about that, I didn't realize. Here's the same chapter using the reactive APIs https://docs.spring.io/spring-security/reference/reactive/oauth2/client/authorization-grants.html#_refreshing_an_access_token 14:54:02
@sjohnr-621e97856da0373984914e8a:gitter.im sjohnr (Steve Riesenberg) And you can scroll down a bit or here's a link to the section on customizing WebClient: https://docs.spring.io/spring-security/reference/reactive/oauth2/client/authorization-grants.html#_customizing_the_webclient_2 14:55:43
21 May 2022
@sfgvieira-619cde796da03739848b226f:gitter.im sfgvieira (sfgvieira) joined the room. 22:03:42
@sfgvieira-619cde796da03739848b226f:gitter.im sfgvieira (sfgvieira) Hi,
I have a project where I don't explicitly create a bean for ReactiveJwtDecoder and instead make use of the default one provided by Spring Boot, which uses the configuration I set in my properties file. Since I upgraded to the latest Spring Boot version (2.7.0) I noticed that in another class where I am using @Autowired ReactiveJwtDecoder, IntelliJ tells me that it can't find any bean for autowire. From what I could make sense of, in the new version the default bean seems to be lazily initialized by SupplierReactiveJwtDecoder. Everything still works fine at runtime, but I was wondering, does this change mean that it is recommended to explicitly declare a bean for the ReactiveJwtDecoder instead of making use of the default one?
22:03:43
@diem-vu-628965c96da037398496ddc7:gitter.im Diem-Vu (Diem-Vu) joined the room. 22:22:56
@diem-vu-628965c96da037398496ddc7:gitter.im Diem-Vu (Diem-Vu) I always got "Bad Credential". Can someone give me a solution? 22:25:50
22 May 2022
@thuc28_twitter-628a3eb86da037398496e512:gitter.im thuc28_twitter (Thuc Le) joined the room. 13:57:27
@thuc28_twitter-628a3eb86da037398496e512:gitter.im thuc28_twitter (Thuc Le) Do you use the default Spring login page or your custom one? 13:57:29
23 May 2022
@hubertlapsa-627916bc6da0373984962b5a:gitter.im hubertlapsa (hubertlapsa) Thanks for the reply, it looks good :) 06:59:03
@chaluparska40:midov.pl joined the room. 11:18:28
@chaluparska40:midov.pl Hello, is there a general Spring room? 11:18:40
@chaluparska40:midov.pl left the room. 17:20:09
