
spring-security

Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security



23 Sep 2022
brankoiliccc (Branko Ilic) Then you need to implement the PermissionEvaluator interface and hook it into MethodSecurityExpressionHandler like this 11:01:26
brankoiliccc (Branko Ilic)

import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    // application-specific PermissionEvaluator bean, injected through the Lombok-generated constructor
    private final ABACPermissionEvaluator abacPermissionEvaluator;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        // set custom permission evaluator for hasPermission expressions
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(abacPermissionEvaluator);
        return handler;
    }
}

11:01:32
mrpubnight_gitlab (Stephan R) joined the room. 13:53:54
mrpubnight_gitlab (Stephan R)

Apologies for the cross post but struggling to find an answer:

Wondering if it is possible to "mix" multiple OAuth flows on the same Gateway for different routes. Specifically I was wondering if we could use the authorization flow for interactive users (human) and resource server flow for service-to-service interactions on API routes?

13:53:55
poklakni (Dominik Kovács) joined the room. 15:29:34
poklakni (Dominik Kovács) after upgrade from springboot 3.0.0-M4 to M5 (includes promotion of spring security to 6.0.0-M7) my app fails with the error 'package com.nimbusds.jose.shaded.json does not exist.' I believe it was included in org.springframework.security:spring-security-oauth2-jose. Can you help me resolve this? I couldn't find any mention in release notes about this. 15:29:34
sjohnr (Steve Riesenberg) You may also be interested in looking into support enabled via @EnableMethodSecurity which was added in 5.6. With it, you can use the AuthorizationManager interface to more easily customize authorization. 21:09:33
sjohnr (Steve Riesenberg)

We don't currently have a guide for how to do this, but there are a number of approaches. I would recommend starting small and simply creating a custom endpoint in a @RestController to do this. You can publish an @Bean of type AuthenticationManager and configure a DaoAuthenticationProvider with a UserDetailsService and PasswordEncoder like this:

@Bean
public AuthenticationManager authenticationManager(
        UserDetailsService userDetailsService,
        PasswordEncoder passwordEncoder) {
    DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
    authenticationProvider.setUserDetailsService(userDetailsService);
    authenticationProvider.setPasswordEncoder(passwordEncoder);

    return new ProviderManager(authenticationProvider);
}

Which can be used like this:

authenticationManager.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));

You may also be interested in the AuthenticationFilter, which is very flexible, and can be added as a filter via:

http.addFilterAfter(new AuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class)
21:21:50
sjohnr (Steve Riesenberg) Hi @Yneth! We're currently working on the Spring Security 6.0 release in November as well as Spring Authorization Server 1.0. SAS is looking pretty good in terms of features. The most important thing you could do to help right now is pull in the last milestone (1.0.0-M2) and try using it in a project. Always make sure to start from a known working project though. See the samples. If you find any genuine bugs, let us know! 21:33:37
sjohnr (Steve Riesenberg) Also, you can find links to each version of the docs here. 21:34:37
sjohnr (Steve Riesenberg) We ran into the same thing (spring-projects/spring-security@fee1ffa) when upgrading. I believe you can simply change your imports as in the above commit. 21:38:38
sjohnr (Steve Riesenberg) See the docs for Multiple filter chains for an example of how to configure different security requirements for different paths/url-patterns. You would just define an api path, e.g. /api/** for your resource server configuration, and everything else would be your user configuration. 21:44:08
24 Sep 2022
Yneth (Anthony Bondarenko)

thanks, will check.
I am more interested in production-readiness features like:
logging, metrics, etc.

also I'd like to see some kind of hooks that allow injecting custom code into existing filters

examples:

  • add session initiation on /oauth/token but before token creation.
    as of right now I have to create the session in OAuthTokenGenerator

  • add custom validation on pre/post login.
    for example: I would like to let my user connect via facebook and then validate and forbid further steps by IP or country, for example

08:09:34
poklakni (Dominik Kovács) perfect, thanks 16:59:53
25 Sep 2022
ShehanMaduwantha (ShehanMaduwantha) Thank you very much for the reply!
I managed to customize form login to return HTTP status responses and to accept POST requests. I'll add the code below
07:47:10
ShehanMaduwantha (ShehanMaduwantha)

import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.ServerAuthenticationEntryPointFailureHandler;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import reactor.core.publisher.Mono;

@Bean
public SecurityWebFilterChain webFilterChain(ServerHttpSecurity http) {
    return http
            // CSRF protection is switched off for the whole chain
            .csrf(csrf -> csrf.disable())
            .authorizeExchange(authorize -> authorize
                    .pathMatchers("/signup").permitAll()
                    .anyExchange().authenticated())
            .formLogin(customizer -> customizer
                    // on success, answer 200 with an empty body instead of redirecting
                    .authenticationSuccessHandler((webFilterExchange, authentication) -> {
                        webFilterExchange.getExchange().getResponse().setStatusCode(HttpStatus.OK);
                        return Mono.empty();
                    })
                    // on bad credentials, answer 400 instead of redirecting back to the login page
                    .authenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(
                            new HttpStatusServerEntryPoint(HttpStatus.BAD_REQUEST)))
                    // an unauthenticated request to a protected exchange gets 404
                    .authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.NOT_FOUND))
                    // only POST /auth/login is treated as a login attempt
                    .requiresAuthenticationMatcher(
                            new PathPatternParserServerWebExchangeMatcher("/auth/login", HttpMethod.POST)))
            .build();
}

07:49:19
ShehanMaduwantha (ShehanMaduwantha) I think I can improve the onAuthenticationSuccess() implementation further. Let me know if this approach is acceptable 07:50:19
26 Sep 2022
sjohnr (Steve Riesenberg) Apologies, I missed the webflux part of your message. Yes, if you are only interested in customizing responses, you can do something like that. Generally, 400 and 404 are not status codes used for authentication, but the customization options are there for this just as you have in your example. 14:38:02
ShehanMaduwantha (ShehanMaduwantha) Thank you very much for the information. Which status codes should I use for authentication? I'm a newbie in making REST APIs 17:10:22
27 Sep 2022
mrpubnight_gitlab (Stephan R)

Thanks @sjohnr. I have in fact tried this and it doesn't seem to work for me, which I'll attribute to what is likely an error on my side. I think what's happening is that my user configuration is more aggressive and "overriding" the api. Changing the order of my Beans doesn't make a difference as I'm guessing the "anyExchange().authenticated()" is what is preventing the api config from kicking in.

```kotlin
@Bean
@Order(2)
fun securityWebFilterChain_Api(http: ServerHttpSecurity, sessionProperties: SessionProperties): SecurityWebFilterChain {
    // no securityMatcher(...) is configured, so this chain is offered every exchange, not only /api/**
    http
        .authorizeExchange()
            .pathMatchers("/api/**").authenticated()
            .and()
        .oauth2ResourceServer()
            .jwt()

    return http.build()
}

@Bean
@Order(1)
fun securityWebFilterChain_User(http: ServerHttpSecurity, sessionProperties: SessionProperties): SecurityWebFilterChain {
    // also has no securityMatcher, so with @Order(1) it is consulted first for every request
    http
        .authorizeExchange()
            .pathMatchers("/management/health").permitAll()
            .anyExchange().authenticated()
            .and()
        .oauth2Login()
            .and()
        .oauth2Client()
            .and()
        .logout()

    return http.build()
}
```

14:37:23
cruzatadelacruzc (Cesar Manuel Cruzata De la Cruz)

@cruzatadelacruzc, you can navigate the browser to the authorization request base uri to initiate the flow again. For example, if your {registrationId} is keycloak, redirect the user to /oauth2/authorization/keycloak.

I adjusted your suggestion and worked very well.

18:43:20
cruzatadelacruzc (Cesar Manuel Cruzata De la Cruz) I only set the Base URL parameter [http://base-url-app/oauth2/authorization/login-client] in the Client used by the app in the authentication and authorization flow, which allows showing the Back button in the profile screen and thus redirecting the user to the authorization flow 19:08:17
