!tyUkzuxcwjMphNuxek:matrix.org

spring-security

289 Members
Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security

17 Jan 2023
@sjohnr-621e97856da0373984914e8a:gitter.im sjohnr (Steve Riesenberg)

You can provide the following bean:

    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        // Overrides the default token endpoint path (/oauth2/token)
        return AuthorizationServerSettings.builder()
                .tokenEndpoint("/whatever/oauth2/token")
                .build();
    }

See Configuration Authorization Server Settings in the reference.

20:24:30
@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im jzheaux (Josh Cummings) I'm glad you got it working. I think some context is missing. @sjohnr mentioned that you can publish a bean, which seems straightforward, yet you are saying "should not be this difficult". Did publishing a bean not work? Happy to help figure out if it's a bug or if there is something else getting in the way. 22:41:40
18 Jan 2023
@brlafreniere-57bfb3ad40f3a6eec06164ae:gitter.im brlafreniere (Blaine Lafreniere) joined the room. 17:35:56
19 Jan 2023
@chr3is-5d1b222bd73408ce4fc50add:gitter.im Chr3is (Chr3is) joined the room. 10:33:57
@chr3is-5d1b222bd73408ce4fc50add:gitter.im Chr3is (Chr3is) Hey! I just wanted to have a look into the upcoming features & the current progress (spring authorization server) on zenhub but I'm not allowed to access the board. What do I have to do to access the board? 10:34:41
20 Jan 2023
@marbon87-5622625a16b6c7089cb756db:gitter.im marbon87 (Mark Bonnekessel) joined the room. 13:20:32
@marbon87-5622625a16b6c7089cb756db:gitter.im marbon87 (Mark Bonnekessel)

Hi! I am updating an application with custom SpEL methods from Spring Security 5.7 to 6.
The custom method is used in annotations (@PreAuthorize) and in the security config with .antMatcher(...).access(...)

The custom SpEL method was implemented using these classes:

  • CustomSecurityExpressionRoot extends WebSecurityExpressionRoot
  • CustomWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler
  • SecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler

When updating to Spring Security 6 I replaced the CustomSecurityExpressionRoot with a custom AuthorizationManager.
I can use this via static helper methods in the security config. But what has to be done to make it usable in a SpEL string in @PreAuthorize?

13:20:33
@sjohnr-621e97856da0373984914e8a:gitter.im sjohnr (Steve Riesenberg)

This is a good question, and one that perhaps would be worth reiterating on StackOverflow if we find a good answer for you (assuming it hasn't already been asked/answered).

First, I would recommend considering a thorough review of the 5.8 migration guide, specifically the authorization section. Often, it is easier to take a 5.7 release, upgrade it to 5.8, and only work on migrating one aspect of your application at a time using the steps outlined in the guide. The 5.8 release was designed specifically for helping you migrate to 6.0 one piece at a time. It sounds like you aren't struggling with this, but I thought I'd mention it in case you weren't aware.

Second, check out the Customizing Authorization section of the Method Security chapter. After enabling method security (@EnableMethodSecurity), you can register your MethodSecurityExpressionHandler as an @Bean, as in:

    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
        // return your custom DefaultMethodSecurityExpressionHandler subclass here
        // ...
    }

Note: Per the docs, the static is important for ordering.

17:31:52
23 Jan 2023
@marbon87-5622625a16b6c7089cb756db:gitter.im marbon87 (Mark Bonnekessel)

Hi @sjohnr,

Thanks for your reply. I think my question wasn't worded very precisely.

As mentioned, I already implemented a custom MethodSecurityExpressionHandler and I can use the custom method in SpEL in annotations.

But I wonder if there is a way or an implementation advice to reuse the implementation of the AuthorizationManager for method security annotations? Otherwise I have a lot of boilerplate code to support custom methods for SpEL that can be used in annotations or in the security config via static helper methods.

11:57:34
@sjohnr-621e97856da0373984914e8a:gitter.im sjohnr (Steve Riesenberg)

I see @marbon87. Just below in the chapter I linked in the reference docs, you see Custom Authorization Managers which does talk about this topic.

In this case, you would have two different types of AuthorizationManagers, one for requests, another for method security. They take different parameters since the method security one operates on a MethodInvocation. Additionally, replacing the @PreAuthorize handling would disable SpEL support, unless you work to support it AND your custom implementation. So while it's possible, I think it has tradeoffs to consider.

I could be wrong, but I think supporting a custom MethodSecurityExpressionHandler is still worthwhile if you plan to use @PreAuthorize often. Hopefully, I'm not missing any detail here.

17:14:32
@bjoernebner-63cebf206da0373984bd655c:gitter.im bjoernebner (bjoernebner) joined the room. 17:24:47
24 Jan 2023
@bjoernebner-63cebf206da0373984bd655c:gitter.im bjoernebner (bjoernebner) HttpSecurity provides convenient methods for applying configurers like HttpBasicConfigurer, OAuth2ClientConfigurer and so on. I have a pre-authenticated scenario where the already existing class RequestHeaderAuthenticationFilter fits very well. But I wondered why there is no official convenient configurer for this (common?) scenario. So I would be happy to implement it. Do you think this is a good idea and it would be well received by the community, so it's worth the effort? In this case, do you have any comments on where I should start and what to look for? I would be very happy to contribute. Kind regards! 09:58:49
25 Jan 2023
@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im jzheaux (Josh Cummings)

Thanks for your willingness to contribute!

We add things into the DSL reluctantly because we are aware of its learning curve. Unless something is a lot easier to configure with the DSL, then we leave it out. It seems to me that RequestHeaderAuthenticationFilter has two setters and otherwise is pretty easy to drop into .addFilterAt, so I'd personally lean against adding it.

00:55:01
@stevenvanophem_twitter-63d0ffe76da0373984bd7440:gitter.im stevenvanophem_twitter (Steven Van Ophem) joined the room. 10:15:39
@stevenvanophem_twitter-63d0ffe76da0373984bd7440:gitter.im stevenvanophem_twitter (Steven Van Ophem) I was looking at @wimdeblauwe 's new blog post https://www.wimdeblauwe.com/blog/2023/01/24/using-google-login-with-spring-boot-3-and-thymeleaf/ and I couldn't find straightforward resources on how this works under the covers. How does Spring Security handle OAuth token refreshes? How are the Thymeleaf sessions and the tokens correlated? I assume adding security makes my Thymeleaf application stateful; how do I handle scaling my application? .. I might be completely missing the ball on the mental model I've created in my head, I apologise if I'm on the wrong track. 10:15:39
@bjoernebner-63cebf206da0373984bd655c:gitter.im bjoernebner (bjoernebner) @jzheaux Thanks for the reply! Actually I had a hard time creating this filter, because it has the mandatory requirement for the AuthenticationManager, but the WebSecurityConfigurerAdapter is deprecated. So it's a little more than just two setters. The only way I could solve the problem was to implement a Configurer, for which I had to dive into the source code of similar configurers. Another downside is that you cannot simply implement the AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> as a Bean; it is not automatically picked up by the PreAuthenticatedAuthenticationProvider. So my point of view (based on my recent first experience in using this feature) is that it's quite fiddly without HttpSecurity providing an implementation. 11:05:41
26 Jan 2023
@marcusdacoregio-570e9e8b187bb6f0eadf4f14:gitter.im marcusdacoregio (Marcus Hert Da Corégio) Hi @marbon87, I think the discussion in this ticket might help you as well: spring-projects/spring-security#12331 14:26:25
@marcusdacoregio-570e9e8b187bb6f0eadf4f14:gitter.im marcusdacoregio (Marcus Hert Da Corégio) Hi, a good read on the OAuth2 Login section in Spring Security docs might give you an idea of how it works. After the reading you can ask more specific questions that are easier to explain here: https://docs.spring.io/spring-security/reference/servlet/oauth2/login/index.html 14:29:46
@stevenvanophem_twitter-63d0ffe76da0373984bd7440:gitter.im stevenvanophem_twitter (Steven Van Ophem) Thanks for answering. I understand how OAuth works in a stateless setup. I'm trying to figure out how this correlates to session ids and how to handle scaling in this context with Thymeleaf. 23:14:08
28 Jan 2023
@playback2396:matrix.org playback2396 joined the room. 09:57:00
30 Jan 2023
@wimdeblauwe-548aeac9db8155e6700de6cc:gitter.im wimdeblauwe (Wim Deblauwe) My guess is that you should use Spring Session (https://docs.spring.io/spring-session/reference/index.html) if you want to handle scaling. But I have not used it myself yet. 09:20:52
