
spring-security

Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security

31 Aug 2022
hamzaelouni (hamzaelouni) *

Hello, I want to configure multiple HttpSecurity instances.
The first HttpSecurity will only be applicable to URLs that start with /redis using basic auth
and the second for /api/v1/** will use OAuth.
My code:

```java
// AUTH_WHITELIST, createDecoder() and convert(...) are defined elsewhere in this config class.
// Requests that match neither chain pass through without any security filter, so keep the
// two antMatcher() patterns in line with what the application actually exposes.
@Bean
@Order(2) // evaluated after the /redis chain; without an explicit order this chain is never reached
public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
    http
            .antMatcher("/api/v1/**") // restrict this chain to the API so the two chains do not overlap
            .authorizeRequests()
            .mvcMatchers(AUTH_WHITELIST).permitAll() // no authorization needed
            .mvcMatchers("/api/v1/ping").permitAll() // no authorization needed
            .mvcMatchers("/api/v1/healthcheck").permitAll()
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            .antMatchers("/api/v1/**").authenticated()
            .and()
            .csrf().disable() // Only because we are in API
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .oauth2ResourceServer()
            .jwt().decoder(createDecoder()).jwtAuthenticationConverter(this::convert);

    return http.build();
}

@Bean
@Order(1)
public SecurityFilterChain loginPasswordFilterChain(HttpSecurity http) throws Exception {
    http
            .antMatcher("/redis") // without this the @Order(1) chain matches every request and basic auth applies everywhere
            .authorizeRequests().antMatchers("/redis").authenticated()
            .and()
            .httpBasic();
    return http.build();
}
```

09:55:37
sjohnr (Steve Riesenberg) Hi @mado89! I'm not 100% clear on what you're specifically asking about. Would you be able to provide some code or a minimal sample? 21:50:19
1 Sep 2022
cruzatadelacruzc (Cesar Manuel Cruzata De la Cruz) How can I update the user profile changes like name, locale and more after Spring Security's OidcUserService has fetched it from the IdP (Keycloak) when the End User completes the authentication and authorization flow? I.e. I have updated the user profile attributes, and the data in OidcUser was not updated because no request was made to the /userinfo endpoint. 10:35:50
6 Sep 2022
gel-hidden (gel-hidden) *

Hi guys,

Is it strange to use AbstractAuthenticationProcessingFilter to process a JWT token for every request? I had OncePerRequestFilter before, but made some changes and converted it. Or rather, is it a valid use case? It seems that other implementations of this use some in-memory stuff; for example, UsernamePasswordAuthenticationFilter is only activated on /login requests. But the server is currently stateless.

10:55:31
philsttr (Phil Clay) Ah ok. That makes sense. FWIW, that use case doesn't apply in our apps, since our apps always require a security context, so there's no need to defer. But I can see how that would be beneficial in other apps 16:20:19
philsttr (Phil Clay) * Anybody know why the spring security context is stored inside the reactor subscriber context as a Mono<SecurityContext> rather than just a SecurityContext? I haven't seen any other libraries store publishers in the reactor subscriber context. And when spring security actually populates the subscriber context, it usually does so with a Mono.just(securityContext) (examples here, here, here). The only place where something other than Mono.just is used to populate the reactive security context is here, but that could easily be changed a bit to put the SecurityContext directly in the reactor context.
So, I don't understand why the Mono is needed inside the reactor context.
I'm asking because frequently code that operates on values within the reactor subscriber context is doing so synchronously, and the Mono embedded in the Context is troublesome.
16:20:19
9 Sep 2022
sjohnr (Steve Riesenberg) Hi @gel-hidden. Take a look at JWT support in Spring Security OAuth2. Note that you don't need to use OAuth to use bearer tokens. The BearerTokenAuthenticationFilter is currently a OncePerRequestFilter. 20:33:56
sjohnr (Steve Riesenberg) Sorry for the delay on an answer, @cruzatadelacruzc. Unfortunately, I don't believe there's a "refresh" mechanism. The easiest way would be to cause the user to go back through the authorization_code flow to re-establish the OidcUser. Otherwise, you'll have to resort to calling OidcUserService.loadUser yourself and setting up/saving a new SecurityContext with the updated user. Depending on your use case, you might also need to re-persist the OAuth2AuthorizedClient in OAuth2AuthorizedClientRepository (though that may be unnecessary). 20:58:53
14 Sep 2022
15 Sep 2022
kylooh (70) Hi, everyone. 06:11:59
kylooh (70) I have a problem with GitHub's sample. I noticed there is a class named AuthorizationServerSettings in the default-authorizationserver's config class. But I can't find this class in the dependency org.springframework.security:spring-security-oauth2-authorization-server:0.3.1. Did I use the wrong dependency, or the wrong version? 06:15:00
sjohnr (Steve Riesenberg) Classes are being changed/renamed in main in preparation for 1.0 in an effort to reduce the need for breaking changes for future versions. In 0.3.1 the class is called ProviderSettings. Take a look at the docs for more info about the current released version. 22:14:07
18 Sep 2022
aaniketweb_twitter (Aniket Kalamkar) I want to implement Attribute Based Access Control for my application, similar to AWS IAM. I read about XACML and WSO2's implementation of the same. I use Spring Boot with Spring Security in my application; we currently have RBAC and are trying to move to ABAC since we want to manage the policies in a better and more granular way. I tried to find a lot about XACML implementation with Spring Security but couldn't find much on the Internet. Is this something someone has implemented and has some references to read? Please let me know. 04:22:02
cruzatadelacruzc (Cesar Manuel Cruzata De la Cruz) "The easiest way would be to cause the user to go back through the authorization_code flow to re-establish the OidcUser" Does it mean to log out the user and start the login flow? 11:32:00
20 Sep 2022
ShehanMaduwantha (ShehanMaduwantha)

Hello,
I have a little question regarding Spring Security WebFlux formLogin(). I'm building a REST API. I need to authenticate a user via a POST request. I want to remove the default login page and make it more like a REST API (HTTP status codes instead of redirects). What would be the best way to do this? If this isn't the best way, how should I try to authenticate users with a POST request?

Thank you very much!

10:03:32
21 Sep 2022
sjohnr (Steve Riesenberg) @cruzatadelacruzc, you can navigate the browser to the authorization request base uri to initiate the flow again. For example, if your {registrationId} is keycloak, redirect the user to /oauth2/authorization/keycloak. 17:01:24
22 Sep 2022
Yneth (Anthony Bondarenko) Hi everyone, I'd like to contribute to spring-authorization-server, but I am not able to access the ZenHub dashboard.
Are there any issues for contributors to take?
10:41:04
23 Sep 2022
brankoiliccc (Branko Ilic) * @aaniketweb_twitter I have implemented something similar. XACML was way too complicated for my use case (even though my use case was not simple). The system was built on top of @PreAuthorize. Example of usage is @PreAuthorize("hasPermission(#id, 'SUPPLIER', 'Supplier::ViewDetails')") 11:00:09
