I am new to WebFlux security and I have been trying to implement session management; I am using OKTA for authentication. I have found the answer below:
To kick out the old login with a new login, we only need to set the maximum number of sessions to 1. The configuration is as follows:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .loginPage("/login.html")
        .permitAll()
        .and()
        .csrf().disable()
        .sessionManagement()
        .maximumSessions(1);
}
Do we have any equivalent method like sessionManagement() in WebFlux security?
Or is there any other way we can implement session management in WebFlux?
Thanks,
Related
I have tried to create endpoints and access those of them that don't need a role, but my Spring Security configuration wouldn't allow me to use it because of CORS.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/login").permitAll()
        .antMatchers("/logout").permitAll()
        .antMatchers("/register").permitAll()
        .antMatchers("/getChecks").hasAuthority(Permission.USERS_READ.getPermission())
        .antMatchers("/addCheck").hasAuthority(Permission.USERS_ADD_DOTES.getPermission())
        .anyRequest()
        .authenticated()
        .and()
        .apply(jwtConfigurer);
}
Should I add some additional configuration in SecurityConfig.java?
I want to access the endpoint.
Try adding cors().and() to the configuration before csrf().disable()
How can I disable basic authentication for one request and leave it for all other requests?
I tried to do it, but this does not work for me.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        .antMatchers(HttpMethod.POST, "/registration").permitAll()
        .and()
        .authorizeRequests()
        .anyRequest().authenticated().and().httpBasic();
}
Basic authentication still works for "/registration".
I assume the /registration is a web page which you have created. Then it should be
http.csrf()
    .disable()
    .httpBasic()
    .and()
    .authorizeRequests()
    .antMatchers(HttpMethod.GET, "/registration")
    .permitAll()
    .anyRequest()
    .authenticated();
You should use HttpMethod.POST if it is an API endpoint and not a web page; or, if for some reason you have a POST request for /registration as well, remove the HttpMethod.GET altogether and just leave /registration in the antMatchers.
How to disable multiple logins for the same user account while using JWT tokens with Spring Boot? How to achieve this in a JHipster app?
I'm using Jhipster 3.12.2.
In Spring Security you can configure session management and control the maximum number of sessions for a single user in this way:
sessionManagement()
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true);
maximumSessions controls the maximum number of sessions for a user. The default is to allow any number of users.
maxSessionsPreventsLogin, if set to true, prevents a user from authenticating when maximumSessions has been reached.
So in a JHipster app you can configure it to prevent multiple logins for the same user in the SecurityConfiguration file like this:
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
        .disable()
        .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
        .exceptionHandling()
        .authenticationEntryPoint(problemSupport)
        .accessDeniedHandler(problemSupport)
        .and()
        .headers()
        .frameOptions()
        .disable()
        .and()
        .authorizeRequests()
        .antMatchers("/api/register").permitAll()
        .antMatchers("/api/activate").permitAll()
        .antMatchers("/api/authenticate").permitAll()
        .antMatchers("/api/account/reset-password/init").permitAll()
        .antMatchers("/api/account/reset-password/finish").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/websocket/**").permitAll()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/info").permitAll()
        .antMatchers("/rest/**").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .and()
        .apply(securityConfigurerAdapter())
        .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
}
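The first question on this page (kick out the old login) and the JHipster one (refuse the new login) both rely on Spring Security's concurrent-session control. The following is an added example, not code from either thread or from JHipster, showing a complete servlet-stack configuration for it in the same Spring Security 5.x style, together with the HttpSessionEventPublisher that the session registry depends on. The paths /login and /session-expired are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SingleSessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/session-expired").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout")
                .and()
            .sessionManagement()
                // Concurrency control counts HttpSessions; the registry is only populated
                // when a login actually creates a session (IF_REQUIRED is the default).
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .maximumSessions(1)
                // false: the newest login wins and the older session is expired
                // (the first question). true: the newest login is refused while an
                // older session is alive (the JHipster question).
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/session-expired");
    }

    // Required for concurrency control: this listener forwards session-destroyed
    // events (logout, timeout) to the SessionRegistry. Without it the registry keeps
    // counting sessions that no longer exist, so users get locked out or the wrong
    // session is expired.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Two things to check when this does not seem to work: the session registry is only consulted on logins that pass through the session authentication strategy (form login and HTTP Basic on the servlet stack), and a session must exist for it to count, so a chain configured STATELESS has nothing for maximumSessions to limit. CSRF protection is left on here because the session cookie is what authenticates the browser.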
I have a problem. I use Spring Boot and there I've implemented security. In the SecurityConfig class (method source code below) I've provided the username and password parameters to be checked during the login process. I also need to check whether the account is activated; in the DB I have a column 'activated' with a boolean value. How do I provide my own "account activated" parameter to the login process?
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/investors/**").hasAnyRole("ADMIN")
        .antMatchers("/search**").authenticated()
        .anyRequest().fullyAuthenticated()
        .and()
        .formLogin()
        .loginPage("/login")
        .usernameParameter("username") // <-
        .passwordParameter("password") // <-
        .permitAll()
        .and()
        .logout();
}
Thanks for the help.
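The activated check does not need a new login parameter: Spring Security's DaoAuthenticationProvider already rejects a UserDetails whose isEnabled() is false (with a DisabledException, before the password is even compared), so the 'activated' column only has to be mapped onto that flag when the user is loaded. The following is an added example, not the asker's code; the Account class and AccountRepository are hypothetical stand-ins for the asker's own entity and data access, and the password hash is assumed to be stored BCrypt-encoded and checked by a matching PasswordEncoder bean.

```java
import java.util.Optional;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// Hypothetical read model for the accounts table; 'activated' is the column from the question.
class Account {
    private final String username;
    private final String passwordHash; // BCrypt hash, never the clear-text password
    private final boolean activated;
    private final String role;         // e.g. "USER" or "ADMIN", without the ROLE_ prefix

    Account(String username, String passwordHash, boolean activated, String role) {
        this.username = username;
        this.passwordHash = passwordHash;
        this.activated = activated;
        this.role = role;
    }

    String getUsername() { return username; }
    String getPasswordHash() { return passwordHash; }
    boolean isActivated() { return activated; }
    String getRole() { return role; }
}

// Hypothetical repository; a Spring Data interface with this method would do.
interface AccountRepository {
    Optional<Account> findByUsername(String username);
}

@Service
public class AccountUserDetailsService implements UserDetailsService {

    private final AccountRepository accounts;

    public AccountUserDetailsService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = accounts.findByUsername(username)
            // DaoAuthenticationProvider hides this exception behind BadCredentials by
            // default, so a missing user and a wrong password look the same to the client.
            .orElseThrow(() -> new UsernameNotFoundException("Unknown user"));

        return User.builder()
            .username(account.getUsername())
            .password(account.getPasswordHash())
            // Maps the 'activated' column onto UserDetails.isEnabled(). A false value makes
            // DaoAuthenticationProvider throw DisabledException during form login, which
            // the default failure handler reports as /login?error.
            .disabled(!account.isActivated())
            .roles(account.getRole())
            .build();
    }
}
```

Because the provider performs the enabled check itself, no extra form field is needed and a client cannot bypass it by omitting or forging a parameter; the decision is made purely from the database state on the server.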
I am struggling to get my Spring Security config done properly.
I have JWT security set up, but I want it to work only on /api** and I can't get it right... Even when I try to hit localhost:8080 I get an error from JWTFilter.
This is my config:
public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/api/**";

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class)
        .exceptionHandling()
        .authenticationEntryPoint(this.restAuthEntryPoint)
        .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "**").permitAll()
        .antMatchers(FORM_BASED_REGISTRATION_ENTRY_POINT).permitAll()
        .antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll()
        .and()
        .authorizeRequests()
        .antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()
        .and()
        .addFilterBefore(buildJWTLoginFilter(), UsernamePasswordAuthenticationFilter.class)
        .addFilterBefore(buildJWTAuthFilter(), UsernamePasswordAuthenticationFilter.class);
}
Theoretically it should apply the filters only to the API, but it somehow applies them to all paths.
Can someone help me make it work as it should, so that only /api** is secured and I can freely access all paths outside /api?
Add and().antMatchers("/**").permitAll()
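authorizeRequests() rules only decide who may reach a URL; the filters added with addFilterBefore() still execute for every request that goes through the chain, which is why the JWT filter keeps firing on localhost:8080. Restricting the whole chain with http.antMatcher(...) makes the filters themselves apply only under /api/**. The following is an added example, not the asker's configuration; the JwtAuthenticationFilter and RestAuthenticationEntryPoint types and the /api/auth/** paths are hypothetical stand-ins for the filter and entry point the question refers to.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/api/**";

    // Hypothetical collaborators: the asker's JWT filter and REST 401 entry point.
    private final OncePerRequestFilter jwtAuthFilter;
    private final AuthenticationEntryPoint restAuthEntryPoint;

    public ApiSecurityConfig(OncePerRequestFilter jwtAuthFilter,
                             AuthenticationEntryPoint restAuthEntryPoint) {
        this.jwtAuthFilter = jwtAuthFilter;
        this.restAuthEntryPoint = restAuthEntryPoint;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope of this entire filter chain, custom filters included. Requests that
            // do not match /api/** never enter it, so the JWT filter never sees them.
            .antMatcher(TOKEN_BASED_AUTH_ENTRY_POINT)
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .exceptionHandling().authenticationEntryPoint(restAuthEntryPoint)
            .and()
            .authorizeRequests()
                // Preflight requests carry no Authorization header.
                .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
                // Hypothetical unauthenticated endpoints inside the API.
                .antMatchers("/api/auth/login", "/api/auth/register").permitAll()
                .anyRequest().authenticated()
            .and()
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

With this scoping, paths outside /api/** are not covered by this chain at all. That is what the question asks for; if those pages later need their own protection, a second WebSecurityConfigurerAdapter with a lower @Order precedence (or no antMatcher) can handle them without the JWT filter.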