Does anybody know how to 'hide' popup message from basic authentication without removing possibility to login in the next way: 'http://username:password#example.com/'
Configure your spring like that.
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
.exceptionHandling()
.and()
.rememberMe()
.and()
.formLogin()
.loginProcessingUrl("/user") // rest api
//.usernameParameter("username")
//.passwordParameter("password")
.permitAll()
.and()
.logout()
//.logoutUrl("/api/logout")
//.deleteCookies("JSESSIONID", "CSRF-TOKEN")
.permitAll()
.and()
.headers()
.frameOptions()
.disable()
.authorizeRequests()
.antMatchers("/login").permitAll()
.antMatchers("/#/dashboard/home").permitAll()
;
}
In fact, the browser popup logon message if WWW-Authenticate was send by the server. Remove this header from your server that popup will not appear.
Related
I am trying to migrate and adapt Baeldung's Spring Security Registration project to use latest Spring Boot 3.0.2. The SecSecurityConfig.java uses sessionFixation().none().
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers(PUBLIC_PATHS).permitAll()
.antMatchers("/invalidSession*").anonymous()
.antMatchers("/user/updatePassword*").hasAuthority("CHANGE_PASSWORD_PRIVILEGE")
.anyRequest().hasAuthority("READ_PRIVILEGE")
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/homepage.html")
.failureUrl("/login?error=true")
.successHandler(myAuthenticationSuccessHandler)
.failureHandler(authenticationFailureHandler)
.authenticationDetailsSource(authenticationDetailsSource)
.permitAll()
.and()
.sessionManagement()
.invalidSessionUrl("/invalidSession.html")
.maximumSessions(1)
.sessionRegistry(sessionRegistry())
.and()
.sessionFixation() // <---- This part here
.none() // <---- This part here
.and()
.logout()
.logoutSuccessHandler(myLogoutSuccessHandler)
.invalidateHttpSession(true)
.logoutSuccessUrl("/logout.html?logSucc=true")
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.rememberMe()
.rememberMeServices(rememberMeServices())
.key("theKey");
return http.build();
}
While this format works, I kind of find it difficult to follow the configuration setup, and hence I transformed it to use the overloaded Customizer methods instead. Here is how it turned out to be.
#Bean
public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
return http
.csrf(request -> request.disable())
.authorizeHttpRequests(request ->
request
.requestMatchers(PUBLIC_PATHS).permitAll()
.requestMatchers("/invalidSession*").anonymous()
.requestMatchers("/user/updatePassword*").hasAuthority("CHANGE_PASSWORD_PRIVILEGE")
.anyRequest().hasAuthority("READ_PRIVILEGE")
)
.formLogin(request ->
request
.loginPage("/login")
.defaultSuccessUrl("/homepage.html")
.failureUrl("/login?error=true")
.successHandler(myAuthenticationSuccessHandler)
.failureHandler(authenticationFailureHandler)
.authenticationDetailsSource(authenticationDetailsSource)
.permitAll()
)
.sessionManagement(request ->
request
.invalidSessionUrl("/invalidSession.html")
.maximumSessions(1)
.sessionRegistry(sessionRegistry())
)
// sessionFixation.none ??? <---- How this can be configured
.logout(request ->
request
.logoutSuccessHandler(myLogoutSuccessHandler)
.invalidateHttpSession(true)
.logoutSuccessUrl("/logout.html?logSucc=true")
.deleteCookies("JSESSIONID")
.permitAll()
)
.rememberMe(request ->
request
.rememberMeServices(rememberMeServices())
.key("theKey")
)
.build()
;
}
The only part that I am unable to configure is the sessionFixation part with the Customizer setup. Can somebody point me out how to configure it?
As pointed out by #toerktumlare, you can set the sessionFixation in two ways.
.sessionManagement(config ->
config
.sessionFixation().none() // <---- Here
.invalidSessionUrl("/invalidSession.html")
.maximumSessions(1)
.sessionRegistry(sessionRegistry())
)
or add a and() and then configure the sessionFixation()
.sessionManagement(config ->
config
.invalidSessionUrl("/invalidSession.html")
.maximumSessions(1)
.sessionRegistry(sessionRegistry())
.and()
.sessionFixation().none() // <---- Here
)
I was working with Spring boot OAuth2 Facebook login, but I encountered the error:
JSON parse error: Cannot deserialize instance of java.lang.String out
of START_OBJECT token
The same code is working for Google and login works as expected. I am following this code on Github(https://github.com/callicoder/spring-boot-react-oauth2-social-login-demo).
Can you please guide me to solve this issue?
Below is the SecurityConfig details
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf()
.disable()
.formLogin()
.disable()
.httpBasic()
.disable()
.exceptionHandling()
.authenticationEntryPoint(new RestAuthenticationEntryPoint())
.and()
.authorizeRequests()
.antMatchers("/","/public/**",
"/login",
"/register",
"/error",
"/favicon.ico",
"/**/*.png",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.html",
"/fonts/*.*",
"/webfonts/*.*",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers("/auth/**", "/oauth2/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.oauth2Login()
.authorizationEndpoint()
.baseUri("/oauth2/authorize")
.authorizationRequestRepository
(cookieAuthorizationRequestRepository())
.and()
.redirectionEndpoint()
.baseUri("/oauth2/callback/*")
.and()
.userInfoEndpoint()
.userService(customOAuth2UserService)
.and()
.successHandler(oAuth2AuthenticationSuccessHandler)
.failureHandler(oAuth2AuthenticationFailureHandler);
// Add our custom Token based authentication filter
http.addFilterBefore(tokenAuthenticationFilter(),
UsernamePasswordAuthenticationFilter.class);
}
Facebook successfully authenticates the login but when it callbacks my application this error appears.
This issue has been fixed in 5.3.0 RELEASE.
You can write custom access token requests and custom message converters. Spring reference has a detailed guide on how to extend the existing functionality.
....
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf()
.disable()
.formLogin()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.httpBasic()
.disable()
.exceptionHandling()
.authenticationEntryPoint(new RestAuthenticationEntryPoint())
.and()
.authorizeRequests()
.antMatchers("/",
"/error",
"/favicon.ico",
"/**/*.png",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers("/auth/oauth2/**","/login","/signup")
.permitAll()
.anyRequest()
.authenticated()
.and()
.oauth2Login()
.authorizationEndpoint()
.baseUri("/oauth2/authorize")
.authorizationRequestRepository(cookieAuthorizationRequestRepository())
.and()
.tokenEndpoint()
.accessTokenResponseClient(authorizationCodeTokenResponseClient())
.and()
.redirectionEndpoint()
.baseUri("/oauth2/callback/*")
.and()
.userInfoEndpoint()
.userService(customOAuth2UserService)
.and()
.successHandler(oAuth2AuthenticationSuccessHandler)
.failureHandler(oAuth2AuthenticationFailureHandler);
http.logout()
.logoutSuccessUrl("https://../auth/logout");
// Add our custom Token based authentication filter
http.addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> authorizationCodeTokenResponseClient() {
OAuth2AccessTokenResponseHttpMessageConverter tokenResponseHttpMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
tokenResponseHttpMessageConverter.setTokenResponseConverter(new CustomAccessTokenResponseConverter());
RestTemplate restTemplate = new RestTemplate(Arrays.asList(
new FormHttpMessageConverter(), tokenResponseHttpMessageConverter));
restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
DefaultAuthorizationCodeTokenResponseClient tokenResponseClient = new DefaultAuthorizationCodeTokenResponseClient();
tokenResponseClient.setRestOperations(restTemplate);
return tokenResponseClient;
}
I did the tutorial and I also had the same problem the error is in the properties you must delete this and it will work
https://github.com/callicoder/spring-boot-react-oauth2-social-login-demo/blob/master/spring-social/src/main/resources/application.yml
the error is this remove this properties or commit it
spring.security.oauth2.client.provider.facebook.tokenUri= https://graph.facebook.com/v10.0/oauth/access_token
#Override
protected void configure(HttpSecurity http) throws Exception {
http.cors()
.and()
.httpBasic()
.and()
.csrf().disable()
.authorizeRequests()
//cia apsirasau tuos endpointus kuriuos leidziu neprisijungus:
.antMatchers("/admin/login", "/admin/register","/teams").permitAll()
.anyRequest().authenticated()
.and()
.exceptionHandling().authenticationEntryPoint(unauthorizedHabdler)
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(jwtauthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
This is mys configure method, the problem is that I want lets say allow to access /teams endpoint for everyone, but when I start my program and go to /teams endpoint it asks for authentification. Where is the problem?
For some reason I can't access my CSS and JS files. What's going on?
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll().and().authorizeRequests().antMatchers("/static/**").permitAll();
}
Try to use:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.antMatchers("/static/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
Order matters. All permissions must be before the .anyRequest().authenticated()
i want to stay in the same page after login but spring oblige u to redirect to defaultSuccessUrl
my code is like this
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/css/**","/fonts/**","/js/**","/app/**","/images/**","/partials/**").permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/index.html")
.failureUrl("/login?error=true")
.permitAll()
.and().logout().logoutSuccessUrl("/login?logout")
.and().exceptionHandling().accessDeniedPage("/pages/303.html");
}
Set
always-use-default-target="true"
which will force spring-security to go to /index.html
I think you should add an authentication success handler
#Override
protected void configure(HttpSecurity http) throws Exception {
SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
successHandler.setUseReferer(true);//redirect to the previous page
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/css/**","/fonts/**","/js/**","/app/**","/images/**","/partials/**").permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/index.html")
.failureUrl("/login?error=true")
.permitAll()
.successHandler(successHandler)//enable success handler
.and().logout().logoutSuccessUrl("/login?logout")
.and().exceptionHandling().accessDeniedPage("/pages/303.html");
}