To get a basic security feature working, I added the following starter package to my pom.xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
And added following two properties to application.properties:
security.user.name=guest
security.user.password=tiger
Now when I hit my homepage, I get the login box and login works as expected.
Now I want to implement the ‘logout’ feature. When the user clicks on a link, he/she gets logged out. I noticed that the login doesn’t add any cookie in my browser. I am assuming Spring Security creates an HttpSession object for the user. Is that true? Do I need to ‘invalidate’ this session and redirect the user to some other page? What’s the best way to implement the ‘logout’ feature in a Spring Boot based application?
Late is better than never. Spring Boot defaults lots of security components for you, including the CSRF protection. One of the things that does is force POST logout, see here: http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#csrf-logout
As this suggests you can override this, using something along the lines of:
http.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().fullyAuthenticated()
.and()
.formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
The last line is the important one.
Related
I'm trying to rewrite existing OAuth2 authorization service using Spring Boot 3.0.2 and newly released Spring OAuth2 Authorization Server 1.0.0.
Faced a trouble combing objects from Reactive Security and Standard Security libraries: unable to apply default security to OAuth2AuthorizationServerConfiguration class, because it's not applicable to reactive ServerHttpSecurity.
Code part
#Bean
#Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityWebFilterChain authServerSecurityFilterChain(ServerHttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
http
.formLogin()
...;
return http.build();
}
Can't pass HttpSecurity to applyDefaultSecurity() method.
Tried to find any reactive implementations of OAuth2AuthorizationServerConfiguration class but found nothing.
Is there any way to convert ServerHttpSecurity to HttpSecurity? Or Spring OAuth2 Authorization Server is completely incompatible with reactive approach?
Main dependencies of Maven pom.xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-authorization-server</artifactId>
<version>1.0.0</version>
</dependency>
Thanks is advance.
UPD
Searched badly. Seems like it's not supported yet:
https://github.com/spring-projects/spring-authorization-server/issues/152
Or there are still some ways make it work?
Official answer:
We are strictly focusing on a Servlet implementation for the initial set of features that would qualify for a MVP version. We haven't decided whether we'll provide a WebFlux version at this point.
Quite honestly, I'm not convinced it's needed. The client and resource server(s) are the most active, whereas, the authorization server is not as active as it simply issues a token and may validate a token, which is limited activity between the many interactions that follow between a client and resource server after a token is issued.
Either way, I'm going to close this issue as WebFlux is not on the roadmap as of now.
Source - https://github.com/spring-projects/spring-authorization-server/issues/152
Hello I recently received a demand to migrate the ldap authentication service to oauth2 from a jsf project, but I have no idea where to start, from what I've been seeing in the project I have an ldap security domain configured in wildfly where I can make use of some features that comes from FacesContext as:
.login(username, password)
.getUserPrincipal()
.isUserInRole(rule)
.logout()
.invalidateSession()
What I would like to know is if there is a possibility to make my own security domain the same as the configured ldap, where I would implement the methods above, any content where I can start is welcome
I made an implementation of org.jboss.security.auth.spi.UsernamePasswordLoginModule;
My use case is simple but could not find an example. I want to allow all my endpoints excluding only one path which will require basic authentication who has USER role. How to do it with Spring Security's antmatchers? I tried something like below but I get 401 Unauthorized in all requests.
httpSecurity
.authorizeRequests()
.antMatchers("/api/**").hasRole("USER")
.antMatchers("/**").permitAll();
I have been trying to get a grip on spring security and always get confused with the initial configuration. Where in few tutorial I find CSRF disabled and in few I found it enabled.
At some forum it's written as it's good to disable it and in some tutorials few people mention it's not a good practice to disable csrf.
My point is why do we need CSRF? what's the reason behind using CSRF? what if we disable it and why if we shouldn't disable it?
http.csrf()
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
and
http.csrf().disable()
.exceptionHandling().and()
.anonymous().and()
.servletApi().and()
.headers().cacheControl().and()
.authorizeRequests()
What's the best configuration if I am using Spring Security with REST? Because in second configuration it's showing me a popup window to login. And in first configuration it's giving me
(Expected CSRF token not found. Has your session expired?)
If CSFR is enabled or not depends on The Spring Security version and type of configuration used.
Before Spring Security 4, when using XML configuration CSFR would be disabled and when using Java based configuration it would be enabled. As of Spring Security 4 CSFR is enabled for both XML and Java based configuration by default.
Do you need CSFR, well if you have a public facing site or API I would say yes. Every security layer you disable makes your application more vulnerable.
What CSFR is is explained on this page
I am trying to secure my Webapplication which is based on a Spring MVC project containing REST controllers and Angular JS pages that get all their data from these controllers.
I am not at all familiar with Spring boot, just with 'classic spring'. I'd like to use the token based authentication which JHipster creates a skeleton for.
What needs to be done to get that security part and migrate it to my current Spring project? I tried copying relevant classes and the Token generation and such works, but the SecurityConfiguration seems to do nothing (no URL's are authenticated while I do say they need to be in the config, the tokenfilter never gets called etc.)
There's possibly some structural/ configurational differences between Spring and Spring boot which cause this?
What needs to be done to get the security mechanism working in a regular Spring application?
What is working:
- token generation
What is not working:
- every REST call goes through no matter if it's behind an .authenticated() URL
- the token filter never checks if there's a token and thus doesn't validate the token
Everything token-wise is okay, everything url-security wise is not at all okay.
(I've been trying to solve this for 3 days now and I just don't see where I'm going wrong.)
All help/ insights/ tips much appreciated as always.