i do a rest server with spring boot 2.7.1 then added spring security to control access to the service..
this is my SecurityConfiguration :
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration {
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.mvcMatchers("/api/v1/svr40/info").permitAll()
.mvcMatchers("/api/v1/svr40/initService").permitAll()
.mvcMatchers("/api/v1/svr40/getServiceID").permitAll()
//.anyRequest().permitAll() // for testing
.mvcMatchers("/api/v1/svr40/**").denyAll();
return http.build();
}
}
now i want to limit requests only from a certain host:port ..
i tried with hasIpAddress(...) without success..
.mvcMatchers("/api/v1/svr40/info").hasIpAddress("127.0.0.1:8081")
Related
Since WebSecurityConfigurerAdapter has been deprecated, I have updated my SecurityConfig class with defining SecurityFilterChain as a bean in my config class but none of the config is working and spring still generates Security Password!
Here's my new WebSecurityConfig:
#Configuration
#EnableWebSecurity
public class SecurityConfig {
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeHttpRequests()
.requestMatchers("/auth/**").permitAll()
.requestMatchers("/role1/**").hasAnyRole("admin")
.requestMatchers("/role2/**").hasAnyRole("admin")
.requestMatchers("/role3/**").hasAnyRole("admin")
.anyRequest()
.permitAll();
return http.build();
}
}
Spring still generates password:
Using generated security password: ******-****-****-****-**********
This generated password is for development use only. Your security configuration must be updated before running your application in production.
I have tried excluding SecurityAutoConfiguration class from the main application but it did not work.
You can either remove the UserDetailsServiceAutoConfiguration by doing:
#SpringBootApplication(excludes = UserDetailsServiceAutoConfiguration.class) or you can provide a UserDetailsService of your own:
#Bean
public UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager();
}
I am using a Spring Boot application with the latest stable versions of Spring Boot and Sprign Security. I am doing authentication with an ADFS IDP using SAML2.
That works fine for all GET requests. Now I need to use PUT and POST and therfore I'd like to disable csrf.
With this pease of code I tried to disable csrf:
#Configuration
#EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().and().cors().disable();
}
}
But when doing this the complete SAML Authentication gets lost and no Single-Sign-On and so on is performed.
I am using SAML2 by configuration:
spring:
security:
saml2:
relyingparty:
registration:
DemoApp:
entity-id: urn:id:demo-app
identityprovider:
entity-id: "http://adfs.local/adfs/services/trust"
metadata-uri: "https://adfs.local/FederationMetadata/2007-06/FederationMetadata.xml"
singlesignon:
url: "https://adfs.local/adfs/ls"
sign-request: true
How do I disable csrf and keep the SAML2 things working?
WebSecurityConfigurerAdapter is deprecated. Use a SecurityFilterChain Bean to configure HttpSecurity or a WebSecurityCustomizer Bean to configure WebSecurity. Try this
#Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.csrf().disable()
.cors().disable();
return http.build();
}
The Java configuration below will disable CSRF protection in Spring security 5.7
#Configuration
#EnableWebSecurity
public class WebSecurityConfig {
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable());
return http.build();
}
}
For more details follow the link below
https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf-configure-disable
Like the question said, how we can configure Spring Security to have form authentication for the Thymeleaf web page part of the project, and JWT authentication for the REST API part of the project?, because we like to have both projects on the same container and not to have to resource to external Tomcat Application Server to have the same Security Config (SSL, Ciphers, Certificates, ETC.).
So far we don't found how to do it, but if you can have a Thymeleaf and REST API on the same project i think it is possible to configure Spring Security to have to ways of authentication on the project.
You can have this behavior by adding two WebSecurityConfigurerAdapter beans as follows:
#Order(1) - /api/** protected by basic auth, in your case JWT
authentication.
#Order(2) - /website/** protected by form login, in your case
Thymeleaf login.
View docs for Spring Boot and sample code here.
#EnableWebSecurity
public class SecurityConfig {
#Configuration
#Order(1)
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/**")
.authorizeRequests()
.anyRequest().hasRole("API_USER")
.and()
.httpBasic();
}
}
#Configuration
#Order(2)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/website/**").hasRole("ADMIN")
.and()
.formLogin()
.and()
.logout().permitAll()
;
}
}
}
I literally can't figure this out and have been through a dozen answers and none of them work. What exactly is the configuration to stop the redirect to login? I'd prefer to leave my actuator endpoints behind security but I honestly don't care either way at this point because I need this application to be usable.
There’s an example of the configuration that is required in Spring Boot’s reference documentation:
#Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint())
.authorizeRequests()
.anyRequest().permitAll();
}
}
Security configuration for a Spring Webflux service to allow access to actuator endpoints:
#Configuration
public class SecurityConfig {
#Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http.authorizeExchange()
// .pathMatchers("/actuator/**").permitAll()
.anyExchange().permitAll()
.and().csrf().disable().build();
}
}
When securing a Spring Data REST application with keycloak the spring security allows to secure REST endpoints by making a configuration class extending KeycloakWebSecurityConfigurerAdapter and overriding configure(HttpSecurity) as follows:
#Configuration
#EnableWebSecurity
#ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/customers/**").hasRole("view-customers")
.antMatchers(HttpMethod.POST, "/customers/**").hasRole("create-customers")
.antMatchers(HttpMethod.PATCH, "/customers/**").hasRole("edit-customers")
.anyRequest().authenticated();
}
}
But hard coding it like this makes difficult for future changes. Is there a better way to do this?