spring boot 2.7 websecurityconfigureradapter deprecated - spring

I am trying to update my application without WebSecurityConfigurerAdapter and I need some help here.
SAML authentication is failing with the code below; can anyone help me out here?

Please use Google search. Many problems already have solutions or have been answered here or elsewhere.
Suggested search: websecurityconfigureradapter deprecated
I have searched it for you, and this was the top of the results list: https://www.baeldung.com/spring-deprecated-websecurityconfigureradapter

Related

How to resolve Spring RCE vulnerability(CVE-2022-22965)?

Update
This issue is now assigned to CVE-2022-22965. Other than the nice answers below, please also check Spring Framework RCE: Early Announcement, as it is the most reliable and up-to-date site for this issue.
According to different sources, it seems we have a serious security issue when using the Spring Core library.
https://securityboulevard.com/2022/03/new-spring4shell-zero-day-vulnerability-confirmed-what-it-is-and-how-to-be-prepared/
Quoting from the above link, we are at risk if:
You use a Spring app (up to and including version 5.3.17)
Your app runs on Java 9+
You use form binding with name=value pairs – not using Spring’s more popular message conversion of JSON/XML
You don’t use an allowlist –OR– you don’t have a denylist that blocks fields like “class”, “module”, “classLoader”
The link suggests some solutions, but they don't seem easy to implement or reliable.
What should we do to fix this issue in the easiest and most reliable way?
According to the Spring Framework RCE: Early Announcement, upgrading to Spring Framework 5.3.18 or 5.2.20 will fix the RCE.
If you use Spring Boot, Spring Boot 2.5.12 and Spring Boot 2.6.6 fixes the vulnerability.
If you're unable to update:
You can choose to only upgrade Tomcat. The Apache Tomcat team has released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat’s side.
If you can't do any of the above, the RCE announcement blog post suggests a workaround: set disallowedFields on WebDataBinder through a @ControllerAdvice:
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global binder configuration: applies to every controller that does not
// override disallowedFields in its own @InitBinder method.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Block binding to any property path containing "class"/"Class",
        // which closes the class.module.classLoader.* path used by the exploit.
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
This quick fix will not work if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting. Also, more generally, the workaround will not have an effect if you use alternate REST frameworks such as Jersey (however, it has not yet been demonstrated that such configurations are impacted).
Note: a Spring upgrade is still needed later on, as the vulnerability is not in Tomcat.
A temporary workaround is to upgrade Tomcat to 10.0.20, 9.0.62, or 8.5.78.
Spring Reference
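The answer above mentions two things worth seeing together: the allowlist option from the "we are at risk if" list, and the gotcha that a controller-local @InitBinder calling setDisallowedFields replaces the global denylist. The following is an added example, not code from the original answer or from the Spring project, showing a form controller that allowlists its bindable fields instead. The controller name EnrollController, the form bean EnrollForm, the /enroll path and the field names name and email are assumptions chosen for illustration.

```java
// Added example (not from the original answer or the Spring project).
// A controller-local allowlist: only the named properties may be bound from
// name=value request parameters. Any other field name, including
// class.module.classLoader.*, is ignored by WebDataBinder. The controller,
// form class, path and field names below are assumptions for illustration.
package com.example.demo;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class EnrollController {

    // Form-backing bean populated from name=value pairs (not JSON/XML).
    public static class EnrollForm {
        private String name;
        private String email;

        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    // Local binder for the "enrollForm" model attribute only.
    // setAllowedFields does not touch the disallowedFields array, so a global
    // @ControllerAdvice denylist (if present) still applies on top of this.
    // Calling setDisallowedFields(...) here instead would REPLACE that global
    // denylist, which is the override problem described in the answer above.
    @InitBinder("enrollForm")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("name", "email");
    }

    @PostMapping("/enroll")
    public String enroll(@ModelAttribute("enrollForm") EnrollForm form) {
        // form.getName() and form.getEmail() are the only bound values;
        // a request carrying class.module.classLoader.* parameters binds nothing extra.
        return "redirect:/enrolled";
    }
}
```

An allowlist is the stronger control for form binding because it does not depend on guessing every dangerous property path; the denylist advice remains useful as a safety net for controllers you have not yet reviewed. Neither replaces upgrading Spring Framework.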

the spring boot oauth2 doc teaches deprecated annotation?

It's a confusing problem that has troubled me for several days.
Firstly, I got to know that the new Spring Security OAuth2 has changed, so I came to learn: https://docs.spring.io/spring-security-oauth2-boot/docs/2.5.2/reference/html5/.
However, when I try to add the annotation @EnableAuthorizationServer to the "main method", IntelliJ reports that it's deprecated.
Then I checked the versions: springframework.boot:2.5.2, spring-security-oauth2:2.5.1.RELEASE, spring-security-oauth2-autoconfigure:2.5.2.
That means all the dependencies are new, and the doc is new too.
Then why does IntelliJ say the annotation is deprecated? I just want to follow the new trend. Please tell me what to do.
Thanks a lot.
As the documentation to which you have linked states, the project is in maintenance mode. Where possible, it should not be used and the equivalent features in Spring Security 5.x should be used instead.
The deprecation message on EnableAuthorizationServer links to a migration guide. From there you can learn about the Spring Authorization Server project which you may want to use.

springfox implementation available for swagger3 or openapi 3?

Is there any springfox implementation available for swagger3 or OpenAPI 3 which support media-type versioning of the endpoint, apart from JAX-RS?
Short answer: no. See 2023 update at end.
There is a pinned issue tracking this in springfox's github: https://github.com/springfox/springfox/issues/3070
Best read that for the latest news, but at the moment the project is lagging both OpenAPI and Spring Boot, and the list of changes needed is quite long. The project owner sounds a bit overwhelmed and has asked for help from the community.
Based on that, I'd say the future of springfox is in doubt. Hopefully this will pass. But given the difficulties they are having it might be worth looking for alternatives.
One is: https://github.com/springdoc/springdoc-openapi
While it certainly doesn't have the documentation, community and stockpile of answered questions that springfox has, the basic functionality works. I've only just started using it so that's all I can say at the moment. :-)
2023 Update: The answer is "no" again. Springfox 3.0 worked again for a while but doesn't seem to be supported for Spring Boot 2.5 or higher. We have now migrated to springdoc-openapi and found that it wasn't difficult to do. See: https://springdoc.org/migrating-from-springfox.html
One small gotcha is that you may need to review all places where you use @Parameter on a @RequestParam. If the parameter type is a class with multiple fields, you sometimes need to use @ParameterObject instead of @Parameter. That tells Springdoc to document each member of the class as a separate request parameter.

Spring framework replacement for FlowAction

I recently inherited a very old code base (written in 2006) that uses the Spring framework. Right now, the goal is to get it semi-functional, which I've almost done. However, there is some code I can't seem to fix that uses the class "FlowAction" from 'org.springframework.webflow.executor.struts.FlowAction'. This used to exist in spring-webflow-1.0.6.jar, but no longer exists in 2.4.2.
Can anyone give me any hints for how to fix the following code using more recent spring framework code?
<action path="/secure/FRONT/enrollAction"
name="webflowActionForm" scope="request"
type="org.springframework.webflow.executor.struts.FlowAction" />
Please keep in mind that this is an attempt to get this very old code working so telling me it's impossible is fine, but please provide a good reason why (I'm no spring expert). I've googled and searched the spring code to no avail, but I'm hoping it's as simple as using a different library. Thanks for any input!
EDIT
Based on the first comment below, Struts is no longer supported. I am offering a bounty for someone who knows how to update this code. I assume an alternative exists, or was offered by the Spring framework, for code that was using the old libraries. If anyone knows what that is, I would greatly appreciate it. I just need help on how I would update the specific block of code above and am happy to provide any further information needed.
We can use the following classes for getting Struts functionality into your code:
FlowHandlerMapping
FlowHandler
FlowHandlerAdapter
FlowExecutor
FlowDefinition
FlowRegistry

Spring security openID attribute access

My question is similar to this SO question.
But I am using Spring Security 3.1.4, in which the following call is deprecated.
(OpenIDAuthenticationToken)exception.getAuthentication()
What is the alternative mechanism to get OpenIDAuthenticationToken in SimpleUrlAuthenticationFailureHandler implementation?
Thanks for your time and help.
If your requirement is to register users who are not already in your system, you can do that in the same way that the sample application does.
If you need more interaction with the user at that point, then the only alternative to the deprecated method that springs to mind would be to use your own custom exception.
