Regexmatcher / Antmatcher for url with request param - spring

In Spring, you can configure endpoints to be accessible without the need for authentication.
You can do this via WebIgnoring method or via the configure method and using permitAll(). The problem is for my registration form I have following request url:
http://localhost:9090/users?username=
the username is limited to the regex "^[^-\\s][\\w]{1,19}$". Does anyone know how to make that url anonymous for Spring using an antMatcher or a regexMatcher?

Related

SpringCloud Gateway redirect based on URL and Method

Springboot : 2.0.4.RELEASE
I am using Swagger documentation to create RouteDefincationLocator to redirect my incoming request to appropriate service in Spring.
Now there are some services who has same URL with different http method name. i.e
POST /v1/orders (This is more restricted then other url)
GET /v1/orders?view=single
Now in Spring cloud gateway I want to apply 2 different set of filter on each URL
i.e.
For : POST /v1/orders
Filters
ValidUser
Has Create Permission
For : GET /v1/orders?view=single
Filters
ValidUser
I have implemented RouteDefinitionLocator, and implemented method
public Flux<RouteDefinition> getRouteDefinitions()
I have also set predicates PredicateDefinition but this is only verifying URL Path and not method
There are lots of consumer of these services, so I can not change the URL
Can someone tell me how can I add different filters based on incomming URL+Method
Thanks in advance.

Inspect request body within a spring security filter

Basic Spring Security is great as it comes with WebSecurity (preventing malformed URLs) along with setting up authentication and authorization.
As part of authenticating my web request, the digest of the request body needs to be verified against the digest value passed in the http header. Setting up the Spring Security filter, forces my auth filter to process a firewalled request. The firewalled request doesn't seem to expose the request body to the filter.
What is the correct way to set up the Spring Security filter so that I can inspect the request body?
Thanks!
In Spring Security there are many filter classes built in for to be extended and used for specific purposes. As in my experience most of (or all of them) have methods with overloads which have access to,
HttpServletRequest request, HttpServletResponse response
as method arguments, so that those can be used inside the method.
When the filter class is met with any request, these variables are then populated with related data thus the code inside the methods output as expected.

How to make relative redirect to Authorization Endpoint in Spring OAuth?

I configured a service with oauth2Login.
User is redirected to Authorization Endpoint - /oauth2/authorization/{registrationId} when he/she is not authorized.
I would like to customize redirection in a way that it takes into account path prefix, since application is accessible trough prefix /api/myapp/.
From the source code I can see that there is OAuth2AuthorizationRequestRedirectWebFilter during Spring Security setup and this filter is using DefaultServerRedirectStrategy which decides if location is relative or not. Moreover it uses a contextPath which is hard to set when using Spring Boot.
Unfortunately I don't know how to override default behavior to make redirect relative.
I don't need to modify contextPath. Instead I've registered ForwardedHeaderTransformer as a bean.
This transformer is able to retrieve headers set by proxy (X-Forwarded-Prefix) and sets context path for request correctly.

404 when do logout in Spring Security Rest Plugin for Grails

I'm setting the security system on my project (Grails - Angularjs) with Spring Security Rest Plugin v1.5.4 (using spring security core 2.0.0) for Grails 2.4.4. Doc about this plugin can be found here.
I'm testing the login and logout with postman chrome rest client and I'm able to do a login OK, but I'm getting a 404 when I do logout.
In the documentation clearly says:
The logout filter exposes an endpoint for deleting tokens. It will
read the token from an HTTP header. If found, will delete it from the
storage, sending a 200 response. Otherwise, it will send a 404
response
You can configure it in Config.groovy using this properties:
Config key...................................................................................Default
value
grails.plugin.springsecurity.rest.logout.endpointUrl....................../api/logout
grails.plugin.springsecurity.rest.token.validation.headerName....X-Auth-Token
So, after doing a login successfully, I tried to do a logout to that url (my_host_url/api/logout) with a GET method and sending a header X-Auth-Token with the token I got previously from login.
But I keep getting a 404. See image below
Edit: I'm setting the chain map like this (in order to get a stateless behavior):
grails.plugin.springsecurity.filterChain.chainMap = [
'/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter', // Stateless chain
'/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter' // Traditional chain
]
So. What am I doing wrong here, or what am I missing?
Thanks in advance!
You missed another excerpt from the docs. It's a warning message literally before the chunk you quoted, and says:
Logout is not possible when using JWT tokens (the default strategy), as no state is kept in the server.
If you still want to have logout, you can provide your own implementation by creating a subclass of JwtTokenStorageService and overriding the methods storeToken and removeToken. Then, register your implementation in resources.groovy as tokenStorageService.

grails spring security rest plugin

I'm trying restful spring security rest plugin from https://github.com/dmahapatro/grails-spring-security-rest-sample.git
I upgrade grails to 2.3.7 and spring security rest to 1.3.4. And all running smoothly.
I'm using postman for testing the rest login.
url: http://localhost:8080/grails-spring-security-rest-sample/api/login
form-data: username = user, password = pass
But there's always return error code 400 Bad Request.
Is there something wrong with the config or test?
Thanks,
Didin
This is a POST request with content-type as application/json. Refer dev tool again during the call to /api/login, it should be clear.
This is driven by a setting provided by the plugin as below:
grails.plugin.springsecurity.rest.login.useJsonCredentials = true
If you wish to pass it as url param then switch the above off (in the app). By default setting is to use request url parameter as:
//default is true
grails.plugin.springsecurity.rest.login.useRequestParamsCredentials = true
In that case the request could look like:
http://localhost:8080/grails-spring-security-rest-sample/api/login?username=user&password=pass
Parameter name for username and password can also be customized by these settings:
grails.plugin.springsecurity.rest.login.usernameParameter=customusername
grails.plugin.springsecurity.rest.login.passwordParameter=custompassword

Resources