I have a backend developed using micro service architecture which used Spring Security older version where we can use #EnableResourceServer, ResourceServerConfigurerAdapter and
public void configure(ResourceServerSecurityConfigurer config) {
config.resourceId(resourceId);
}
As you all know these features have been deprecated in later versions (5.7.x) and resource id feature is kind of important when it comes to micro services.
I am in a process of upgrading services with later versions. However I was unable to find exact solution to replace above. Can anyone guide me for new way of doing this or any other way to do this?
Technologies: Java 17, Spring Boot 5.7.2, Spring Security 5.7.2
Related
I am facing an issue while using springfox 3.0 version with updated version of tomcat 9.0.56.
Already added the url patterns in WebSecurityConfigurerAdapter to bypass the spring security.
While the springfox version is working fine with older version of tomcat, the new version is actually changing the url for the springfox .css and .js file causing the 401 unauthorised error. While hitting the correct url via postman or chrome(GET) url is working fine.
Any suggestion on how to resolve it?
Please note, its an enterprise application and i cannot share much details. So a generic query to get any ideas to resolve the same
I know this does not solve your problem directly, but consider moving to springdoc. Springfox is so buggy at this point that is a pain to use. I've moved to springdoc 2 years ago because of its Spring WebFlux support and I am very happy about it. Additionally, it also supports Kotlin Coroutines, which I am not sure Springfox does.
If you decide to migrate, springdoc even has a migration guide.
are these part of your WebSecurityConfigurerAdapter configuration?
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/swagger-ui/**", "/swagger-resources/**", "/v2/api-docs", "/v3/api-docs");
}
our application currently uses JBoss Portal with JAAS as the authentication/authorization mechanism. The version of Spring we are currently using is 3.2.14. For various reasons we are unable to upgrade Spring right now.
We are going to be migrating to Spring Security shortly and are wondering if Spring Security 4.2.2 will be compatible with Spring 3.2.14. My thoughts are that since Spring Security is a separate project it should be OK?
I can't seem to find any information on the compatibility issues between major versions of Spring and major versions of Spring Security.
For Spring Security 4.2.2, the minimum recommended Spring version is 4.3.5.
This is stated in the SpringSecurityCoreVersion class which is located in the org.springframework.security.core package.
I use Spring Boot - 1.5.3.Release Version for my project. Simply tested my demo application with Actuator and Dev-tools plugin from spring boot initializer site. (Hence I no longer needed to share my POM, as it is default).When I launch my application and try to hit the metrics End Point URL, I get this 401 Unauthorized status (image given below).
Following Options Tried to Bypass this exception
I excluded the SecurityAutoConfiguration on my main Class.
#SpringBootApplication
#EnableAutoConfiguration(exclude= {org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class})
public class MainConfig {
But the above option didn't work.
When I downgrade my Spring-Boot - 1.4.6.RELEASE Version, I didn't get the UnAuthorized Exception. My Application worked like a charm :-)
Questions
Is there any Specific Security Enhancements have been made in the latest release of Spring-Boot (1.5.3.RELEASE Version)?
If at all any enhancements made, let know the community on how to bypass such kind of exceptions?
I also, noticed that when using Spring-boot (1.5.3.RELEASE) it doesn't show any exceptions on startup, even though I have multiple main program in my IDE build path. Is that also an enhancement is spring-boot (1.5.3.RELEASE) version?
Kindly clarify.
From the Spring Boot 1.5 Release Notes:
If you’re upgrading a Spring Boot 1.4 application that doesn’t have dependency on Spring Security and you wish to retain open access to your sensitive endpoints you’ll need to set management.security.enabled to false.
What will be the problem if I come to use Spring-beans namespace 3.0 and Spring security namespace version 3.2 ?
There will be no problem with the namespaces.
The only concern is that, the underlying frameworks (Spring and Spring Security) must been compatible.
In some cases it is wise to use the namespace that matches the underlying framework versions. But in most cases newer frameworks can handle older namespaces
the new Spring versions are almost compatible to namespace 3.0
in Spring Security they often invented new features so sometimes you need the matching namespace to configure the required features))
And Spring Security this is from Spring Security 3.2 Reference:
Spring Security builds against Spring Framework 3.2.13.RELEASE, but is
also tested against Spring Framework 4.1.6.RELEASE. This means you can
use Spring Security 3.2.10.CI-SNAPSHOT with Spring Framework
4.1.6.RELEASE. The problem that many users will have is that Spring Security’s transitive dependencies resolve Spring Framework
3.2.13.RELEASE causing all sorts of strange classpath problems.
I am developing Spring Based multitenant application. I was refering to an article # http://www.ibm.com/developerworks/library/j-saas/index.html
It shows how to implement Multitenant application using Spring Security + LDAP. But it seems that article is written in 2008 and is applicable to Spring Security 2.0.1. whereas I am using latest version of Spring Security (3.1.3).
In latest Version, I am not able to locate SpringSecurityContextSource class.
Any suggestion on how to achieve same functionality?
I have just removed references of SpringSecurityContextSource. Still application is working as expected.