the spring boot oauth2 doc teaches deprecated annotation? - spring-boot

It's a confusing problem, but it has cost me several days.
Firstly, I learned that the new Spring Security OAuth2 has changed, so I went to learn from: https://docs.spring.io/spring-security-oauth2-boot/docs/2.5.2/reference/html5/.
However, when I try to add the annotation @EnableAuthorizationServer to the "main method", IntelliJ says it's deprecated.
Then I checked the versions: springframework.boot:2.5.2, spring-security-oauth2:2.5.1.RELEASE, spring-security-oauth2-autoconfigure:2.5.2.
It means all the dependencies are new, and the doc is new too.
Then why does IntelliJ say the annotation is deprecated? I just want to follow the new trend. Please tell me what to do.
Thanks a lot.

As the documentation to which you have linked states, the project is in maintenance mode. Where possible, it should not be used and the equivalent features in Spring Security 5.x should be used instead.
The deprecation message on @EnableAuthorizationServer links to a migration guide. From there you can learn about the Spring Authorization Server project, which you may want to use.


How to resolve Spring RCE vulnerability(CVE-2022-22965)?

Update
This issue is now assigned to CVE-2022-22965. Other than the nice answers below, please do check Spring Framework RCE: Early Announcement as it is the most reliable and up-to-date site for this issue.
According to different sources, it seems we have a serious security issue when using the Spring Core library.
https://securityboulevard.com/2022/03/new-spring4shell-zero-day-vulnerability-confirmed-what-it-is-and-how-to-be-prepared/
Quoting from the above link, we are at risk if:
You use a Spring app (up to and including version 5.3.17)
Your app runs on Java 9+
You use form binding with name=value pairs – not using Spring’s more popular message conversion of JSON/XML
You don’t use an allowlist –OR– you don’t have a denylist that blocks fields like “class”, “module”, “classLoader”
The link suggests some solutions, but they don't seem easy to implement or reliable.
What should we do to fix this issue, in the easiest and most reliable way?
According to the Spring Framework RCE: Early Announcement, upgrading to Spring Framework 5.3.18 or 5.2.20 will fix the RCE.
If you use Spring Boot, Spring Boot 2.5.12 and Spring Boot 2.6.6 fixes the vulnerability.
If you're unable to update:
You can choose to only upgrade Tomcat. The Apache Tomcat team has released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat’s side.
If you can't do any of the above, the RCE announcement blog post suggests a workaround: set disallowedFields on WebDataBinder through a @ControllerAdvice:
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Refuse to bind any request parameter whose property path goes through
        // "class"/"Class", which is the ClassLoader access path used by CVE-2022-22965.
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
This quick fix will not work if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting. Also, more generally, the workaround will not have an effect if you use alternate REST frameworks such as Jersey (however, it has not yet been demonstrated that such configurations are impacted).
Note: a Spring upgrade is still needed later on, as the vulnerability is not in Tomcat.
Temporary workaround: upgrade Tomcat to 10.0.20, 9.0.62, or 8.5.78.
Spring Reference
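The caveat that a controller-local @InitBinder can undo the global denylist is easy to miss. The following is an added example (not code from the original answer, nor from the Spring project) showing both binder methods side by side; it assumes Spring Web MVC 5.x on the classpath, and the SignupForm class, field names and the /signup endpoint are constructed for illustration. Both @InitBinder methods run for a request, the advice first, and setDisallowedFields replaces the whole array rather than appending to it, so a controller that wants its own exclusion has to merge the global entries back in (or switch to an allowlist, as the second controller does).

```java
// Added example, not part of the original answer or of Spring itself.
import java.util.Arrays;
import java.util.stream.Stream;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Global fallback, the same pattern as the answer's workaround.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class GlobalBinderAdvice {
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassPaths(WebDataBinder binder) {
        binder.setDisallowedFields(DENYLIST);
    }
}

// Constructed form-backing object (hypothetical, for the example only).
class SignupForm {
    private Long id;
    private String username;
    private String email;
    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

@RestController
class SignupController {
    // Wrong version of this method would be: binder.setDisallowedFields("id");
    // That call runs after the advice and REPLACES the global denylist, silently
    // re-opening the class.* binding paths for this controller.
    @InitBinder("signupForm")
    public void initBinder(WebDataBinder binder) {
        String[] local = {"id"};
        String[] merged = Stream.concat(Arrays.stream(GlobalBinderAdvice.DENYLIST),
                                        Arrays.stream(local))
                                .toArray(String[]::new);
        binder.setDisallowedFields(merged);
    }

    @PostMapping("/signup")
    public String signup(SignupForm form) {
        return "registered " + form.getUsername();
    }
}

@RestController
class ProfileController {
    // Allowlist variant (the "allowlist" option from the question): only the named
    // properties can be bound from request parameters; everything else, including
    // any class.* path, is ignored regardless of what the global denylist says.
    @InitBinder("signupForm")
    public void initBinder(WebDataBinder binder) {
        binder.setAllowedFields("username", "email");
    }

    @PostMapping("/profile")
    public String update(SignupForm form) {
        return "updated " + form.getUsername();
    }
}
```

Of the two, the allowlist is the more robust setting to carry forward after the upgrade, because it does not depend on guessing every dangerous property path in advance.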

What's the difference between 'com.microsoft.azure' and 'com.azure'?

When creating a new Spring Boot project using Spring Initializr and adding Azure Support, it adds a dependency to com.microsoft.azure:azure-spring-boot-starter.
implementation 'com.microsoft.azure:azure-spring-boot-starter'
The spring cloud documentation says:
The Azure Support entry contains auto-configuration support for Azure
managed services [...]
Now I'd like to send and receive messages from Azure Service Bus and the documentation wants me to add a dependency to azure-servicebus.
implementation 'com.microsoft.azure:azure-spring-boot-starter'
implementation 'com.microsoft.azure:azure-servicebus'
Okay fine. When I now switch over to Microsoft and read the documentation about Service Bus there, it mentions two libraries, where Microsoft states the second one is dated and legacy.
azure-messaging-servicebus (latest) implementation 'com.azure:azure-messaging-servicebus:7.0.0'
azure-servicebus (legacy) 'com.microsoft.azure:azure-servicebus'
Question
Is the Spring Boot documentation just outdated?
I have read somewhere that libraries in com.microsoft.com are for managing the resource itself, while libraries in com.azure are for managing the data. Is this true?
What is meant by auto-configuration support?
As you can see I am very confused which dependencies I need to add. Also I don't get the difference between packages from com.azure and com.microsoft.azure.
Can someone please shed some light on this?

AspectJ dependency missing in spring boot 2.1.1

I was trying to create a new Spring Boot project using start.spring.io. Searching for dependencies, I found that there was no AspectJ starter available. Has this dependency been removed/deprecated from the Spring Boot starters? Here is a screenshot:
I, however, was able to find the dependency on maven repositories website:
It was removed indeed. @jwenting explained in a nutshell why. This starter is required if you want to create your own aspect or if you want to use some advanced AOP mode.
Most users don't need it and whenever a library requires it, its starter brings it automatically. Having a dedicated entry was confusing as we saw a very large amount of users picking this up for no good reason.
Also, please keep in mind that start.spring.io is not an exhaustive list of what you can do with Spring. We're focusing on the getting started experience only and avoiding cases that could lead to confusion. This one is a good example of the latter.
It's an implicit dependency, meaning you don't have to include it because it's automatically pulled in by anything that needs it.
You can still add it explicitly, but there's no need to (and afaik it's never been needed).

Spring Gemfire Cache implementation

I am trying to implement the cache mechanism provided by Spring Data GemFire. Has anyone implemented a solution? I need to check on performance and ease of implementing it.
Sonal-
First, you can find plenty of examples in the Spring User Guides, here, for example...
Accessing Data with GemFire,
Caching Data with GemFire, and ...
Accessing GemFire Data with REST
Additionally, there is a Spring GemFire Examples project here.
I have also started work on building a "Reference Implementation" (RI) for Spring Data GemFire/Geode, here. I have much work to do with this project yet, like documentation (READMEs) in the repo, but I do plan to keep it up-to-date with my latest developments since I use the code as a basis for all my conference talks. Anyway, there are plenty of code examples and tests in this GitHub project to keep you busy for a while.
Then, the Spring Data GemFire and Spring Data Geode GitHub projects themselves have plenty of tests to show you how to address different application concerns (Configuration, Data Access, Function Execution, etc.).
Of particular interest might be the new Annotation-based configuration model for SDG 2 that I am working on. This is currently a WIP and I am also working on User Guide documentation for this feature/functionality, but it is established and even inspired by the auto-configuration features and annotations provided by Spring and Spring Boot (e.g. @EnableXYZ).
Users have even started using the Annotation-based configuration model without significant documentation in place since it builds on concepts already available and familiar in Spring Boot. In fact, combining these SDG-specific annotations with Spring Boot makes for a very powerful combination while preserving the simple/easy nature of getting started, one of my primary goals.
Given the lack of documentation yet, you can find out more in the Spring IO blog, where I first blogged about it here. Then I expanded on this article in a second blog, talking specifically about security.
And if you are really curious, you can follow the latest developments of the Annotation configuration model in my testing efforts.
Finally, of course, as I have already alluded to, and as any good developer knows, getting started is as easy as following the examples and reviewing the Spring Data GemFire Reference Guide and Javadoc.
Don't forget to familiarize yourself with Pivotal GemFire as well! Javadoc here.
Hope this helps!
-John

Secure Spring REST Service using spring-security-oauth2 2.0.5.RELEASE

I have been searching for an example Spring web service which is protected using OAuth 2.0.
Looking around I found https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2, but some files seem to be missing from the project.
Two things that I am looking for are:
When the user authenticates, the user name and password go to /login.do; now I cannot understand how this servlet is configured, if it's not a controller. web.xml is missing.
When I try to see how the beans are configured, applicationContext.xml is also missing. I am not able to find those files in order to see how things are configured.
Help required:
Should I use annotations to configure my web service, or XML configuration? I am willing to use the latest version and leverage advanced configurations, for better security.
I have another single page application (HTML5), which accesses data from this Spring web service, which is hosted on Google App Engine. My ultimate objective is to create a Chrome plugin of the (HTML5) pages and use my service from there.
Please suggest a better path so that I can achieve my objectives.
Best regards,
Shashank Pratap
Apologies for the late reply.
1) Regarding the OAuth 2.0 implementation: since GAE does not support Servlet 3.0, the developer is restricted to Servlet 2.5. Therefore I found that we are restricted to 1.0.5.RELEASE. I was able to configure it successfully.
Best practice on GAE: rather than following this approach, I would suggest others use Google Endpoints, as it supports OAuth 2.0 and we can develop a REST API relatively quickly.
Scalability and response time: since I was using Spring dependency injection along with Spring Security, the application responded more slowly than the combination of Google Endpoints and Google Guice, as Guice does injection just in time, whereas Spring prepares everything as soon as a new instance starts, which created a problem for me.
2) The Chrome plugin is a completely different story. :-)
Please correct me if I am wrong.
Thanks,
Shashank Pratap
