I am testing my Spring Security application using PostMan client. When I change the password and update the request and fire the request, I am not getting 401 error. Spring security does not call the UserDetailsService. Only when I change the username to some wrong username, the UserDetailsService is getting called and I start seeing expected results. This might be a security issue. Is there something I am missing here.
I was able to solve the error. Setting the sessionCreationPolicy to Stateless resolved the issue. This link talks about the issue - Link
Related
I have a Spring Cloud Gateway, where I have ignored a set of URLs and authenticate a set of Authorized URLs. I have added SecurityContextRepository and AuthenticationManager which validates the token, now the issue is because it checks the token for every coming request so in case if I have an expired token coming in the header for an open endpoint it gives me an error that the token is expired.
Which I do not want because I have kept the endpoint open.
How can I resolved this, Does adding addFilterBefore or addFilterafter would work?
Please suggest something for this.
Thanks in advance.
I've been creating an OAuth2 Login application with Spring Security and have been making good progress, The Identity Provider I am working with requires that their /authorization endpoint be triggered with an HTTP POST.
I've been doing some testing and it seems that Spring Security triggers the /authorization endpoint by a GET request.
From looking at the OAuth RFC documentation, I see the following.
https://www.rfc-editor.org/rfc/rfc6749#section-3.1
The authorization server MUST support the use of the HTTP "GET"
method [RFC2616] for the authorization endpoint and MAY support the
use of the "POST" method as well.
So before I implement anything custom to trigger a POST request to the authorization server I am integrating with, I was just curious if anyone knew of a way to get Spring Security to trigger a POST for the /authorization instead of a /GET.
Curious if I'm missing where that functionality is supported, if at all.
Thanks for your time.
You can use springsecurity and oauth2server to configure your login model and through this interface to login
POST:
http://your_ip:port/auth/oauth/token?grant_type=password&username=username&password=password&client_id=yourclientid&client_secret=yoursecret
I'm using Spring security OAuth 2.0 authorization in a Spring Boot REST API. It works as expected in Postman tests but I don't succeed to make it working from Swagger "Try out". I'm using this post here: How to configure oAuth2 with password flow with Swagger ui in spring boot rest application. This is supposed to work but it doesn't in my case. I just need some clarification on the following method:
private SecurityContext securityContext() {
return SecurityContext.builder().securityReferences(defaultAuth()).forPaths(PathSelectors.ant("/user/**"))
.build();
}
What the /user/** URL stands for ? Does it means that the defined security context should apply on all URL matching the pattern ? Or does it mean that this URL shall be called to get the user details ?
My code is exactly as the one in the post, however, after I fill in the dialog box with the user credentials and scopes, etc. I get "Auth ErrorTypeError: Failed to fetch" and whatever I do I can't get any usefull log message.
It might have something to do with CORS as the HTTP filters, which are called when I'm doing Postman tests, aren't called in this case.
Any suggestion please ?
Many thanks in advance.
Kind regards,
Nicolas
I confirm that the code mentioned in the article works as expected. I was mistaken while performing tests with wrong URLs, etc. Sorry for the smalltalk.
Kind regards,
Nicolas
Hi everyone i am not able to proceed with following settings. your small pointers are appreciated.
problem statement
i am trying to use custom authorization server provided by spring cloud security and OAuth2 with my web application so that it can propagate access token to micro services in back end.
i can able to see my authorization server can able to provide access token and when try to ingest access token for invoking endpoints for for back end micro service it work as per expectation
problem faced
when i provide following configuration in spring boot web client(which will call my back end micro service)
in application.properties
security.oauth2.client.clientId=myclient
security.oauth2.client.clientSecret=abcsecret
security.oauth2.client.access-token-uri=http://localhost:9000/services/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:9000/services/oauth/authorize
security.oauth2.client.clientAuthenticationScheme=form
security.oauth2.resource.user-info-uri=http://localhost:9000/services/user
security.oauth2.resource.prefer-token-info=true
and i provide
http://localhost:8080
in my browser. it asks for credentials. i provide credentials as present with authorization server.
once valid credentials provided authorization server asks for valid scopes.
but one important thing i observe when my web client routed to authorization server it has redirect_uri
http://localhost:8080/login
(not ok since initially i entered http://localhost:8080)
i am also getting HTTP 401 error
I've been attempting to set up Swagger Spring-MVC and Swagger UI using the latest version of the SpringMVC implementation here : Swagger Spring-MVC
I've been able to get the initial setup working, but when I introduce the entry-point-ref for authentication to http for returning customer error response incase of Authentication or Authorization error, I get an error saying that it can't access my api. When I look in firebug, it says that it's getting a 401 Unauthorized.
In my initial setup first navigate to the SwaggerUI URL, a dialog pops up for me to enter my user-name and password. I know it's correct because I can manually use my resources with the same credentials.
But after adding that entry-point-ref for customAuthenticationEntryPoint, it started failing with 401 Unauthoized.
Does anyone know what my solution would be? Thanks in advance.