Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Assume that I have the server started on http://localhost:8080/
How can I configure in order to skip authorization on http://localhost:8080/aaaa
#EnableWebSecurity
#Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
public void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/aaaa").permitAll()
.anyRequest().authenticated();
}
}
Related
This question already has an answer here:
Spring get instance of AuthenticationManager complicated since WebSecurityConfigurerAdapter deprecated
(1 answer)
Closed 5 months ago.
In Spring Boot 2.7.4, the WebSecurityConfigurerAdapterclass which contains the authenticationManagerBean function is deprecated
What is the alternative?
I have been facing the same problem as you these days, the only solution found is this
#Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
But this is causing me an exception in testing.
I posted a spring-boot issue on GitHub. Take a look to keep up to date.
https://github.com/spring-projects/spring-framework/issues/29215
It could be a bug
I found that the alternative is the getAuthenticationManager function in the AuthenticationConfiguration class
#Bean
protected SecurityFilterChain configure(final HttpSecurity http,
final AuthenticationManagerBuilder auth,
final AuthenticationConfiguration authenticationConfiguration) throws Exception {
// set the authentication provider
auth.authenticationProvider(daoAuthenticationProvider());
// set the authorization and authentication rules
return http
.csrf().disable()
// Make sure that the session is stateless because we are using JWT
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
// Add the JWT filter (my custom filter)
.addFilter(new JwtFilter(authenticationConfiguration.getAuthenticationManager()))
.build();
}
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 months ago.
Improve this question
I wanted to check to see if I hadn't missed another option for logging.
I want to be able to add logging of HTTP input requests and HTTP output requests without having to add explicit logging constructs just before/after each call. AOP seems to be a way of doing this. Is there another fashion? I was also looking at wiretap/global channel interceptors but this would not appear to apply to inbound-endpoints and outbound-endpoints. Thanks for any pointers.
You could log inbound requests and outbound responses with a javax.servlet.Filter implementing class.
#WebFilter(urlPatterns = {"/*"})
public class logFilter implements Filter {
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
System.out.println("Inbound request " + httpServletRequest.getRequestURI());
filterChain.doFilter(servletRequest, servletResponse);
System.out.println("Outbound response " + httpServletResponse.getStatus());
}
}
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I am working on a SOAP webservice with spring boot and spring security with basic authentication. The authentication works, but I would like to authorize anonymous user to access at many endpoints. I don't know how to do.
I think to create 2 wsdl, one for endpoints with authentication and another for endpoints without authentication. Is it possible ?
Else is it possible to annotate an endpoint with something like #PreAuthorize(permitAll) or customize spring security ?
What is the proper way to do and how ?
Thanks in advance.
I tried this :
#PayloadRoot(namespace = NAMESPACE_URI, localPart = "createAuthorRequest")
#ResponsePayload
#PreAuthorize("permitAll()")
public CreateAuthorResponse createAuthor(
#RequestPayload CreateAuthorRequest request
) throws WSException {
return authorService.createAuthor(request);
}
or customize spring security :
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.httpBasic()
.and()
.authorizeRequests().antMatchers(HttpMethod.POST, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
.antMatchers(HttpMethod.GET, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
.antMatchers(HttpMethod.PUT, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
.anyRequest().authenticated()
.and()
.csrf().disable().headers().frameOptions().disable();
But it doesn't change. With SOAP, I don't know how to get the name of endpoint called. Here the log of spring security :
2019-05-29 22:49:39.060 INFO 8228 --- [io-8080-exec-10] Spring Security Debugger :
************************************************************
Request received for POST '/ws':
org.apache.catalina.connector.RequestFacade#7445a104
servletPath:/ws
pathInfo:null
headers:
accept-encoding: gzip,deflate
content-type: text/xml;charset=UTF-8
soapaction: ""
content-length: 516
host: localhost:8080
connection: Keep-Alive
user-agent: Apache-HttpClient/4.1.1 (java 1.5)
is it possible to annotate an endpoint with something like
#PreAuthorize(permitAll)
if you are using #PreAuthorize in your controllers, you can just add #PreAuthorize("permitAll()").
or customize spring security ?
In you custom security config., add all the endpoints that you want to be available in public or with no authorization in antMatchers then set it to permitAll.
Sample:
#Configuration
#EnableWebSecurity
public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// permit all access to these endpoints.
.antMatchers("/endpoint1", "/endpoint2", "endpoint3/**").permitAll()
// any other request needs to be authenticated
.anyRequest().authenticated();
}
}
You may also specify the httpmethod to that you want to permit by adding the method as parameter before the list endpoints.
.antMatchers(HttpMethod.GET, "/endpoint1", "/endpoint2", "endpoint3/**").permitAll()
.antMatchers(HttpMethod.PUT, "/endpoint1", "endpoint3/**").permitAll()
.antMatchers(HttpMethod.POST, "endpoint3/**").permitAll()
This question already has answers here:
Spring Security Login Page
(2 answers)
How to use Spring Security to custom login page?
(3 answers)
Closed 4 years ago.
Currently Spring Security is displaying this default login screen:
How can I configure Spring boot security so that I can use my own template so that I can customize it?
You can do something like:
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
// other security settings...
.formLogin()
.loginPage("/login.html")
;
}
}
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 5 years ago.
Improve this question
I'm not understanding how this code works especially the OncePerRequestFilter class what's the purpose of this class I''ve pasted the code available to me.
public class AuthenticationFilter extends OncePerRequestFilter{
private final LoginService loginService;
private static final Logger logger = Logger.getLogger(AuthenticationFilter.class);
public AuthenticationFilter(final LoginService loginService) {
super();
this.loginService = loginService;
}
#Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain filterChain)
throws ServletException, IOException {
final String xAuth = request.getHeader("X-Authorization");
Authenticate and Authorization are two different terms.
1. Authenticate : you are the one who you are claiming.
2. Authorization : What are you allowed to do.
Assumption : your question is for authorize : " I want to authorize specific user based on rest api's".
configure http.authorizeRequests().antMatchers("/products").access("hasRole('ROLE_ADMIN')")
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/products").access("hasRole('ROLE_ADMIN')").anyRequest().permitAll().and().authorizeRequests().antMatchers("/hello").access("hasRole('ROLE_ADMIN')").anyRequest().permitAll().and()
.formLogin().loginPage("/login").usernameParameter("username").passwordParameter("password").and()
.logout().logoutSuccessUrl("/login?logout").and().exceptionHandling().accessDeniedPage("/403").and()
.csrf();
}
refer for full code : https://github.com/Roshanmutha/SpringSecurityJDBC/blob/master/src/main/java/com/roshantest/WebSecurityConfig.java