How do I disable csrf protection for springfox Swagger UI without Spring Security or Spring Boot? - spring

We have a REST API using Spring MVC that doesn't use Spring Security or Spring Boot. The rest API url is {domain}/product/rest/v1/{controller}. We also have a regular web GUI using Struts2 that is just at {domain}/product/{action}.
We're currently researching autogenerating API documentation using Springfox-swagger and springfox-swagger-ui. It was fairly easy to get Swagger to work using minimal configuration, but the problem is that Springfox by default tries to do a CSRF token request, which we don't use in the REST API. I've googled how to disable this, but every article I can find talks about how to disable it using the Spring Security WebSecurityConfigurationManager. We don't use Spring Security and would rather not have to add it.
Is there a way to disable the Springfox Swagger UI CSRF token check without using Spring Security or Spring Boot?

To disable csrf() you need to add Spring Security to your project; follow this link on how to disable csrf() in Spring:
https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html

Related

Refresh Token Rotation in Spring Boot

We use Spring Boot for our OAuth2 implementation, which is very good at supporting all kinds of grants and follows the standards.
We would like refresh token rotation, as described below, to use in a Single Page Application:
https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation
I know the default Spring Boot doesn't support it. Is there any way to support this feature with existing Spring Security?
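The rotation scheme the linked Auth0 page describes can be implemented in plain Java independently of any Spring Security support. The class below is an added example, not code from the post or from Spring; it assumes a hypothetical in-memory store (a real service would persist the records) and models the two properties that make rotation worthwhile: every refresh token is single-use, and presenting an already-used token is treated as reuse detection that revokes the whole token family.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example of refresh token rotation with reuse detection (hypothetical store). */
public class RefreshTokenRotation {

    /** Record kept per issued refresh token. */
    static final class TokenRecord {
        final String familyId;      // ties every token issued from one login together
        final String subject;
        final long expiresAtMillis;
        boolean used;               // set once the token has been redeemed

        TokenRecord(String familyId, String subject, long expiresAtMillis) {
            this.familyId = familyId;
            this.subject = subject;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final Map<String, TokenRecord> tokens = new ConcurrentHashMap<>();
    private final Map<String, Boolean> revokedFamilies = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long ttlMillis;

    RefreshTokenRotation(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /** Issued at login: starts a new token family. */
    public String issueInitial(String subject) {
        return issue(newOpaqueToken(), subject);
    }

    /** Exchanges a refresh token for a new one; returns null when the presented token is rejected. */
    public String rotate(String presented) {
        TokenRecord rec = tokens.get(presented);
        if (rec == null || revokedFamilies.containsKey(rec.familyId)) {
            return null;
        }
        if (System.currentTimeMillis() > rec.expiresAtMillis) {
            tokens.remove(presented);
            return null;
        }
        synchronized (rec) {
            if (rec.used) {
                // Reuse detected: an already-redeemed token was presented, so the
                // legitimate client and a possible thief both hold tokens from this
                // family. Revoke every token in the family and force a fresh login.
                revokedFamilies.put(rec.familyId, Boolean.TRUE);
                tokens.values().removeIf(r -> r.familyId.equals(rec.familyId));
                return null;
            }
            rec.used = true;
        }
        return issue(rec.familyId, rec.subject);
    }

    private String issue(String familyId, String subject) {
        String token = newOpaqueToken();
        tokens.put(token, new TokenRecord(familyId, subject, System.currentTimeMillis() + ttlMillis));
        return token;
    }

    /** 256-bit random opaque token, URL-safe so it survives form and query encoding. */
    private String newOpaqueToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        RefreshTokenRotation store = new RefreshTokenRotation(60_000);
        String t1 = store.issueInitial("alice");   // constructed sample subject
        String t2 = store.rotate(t1);              // normal rotation succeeds
        String replay = store.rotate(t1);          // t1 replayed: rejected, family revoked
        String t3 = store.rotate(t2);              // t2 is now rejected as well
        System.out.println("rotated=" + (t2 != null) + " replayRejected=" + (replay == null)
                + " familyRevoked=" + (t3 == null));
    }
}
```

The store only holds opaque random strings; the subject and family id live server-side, so no claim in the token can be tampered with, and the single `synchronized` block on the record is what makes two concurrent presentations of the same token resolve to exactly one success.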

What is the difference between spring-boot-starter-oauth2-client, spring-cloud-starter-oauth2 and spring-security-oauth2

I am developing a client application for client_credentials grant type flow in OAUTH2.
I am not able to decide on which dependency to use in my project for this purpose among the following.
spring-boot-starter-oauth2-client
spring-cloud-starter-oauth2
spring-security-oauth2
I referred to this documentation from spring-projects in which, under the client-support section, it had a table describing the available options. But I am not able to understand which column is referring to which of the above dependencies.
I want to configure a WebClient or RestTemplate which retrieves the OAUTH2 token from the auth-server automatically before accessing a resource-server.
Please guide me in choosing the right artifact for my project.
If you are using Spring Boot you should choose org.springframework.boot:spring-boot-starter-oauth2-client.
This includes Spring Security's OAuth 2.0 Client support and provides Spring Boot auto-configuration to set up OAuth2/Open ID Connect clients.
You can read about how to configure a client in the Spring Boot reference documentation.
You can also find additional details in the Spring Security reference documentation.
If you are not using Spring Boot then you should choose org.springframework.security:spring-security-oauth2-client. This also provides Spring Security's latest OAuth 2.0 Client support, but does not include the Spring Boot auto-configuration.
The corresponding documentation is also the Spring Security reference documentation.
The third dependency you mentioned org.springframework.security.oauth:spring-security-oauth2 should not be used because it is part of the legacy Spring Security OAuth project, which is now deprecated.
The functionality that this library provided has now been moved into Spring Security.
That is what the Migration Guide describes, the migration from the legacy project to the latest Spring Security support.
You should not use the org.springframework.cloud:spring-cloud-starter-oauth2 at this time, because it relies on the legacy OAuth support.
This is likely to change in the future, as the Spring Cloud team updates to the latest Spring Security support.

AuditEvent AUTHORIZATION_SUCCESS not fired in OAuth2 Resource Server

According to this article, and many others on the web, Spring Boot Actuator provides out of box support for Security Auditing, by using the Actuator endpoint /auditevents and by listening to the AuditApplicationEvents.
I'm testing Spring Boot v2.1.0.RC1 with Spring Security v5.1.1 and the OAuth2 Resource Server for validation of JWT and user authentication; see the code at Github ismarslomic/spring-security-resourceserver-example.
The authentication/authorization part works as expected, using Google as IdP. However, the AUTHORIZATION_SUCCESS event is never fired from Spring Boot Actuator. The only event fired and caught by LoginAttemptsLogger is AUTHORIZATION_FAILURE, when I drop adding the JWT in the Authorization header.
Anything I'm missing?
This turned out to be a bug in Spring Security, which has been resolved in versions 5.1.2 and 5.0.10. See more info at https://github.com/spring-projects/spring-boot/issues/14921

Secure Rest Apis Using Okta + Oauth

Currently I am creating REST APIs in Spring Boot. I want to secure those APIs using Okta with OAuth.
Can anyone help on this?
You can use Okta's Spring Boot Starter for this. https://github.com/okta/okta-spring-boot
Warning: there is an issue where you can't use devtools with this starter.

Using Swagger with Spring Boot and JWT

I run my app with Spring Boot using a JWT token for authentication. I have a filter that checks the token. Also, my app provides REST API documentation with Swagger 2. I don't want my REST API to be public.
So my question is, how can I provide security for Swagger access, and can I provide basic security for it?
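One way to give the Swagger endpoints their own gate, separate from the JWT filter that protects the API itself, is a plain servlet filter that demands HTTP Basic credentials on the documentation paths only. The class below is an added example and not code from the post, Springfox or Spring Boot; it assumes the javax.servlet API of Spring Boot 2, and the springfox Swagger 2 path prefixes it guards (`/swagger-ui.html`, `/swagger-resources`, `/v2/api-docs`, `/webjars/springfox-swagger-ui`) are assumed defaults for this illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: HTTP Basic gate in front of the Swagger 2 documentation paths. */
public class SwaggerBasicAuthFilter implements Filter {

    // Assumed springfox Swagger 2 defaults; adjust to match the paths your app actually serves.
    private static final String[] SWAGGER_PATHS = {
        "/swagger-ui.html", "/swagger-resources", "/v2/api-docs", "/webjars/springfox-swagger-ui"
    };

    // Expected "user:password" bytes; compared in constant time so timing does not leak length or prefix.
    private final byte[] expectedCredentials;

    public SwaggerBasicAuthFilter(String user, String password) {
        this.expectedCredentials = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
    }

    /** True when the request path (context path stripped) is one of the documentation paths. */
    static boolean isSwaggerPath(String path) {
        for (String prefix : SWAGGER_PATHS) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Validates an "Authorization: Basic ..." header value against the configured credentials. */
    boolean isAuthorized(String authHeader) {
        if (authHeader == null || !authHeader.startsWith("Basic ")) {
            return false;
        }
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(authHeader.substring("Basic ".length()).trim());
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        return MessageDigest.isEqual(presented, expectedCredentials);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (isSwaggerPath(path) && !isAuthorized(request.getHeader("Authorization"))) {
            // Challenge the browser; nothing about the API is revealed on failure.
            response.setHeader("WWW-Authenticate", "Basic realm=\"api-docs\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

In a Spring Boot app the filter is registered through a FilterRegistrationBean with an order lower than the JWT filter's, so the documentation challenge runs first; the credentials belong in externalised configuration rather than source, and Basic auth only makes sense over TLS, since the header carries the password in reversible encoding.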
