In spring web I can use sessionManagement as show below. However in webflux im not able to find any information on how to do this type of session management.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEWER)
}
My question is how do I do the following setup in webflux???
Related
I have an angular app being served as a static content from a spring boot app. The angular app is inside target/classes/static/index.html of spring boot app. I also have a rest api served from spring boot and it needs to have basic auth enabled. I have configured my security config as below
#Configuration
#EnableWebSecurity
public class SecrityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private AuthenticationEntryPoint authEntryPoint;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("john123").password("password").roles("USER");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic()
.authenticationEntryPoint(authEntryPoint);
}}
The basic auth is working as expected for the rest endpoint. But when I try to load the angular app from localhost:8080/springbootappname/ it's prompting credentials. When I give the credentials that I have configured, the angular app is being loaded.
So, I need help disabling this basic auth for angular app that is being unpacked into classes/static/
You can manage it couple of way to server static contents.
You can override Security for static content.
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/target/classes/static/**");
}
You can even manage it in http security override with matching antmacher.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/target/classes/static/**").permitAll()
.anyRequest().authenticated()
.and().httpBasic()
.authenticationEntryPoint(authEntryPoint);
}
Better to manage your static content from resources.please see link
https://spring.io/blog/2013/12/19/serving-static-web-content-with-spring-boot
I am quite new to Spring boot OAuth. My application is using OAuth2 integrated with Azure AD. I want to have a URL which will not redirect to Azure AD for authentication. It was quite straight forward with Spring Security, we could configure something like this:
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/someURL");
}
Is there an alternative available for OAuth?
Yes can allow access to everyone by using this
#Override
public void configure(HttpSecurity http) throws Exception {
http.antMatchers("/someURL").permitAll();
}
for details check.
You can avoid specific end point authentication like below
#Override
public void configure(final HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/url/**").permitAll()
.anyRequest().authenticated();
}
I have a webapplication based on spring boot that should be secured via http basic auth except the request is send from a specific IP address.
I am able to set-up both configurations for themselves but not combined via or.
IP Filter
private String allowedIp = "123.456.789.123/32";
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.anyRequest().hasIpAddress(allowedIp);
or
HTTP Basic Auth
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.anyRequest().authenticated().and().httpBasic().authenticationEntryPoint(cncAuthEntryPoint);
}
How can I combine these two configurations?
I am using
Spring 5.0.4,
Spring Boot 2.0.0, and
Spring Security 5.0.3.
Do you need any addtional information?
How can I prevent my application from this type of errors:
Refused to execute script from 'http://localhost:8091/inline.f65dd8c6e3cb256986d2.bundle.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
It's a Spring Boot app with Angular 4 and when I run first page it throws those errors.
errors
I think it could have connection with Spring Security becuase when I added:
.and().formLogin().loginPage("/")
.loginProcessingUrl("/").permitAll();
It started throwing errors, but I really need this piece of code. The whole method looks:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/resources/static/**/*", "/", "/api/auth").permitAll()
.anyRequest().authenticated()
.and().formLogin().loginPage("/")
.loginProcessingUrl("/").permitAll();
}
Assuming you are extending your security configuration class from WebSecurityConfigurerAdapter then you could make use of overriding protected void configure(WebSecurity web) throws Exception:
#Override
protected void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/inline.**") // or better ending with ".{js,html}" or something
.antMatchers("/resources/static/**/*");
}
This would allow all requests starting with /inline. and /resources/static/....
In Spring Security Java Config
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/guest/**").authenticated;
}
What if I want this same url to be allowed access to a particular principal or a User.
And others Authentication needed. Is it possible?
If you want to completely bypass any security checks for certain URLs, you could do the following:
#Override
public void configure(WebSecurity web) throws Exception {
// configuring here URLs for which security filters
// will be disabled (this is equivalent to using
// security="none")
web
.ignoring()
.antMatchers(
"/guest/**"
)
;
}
This is equivalent to the following XML snippet:
<sec:http security="none" pattern="/guest/**" />
Two approaches; first, use HttpSecurity#not() like this to block anonymous users;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/guest/**")
.not().hasRole("ANONYMOUS");
// more config
}
Or use something like ROLE_VIEW_GUEST_PAGES that gets added depending on the user type from your UserDetailsService. This, IMO gives you better control over who sees guest pages.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/guest/**")
.hasRole("VIEW_GUEST_PAGES");
// more config
}