I'm putting in place a Spring web server and I want my API to be secured with the OAuth2 Password Flow. Everything seems to be working fine for the AuthorizationServer part (no problem authenticating and getting an access token), but on the ResourceServer part I keep getting the following error:
org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
Am I right in assuming that, since any OAuth2 configuration is by nature split between the authorization server, which grants the access token, and the resource server, which checks that token's validity, any access token granted by the AuthorizationServer to a client will be seen as some sort of pre-authentication by the ResourceServer, and will thus make it look for a provider able to support this kind of Authentication?
If that is the case, what would be the best way to provide one? I'm struggling to find any concrete example.
Or is my assumption wrong and the problem is coming from my setup being incorrect somewhere else? Maybe I missed the part where I should make such a Provider available.
Thanks in advance!
I ended up solving my problem by starting over from a fresh configuration. It works well now, no more PreAuthentication-related error. I am not sure exactly what I did wrong the first time, but my configuration is simpler now than it was before, so I guess I disabled something I shouldn't have by trying too hard to give Spring something I thought was missing.
Anyway, thanks for trying to help me @dur.
There's a Keycloak (KC) server in my company, and I'm working on some app.
The backend is Spring Boot 2.6.6, the front-end is AngularJS.
When the user presses the 'Log In' button, they get redirected to the Keycloak login page and enter their credentials. This part is implemented already and working fine.
But then comes the tricky part: I need to return to the front-end a JWT token with some granted authorities, and those authorities will depend on what the application gets from its DB for every particular user. All other endpoints will have @PreAuthorize with the needed authority.
So I can't get the JWT from KC, because KC doesn't know anything about the app's view of the user's granted authorities.
Can you please help with some ideas on how to achieve this? I'm trying to implement this and I'm starting to doubt whether it is achievable.
One of the errors I'm getting is:
Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.
Thank you
Keycloak is OAuth2 and OpenID Connect (OIDC) protocol compliant, which means you can use the authorization flow patterns already defined in OAuth2.
OAuth2 has an implementation of step-by-step authorization logic called the Authorization Code Flow (one of many, but I believe the most suitable one for your use case). The RFC docs for this flow explain it pretty well, and you can find them here. You should also look at how Keycloak implementations are done.
Learning and implementing this flow in your project will give you an industry-standard solution.
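As an added illustration of the answer above (this is example code, not code from the question or the answer), the following shows the Authorization Code flow against Keycloak wired into a single SecurityFilterChain bean (no WebSecurityConfigurerAdapter, which is what the "Please select just one" error complains about), with the granted authorities taken from the application's own database rather than from Keycloak. It assumes Spring Boot 2.6.x (Spring Security 5.6), the spring-boot-starter-oauth2-client dependency, a client registration named keycloak under spring.security.oauth2.client.*, and a hypothetical RoleRepository that returns the roles the app has stored for a given e-mail address.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical repository: the application's own user -> roles table, keyed by e-mail.
interface RoleRepository {
    Collection<String> findRolesByEmail(String email);
}

@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // turns on @PreAuthorize; there must be no WebSecurityConfigurerAdapter subclass left
public class KeycloakSecurityConfig {

    private final RoleRepository roleRepository;

    public KeycloakSecurityConfig(RoleRepository roleRepository) {
        this.roleRepository = roleRepository;
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/", "/index.html", "/static/**").permitAll()
                .anyRequest().authenticated())
            // Authorization Code flow: redirect to Keycloak, exchange the returned code for tokens,
            // then let our own user service decide which authorities the session gets.
            .oauth2Login(login -> login
                .userInfoEndpoint(userInfo -> userInfo.oidcUserService(oidcUserService())));
        return http.build();
    }

    @Bean
    OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
        OidcUserService delegate = new OidcUserService();
        return request -> {
            // The delegate validates the ID token (signature, issuer, audience, expiry) and loads userinfo.
            // Its authorities only mirror Keycloak's scopes, which is not what this application wants.
            OidcUser keycloakUser = delegate.loadUser(request);

            // Replace them with the application's own decision, taken from its DB.
            Set<GrantedAuthority> authorities = new HashSet<>();
            for (String role : roleRepository.findRolesByEmail(keycloakUser.getEmail())) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
            }
            if (authorities.isEmpty()) {
                // Authenticated at Keycloak but unknown to this application: refuse the login outright.
                throw new OAuth2AuthenticationException("user_not_provisioned");
            }
            return new DefaultOidcUser(authorities, keycloakUser.getIdToken(), keycloakUser.getUserInfo());
        };
    }
}

@RestController
class ReportController {

    // Evaluated against the authorities computed above, not against anything Keycloak issued.
    @GetMapping("/api/reports")
    @PreAuthorize("hasRole('REPORT_VIEWER')")
    public String reports() {
        return "report data";
    }
}
```

With this setup the browser holds a session cookie after the Keycloak redirect, and every @PreAuthorize check runs against the ROLE_* authorities loaded from the app's DB, so Keycloak never needs to know about them. If the AngularJS client must receive an application-issued JWT instead of a session, that token would be minted from the same authorities in a controller after login; it is deliberately not shown here because the page does not describe how that token is meant to be verified.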
Currently, we have a Spring Boot REST application connecting to a MySQL database in which we have a table named "User" with several fields. Among them are the field "email" and the field "password", stored as sha256(email + plain_password).
We also have an endpoint named "login" that receives two strings: email and password. If a user with that email exists, we calculate sha256(email + plain_password) and compare it against the one we have in the database. If the strings are equal, the identity is verified and a signed "token" (with an expiry time and more user-related data) is issued and returned to the client.
Now, every time we need to "secure" an endpoint, we ask for a "token" in the request header of the HTTP call. An interceptor reads every header of every call and, in case one of those headers is the issued "token", we verify the signature, the expiration time and the name for whom it was issued.
The "secured" endpoint also has a custom annotation that indicates which role is allowed to invoke it. So if the interceptor verifies the token and the token belongs to a user with the annotated role, we proceed with the normal flow of the endpoint. Otherwise, we throw an UnauthorizedException.
Question: Does Spring Security provide "out of the box" a token generation/verification mechanism like the one described above?
You have implemented a custom security model for authentication and authorization. If someone else were to look at your code, they would eventually be able to figure it out, but they would have many questions. A Spring Security-based implementation is easier to understand and extend. Spring Security also provides support for testing.
If you were to switch to an OAuth-based auth model, you would have to do it yourself. Spring Security would make this transition much faster.
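To make the answer concrete, here is an added example (not code from the question or the answer) of the same login/token/role scheme expressed with what Spring Security ships: BCryptPasswordEncoder for the password check, JwtEncoder/JwtDecoder (spring-security-oauth2-jose, Spring Security 5.6+) for issuing and verifying a signed, expiring token, the resource-server filter in place of the hand-written interceptor, and @PreAuthorize in place of the custom role annotation. It assumes Spring Boot 2.6 on Java 17 with spring-boot-starter-oauth2-resource-server; the User record, UserRepository, the "roles" claim name and the demo HMAC key are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Optional;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical persistence types standing in for the "User" table described in the question.
record User(String email, String passwordHash, List<String> roles) {}
interface UserRepository { Optional<User> findByEmail(String email); }

@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // enables @PreAuthorize, the standard replacement for the custom role annotation
public class TokenSecurityConfig {

    // Constructed demo key (HS256 needs >= 32 bytes). Load a random key from a secret store in real use.
    static final SecretKey HMAC_KEY = new SecretKeySpec(
        "constructed-demo-key-please-replace-with-32-random-bytes".getBytes(StandardCharsets.UTF_8), "HmacSHA256");

    @Bean PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    @Bean JwtEncoder jwtEncoder() { return new NimbusJwtEncoder(new ImmutableSecret<>(HMAC_KEY)); }

    @Bean JwtDecoder jwtDecoder() {
        // Verifies the HS256 signature and rejects expired / not-yet-valid tokens on every request.
        return NimbusJwtDecoder.withSecretKey(HMAC_KEY).macAlgorithm(MacAlgorithm.HS256).build();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles");   // read our "roles" claim instead of the default "scope"
        roles.setAuthorityPrefix("ROLE_");         // so that hasRole('ADMIN') matches the claim value "ADMIN"
        JwtAuthenticationConverter toAuthentication = new JwtAuthenticationConverter();
        toAuthentication.setJwtGrantedAuthoritiesConverter(roles);
        http
            .csrf(csrf -> csrf.disable())   // bearer-token API: no session cookie, so CSRF does not apply
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated())
            // This filter replaces the hand-written interceptor: it reads "Authorization: Bearer <jwt>",
            // runs jwtDecoder(), and turns the claims into the Authentication that @PreAuthorize checks.
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(toAuthentication)));
        return http.build();
    }
}

@RestController
class LoginController {
    private final UserRepository users;
    private final PasswordEncoder passwords;
    private final JwtEncoder jwts;

    LoginController(UserRepository users, PasswordEncoder passwords, JwtEncoder jwts) {
        this.users = users; this.passwords = passwords; this.jwts = jwts;
    }

    record Credentials(String email, String password) {}
    record TokenResponse(String token) {}

    @PostMapping("/login")
    TokenResponse login(@RequestBody Credentials creds) {
        // BCrypt (salted, deliberately slow) replaces sha256(email + password); matches() does the comparison.
        User user = users.findByEmail(creds.email())
            .filter(u -> passwords.matches(creds.password(), u.passwordHash()))
            .orElseThrow(() -> new ResponseStatusException(HttpStatus.UNAUTHORIZED));
        Instant now = Instant.now();
        JwtClaimsSet claims = JwtClaimsSet.builder()
            .issuer("my-app").subject(user.email())
            .issuedAt(now).expiresAt(now.plus(Duration.ofMinutes(30)))
            .claim("roles", user.roles())   // e.g. ["ADMIN"]
            .build();
        JwsHeader header = JwsHeader.with(MacAlgorithm.HS256).build();   // the encoder defaults to RS256 otherwise
        return new TokenResponse(jwts.encode(JwtEncoderParameters.from(header, claims)).getTokenValue());
    }

    @GetMapping("/admin/users")
    @PreAuthorize("hasRole('ADMIN')")   // evaluated only after the token's signature and expiry were verified
    String adminOnly() { return "only holders of a valid token with role ADMIN reach this"; }
}
```

Two practical notes: the existing sha256(email + password) values cannot be converted into BCrypt hashes, so a migration has to re-hash each password at the user's next successful login (or use DelegatingPasswordEncoder to accept both formats during the transition); and an HMAC key means every service that verifies tokens can also mint them, so if several services will check the same token an RSA/EC key pair with the private key held only by the issuer is the better choice.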
Auth::check() returns false in a custom middleware. What's wrong?
If you are using the default authentication setup, that would be using sessions. You defined the middleware that you created as a global middleware. These run before the route middleware. The web group of middleware provides the session support needed for authentication to work. This is a group of route middleware and runs after your global middleware, so you don't have access to the session, and hence authentication, yet.
Since this middleware is only there to check something based on authentication, which requires the session, it should be appended to your web group of middleware in $middlewareGroups instead, so it will run in the appropriate order.
Previously I was using md5 for decryption, but later on I switched to BCrypt, which is a better alternative.
So let's say I developed an API, and in it there is a service for user log in. I call this service using Postman, passing the required parameters, i.e. username and password.
Now, I don't know if it's possible or not, but what if some hacker intercepts my requests? If he can intercept them, then that means he can see the plain password which I've sent in the request param, right?
What's the best thing to do here, if it's possible? Do I have to pass the password encrypted with BCrypt in the API?
P.S. I use JWT-based authentication for my APIs.
Use HTTPS instead of HTTP for your API requests. Then it is difficult or impossible to carry out man-in-the-middle attacks.
Always use the POST method instead of GET or any other method to send confidential data.
"Implementing the use of TLS and HTTPS would provide effective encryption and authentication of transmitted data to protect the website from Man-in-the-Middle attacks. This effectively obstructs the decryption of confidential data like authentication keys"
I'm not looking for opinion here; I realize how easily this question could get off topic, so let me explain.
I'm trying to figure out why we would use Basic HTTP Authentication at all if the username and password are simply passed as base64-encoded parameters from an AJAX request.
I understand the difference between Authentication and Authorization, but I'm not sure I see why we would even have the Authentication step in place for HTTP if it would take a user 10 seconds to find it and then simply replicate the parameters in every API request from then on.
I've not found any good answers to this question in my research; I only find how to use Basic authentication.