Dynamic Spring Security update - spring

I faced issue trying to get my roles updated from DB. Is it possible to programmatically add configuration to spring security. e.g.
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN");
Can i add a new configuration say .antMatchers("/user-service/**").hasRole("USER_DRIVER"); programmatically?
I tried adding a scheduled job using spring boot to refresh the configuration. However, they are not accepted.
Help appreciated.
Many thanks.

Related

How to handle security.enable-csrf in Spring Boot 2?

I'm migrating an application from Spring Boot 1.5 to 2.0.5.
I have a property set as security.enable-csrf=true in 1.5 version which is not available in 2.0 version of Spring Boot.
I read the documents and it is said that in Spring Boot 2.0:
CSRF protection is enabled by default in the Java configuration.
So by default it is enabled ok fine, but there is also one class created which extends WebSecurityConfigurerAdapter this means Spring Boot default security configuration has been turned off. Is this also means security.enable-csrf is disabled now?
If yes how do I enable it like I had it in the application for 1.5 version.
I didn't get any document which gives a clear confirmation on how to handle security.enable-csrf property in Spring Boot 2.0 and while declaring the WebSecurityConfigurerAdapter.
Does anyone know about it? Also any document link which I have missed to read about this would be great help.
In order to have backward compatibility with the property already been set in you application, security.enable-csrf=true, you can use the following code:
#EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
#Value("${security.enable-csrf}")
private boolean csrfEnabled;
#Override
protected void configure(HttpSecurity http) throws Exception {
if (!csrfEnabled) {
http.csrf().disable();
}
}
}
As you might guess the magic comes from http.csrf().disable(); that
in the above code you can control enabling/disabling it by the
property you have set in you application.properties file.
More Info:
For more details you can also refer to the spring documents:
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf
WebSecurityConfigurerAdapter is an abstract class, when you create a class which extends WebSecurityConfigurerAdapter, you will override void configure(HttpSecurity http) method.
You can disable csrf in this method, like that;
http.csrf().disable();
You can read this comment on top of the csrf() method (in HttpSecurity class).
Adds CSRF support. This is activated by default when using
WebSecurityConfigurerAdapter's default constructor. You can disable it ...."
This comment says that, when you extends this class, default constructor of WebSecurityConfigurerAdapter works and csrf is activated.

Spring Boot 2 http.httpBasic().disable(); not working

I recently upgraded from Spring Boot 1.x to Spring Boot 2.0.3 and I am trying to disable basic auth with no success.
#Configuration
#EnableWebSecurity(debug=true)
#EnableGlobalMethodSecurity(securedEnabled = true)
public class CustomSecurity extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.httpBasic().disable();
// the rest of my config
}
}
What hidden gem am I missing to just simply turn off basic auth?
Why does turning things off in Spring need to be so difficult now?
I was reading this:
https://github.com/spring-projects/spring-boot/issues/10306
and I have to agree that it should be much easier and a clearer explanation should be provided on how to turn this off.
EDIT
This link https://spring.io/blog/2017/09/15/security-changes-in-spring-boot-2-0-m4 talks about how the property was removed but doesn't say anything about how to continue to use the configuration as it exists in current application that utilize it.

Spring/Springboot OAuth2 - Integrate custom ClientDetailsUserDetailsService

I have successfully configured my application to support both Basic, form-based and OAuth2 authentication, but ran into a bit of a snag trying to customize the ClientDetailsUserDetailsService in OAuth. The behavior I'm noticing is that the Spring OAuth ClientDetailsUserDetailsService is always being used despite my attempts to inject a new custom implementation.
The reason I want to customize this class is to return a custom User Details object similar to what I use for the Basic Auth and Form authentication.
I've read multiple posts on the site related to this same topic, but was not able to resolve the issue with the suggested approaches (ie: Previous post)
Spring's AuthorizationServerSecurityConfigurer class seems to always use the ClientDetailsUserDetailsService regardless of what you inject.
Thing(s) I've tried:
Create an #Bean referencing my custom user details impl and set the custom user details in the AuthorizationServerEndpointsConfigurer.userDetailsService.
Set the user details in the GlobalAuthenticationConfigurerAdapter
#Configuration
#Order(Ordered.HIGHEST_PRECEDENCE)
public class AuthenticationManagerConfiguration
extends GlobalAuthenticationConfigurerAdapter {
#Autowired
private UserDetailsService userService;
#Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(clientDetailsUserDetailsService());// Inject custom
}
}
Created a custom WebSecurityConfigurerAdapter and set the user details service in the HttpSecurity object ie:
#Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatchers().antMatchers("/oauth/**")
.requestMatchers().antMatchers("/api-token/**")
.authorizeRequests()
.anyRequest().authenticated();
http.userDetailsService(clientDetailsUserService());
http.authenticationProvider(oauthDaoAuthenticationProvider(encryptionService));
}
Create a new DaoAuthenticationProvider Bean and manually set my custom user details service for oauth requests.
Any advice or help is greatly appreciated and again, I do have OAuth working, but would like to tweak the implementation a bit without having to hack into the Spring classes to achieve it. Thanks!

Spring Boot Security - Open access for / with restricted /admin access?

So i have a simple spring boot app with out-of-the-box security configuration. In my 'dev' profile I've open access to all URLS with these properties
# dev
security.basic.enabled=false
management.security.enabled=false
and I can enable authentication for all URL's in my 'production' profile by changing the values to
# production
security.basic.enabled=true
management.security.enabled=true
The real security requirement for the application is that it has two pages
The '/' index page should be public to all.
The '/admin' page should be restricted.
I know from countless other stackoverflow questions in spring-boot-security and spring-security that I can override the default spring-boot security config by using the #EnableWebSecurity and then defining custom rules
#EnableWebSecurity
public class WebMvcConfig extends WebMvcConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()....
}
I'm wondering is there not a simpler way which configures spring-boot only, and which doesn't involve the customisation of the spring-security to achieve this requirement?
There's a difference between overriding and configuring. By using #EnableWebSecurity, you're still just configuring Spring Security to work the way you want it to work. So to answer your question, no, there is not a "simpler way". This is how you do it and it isn't difficult.
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.and()
.authorizeRequests()
.antMatchers("/admin/**").authenticated();
}
}
Something like that is more or less all you need based on your requirements.

Using http-basic-authentication with spring webservices

I followed https://spring.io/guides/gs/producing-web-service/ to implement simple webservice using Spring. Everything works like expected. Now I am trying to add http basic authentication to it using javaconfig. How should I proceed? I found some links where #EnableWebSecurity was used however nothing seems to work... Service responds without authentication...
Just create a Spring Security config file like this:
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user")
.password("password")
.roles("ROLE_USER");
}
#Override
public void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
}
Here's a notice tutorial to follow up: http://www.mkyong.com/spring-security/spring-security-hello-world-annotation-example/
Based on the tags you added to the question I see you are exposing the SOAP service using Spring Boot. In that case just add the spring-boot-starter-security Spring Boot starter project as a dependency. This will include Spring Security and by default ‘basic’ authentication is added on all HTTP endpoints (including your SOAP service).
By default a random password is generated at startup but you can configure your own user name/password using Spring Boot security properties.
If would like more information, I created a blog post which illustrates how to setup Spring WS basic authentication using Spring Boot.

Resources