ResourceServerConfigurerAdapter vs WebSecurityConfigurerAdapter - spring

I'm currently working on an OAuth2 implementation with Spring Security, and I found much documentation that uses ResourceServerConfigurerAdapter along with the WebSecurityConfigurerAdapter.
I hope someone can tell me the differences between the two configurations because I really get confused about which configure(HttpSecurity http) method to use, since both classes offer one.
I've found some similar questions here on Stack Overflow, but they are not clearly answered.

From reading the JavaDocs I think the only purpose is to separate the concerns of OAuth2 resource authentication from the WebSecurityConfigurerAdapter, which contains all sorts of security filters.
Additionally, it seems like you should add the @EnableResourceServer annotation and provide a @Bean of type ResourceServerConfigurer via ResourceServerConfigurerAdapter. The annotation will basically create another WebSecurityConfigurerAdapter with a hard-coded order of 3.
So to summarise, you will have 2 or more WebSecurityConfigurerAdapters, but one is specific to OAuth2 authentication.

Related

Spring Boot: purpose of @EnableSocial annotation

In my Spring Boot app I am implementing social login using Spring Social (1.1.4.RELEASE). I have the following configuration class:

    @Configuration
    @EnableSocial
    public class SocialConfig extends SocialConfigurerAdapter {
        ...
    }

I see that @EnableSocial calls @Import(SocialConfiguration.class), but when I remove the annotation @EnableSocial the social login works the same and SocialConfiguration is used anyway.
It's difficult to say without knowing more about your code, but even if you don't use @EnableSocial, Spring Boot will still assume you mean to use it if you provide sufficient social information (I'll use Facebook as an example here):
Your project depends on org.springframework.social:spring-social-facebook directly or transitively, for example through org.springframework.boot:spring-boot-starter-social-facebook.
You specify information that the app can use to connect to the social network site. To figure out exactly what you need for Spring Boot to configure it automatically, you should check out the AutoConfiguration class for the social site in question, for example FacebookAutoConfiguration.
By the way, here's an example of how to get it working without @EnableSocial. Does it look similar to your setup? https://spring.io/guides/gs/accessing-facebook/

Spring Boot and OAuth2, WebSecurityConfigurerAdapter vs ResourceServerConfigurerAdapter

What is the difference between WebSecurityConfigurerAdapter and ResourceServerConfigurerAdapter and which should have higher precedence?
I don't really see a difference if I am both the resource owner and the client. I can configure HttpSecurity in both classes.
EDIT:
Which type of matchers should I add in WebSecurityConfigurerAdapter and which in ResourceServerConfigurerAdapter? I found in some examples that WebSecurityConfigurerAdapter matches pages for login, registration etc. and ResourceServerConfigurerAdapter the real resources. Is that the correct way of doing it?
ResourceServerConfigurerAdapter is for adjusting the access rules and paths that are protected by OAuth2 security (some additional OAuth2 filters are activated).
WebSecurityConfigurerAdapter is for the basic Spring Security customization.
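As an added example (not code from either of the two threads above) of how the two adapters coexist in a Spring Boot 1.x application using the legacy spring-security-oauth2 project: the @EnableResourceServer chain gets the hard-coded order 3 and is scoped to /api/** with antMatcher(), so it is consulted first but only claims API requests, while the plain WebSecurityConfigurerAdapter (default order 100) keeps the login and registration pages. The resource id, paths and class names are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
public class SecurityConfig {

    // Chain 1: @EnableResourceServer registers this adapter with a hard-coded order of 3.
    // antMatcher("/api/**") limits the chain to the API; without it this chain would
    // claim every request and the form-login chain below would never be reached.
    @Configuration
    @EnableResourceServer
    public static class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            // "example-api" is an assumed resource id; it must match the token's audience
            resources.resourceId("example-api");
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests()
                    .antMatchers("/api/public/**").permitAll()
                    .anyRequest().authenticated();   // bearer token required
        }
    }

    // Chain 2: default WebSecurityConfigurerAdapter order is 100, so it only sees
    // requests the order-3 chain did not claim: login, registration, static files.
    @Configuration
    @Order(100)
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/", "/login", "/register", "/css/**").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().permitAll();
        }
    }
}
```

A quick check that the split works: an unauthenticated GET /api/orders should return 401 with a WWW-Authenticate: Bearer header (resource server chain), while GET /orders should redirect to /login (web chain).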

Are @InjectParam and @Autowired the same?

Are @InjectParam (com.sun.jersey.api.core.InjectParam) and @Autowired (org.springframework.beans.factory.annotation.Autowired) the same?
In one of the projects, I have seen both of these being used for similar purposes, hence I guess both can do the same job.
I am just wondering if my guess is correct or I am missing some critical catch out there.
I would appreciate it if someone could explain the difference and which one to use in what situation.
Thanks.
Both @InjectParam and @Autowired are used for dependency injection purposes.
According to the documentation, Jersey's @InjectParam is used to annotate fields, methods or parameters that shall be injected with instances obtained from Jersey or registered IoC component provider factories that provide support for Guice, Spring or CDI.
Spring's @Autowired is used to perform injections in the Spring Framework and, as far as I know, it won't work in Jersey resources.
From this post, @Autowired not working on jersey resource, it seems @Autowired does not work with Jersey resources, in which case we have to use @InjectParam for Jersey resources.

Spring Security 4 & CDI

I want to use SpringSecurity4 in a CDI/EJB environment.
Is this possible? Can SpringSecurity can be used without using Spring?
What I want to do, is to use SpringSecurity with my EJB and CDI components.
Spring Security is basically a filter machine, filtering all the incoming requests. However, plenty of its functionality is Spring-core dependent. It is possible to utilize Spring in a CDI application, but Spring's core is heavyweight and its functionality is funny compared to CDI. That would be a downgrade and there would be no point in using CDI.
What you can do is have a look at some security projects for the JEE world.
Apache DeltaSpike and its Security module.
Keycloak - the absolute solution. Keycloak goes far, far beyond Spring Security's functionality. It is an evolution of the old PicketLink libraries developed by JBoss, but those are discontinued and merged into Keycloak instead. An example of how simple the usage of Keycloak is can be found here.
It is also not that hard to write your own security interceptor using @WebFilter and @Inject :), there are several projects on GitHub:
https://github.com/rmpestano/security-interceptor
https://github.com/clairton/security
https://github.com/Rudin-Informatik/cdi-security
https://github.com/rafaelodon/my-security-context
I have no experience with these projects. However, I am always amazed at how easily Spring Security can be replaced :)
I am using Spring Security with CDI but I can say it is not very healthy since Spring Security is based on spring and spring is messing with the CDI beans.
Here is what happened to me. I customized the AuthenticationProvider of Spring Security in order to authenticate users through my authentication server. When implementing this mechanism I used my predefined CDI beans by injecting them using the @Inject annotation. At this point Spring somehow intercepts the injection and creates its own bean, which means you cannot use any of the values you set on the CDI bean previously.
In order to solve this, I did a trick like this:

    @Inject
    private LoginController loginController;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Here the injected bean is empty, so I request my old bean from CDI and assign it back.
        LoginController bm = CDI.current().select(LoginController.class).get();
        loginController = bm;
        ...
    }

I don't know if this is the answer you are looking for, but I hope this helps...

spring security quick start

I am trying to follow this to incorporate Spring Security in the framework:
http://java.dzone.com/tips/pathway-acegi-spring-security-
I hope to make a basic form-based authentication, so I think this would be a great pointer.
If I am using the Spring Security 3 libraries, would there be any difference?
Which file is the authentication-manager XML supposed to be in?
Some time ago I did a migration from Acegi Security to Spring Security, and I should say that it went pretty smoothly, without any significant issues. So I assume that these libraries (in fact Spring Security is a later version of Acegi) do not have too many differences.
You could include your AuthenticationProvider implementation or any security-related configuration in any context configuration file. However, it's generally preferable to keep it in a separate Spring XML config file, whose name is passed as a parameter along with the name of the main config file when you are creating the ApplicationContext instance.
Suppose you have a class MyAuthenticationProvider:

    ...
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.providers.AuthenticationProvider;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
    ...
    public final class MyAuthenticationProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            // authentication carries the submitted username and password; compare them with the 'Users' table here
            ...
        }
        // also required by the interface: tells the ProviderManager which token types this provider handles
        public boolean supports(Class authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

This class is a regular Spring bean and therefore you can inject there any other bean you need, particularly the DAO object which works with the 'Users' table. Inside the authenticate method you receive a partially initialized Authentication object. It's supposed to contain the username and password. Here you can compare the user credentials against the database records.
I also tried this one and succeeded. This one is more complete, with the included files:
http://static.springsource.org/spring-security/site/petclinic-tutorial.html