Well, I'm building a personal project to learn Spring Roo 2. Now I'm struggling with Spring Security. There is little information about Spring Roo 2 on Google, and a lot of relatively useful information on Spring Boot relating to Spring Roo.
With the command "security setup" you get the "--provider" option.
This is the description that the help gives you:
optional --provider: The Spring Security provider to install. Possible values are: DEFAULT (default Spring Security configuration provided by Spring Boot will be used), and SPRINGLETS_JPA (advanced Spring Security configuration will be included using Springlets JPA Authentication).; default: 'DEFAULT'
I couldn't find the difference between these two options, even in the Spring Roo M3 reference documentation. Even searching for "Springlets JPA Authentication" gives no information about it.
Does anyone have any clue about this?
Thanks
These are the main differences between these two providers:
DEFAULT: This is the default Spring Security auto-configuration provided by Spring Boot when you include the spring-boot-starter-security in your project classpath. This is the default option because Spring Roo always tries to generate applications that use the auto-configuration provided by Spring Boot.
Selecting this provider, the following changes will be applied to your project:
spring-boot-starter-security dependency will be added to your pom.xml file
If you want to know more about this configuration, you should check the Spring Boot reference guide
SPRINGLETS_JPA: If you select this provider, the default Spring Security auto-configuration provided by Spring Boot will be used. In addition, this provider will add the Springlets library to your classpath, which provides some extra starters to auto-configure advanced Spring Security properties. It also configures the security authentication to use a user from the database instead of the default in-memory authentication provided by Spring Boot auto-configuration. You will be able to manage this configuration using the application.properties file and including the properties springlets.security.auth.in-memory.enabled and springlets.security.auth.in-memory.erase-credentials.
Selecting this provider, the following changes will be applied to your project:
springlets-boot-starter-authentication dependency will be added to your pom.xml file
security.enable-csrf=true property will be included to enable CSRF. Know more about CSRF and Spring Security here
To know more about the Springlets Security project check the Springlets project page
Hope it helps,
Related
I am adding Togglz to my existing Spring Boot 3 application. I cannot read the state of the enum constants from application.yml or any other property files. The only way the state can be changed is by annotating #EnableByDefault. I followed the link https://www.baeldung.com/spring-togglz for a reference implementation.
Has anyone successfully configured Togglz with Spring Boot 3?
I inherited a Spring Boot application (version 1.5.8). I think it reads an external foo.properties file, then creates a Map object holding the key/value pairs, and then SpringApplication.setDefaultProperties consumes it.
When I inspected the properties file, it had many SSL-related key/value properties:
server.ssl.key-alias=<some_value>
server.ssl.key-password=<some_value>
server.ssl.key-store=<some_value>
server.ssl.key-store-type=<some_value>
From its pom.xml file, I don't see spring-boot-starter-security as a dependency though. My assumption is that this is OK. Although, as a newbie, when I went through a simple tutorial on Spring Boot with regard to SSL, it had the aforementioned lib as a dependency.
I plan to add more ssl key/value pairs like:
server.ssl.enabled=<some_value>
server.ssl.ciphers=<some_value>
server.ssl.protocol=<some_value>
My question is whether I need the spring-boot-starter-security lib as a dependency or not. I am sure I'd find out once I update/execute the application, but I decided to ask first in case anyone knows in advance. My initial research didn't come up with the answer I was looking for.
Update:
From its pom.xml, I see the following added as dependencies. Another attempt at research makes me believe spring-boot-starter comes with spring-boot-starter-security, but I am not positive about this.
spring-boot-starter
spring-boot-starter-log4j2
spring-boot-starter-web
No, you definitely don't need spring-boot-starter-security to enable SSL/TLS in your Spring Boot application.
As described in the Spring Boot documentation, you can enable SSL declaratively by setting the various server.ssl.* properties, typically in application.properties or application.yml.
Refer to the Ssl class for details of all of the supported properties. You may also consider checking the Spring Boot common application properties (in particular the server properties).
No.
Spring Boot does not need security for SSL; it's a Tomcat issue. I recommend you read this tutorial.
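The setup the question describes (an external properties file turned into a Map and handed to SpringApplication.setDefaultProperties), as an added example that is not from the original thread or the asker's application. The class name, the tls.config system property and the choice of which keys to treat as mandatory are assumptions; only spring-boot-starter-web is assumed on the classpath.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

// Added example: nothing here comes from spring-boot-starter-security.
@SpringBootApplication
public class TlsFromExternalProperties {
    // Keys this example treats as mandatory (assumption: the ones the question's file sets).
    private static final String[] REQUIRED = {
        "server.ssl.key-store", "server.ssl.key-store-type",
        "server.ssl.key-alias", "server.ssl.key-password"
    };

    // Read the external file into the Map that setDefaultProperties() consumes.
    static Map<String, Object> load(String path) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            props.load(in);
        }
        Map<String, Object> defaults = new HashMap<>();
        for (String name : props.stringPropertyNames()) {
            defaults.put(name, props.getProperty(name).trim());
        }
        // Refuse to start when TLS settings are missing or switched off.
        for (String key : REQUIRED) {
            if (String.valueOf(defaults.getOrDefault(key, "")).isEmpty()) {
                throw new IllegalStateException("missing TLS property: " + key);
            }
        }
        if ("false".equalsIgnoreCase(String.valueOf(defaults.get("server.ssl.enabled")))) {
            throw new IllegalStateException("server.ssl.enabled=false turns TLS off");
        }
        return defaults;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical lookup; the question only names the file foo.properties.
        String path = System.getProperty("tls.config", "foo.properties");
        SpringApplication app = new SpringApplication(TlsFromExternalProperties.class);
        app.setDefaultProperties(load(path));
        app.run(args);
    }
}
```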
I want to create a library (let’s call it common-library) where I need to include classes from Spring Security.
How to include Spring Security as a dependency without triggering auto-configuration?
The idea is that Spring Security will be configured by a different library (called secure-library - also includes Spring Security).
If only the common-library is included in an application, then Spring Security must not be enabled, but if both libraries, common-library and secure-library, are included, then Spring Security is enabled and configured by secure-library.
Classes I actually need to include:
org.springframework.security.core.context.SecurityContextHolder;
org.springframework.security.oauth2.provider.OAuth2Authentication;
org.springframework.security.oauth2.provider.OAuth2Request;
BTW: I could not find a jar with OAuth2Authentication, OAuth2Request and without auto configuration.
Spring Boot ships with several default logging framework configurations including Log4j2. While there is detailed documentation about logging in the Spring Boot reference manual, it does not mention how and where exactly the default log pattern is configured, which makes it difficult to override this.
The question is: where does Spring Boot configure the default log pattern for Log4j2?
So far I have looked in the following places of Spring Boot:
AutoConfigurationReportLoggingInitializer
LoggingApplicationListener
SimpleFormatter
LoggingSystem
Log4J2LoggingSystem
It seems the Log4J2 configuration is not done in any Java class, so I was looking in the wrong place. Spring Boot ships with two files, log4j2.xml and log4j2-file.xml, which contain the default configuration and can be found in org.springframework.boot.logging.log4j2.
We're using Grails but with an existing model layer and DAO layer. We have an app written already in Spring MVC, using Spring for IoC and also Security. I'm trying to port the control and view over to Grails as a proof of concept. I have Grails working fine with IoC but am having some trouble getting Grails to work with Spring Security. I'm using 0.5.1 of the Spring security plugin for grails. I have an xml file with all of the spring security settings that work fine with the Spring MVC app, but I'm having trouble getting it to work in Grails. If anyone has any experience using Grails with Spring Security but not using the domain part of the Spring security plugin, then please let me know. Any advice, websites etc would be helpful.
You don't even need the Grails Spring Security Plugin. You can integrate Spring Security 3 right into Grails, as it's all Spring under the hood anyway.
You only have to place the Security jars in the lib folder, add two entries to the web.xml and copy over your security applicationContext.
This way you can use your existing Spring Security in your Grails project.
This worked for me.
http://old.nabble.com/Baked-Beans%3A-Securing-Grails-with-Spring-Security-3!-td25339938.html#a25339938
http://blog.jayway.com/2009/11/23/spring-security-for-real-with-grails/comment-page-1
http://knol.google.com/k/grails-with-spring-security#