I'm trying to setup a new project using Spring Security. When you do so every page is auto redirected to /login/auth. I read that you can disable this and instead explicitly state all controllers/routes. can someone point me in the right direction as far as how to obtain this? been searching forever and cant find it.
I first read about it in answer one of this question :
Grails, Spring Security Core - remove /login/auth from application
Reading the section Pessimistic Lockdown in the documentation will lead you to the fact you can reverse this behavior by using the following configuration:
// Config.groovy
grails.plugin.springsecurity.rejectIfNoRule = false
grails.plugin.springsecurity.fii.rejectPublicInvocations = true
This should accomplish what you are after. I recommend reading the documentation for this plugin as it is well written and covers a lot of useful information.
Related
I'am currently trying to understand the discovering of JAXRS-Endpoints in Quarkus. My assumption is that they are automatically discovered and there is no need to register them. In addition I tried to import Endpoints from an other module/jar File. It is working to out of the box.
But than I tried to understand the order of discovering endpoints.
I tried to overwrite a jar file provided endpoint in my application, but it is not working. Therfore in my opinion there is a potential security problem, if any third party module can overwrite my endpoints. Has anyone the same problems and can provide me informations how to think about this problem? (My only solution is to write an own extension which removes all endpoints an add only the ones I want to have, but I think this is against the idea)
Thanks in advance!
Duplicate endpoint detection was added to RESTEasy Reactive in https://github.com/quarkusio/quarkus/pull/15037.
This means that from version 2.7.0.CR1 and on, Quarkus will fail the build if duplicate JAX-RS endpoints are defined (assuming you are using quarkus-resteasy-reactive).
I am developing a jsp dynamic web project on eclipse.
I want to create an website with login functionality. I intend to store users' accounts and passwords in MySQL database. Of course, different users have different roles and rights to access different web pages. What is the best approach to implement it?
So far, I know these approaches:
1) Users enter accounts/passwords in login.jsp. LoginServlet then connects to MySQL database to check if it is correct. AuthenticationFilters will make sure only users with rights can access certain pages.
2) Use Role Based Authentication by declaring user roles in web.xml. I find this approach is not flexible, because I need to declare roles in advance.
3) Use HttpServletRequest's login/logout methods. I have not studied it.
Is my understanding correct? Could someone gives me some suggestions? Some clues would be very helpful!
Besides, I know that using POST alone to send passwords is not safe enough. Many websites suggest to use HTTPS connections. So if using HTTPS connections, does it affect the approach I choose to implement the login function?
Thanks!
--
Now, I know I need to use Spring. But Spring seems difficult for me... In Spring website I cant find out the link to download jar files. The user guide says I need to use Gradle or Maven, which I haven't used before, and have no idea why I need them. Besides, there are many Spring projects. Which one should I choose? Spring framework?
--
Have you looked into using Spring Security? It's built for just that. You don't need to be familiar with Spring but it may help.
Here are a couple of tutorials that use database authentication:
1: Spring Security Authentication and Authorization Example with Database Credentials
2: Spring Security Login Example with Database
Edit:
You don't have to Maven or Gradle. You can simply add the jars to your build path and they will work. The only projects you need to implement for the login to work is the Spring Framework and Spring Security.
To use Spring Security without Maven or Gradle:
Download the Spring Framework jars, unzip them, and add them to your project and build path. It's probably a good idea to find a hello world tutorial using Spring to get you started. A quick Google search should turn up many results.
After you have Spring implemented in your project, download the Spring Security jars, unzip those, and add them to your build path. The links to the tutorials that I previously posted will get you started. They may take a little while to go through and you may not understand exactly what is happening behind the scenes, but once you get it set up is works outstanding. I'm also not sure if you are using xml configuration or Java config but I believe those tutorials are for xml.
Spring Security was built so that it could be added to any project and have you up and running with basic configuration in about 15 minutes. After you get the basic login going (it will use the generic login form), you can search for how to implement your own custom login form, add permissions or restrictions to users and url patters, adding custom filters, etc. I encourage you to spend some time learning it as it is highly flexible and customizable.
I am trying to apply spring security to my web application. I am already familiar on the usage of the security:authorize tag for hiding UI elements in my jsp page. I read that starting from spring security 3.1.x you now have spring.security.disableUISecurity property to disable the security:authorize tag which will really help our testing. I tried searching google on how to set this property but I couldn't find a clear way on how to set this property. Does anyone know how to configure this property?
I asked this question over at spring forums and someone was able to help me. You just need to add -Dspring.security.disableUISecurity=true as a jvm parameter
Link to the post at spring
I am considering to utilize Expression-Based Access Control from Spring Security 3.0.
The documentation says: You can access any of the method arguments by name as expression variables, provided your code has debug information compiled in.
That means that I have to have debug info left in my production wars and jars to properly use Expression-Based Access Control. For me it seems not very good idea at all.
Please tell me your opinions on this issue, so I can summarize your expirience to deside where I go for it or not.
Thank you in advance!
Max
It is a little strange, but this isn't tied to Spring Security. Spring Web MVC uses it too; e.g., to discover #RequestParam and #PathVariable default values.
In my experience people typically leave debug information in their builds (even production builds) to support troubleshooting (debug level logging is a different story), so Spring takes advantage of this. But it's fair to say that Spring is violating the principle of least surprise here, meaning that one wouldn't expect turning debug info off to turn a working app into a broken app.
Please see Spring security annotations with EL — requires debug information compiled in?
I'd like to learn Spring MVC framework basis.
My personal experience tells clearly that more than reading manuals, docs, howtos only is only one important part of self-training, but to capitalize real experience you need to solve real problems.
May someone suggest a fake-project that I can implement in my free-time, avoiding only-theoretical approaches and at the same time watch at the main issues of Spring programming?
Does a NerdDinner.com-like free-chapter somewhere exists for Spring?
You could go through each of the Spring samples, and attempt to recreate them on your own.
I have found that a very effective method for learning Spring is to go on the Spring JIRA and solve a bug. It forces you to get down and dirty in the code, and you get to see what's really going on behind the scenes.