spring-security

问题 I am trying to build Authorization Server using Spring Security. Code is available on git - https://github.com/bharatnpti/SpringAuthServerSO I have implemented JWT, everything is working fine for example - generation of token, check_token. However the endpoint oauth/token_key is giving error - 404, not found. Have tried the following access for token_key :- tokenKeyAccess("permitAll() || isAnonymous()") tokenKeyAccess("permitAll()") Below are the logs for token_key request :- 2020-12-07 03:22

问题 I am trying to build Authorization Server using Spring Security. Code is available on git - https://github.com/bharatnpti/SpringAuthServerSO I have implemented JWT, everything is working fine for example - generation of token, check_token. However the endpoint oauth/token_key is giving error - 404, not found. Have tried the following access for token_key :- tokenKeyAccess("permitAll() || isAnonymous()") tokenKeyAccess("permitAll()") Below are the logs for token_key request :- 2020-12-07 03:22

问题 This question is not about how CSRF tokens works, but is rather about they are stored on the server side. In short, CSRF tokens are generated by server and injected in to the web page/form. When the form is submitted the csrf token is extracted by the server and compared to the one saved on the server. So far so good. From this earlier posting - CSRF token value when same page is opened in two tabs on same machine? Here's the excellent answer which explains that - The server will create a

问题 In my java server application, I get the following error when trying to authenticate using the password grant flow: TokenEndpoint - Handling error: InvalidClientException, Unauthorized grant type: password I did allow the grant explicitly for the user in question: @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("officialclient") .authorizedGrantTypes("authorization_code, refresh_token, password") .authorities("ROLE

问题 I'm using Spring Boot (2.3.4.RELEASE) to implement a webservice acting as a OAuth2 resource server. So far I'm able to secure all endpoints and ensure that a valid token is present. In the next step I want to use Spring Method Security. The third step would be to populate custom user details (via UserDetailsService ). How to configure Spring Method Security properly? I'm not able to enable Spring Method Security (correctly). I have entities saved in database and also set the permissions via

问题 I'm using Spring Boot (2.3.4.RELEASE) to implement a webservice acting as a OAuth2 resource server. So far I'm able to secure all endpoints and ensure that a valid token is present. In the next step I want to use Spring Method Security. The third step would be to populate custom user details (via UserDetailsService ). How to configure Spring Method Security properly? I'm not able to enable Spring Method Security (correctly). I have entities saved in database and also set the permissions via

问题 So, I have this in my WebSecurityConfigurerAdapter public class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http // Use this configuration for endpoints starting with 'api' .antMatcher("/api/**") // Do not secure endpoints receiving callbacks .authorizeRequests().antMatchers(""/api/v1/notification").permitAll() // Allow only users with role "ROLE_API" .anyRequest().hasRole(Users.UserRoles

问题 I am using spring security and Java configurations in my project. The Java configurations for spring security by default have csrf enabled. Is it possible to set the timeout after which the csrf token expires? This was a requirement to specify the timeout for the token based application. After going through some blogs and articles, I noticed that the behavior of csrf token is unpredictable to make it more secured. Here is a sample code for configuring spring security. @Override protected void

问题 I am using spring security and Java configurations in my project. The Java configurations for spring security by default have csrf enabled. Is it possible to set the timeout after which the csrf token expires? This was a requirement to specify the timeout for the token based application. After going through some blogs and articles, I noticed that the behavior of csrf token is unpredictable to make it more secured. Here is a sample code for configuring spring security. @Override protected void

问题 Faced a problem with caching during authorization, I can't figure it out. So that during authorization every time a request is not made to the database, I want to cache the method. At the first request with an empty cache, everything is fine and until the cache is deleted after a time. But while the cache is there, I get 401, because o.s.s.c.bcrypt.BCryptPasswordEncoder: Empty encoded password, the password is empty every time. How to be in such a situation? @Override @Transactional public