spring-security

问题 I have a Spring Boot web application exposing few rest endpoints. I wanted to know how we can enable basic authentication only for selected rest endpoints. Let's say I want only /employee/{id} request to be authenticated and ignore all the other rest endpoints. I am using the following code. My question is will the antMatcher only authenticate the request specified? Currently its enabling authentication for all rest endpoints: @Configuration @EnableWebSecurity public class WebSecurityConfig

问题 I have a Spring Boot web application exposing few rest endpoints. I wanted to know how we can enable basic authentication only for selected rest endpoints. Let's say I want only /employee/{id} request to be authenticated and ignore all the other rest endpoints. I am using the following code. My question is will the antMatcher only authenticate the request specified? Currently its enabling authentication for all rest endpoints: @Configuration @EnableWebSecurity public class WebSecurityConfig

问题 I've got an AbstractAuthenticationProcessingFilter that I'm using to handle POST requests at path /sign-in . CORS preflight requests are coming back 404 because there is no path that matches. This makes sense to me. What I would like to know is if there is a way to inform Spring that there is a filter handling the POST (rather than a controller), so that Spring can dispatch the OPTIONS in the same way it would if a controller were handling the POST. Would it be bad practice to write a

问题 I've got an AbstractAuthenticationProcessingFilter that I'm using to handle POST requests at path /sign-in . CORS preflight requests are coming back 404 because there is no path that matches. This makes sense to me. What I would like to know is if there is a way to inform Spring that there is a filter handling the POST (rather than a controller), so that Spring can dispatch the OPTIONS in the same way it would if a controller were handling the POST. Would it be bad practice to write a

问题 In my Application, We are capturing User details of each transaction from SecurityContextHolder Authentication object. But it gives wrong UserID it seems. Below are the code snippet for your reference. SecurityContext.xml spring-security-3.2 -- <security:http auto-config="true"> <!-- Restrict URLs based on role --> <security:headers> <security:cache-control/> <security:content-type-options/> <security:frame-options policy="DENY"/> <security:xss-protection/> </security:headers> <security

问题 I'm learning Spring Security and I have few quick questions respect UserDetailsService : 1- When loadUserByUsername is actually called or invoked? After authentication? Only once per login? 2- After login, will Spring put the actual logged user into httpSession? 3- Which is the recommended way to populate the collection of <GrantedAuthority> of UserDetails ? Eagle fetch them so when loadUserByUsername is called, the returned user already has it's "ROLES" Implement another custom filter like

问题 I'm learning Spring Security and I have few quick questions respect UserDetailsService : 1- When loadUserByUsername is actually called or invoked? After authentication? Only once per login? 2- After login, will Spring put the actual logged user into httpSession? 3- Which is the recommended way to populate the collection of <GrantedAuthority> of UserDetails ? Eagle fetch them so when loadUserByUsername is called, the returned user already has it's "ROLES" Implement another custom filter like

问题 assuming a working hello world example of spring security and spring mvc. when i take a trace with wireshark i see the following flags on the http request X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-Frame-Options: DENY Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/; Secure; HttpOnly i would like to add

问题 assuming a working hello world example of spring security and spring mvc. when i take a trace with wireshark i see the following flags on the http request X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-Frame-Options: DENY Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/; Secure; HttpOnly i would like to add

问题 assuming a working hello world example of spring security and spring mvc. when i take a trace with wireshark i see the following flags on the http request X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-Frame-Options: DENY Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/; Secure; HttpOnly i would like to add