spring-security

问题 Just want to see whether I'm interpreting the answer to this question the right way. If we only need to secure one path like this: http.antMatcher("/api/**").authorizeRequests().... Then use antMatcher() . If we need to secure multiple URL paths like this: http .authorizeRequests() .antMatchers("/high_level_url_A/sub_level_1").hasRole('USER') .antMatchers("/high_level_url_A/sub_level_2").hasRole('USER2') ... Then use antMatchers() . There are two answers in this question, but the example

问题 I am writing a spring boot application in which I am registering a URL to a bean via the SimpleUrlHandlerMapping configuration. Why am I not using the @Controller or @RequestMapping classes to do this ?!! Because I want to dynamically register URL's during runtime. I am using the following code to register a simple URL to a controller @Bean public SimpleUrlHandlerMapping sampleServletMapping() { SimpleUrlHandlerMapping mapping = new SimpleUrlHandlerMapping(); mapping.setOrder(Integer.MAX

问题 I am writing a spring boot application in which I am registering a URL to a bean via the SimpleUrlHandlerMapping configuration. Why am I not using the @Controller or @RequestMapping classes to do this ?!! Because I want to dynamically register URL's during runtime. I am using the following code to register a simple URL to a controller @Bean public SimpleUrlHandlerMapping sampleServletMapping() { SimpleUrlHandlerMapping mapping = new SimpleUrlHandlerMapping(); mapping.setOrder(Integer.MAX

问题 I cannot access the java.security.Principal authenticated by my CAS authentication system. serverWebExchange.getPrincipal() is allways empty. In fact this is the implementation of DefaultServerWebExchange : @Override public <T extends Principal> Mono<T> getPrincipal() { return Mono.empty(); } Another implementation of ServerWebExchange is ServerWebExchangeDecorator and its documentation says: Note: if the purpose for using a decorator is to override properties like getPrincipal() , consider

问题 I want to write unit tests for my spring controller. I'm using keycloak's openid flow to secure my endpoints. In my tests I'm using the @WithMockUser annotation to mock an authenticated user. My problem is that I'm reading the userId from the token of the principal. My unit test now fails because the userId I read from the token is null; if (principal instanceof KeycloakAuthenticationToken) { KeycloakAuthenticationToken authenticationToken = (KeycloakAuthenticationToken) principal;

问题 Closed . This question is opinion-based. It is not currently accepting answers. Want to improve this question? Update the question so it can be answered with facts and citations by editing this post. Closed last month . Improve this question I am recently learning about OAuth2. Basically I am using Angular client side, and Backend Spring Boot Rest API. I am having some little confusion regarding login form. Normally when we use 3rd party REST Api like Facebook or Google Rest API, these APIs

问题 I created a Spring boot project with the Spring initializer and only have the starter code so far. The sample code @SpringBootApplication public class EcommerceApplication { public static void main(String[] args) { SpringApplication.run(EcommerceApplication.class, args); } } @Controller @RequestMapping(value = "/") public class HomeController { @GetMapping public String index() { return "index"; } } I expect it to return the index.html page from the templates folder. Instead, I'm redirected

问题 I have 2 JHipster apps running each on one subdomain (app1.domain.tld & app2.domain.tld). In both apps, users login through Keycloak. The sequence is as such : Angular app sends /authenticate request with credentials to Keycloak In case of successful response returns a authentication cookie POST request is is sent to Jhipster backend app that generates JSessionID cookie JSessionID is then used for every request to backed app. What would be the best way to automatically login user (without

问题 I have 2 JHipster apps running each on one subdomain (app1.domain.tld & app2.domain.tld). In both apps, users login through Keycloak. The sequence is as such : Angular app sends /authenticate request with credentials to Keycloak In case of successful response returns a authentication cookie POST request is is sent to Jhipster backend app that generates JSessionID cookie JSessionID is then used for every request to backed app. What would be the best way to automatically login user (without

问题 The following line doesn't let me visit GET: /api/topics without a bearer token. It works if I apply a token. Am I missing something? Isn't permitAll supposed to do that? .antMatchers("/api/topics/**").permitAll() By the way, I tried with /api/topics** and it didn't work as well. Error: { "error": "unauthorized", "error_description": "Full authentication is required to access this resource" } Result without a token (the broken part). I want it to let me through. Result with a token. It works