spring-security

问题 I updated an already existing application from Spring Boot 1.3 to 2.0.1. This application makes use of the Actuator and exposes a REST-style API. In Boot 1.3 the API could be used without authentication and the actuator endpoint was configured to be password protected: security.user.name=foo security.user.password=bar security-user.role=ADMIN I updated this like documented in the configuration changelog and renamed the entries from security.user.name to spring.security.user.name and alike.

问题 I am building a server side REST service application. I have a problem with the JWT authentication token. I can get the token easily after sign in (Here I use Postman ). But when I am trying to authenticate a request to access a protected REST controller using the same token, I get the following error: io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted. at io.jsonwebtoken.impl.DefaultJwtParser

问题 I've just added Spring Security in my Spring Boot project classpath. I did no Java Configuration or XML configuration. The problem is that when I send a request to my resource localhost:8080/users , my first request gets authenticated (via Basic Authentication) normally, but the subsequent requests do not need any authentication header. Even if I restart my server, the requests are still being authenticated without entering any credentials. I would like to turn this "cache" off. I tried with

问题 There are many tutorials where is shown how to disable csrf, csrf().disable() (and other possibilities like .properties , .yml , etc.) but nowhere explained why they do this? So my questions are: What is the real-life reason to disable it? Is it improves performance? 回答1: What is the real-life reason to disable it? The Spring documentation suggests: Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a

问题 I'm using keycloak 3.4 and spring boot to develop a web app. I'm using the Active Directory as User Federeation to retrieve all users information. But to use those information inside my web app I think I have to save them inside the "local-webapp" database. So after the users are logged, how can I save them inside my database? I'm thinking about a scenario like: "I have an object A which it refers to the user B, so I have to put a relation between them. So I add a foreign key." In that case I

问题 I'm using keycloak 3.4 and spring boot to develop a web app. I'm using the Active Directory as User Federeation to retrieve all users information. But to use those information inside my web app I think I have to save them inside the "local-webapp" database. So after the users are logged, how can I save them inside my database? I'm thinking about a scenario like: "I have an object A which it refers to the user B, so I have to put a relation between them. So I add a foreign key." In that case I

问题 I'm using keycloak 3.4 and spring boot to develop a web app. I'm using the Active Directory as User Federeation to retrieve all users information. But to use those information inside my web app I think I have to save them inside the "local-webapp" database. So after the users are logged, how can I save them inside my database? I'm thinking about a scenario like: "I have an object A which it refers to the user B, so I have to put a relation between them. So I add a foreign key." In that case I

问题 I want to apply specific security rules to 2 URLs on my Spring Boot app. I want to use AccessDecisionVoter feature to manage that. All works good... event too good. My new rules apply, on my 2 specific URL, but unfortunately on all my URLs . My AccessDecisionManager declaration: @Bean public AccessDecisionManager playerResourceDecisionManager() { List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays.asList( new AuthenticatedVoter(), hashSerialSecurityVoter ); return new

问题 I work on Spring Boot 2.1. I want all my default endpoints allowed either if they're rightly authenticated either if they pass on specific authentication rules I've implemented and named * hashSerialSecurityVoter*. My Code : SecurityConfig.java protected void configure(HttpSecurity http) throws Exception { http.csrf() .disable().cors().and().exceptionHandling() /* [...] */ .anyRequest() .authenticated(); .accessDecisionManager(playerResourceDecisionManager()); } @Bean public

问题 I have a following tables User table -username -password -mobile OTP -mobile -otpCode -expiry WebSecurityConfig http.authorizeRequests().anyRequest().hasAnyRole("ADMIN", "USER") .and() .authorizeRequests().antMatchers("/login**").permitAll() .and() .formLogin().loginPage("/login").loginProcessingUrl("/loginAction").permitAll() .and() .logout().logoutSuccessUrl("/login").permitAll() .and() .csrf().disable(); When I attempt login. Spring Security checks User table for username and password . My