spring-security

Spring app basic auth over Keycloak

限于喜欢 submitted on 2020-02-02 10:21:08
Question: I need to add auth to my Spring Boot (MVC) app. The auth provider is Keycloak via OpenID. Both Implicit and Authorization Code grants are disabled, so I am stuck with the Resource Owner Credentials grant. What I want to achieve is a basic auth prompt for unauthorized users. Credentials retrieved that way should be used to get a token and user information from Keycloak for further use by Spring Security. The token should be checked on each request. Most examples I've found are using the redirect

Spring Security config autowiring custom UserDetailsService bean

白昼怎懂夜的黑 submitted on 2020-02-01 05:30:05
Question: I recently came back to a Spring project I'd been working on and I've run into issues when starting up the app. This question is probably a duplicate, but I haven't been able to find an answer. Here's a snippet from my original SecurityConfig.java: @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserService userService; /** * Global security config to set the user details service etc. * @param auth authentication manager

Spring MVC web app behind zuul redirect issue

五迷三道 submitted on 2020-02-01 04:39:46
Question: I have a set of Spring Boot (1.3.3) with Spring Cloud (Brixton.RC2) microservices running behind Zuul, and I have issues with my URLs being rewritten in redirects. My main issue is that my web app is behind Zuul and seems to be unaware of the host during redirects, even though I should have set all the necessary properties. When I go to http://test.example.com/ I expect to be redirected to http://test.example.com/login, but I get redirected to http://machinehostname/login... If I go directly to http:/

JSON Web Token expiration

半城伤御伤魂 submitted on 2020-01-31 03:11:09
Question: Most of the JWT (JSON Web Token) tutorials (e.g. this and this) say that, once validated, you can use the incoming token to get client information without validating it against the DB. My question is, how is the invalid-user situation handled then? What I mean is, let's say a client just got a JWT token which expires in one week. But for a very specific reason, let's say we decided to invalidate the user and don't want the user to access our API. But still that user has a token which is valid and

isAuthenticated annotation does not prevent access

谁说我不能喝 submitted on 2020-01-30 11:01:25
Question: I have the following controller: @RestController @RequestMapping("/payments") public class PaymentController { @Autowired PaymentService paymentService; @Autowired private Environment env; @PostMapping("/create") @PreAuthorize("isAuthenticated()") public ResponseEntity<String> create(@Valid @RequestBody DownPayment downpayment) { Customer customer; Charge charge; User user = new User(); ............ } } WebSecurity config: @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity

Spring OAuth with JWT custom UserDetails - Set Principal inside JwtAccessTokenConverter

南楼画角 submitted on 2020-01-30 01:28:02
Question: Some additional info is sent from the OAuth Authorization Server that is needed inside a custom UserDetails class on the Resource Server, and preferably inside the Spring Security Principal. The current approach is setting a username as Principal and adding the additional info as additional details of the Authentication object, like this. public class CustomAccessTokenConverter extends JwtAccessTokenConverter{ @Override public OAuth2Authentication extractAuthentication(Map<String, ?> claims) { OAuth2Authentication

Maximum concurrent users in Spring Security

久未见 submitted on 2020-01-29 06:59:17
Question: I am using Spring Security 3.0 in my project and I am restricting each user to a maximum of one session. The configuration is given below: <security:session-management> <security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/> </security:session-management> I want to print a custom message (not the default provided by Spring) when the maximum number of sessions is reached. Please help. Thanks in advance!! Answer 1: Please keep this in your messages.properties ConcurrentSessionControlStrategy