spring-security

Grails 3 CSRF protection

感情迁移 submitted on 2020-01-28 05:25:25
Question: Is it possible to configure CSRF protection in a Grails 3 app using the spring-security plugin? I can't find anything except the useToken attribute for the Grails form and then calling withForm inside the controller. But this is actually not a very flexible solution. I like the approach with a filter like here. Answer 1: For CSRF protection I reused org.springframework.security.web.csrf.CsrfFilter. You need to define a new bean in the Grails resources.groovy (see the snippet below, the csrfFilter bean). You can define your own

How can I get Global Logout working in a multi tenant SAML application using spring-security-saml?

假如想象 submitted on 2020-01-25 22:02:17
Question: The multi-tenant SAML application I'm working on uses spring-security-saml and contains two service providers and one IdP (Active Directory Federation Services). The developer who worked SSO into this application chose to make it multi-tenant because it is a dual-purpose application with two different interfaces, essentially two applications in one. It is designed to be used in a browser with two tabs open, so one interface runs in the first tab and the other interface runs in the second tab

Why to secure methods in Spring Security and not just urls?

浪尽此生 submitted on 2020-01-25 16:53:12
Question: Hi, is it not enough to secure URLs? Is there a way a user could call a URL without the needed credentials, and is this the reason to secure methods? A real example of why securing methods is necessary and not just URLs? Thanks. Answer 1: It is usually enough to secure only URLs in simple cases. Think about method level security as an addition to URL level security. For example a simple check that a user has a particular role to access some URL in your app can be achieved with the aid of URL level
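The point the answer makes is that a URL rule only guards one route to an operation, while a method-level rule travels with the operation itself. The following is an added example, not code from the question, the answer or any Spring project, written for Spring Boot with spring-boot-starter-security on the Spring Security 5.x API of that period (WebSecurityConfigurerAdapter and @EnableGlobalMethodSecurity). The Invoice, InvoiceService and InvoiceController names, the two URL routes and the in-memory store are all hypothetical and exist only to show the difference:

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// URL-level rules: coarse, keyed on the request path only (hypothetical paths).
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize/@PostAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            // Assumed oversight: a second route to the same service was added later
            // and only requires a login, not the ADMIN role.
            .antMatchers("/api/**").authenticated()
            .anyRequest().permitAll()
            .and().httpBasic();
    }
}

// Domain object used by the example (constructed, not from the page).
class Invoice {
    final String id;
    final String ownerUsername;
    Invoice(String id, String ownerUsername) { this.id = id; this.ownerUsername = ownerUsername; }
    public String getOwnerUsername() { return ownerUsername; } // read by SpEL below
}

@Service
class InvoiceService {
    private final Map<String, Invoice> store = new ConcurrentHashMap<>();

    // Enforced no matter which URL, controller, scheduler or message listener calls it:
    // the check belongs to the operation, not to one route into it.
    @PreAuthorize("hasRole('ADMIN')")
    public void deleteInvoice(String id) { store.remove(id); }

    // An object-level rule a URL matcher cannot express: a non-admin may read only
    // invoices they own. returnObject is the method's return value; the safe-navigation
    // operator keeps a missing id from throwing inside the SpEL evaluation.
    @PostAuthorize("hasRole('ADMIN') or returnObject?.ownerUsername == authentication.name")
    public Invoice getInvoice(String id) { return store.get(id); }

    public void save(Invoice invoice) { store.put(invoice.id, invoice); }
}

// Two routes reach the same service methods. With URL rules alone, the /api route
// would let any logged-in user delete or read anything; the method annotations make
// the outcome the same on both routes.
@RestController
class InvoiceController {
    private final InvoiceService service;
    InvoiceController(InvoiceService service) { this.service = service; }

    @DeleteMapping("/admin/invoices/{id}")
    public void deleteViaAdmin(@PathVariable String id) { service.deleteInvoice(id); }

    @DeleteMapping("/api/invoices/{id}")
    public void deleteViaApi(@PathVariable String id) { service.deleteInvoice(id); }

    @GetMapping("/api/invoices/{id}")
    public Invoice read(@PathVariable String id) { return service.getInvoice(id); }
}
```

Two caveats worth knowing before relying on this: the annotations are applied by a Spring proxy, so a call from one method of InvoiceService to another on the same instance bypasses them, and a method annotated this way must be public. Spring Security 5.7 and later deprecates WebSecurityConfigurerAdapter in favour of a SecurityFilterChain bean and replaces @EnableGlobalMethodSecurity with @EnableMethodSecurity; the annotations on the service are unchanged.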

thymeleaf sec:authorize not working in spring boot

自作多情 submitted on 2020-01-25 10:16:09
Question: I have a Spring MVC project with Thymeleaf and in-memory authentication. In my HTML I want to display the current user that is logged in and display the logout button only when somebody is logged in. Here is a simple HTML page that should display the username, but it always displays Bob, and a text that should only be displayed when somebody is logged in, but it's always displayed. Any idea what I'm doing wrong? Here is my pom.xml <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven

Spring Security: Referer always login page after authentication

梦想与她 submitted on 2020-01-25 08:24:26
Question: I have Spring Security set up like this: http.authorizeRequests() .antMatchers("/MyAccount").authenticated() .antMatchers("/additem").authenticated() .anyRequest().permitAll() .and() .formLogin() .loginPage("/login") .successHandler(authenticationSuccessHandler) .and().csrf().disable(); When I start on page Foo and click to /additem (not logged in) it redirects me (302) to /login. When I submit the login form, REFERER is set to the login page, not FOO or /additem. Thus I'm brought back to the

Requestmapping from angular-ui-router and spring mvc

旧城冷巷雨未停 submitted on 2020-01-25 08:23:06
Question: I am using AngularJS as a JavaScript client side and Spring MVC as a REST backend. In AngularJS I am using ui-router. Here is the config.js file function config($stateProvider, $urlRouterProvider) { $urlRouterProvider.otherwise("/index"); $stateProvider .state('trains', { url: "/trains", templateUrl: "views/pages/trains.html", data: { pageTitle: 'Trains' } }) Below is the html file (left-sliderbar.html <li ui-sref-active="active"> <a href="javascript:;" ui-sref="trains" title="the trains">Trains </a> <

Spring Boot Security PreAuthenticated Scenario with Anonymous access

a 夏天 submitted on 2020-01-25 08:06:46
Question: I have a Spring Boot (1.5.6) application that is using the "pre-authenticated" authentication scenario (SiteMinder) from Spring Security. I need to expose the actuator "health" endpoint anonymously, meaning requests to that endpoint will not go through SiteMinder and, as a result, the SM_USER header will not be present in the HTTP request headers. The problem I'm facing is that no matter how I try to configure the "health" endpoint, the framework is throwing an org.springframework

Connect multiple authentication mechanisms Spring Boot Security

梦想的初衷 submitted on 2020-01-25 04:50:09
Question: I have a security configuration for my application that authenticates the user via LDAP. This works out pretty fine, but now I'd like to add another AuthenticationProvider that does some more checks on the user that tries to authenticate. So I tried to add a DbAuthenticationProvider that (for testing purposes) always denies access. So when I am trying to log in with my domain account (that works for the activeDirectoryLdapAuthenticationProvider) I am not able to access the page because the

Problems redirecting to access token entry point Oauth Token

依然范特西╮ submitted on 2020-01-25 03:19:04
Question: I am having problems with redirecting to the access token entry point /oauth/token, which I will detail below. I am hoping someone could shed some light on it as I took a lot of time implementing this. Also interesting is the fact that I cannot test it with SoapUI 5.0 community edition even following their instructions. It gets the authorization code but fails later, as you need to set the redirect URI as "urn:ietf:wg:oauth:2.0:oob". Since Spring-Security-Oauth2 lacks a lot of good

Authentication request to /j_spring_security_check 404 Error

纵饮孤独 submitted on 2020-01-25 02:56:30
Question: With the security configuration below, making a POST request to /j_spring_security_check throws a 404 error. Could someone help me point out what I'm doing wrong? security.xml <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema