spring-security

JWT with Spring OAuth2

ⅰ亾dé卋堺 submitted on 2020-01-11 09:58:06
Question: I have created the Spring Authorization Server which issues JWTs and a Resource Server which checks the JWT, its claims and permissions on the Authorization Server. To do so, I have followed this article. My question is why I need to send the Authorization header with HTTP Basic authorization and Base64 encoded username/password (ClientId:ClientSecret) in the get token request? I have seen JWT implementations where only username and password are required. Answer 1: It is part of the specification,

Set spring security remember me cookie after login via facebook

无人久伴 submitted on 2020-01-11 07:08:28
Question: I am building a mobile web app that has the option to login via facebook/twitter. I want the app to remember the login via Spring security's remember me functionality so that the user need to have to login frequently. I have the parts that will call out to facebook and get the access_token that will identify the user. I can login the user using SecurityContextHolder.getContext().setAuthentication( new UsernamePasswordAuthenticationToken(principal, credentials, authorities)); I am trying to

spring security - how to remove cache control in certain url pattern

十年热恋 submitted on 2020-01-11 06:50:37
Question: I am trying to filter some url pattern to caching. What I have attempted is put some codes into WebSecurityConfigurerAdapter implementation. @Override protected void configure(HttpSecurity http) throws Exception { initSecurityConfigService(); // For cache http.headers().defaultsDisabled() .cacheControl() .and().frameOptions(); securityConfigService.configure(http,this); } However this code will affect all of the web application. How can I apply this to certain URL or Content-Type like images

Custom SecurityExpressionRoot method with Spring Security 3.1.3

泪湿孤枕 submitted on 2020-01-11 06:08:48
Question: I am upgrading my Spring Security from 3.1.0 to 3.1.3 and ran into a change that is breaking my setup. I had been using a custom SecurityExpressionRoot to expose a method for use with intercept-url entries. <http entry-point-ref="forbiddenAccessEntryPoint" use-expressions="true" create-session="never" access-decision-manager-ref="webAccessDecisionManager"> <intercept-url pattern="/licenses*" access="hasProjectAuthority('LICENSES')"/> the SecurityExpressionRoot is injected through a custom

Custom SecurityExpressionRoot method with Spring Security 3.1.3

筅森魡賤 submitted on 2020-01-11 06:07:22
Question: I am upgrading my Spring Security from 3.1.0 to 3.1.3 and ran into a change that is breaking my setup. I had been using a custom SecurityExpressionRoot to expose a method for use with intercept-url entries. <http entry-point-ref="forbiddenAccessEntryPoint" use-expressions="true" create-session="never" access-decision-manager-ref="webAccessDecisionManager"> <intercept-url pattern="/licenses*" access="hasProjectAuthority('LICENSES')"/> the SecurityExpressionRoot is injected through a custom

SAML Http Request Intercept with Spring Boot

若如初见. submitted on 2020-01-11 04:59:27
Question: In reference to this SO question Add request parameter to SAML request using Spring Security SAML I am wanting to replace the default HTTPRedirectDeflateBinding bean with my own that has a custom HTTPRedirectDeflateEncoder to add query params to my SAML request. I'm trying to achieve this with the Spring Boot @Bean auto-configuration annotation and being new to the Java environment I can't seem to get it working right. I can see that my bean is registering on startup but the outbound HTTP

How to login a user programmatically using Spring-security?

梦想的初衷 submitted on 2020-01-10 14:11:51
Question: I need to programmatically login users that were authenticated through Facebook API. The reason for that is that there are a number of items that are associated to each user (for example shopping cart), therefore once user is authenticated using Facebook API, I need to log the user in using spring security as well to be able to access his/her shopping cart. Based on my research, there are many methods to implement it but I could not deploy any of them as I am sending log-in request from my code

@Transient annotation, @org.springframework.data.annotation.Transient annotation, transient keyword and password storing

北城以北 submitted on 2020-01-10 10:13:25
Question: Currently I'm learning the Spring framework, mainly focusing on its Security Module. I've watched some guides in connection with registration and login. I saw this common usage of transient keyword or @Transient annotation on the password field in the User class. My dummy app is using Spring Boot + Spring MVC + Spring Security + MySQL. I know that Java's transient keyword is used to denote that a field is not to be serialized. JPA's @Transient annotation ... ...specifies that the property or

@Transient annotation, @org.springframework.data.annotation.Transient annotation, transient keyword and password storing

北慕城南 submitted on 2020-01-10 10:13:09
Question: Currently I'm learning the Spring framework, mainly focusing on its Security Module. I've watched some guides in connection with registration and login. I saw this common usage of transient keyword or @Transient annotation on the password field in the User class. My dummy app is using Spring Boot + Spring MVC + Spring Security + MySQL. I know that Java's transient keyword is used to denote that a field is not to be serialized. JPA's @Transient annotation ... ...specifies that the property or

Signature trust establishment failed for SAML metadata entry

十年热恋 submitted on 2020-01-10 10:09:05
Question: In order to fetch metadata from a remote source, I defined an ExtendedMetadataDelegate bean as follows: @Bean @Qualifier("replyMeta") public ExtendedMetadataDelegate replyMetadataProvider() throws MetadataProviderException { String metadataURL = "https://ststest.mydomain.it/FederationMetadata/2007-06/FederationMetadata.xml"; final Timer backgroundTaskTimer = new Timer(true); HTTPMetadataProvider provider = new HTTPMetadataProvider( backgroundTaskTimer, httpClient(), metadataURL); provider