spring-security

问题 How do I set up CSRF protection between an AngularJS front end and a Spring Boot REST backend? Let's take the http.post("/send-pin", JSONobject)... call from the code below as an example. I am getting the following error in the server logs when I try to call a Spring Boot REST service at the /send-pin url pattern from an AngularJS front end method using http.post("/send-pin", JSONobject)... : Invalid CSRF token found for http://localhost:9000/send-pin I read this other posting, which states

问题 I have been having some trouble logging in when typing the credentials in the login page. For some reason, I am typing a wrong password even though I have checked the correct one in the database. So I thought of printing in the console the password that I type. How can I do that? 回答1: I wrote up an approach at http://burtbeckwith.com/blog/?p=2029 - this is a followup to this earlier post: http://burtbeckwith.com/blog/?p=2003 As I mention in the post, since this will print cleartext passwords

问题 I am creating a dynamic menu, all info of the menu I am getting from mysql database. In my 'menu' database, there's a column called "role_access", where I can manipulate the roles. My intention is to fill this column in the database for each rule I have, then using the code below I could show/hide the menus depending if the client is USER or ADMIN. <sec:authorize access="hasRole('{{roleAccess}}')"> <li class="menu-dropdown classic-menu-dropdown "><a data-hover="megamenu-dropdown" data-close

问题 I use Spring 3.1 with Spring Mvc and Spring Security. <security:http auto-config="true" use-expressions="true" access-denied-page="/views/not-authorized.jsp"> <security:form-login login-page="/login.html" login-processing-url="/j_spring_security_check" default-target-url="/main.html" always-use-default-target="false" authentication-failure-url="/login.html?error=true" /> <security:logout logout-url="/j_spring_security_logout" invalidate-session="true" logout-success-url="/login.html"/> <

问题 I'm using Spring Security via Spring Boot 1.59 and am having an issue securing URLs dynamically Below is my configure method: @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() //.antMatchers("/home").access("hasAnyRole('ROLE_USER','ROLE_ADMIN')") //.antMatchers("/home3").access("hasRole('ROLE_ADMIN')") .and() .formLogin().loginPage("/login").permitAll() .loginProcessingUrl("/myLogin") .usernameParameter("my_username").passwordParameter("my

问题 I want to test protected endpoints in my application and I would like login before each test, get token and use this token in next tests. @ContextConfiguration @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) @Stepwise class IntegrationSpec extends Specification { @Autowired private TestRestTemplate rest @Autowired private String token @Shared private HttpEntity request def setup() { UserData userData = new UserData("Username", "Password"); def response = rest

问题 I created userinfo endpoint in my authorization server. @GetMapping("/userinfo") public Principal me(Principal principal) { return principal; } It returns this JSON: { ... "userAuthentication": { ... "principal": { "id": 2, "username": "xyz", "password": "......", "accountNonExpired": true, "accountNonLocked": true, "credentialsNonExpired": true, "enabled": true, "authorities": [ { "authority": "ROLE_DONOR" } ], "createdAt": "2019-11-08T20:50:46" }, ... "name": "xyz" }, ... "principal": { "id

问题 By using Keycloack springboot adapter (with spring security), when defining the typical SecurityConfig (which extends from KeycloakWebSecurityConfigurerAdapter ), and overriding the "configure" method, I run into a problem when defining access roles for an endpoint, like follows: // typically access is defined something like this: http .authorizeRequests() .antMatchers(GET, "/SOME_ENDPOINT").hasRole("SOME_ROLE") .... This works for me, but when I change GET for POST, suddenly my API responds

问题 I'm adding Spring security to an internal website. I've been asked to have the authentication be tied to tomcat-users.xml, so that we can cut down on the number of passwords to change/remember. From what I've been able to Google up, this isn't very straighforward, if at all possible. Things are working fine, for now, with a user + role hardcoded in springSecurity.xml. 回答1: You can treat container security as a pre-authenticated scenario. There's a sample app in the codebase which uses this

问题 I am trying to use Spring security default login mechanism and this is what I have configured in security.xml file <http pattern="/customer/**" auto-config="true" use-expressions="true" authentication-manager-ref="customerAuthenticationManager"> <intercept-url pattern="/customer" access="hasRole('AUTH_CUSTOMER')" /> <intercept-url pattern="/customer/" access="hasRole('AUTH_CUSTOMER')" /> <intercept-url pattern="/customer/*.html" access="hasRole('AUTH_CUSTOMER')" /> <intercept-url pattern="