spring-security

问题 I'm using Grails (2.2.2) on a project and my application issues undesirable http redirects instead of https redirects. We currently have an F5 load balancer in front of Oracle Weblogic. The F5 is offloading our SSL from Weblogic. The F5 only accepts https requests and Weblogic only accepts http requests. My Grails project uses the Spring Security and Spring Security CAS plugin. The problem typically occurs on a successful CAS login. Grails seems to always issue an HTTP redirect. My serverURL

问题 I'm using Grails (2.2.2) on a project and my application issues undesirable http redirects instead of https redirects. We currently have an F5 load balancer in front of Oracle Weblogic. The F5 is offloading our SSL from Weblogic. The F5 only accepts https requests and Weblogic only accepts http requests. My Grails project uses the Spring Security and Spring Security CAS plugin. The problem typically occurs on a successful CAS login. Grails seems to always issue an HTTP redirect. My serverURL

问题 I know this has been asked already, but I am not able to get it to work. Here is what I would like to get accomplished: I am using Spring Security 3.2 to secure a REST-like service. No server side sessions. I am not using basic auth, because that would mean that I need to store the user's password in a cookie on client side. Otherwise the user would need to login with each page refresh/ change. Storing a token is I guess the lesser evil. A web client (browser, mobile app) calls a REST-like

问题 Is there a way to "ask" spring security if the current request is secure? Because even if I am authenticated I want to detect if I am in a secure protected URL or in a anonymous / public page Thanks in advance! 回答1: Spring Security provides JSP tag support for this. For example: <sec:authorize url="/admin"> This content will only be visible to users who are authorized to access the "/admin" URL. </sec:authorize> Thymeleaf provides a Spring Security Dialect that has direct support for checking

问题 I'm having an issue with spring security 3 while trying to implement my own Customauthentication. Following this page steps I wrote this class: public class CustomAuth implements AuthenticationManager { @Override public Authentication authenticate(Authentication auth) throws AuthenticationException { UserService service = new UserService(); User user = service.login((String) auth.getPrincipal(), new String( DigestUtils.sha256((String) auth.getCredentials()))); LinkedList<GrantedAuthority>

问题 Spring security (2.0.x) http namespace, form-login definition automatically uses AuthenticationProcessingFilter. <form-login login-page='/logon.jsp' default-target-url='/home.jsp' always-use-default-target='true' /> I also know that If I set auto-config="false" I can customise authentication by providing custom bean definition. I have CustomAuthenticationProcessingFilter that extends AuthenticationProcessingFilter overrides obtainUsername and uses custom logic to get username than the one

问题 Good day, I have a spring-boot 1.1.4.RELEASE app,that is using spring-security included as dependencies such as: compile("org.springframework.boot:spring-boot-starter-security") compile("org.springframework.security:spring-security-web:4.0.0.M1") compile("org.springframework.security:spring-security-config:4.0.0.M1") compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity3:2.1.1.RELEASE') I have two types of roles: "User" and "Admin". The latter has everything the former, but also

问题 I have a Spring based application that exposes 3 authentication choices for the user. Form based, Facebook Connect and a single-sign on from an external application. I'm not sure of the proper way to authenticate the last option. Application A (Spring Security based) Application B (non-spring based legacy app) Security Flow: -when a secured resource in application A is requested and the user is not authenticated, application A will redirect to application B where the user will be prompted

问题 I am trying to add a secondary ldap contextSource to spring security in a split domain environment and I seem to be coming up short. I realize similar questions have been asked before but this is for two separate domains logging into the same application. My first step was to add the secondary context source to my security-config xml file like so: <beans:bean id="secondaryContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> <beans:constructor-arg value=

问题 In my Spring application in spring security configuration file when csrf is enable (<security:csrf/>) and try to submit login form then Access denied page 403 appear (or) (Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.) exception (when access-denied-handler not present) "But if I don't enable CSRF in spring security configuration file then everything work perfectly." Here my codes when CSRF enable pom.xml (all the versions) <properties> <spring