spring-security

问题 I’m working on a spring boot project with GraphQL. I'm using graphql-java-tools and graphql-spring-boot-starter. I managed to configure security and session management with spring security as you can see in the java config files below. Now the “/graphql” path is secured (it can be accessed only sending the “basic http authentication” or a session token ( x-auth-token ) in a http header of the request). Authenticating with “basic http authentication” on any GraphQL operation will start a new

问题 I have set up spring security to intercept correctly and prompt user with custom login page, that then authenticates correctly and adds userdetails to SecurityContextHolder. Supplementary to that I now want to add my own custom User object added to session whenever login is performed; so the code will look like this: public returnwhat? doMySupplementaryLogin() { UserDetails principal = (UserDetails) SecurityContextHolder.getContext() .getAuthentication().getPrincipal(); MyUser user =

问题 I have a simple project that requires the simple following configuration : I have a "password" grant_type, which means I can submit the username/password (that the user enters in my login form), and get an access_token on success. With that access_token, I can request an API and get the user's information. I know the URIs of the APIs, I don't want anything huge (I saw the configuration on https://github.com/spring-projects/spring-security-oauth/tree/master/samples) and it seems HUGE. I can

问题 I have a simple project that requires the simple following configuration : I have a "password" grant_type, which means I can submit the username/password (that the user enters in my login form), and get an access_token on success. With that access_token, I can request an API and get the user's information. I know the URIs of the APIs, I don't want anything huge (I saw the configuration on https://github.com/spring-projects/spring-security-oauth/tree/master/samples) and it seems HUGE. I can

问题 I'm consuming a set of oAuth2 protected services. It currently works like this: the client logs in using their username and password. I exchange these for a token. I keep the token in the session and submit it every time I want to call a service. It works, but the problem is that I do this completely manually, without using much of Spring Security oAuth2 support. Here's how it looks: <!-- Configure Authentication mechanism --> <authentication-manager alias="authenticationManager">

问题 We are securing out REST services using spring security OAuth2. Applications can call into either the /oauth/authorize , /oauth/token or /rest-api endpoints. The token and rest-api endpoints are stateless and do not need a session. Can we invalidate the session after the user is authenticated? If so, what is the best approach. We want the user to sign-in always whenever a call to /oauth/authorize is made. Currently, calls to /oauth/authorize are skipping authentication whenever a session

问题 I am trying to implement DAOs to work with Spring Security database authentication in Hibernate/JPA2. Spring uses following relations and associations in order to represent user & roles: repesented as postgresql create query: CREATE TABLE users ( username character varying(50) NOT NULL, "password" character varying(50) NOT NULL, enabled boolean NOT NULL, CONSTRAINT users_pkey PRIMARY KEY (username) ); CREATE TABLE authorities ( username character varying(50) NOT NULL, authority character

问题 I had enabled deny-by-default feature of security. With this I want to provide anonymous access on some controllers. For that I had enabled Anonymous authentication. If I use antmacher.permitAll() works fine. But if I am using @PreAuthorize(value="hasRole('ROLE_ANONYMOUS')") with controllers does not work for me. { "timeStamp": 1488692168652, "success": false, "message": "Full authentication is required to access this resource", "class": "org.springframework.security.authentication

问题 I had enabled deny-by-default feature of security. With this I want to provide anonymous access on some controllers. For that I had enabled Anonymous authentication. If I use antmacher.permitAll() works fine. But if I am using @PreAuthorize(value="hasRole('ROLE_ANONYMOUS')") with controllers does not work for me. { "timeStamp": 1488692168652, "success": false, "message": "Full authentication is required to access this resource", "class": "org.springframework.security.authentication

问题 I have some spring-boot application (it exposes rest api). The mentioned REST API is secured by spring-security . Everything is fine, however now I need to set context for servicing request. Setting context is about choosing datasource in depends on user context. The key is that RoutingDataSource need to use this context. (This context must be set directly after authenticating request due to other causes, I have also other thread which use RoutingDataSource, but no invoked by request (no user