spring-security

Migration to Spring Boot 2 - Security Encoded password does not look like BCrypt

依然范特西╮ submitted on 2019-12-30 04:32:05
Question: I had a Spring Boot 1.5.9 authorization server that uses BCrypt for password storage. I am attempting to migrate to 2.0. However, I am no longer able to retrieve a token for authorization. The response from the server is: { "timestamp": "2018-03-09T15:22:06.576+0000", "status": 401, "error": "Unauthorized", "message": "Unauthorized", "path": "/oauth/token" } with the console outputting the following: 2018-03-09 09:22:06.553 WARN 20976 --- [nio-8090-exec-1] o.s.s.c.bcrypt

How can I implement Basic Authentication with JWT authentication in Spring Boot?

杀马特。学长 韩版系。学妹 submitted on 2019-12-30 02:09:48
Question: I have built a Spring-Boot application that works with jwt authentication. <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.diplie</groupId> <artifactId>rest-api</artifactId> <version>1.0.0</version> <packaging>war</packaging> <parent> <groupId>org

Using static variables in Spring annotations

余生颓废 submitted on 2019-12-30 01:47:08
Question: I'm using spring's PreAuthorize annotation as follows: @PreAuthorize("hasRole('role')"); However, I already have 'role' defined as a static String on another class. If I try to use this value: @PreAuthorize("hasRole(OtherClass.ROLE)"); I get an error: org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 14): Field or property 'OtherClass' cannot be found on object of type 'org.springframework.security.access.expression.method.MethodSecurityExpressionRoot' Is there a way

Spring Security: JWT token for API and session for web

余生长醉 submitted on 2019-12-30 00:40:17
Question: I aim to use both security in my Spring Boot app. I have already done the API side with JWT, but I don't know how to implement the session for the WEB side. I have already done that in another project but I don't know how to make them work together. Here is my SecurityConfig: @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().ignoringAntMatchers("/api/**") .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and()

Spring Security - need 403 error, not redirect

好久不见. submitted on 2019-12-29 18:33:27
Question: I am using Spring Security 3.0.4. I have a bunch of web services which are protected by Spring Security. When I access them as an unauthenticated user, Spring Security redirects to login page. Instead of that, I want to return HTTP 403 error. How can I achieve that? Here is my security config: <http auto-config="false" use-expressions="true" > <intercept-url pattern="/authorization.jsp" access="permitAll"/> <intercept-url pattern="/registration.jsp" access="permitAll"/> <intercept-url pattern=

Retrieving Session ID with Spring Security

泪湿孤枕 submitted on 2019-12-29 14:11:53
Question: For logging purposes, I'd like to create a logger that automatically adds the current session's ID to logged lines. For logged in users this isn't a problem: ((WebAuthenticationDetails) SecurityContextHolder.getContext().getAuthentication().getDetails()) .getSessionId() The problem is, before the user has logged in getAuthentication() returns null. Is there another way for getting the session ID without having a reference to the current response or anything of that sort? Answer 1: You may use

File Upload using Spring WebFlow 2.4.0, parameter not binded

倾然丶 夕夏残阳落幕 submitted on 2019-12-29 08:21:33
Question: I'm using Spring Framework 4.1.5, Spring Security 4.0.0.RC2, Spring Webflow 2.4.0.RELEASE and Tomcat 8.0.15. I followed the example in the webflow documentation, but I can't get the file in my form bean. The form <form:form action="${flowExecutionUrl}" method="post" commandName="fileForm" enctype="multipart/form-data"> <form:input type="file" value="" path="multipartFileUpload"/> <button type="submit" name="_eventId_forward"><spring:message code="signup.forward"/></button> <sec:csrfInput/> <

Spring Security OAuth2 and FormLogin in a one application

依然范特西╮ submitted on 2019-12-29 08:16:31
Question: In my Spring Boot application I have RESTful API and MVC web dashboard for administration. Is it possible to have both - Spring Security OAuth2 authentication/authorization (token based, stateless) for RESTful API and FormLogin (stateful) for Spring MVC web dashboard in a one application? How to properly configure it with Spring Boot? Answer 1: You need to configure your web security for form based login and Resource Server Security for REST Endpoints. Here is a working configuration that uses

AccessDeniedException if using RoleHierarchyImpl

我怕爱的太早我们不能终老 submitted on 2019-12-29 07:15:14
Question: I am using role hierarchy in Spring Security. <beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter"> <beans:constructor-arg ref="roleHierarchy" /> </beans:bean> <beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl"> <beans:property name="hierarchy"> <beans:value> ROLE_USER > ROLE_GUEST </beans:value> </beans:property> </beans:bean> I am securing methods using protect-pointcut <global-method

How I can get session object from ApplicationListener method

心已入冬 submitted on 2019-12-29 07:09:19
Question: I want to add object to HttpSession after successful user authentication. Please don't suggest solution with SavedRequestAwareAuthenticationSuccessHandler because in this app for some reason application is ignoring original request. public class AuthenticationSuccessListener implements ApplicationListener<InteractiveAuthenticationSuccessEvent> { @Override public void onApplicationEvent(InteractiveAuthenticationSuccessEvent e) { //adding object to HttpSession } } Answer 1: As far as I am aware,