spring-security

问题 My project consists exposes two different parts, a JSF admin panel and a RESTfull service. I am trying to setup spring security to use different authentication methods depending on the URL the user navigates. The requirements are Users navigating to the JSF page get a login screen where they authentication using form authentication. Users navigating to the REST service use OAuth2 implicit authentication with basic authentication for the token granting. The seperate configurations work by

问题 After configuring Spring Security 3.2, _csrf.token is not bound to a request or a session object. This is the spring security config: <http pattern="/login.jsp" security="none"/> <http> <intercept-url pattern="/**" access="ROLE_USER"/> <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1" default-target-url="/index.jsp"/> <logout/> <csrf /> </http> <authentication-manager> <authentication-provider> <user-service> <user name="test" password="test" authorities=

问题 When a user fails authentication, I want the username and password to be returned to the form. I'm using the spring security core plugin with Grails and Spring Security LDAP. I've searched around for a while and have come up with zip. Any ideas? 回答1: From UsernamePasswordAuthenticationFilter javadoc: If you want to retain the username, cache it in a customized AuthenticationFailureHandler As for password there is no point to cache it, because it cannot be put back to form password field for

问题 Right now, the load balancers handle https and then pass along that https to my web servers. So dealing with https double for each request. What I want to do is completely offload https so my web servers don't have to deal with it. How do I configure Spring Security and JSP pages given that the web servers think all requests are http? Obviously I'll have to modify the <intercept-url> elements of my configuration to have their requires-channel attribute always be http or any . In my JSP pages

问题 I am working in a project using Spring, Spring Data JPA, Spring Security, Primefaces... I was following this tutorial about dynamic datasource routing with spring. In this tutorial, you can only achieve dynamic datasource switching between a pre-defined datasources. Here is a snippet of my code : springContext-jpa.xml <bean id="dsCgWeb1" class="org.apache.commons.dbcp.BasicDataSource"> <property name="driverClassName" value="${jdbc.driverClassName.Cargest_web}"></property> <property name="url

问题 I want to use Spring Security for JWT authentication. But it comes with default authentication. I am trying to disable it, but the old approach of doing this - disabling it through application.properties - is deprecated in 2.0. This is what I tried: @Configuration public class StackWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic().disable(); // http.authorizeRequests().anyRequest()

问题 Assuming that my Spring Security and properties are configured properly, I would like to use role name from property like @PreAuthorize("hasRole('${role.rolename}')") public void method() {} I have tried like in above code sample but it does not work (it takes '${role.rolename}' String as role to compare) If I switch to @PreAuthorize("hasRole('ROLE_ADMIN')") public void method() {} it works just fine. My motivation to such usage is better flexibility in application tests on various

问题 Ok, I want my web app to be able to use HTTP sessions on multiple web servers. I can't use sticky sessions or session replication either! What is the best practice for Spring Security to handle since Spring Security handles HTTP sessions already? Does Spring provide anything OOTB? Or does it have an option to store the session info to the database? SecurityContextPersistenceFilter ? 回答1: You can configure your container to persist session to database using JDBC. If you use tomcat you can

问题 I am trying to secure a web application using Spring Security java configuration. This is how the configuration looks:- @Configuration @EnableWebMvcSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { private String googleClientSecret; @Autowired private CustomUserService customUserService; /* * (non-Javadoc) * * @see org.springframework.security.config.annotation.web.configuration. * WebSecurityConfigurerAdapter * #configure(org.springframework.security.config *

问题 I wonder how to filter users' access to my web app by their IP using Spring Security. Should I extend AbstractAuthenticationProcessingFilter or something like that and override it's methods in my own way? If so, could you give an example of such extending and example of filter description in web.xml ? Thanks in advance. P.S. In my app I also have Spring Security support (using default org.springframework.web.filter.DelegatingFilterProxy ), but I want it to check not only user credentials, but