spring-security

问题 I need to implement authorization with a specific header (say "sessionId") and secure all uri's except one. I extended OncePerRequestFilter and implemented custom AuthenticationProvider to check if sessionId is valid (as well as custom Token class etc). How it works now: for any uri it immediately jumps to AuthSessionAuthenticationProvider 's authenticate method right after AuthSessionFilter is applied and returns 403 if header sessionId isn't specified. But I want some uri's to allow access

问题 I have gone a good distance in spring-security-core-2.0-RC5 (SSC) with Grails 2.5, but still a lot to cover. I am wondering how to achieve two tasks. So far and after integrating SSC in my project, I built a dispatcher that takes care of routing users to different landing pages according to their roles. This link shows how I do it. What I am wondering how others are doing is these two tasks: How to customize the landing page. For example, instead of the typical "Please Login", I need to say

问题 The official Spring Github Repo's Readme reads: The application is almost finished functionally. The last thing we need to do is implement the logout feature that we sketched in the home page. If the user is authenticated then we show a "logout" link and hook it to a logout() function in the AppComponent. Remember, it sends an HTTP POST to "/logout" which we now need to implement on the server. This is straightforward because it is added for us already by Spring Security (i.e. we don’t need

问题 I'm developing a webapp with Spring MVC, I use Spring Security and have already written the code for username/password login and it works. Now I have to write the code to allow users to log in with a certificate... I read data from a cardreader and process it and then I create a UserDetails object, then a UsernamePasswordAuthenticationToken and load it to Spring security context like this: UserDetails userDetails = myUserDetailsService.loadUserByUsername(usuario.getCodUsuario());

问题 I have a single WAR that runs two servlets. One provides AMF remoting to Flex clients and other SOAP/HTTP to web service clients. I currently have Spring Security configured to authenticate the Flex clients using DaoAuthenticationProvider. However, I'd like to use a different authentication provide for the SOAP/HTTP. Possibly basic authentication or some other form. Is it possible? or do I need two WARs? 回答1: I think you'll run into problems issues with instantiating two security filter

问题 I would like to parse standard security expressions like hasRole etc. to get their value in a variable (in a JSP). How can I do that? SpelExpressionParser is the standard EL parser, but I don't think it will parse the security expression. 回答1: The simpliest approach is to use a <sec:authorize> tag and modify a desired variable inside its body. If you actually want to evaluate expressions manually, look at the source of AuthorizeTag - it gets the first bean of type WebSecurtyExpressionHandler

问题 I am using Spring 3.1 version. I have implemented spring security for login to my web portal. It works fine except for one issue. I have set session timeout to 2 min. Once timeout happpens and then user click any URL, It gets redirected to logout page. But when user re autheticates, user directly lands on the home page which is default target URL instead of last access page. Like if user is accessed /home/editproduct then after timeout & when he again reautenticate he should be accessed to

问题 I've exhausted every SO post and blog entry I could find trying to figure out what I've done wrong. So, now I'm asking for your help. I'm building a Spring Boot app and leveraging Spring Security for user management/authentication. I think I've set everything up correctly, but during login Spring Security redirects to the login failure URL (/login?error) every time, throwing the error: Your login attempt was not successful, try again. Reason: Bad credentials There is nothing telling or useful

问题 I am trying to use Spring Websocket with Sockjs and STOMPjs . As mentioned Spring Websocket Documentation, after the /info request, client send protocol upgrade request to /websocket . HTTP Status 101 expected from client. In my application, Spring Websocket returns Http 101 as expected, however within 10 second. Spring Websocket logs; 2018-04-12 14:27:50.219 DEBUG 24509 --- [nio-8080-exec-6] s.w.s.h.LoggingWebSocketHandlerDecorator : WebSocketServerSockJsSession[id=z52e0a20] closed with

问题 I'm getting the error 403 Forbidden for the POST endpoint, the others endpoints are working as expected. I have 4 endpoints and I need to reproduce the authentication behavior: GET \users - no authentication GET \details\1 - needs authentication GET \users\1 needs authentication POST \users\1 needs authentication My configuration class: @Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws