Custom Authentication provider with Spring Security and Java Config

The following does what you need (CustomAuthenticationProvider is your implementation which needs to be managed by Spring):

    @Configuration
    @EnableWebMvcSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private CustomAuthenticationProvider customAuthenticationProvider;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            /**
             * Do your stuff here
             */
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(customAuthenticationProvider);
        }
        …

How to apply Spring Data projections in a Spring MVC controllers?

No it’s not, especially as projections are usually applied to the result of a query execution on a case by case basis. Thus they’re currently designed to be selectively applied to domain types. As of the latest Spring Data Fowler release train GA release the projection infrastructure can be used programmatically in Spring MVC controllers. …

Cross-Origin Resource Sharing with Spring Security

I was able to do this by extending UsernamePasswordAuthenticationFilter… my code is in Groovy, hope that’s OK:

    public class CorsAwareAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
        static final String ORIGIN = 'Origin'

        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response){
            if (request.getHeader(ORIGIN)) {
                // Echoes the request's Origin header back as the allowed origin, with credentials enabled
                String origin = request.getHeader(ORIGIN)
                response.addHeader('Access-Control-Allow-Origin', origin)
                response.addHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
                response.addHeader('Access-Control-Allow-Credentials', 'true')
                response.addHeader('Access-Control-Allow-Headers', request.getHeader('Access-Control-Request-Headers'))
            }
            …

Custom Authentication Manager with Spring Security and Java Configuration

Take a look at my sample below. You have to return a UsernamePasswordAuthenticationToken. It contains the principal and the GrantedAuthorities. Hope I could help 🙂

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getPrincipal() + "";
        String password = authentication.getCredentials() + "";

        User user = userRepo.findOne(username);
        if (user == null) {
            throw new …

Why BCryptPasswordEncoder from Spring generate different outputs for same input?

    public static void main(String[] args) {
        // spring 4.0.0
        org.springframework.security.crypto.password.PasswordEncoder encoder
                = new org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder();

        // $2a$10$lB6/PKg2/JC4XgdMDXyjs.dLC9jFNAuuNbFkL9udcXe/EBjxSyqxW
        // true
        // $2a$10$KbQiHKTa1WIsQFTQWQKCiujoTJJB7MCMSaSgG/imVkKRicMPwgN5i
        // true
        // $2a$10$5WfW4uxVb4SIdzcTJI9U7eU4ZwaocrvP.2CKkWJkBDKz1dmCh50J2
        // true
        // $2a$10$0wR/6uaPxU7kGyUIsx/JS.krbAA9429fwsuCyTlEFJG54HgdR10nK
        // true
        // $2a$10$gfmnyiTlf8MDmwG7oqKJG.W8rrag8jt6dNW.31ukgr0.quwGujUuO
        // true
        for (int i = 0; i < 5; i++) {
            // "123456" - plain text - user input from user interface
            …

Spring Boot Microservices – Spring Security – ServiceTest and ControllerTest for JUnit throwing java.lang.StackOverflowError

The error is most likely caused by declaring the AuthenticationManager as a @Bean. Try this in your test class:

    @MockBean
    private AuthenticationManager _authenticationManager;

That said, the Spring Security team does not recommend exposing the AuthenticationManager in this way; see the comment in Spring issue #29215.

Disabling a filter for only a few paths

In your custom AuthenticationFilter you can define a RequestMatcher and use it before doing your logic, like so:

    public class AuthenticationFilter extends OncePerRequestFilter {
        private final RequestMatcher ignoredPaths = new AntPathRequestMatcher("/swagger-ui");

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
                throws ServletException, IOException {
            // Requests matching the ignored paths skip the filter's logic entirely
            if (this.ignoredPaths.matches(request)) {
                filterChain.doFilter(request, response);
                return;
            }

            // do your logic
            filterChain.doFilter(request, response);
        }
        …