Is it possible to invalidate a spring security session?

You can't usually invalidate a user's session(s) immediately after you change their account information without resorting to a container-specific API, since the only way to access the HttpSession is through the HttpServletRequest object. Instead you can cache the username in an in-memory store and consult it either in a filter or a custom AccessDecisionVoter. Using …
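
The filter approach the answer describes, as an added example that is not code from the answer or from Spring Security itself. It assumes (my assumptions, not the page's) the javax.servlet API, session-based login through Spring Security, and a single JVM: the store is per process, so a cluster needs a shared cache instead. All class names are invented. Rather than a one-shot "kick this user" flag, it records the time of the last invalidation per username and rejects any session created before that, so every session the user holds (two browsers, a phone) is dropped, while a fresh login afterwards is accepted.

```java
// Added example; not from the original answer. Forces re-authentication for a
// user whose account was changed, via an in-memory store consulted by a filter.
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/** Per-username timestamp of the last forced invalidation (invented name). */
@Component
class InvalidatedUserStore {
    private final Map<String, Long> invalidatedAt = new ConcurrentHashMap<>();

    /** Call this wherever the account is changed (role change, lock, password reset). */
    public void invalidate(String username) {
        invalidatedAt.put(username, System.currentTimeMillis());
    }

    /** A session is stale if it was created at or before the user's last invalidation. */
    public boolean isStale(String username, long sessionCreationTime) {
        Long ts = invalidatedAt.get(username);
        return ts != null && sessionCreationTime <= ts;
    }
}

/**
 * Register this inside the Spring Security chain, after the filter that loads
 * the SecurityContext from the session, so the Authentication is populated:
 *   http.addFilterAfter(new ForcedLogoutFilter(store), SecurityContextPersistenceFilter.class);
 * Do not also declare it as a @Component in Spring Boot, or it is registered a
 * second time in the container chain, where the context is still empty.
 */
public class ForcedLogoutFilter extends OncePerRequestFilter {
    private final InvalidatedUserStore store;

    public ForcedLogoutFilter(InvalidatedUserStore store) {
        this.store = store;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        HttpSession session = request.getSession(false);
        if (auth != null && session != null
                && store.isStale(auth.getName(), session.getCreationTime())) {
            session.invalidate();                 // the container drops the session
            SecurityContextHolder.clearContext(); // and this request forgets the principal
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Because Spring Security's default session-fixation protection creates a new session on login, a re-login after the invalidation gets a later creation time and passes the check. Entries in the store never expire here; purge anything older than your longest session timeout. If you already run Spring Security's concurrent-session control, SessionRegistry#getAllSessions(principal, false) plus SessionInformation#expireNow() gives the same effect without a custom store.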

disabling spring security in spring boot app [duplicate]

Use the security.ignored property:

    security.ignored=/**

security.basic.enable: false will just disable some part of the security auto-configuration, but your WebSecurityConfig will still be registered. There is a default security password generated at startup. Try to autowire the AuthenticationManagerBuilder:

    @Override
    @Autowired
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        …
    }

Single role multiple IP addresses in Spring Security configuration

Your for loop results in the following configuration:

    @SuppressWarnings("ALL")
    @Configuration
    @EnableWebSecurity
    public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                .antMatchers("/admin/**").access("hasRole('admin') and hasIpAddress('127.0.0.1')")
                .antMatchers("/admin/**").access("hasRole('admin') and hasIpAddress('192.168.1.0/24')")
                .antMatchers("/admin/**").access("hasRole('admin') and hasIpAddress('0:0:0:0:0:0:0:1')");
        }

        //some other configurations
    }

So for the URL http://localhost:9595/admin/checkappeals/211 only the first matcher is considered, see HttpSecurity#authorizeRequests: Note that the …
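
Since only the first matcher for a pattern is consulted, the fix is one matcher whose expression OR-s the allowed addresses. Added example, not the answer's code: the three addresses are the ones from the question, and the list-to-expression helper and the rest of the configuration are my own (Spring Security 4.x/5.x Java config assumed).

```java
// Added example; not from the original answer. One access expression for
// /admin/** with the IP alternatives OR-ed inside it.
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed sample list; in practice read it from configuration.
    private static final List<String> ADMIN_NETWORKS =
            Arrays.asList("127.0.0.1", "192.168.1.0/24", "0:0:0:0:0:0:0:1");

    /** Builds "hasRole('admin') and (hasIpAddress('a') or hasIpAddress('b') ...)". */
    static String adminAccessExpression(List<String> networks) {
        String ips = networks.stream()
                .map(ip -> "hasIpAddress('" + ip + "')")
                .collect(Collectors.joining(" or "));
        return "hasRole('admin') and (" + ips + ")";
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").access(adminAccessExpression(ADMIN_NETWORKS))
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

Two caveats a reviewer would raise. First, since Spring Security 4 hasRole('admin') looks for the authority ROLE_admin (the prefix is added for you), so the stored authority must carry it. Second, hasIpAddress compares against HttpServletRequest#getRemoteAddr(), which behind a reverse proxy is the proxy's address; if you make the container trust X-Forwarded-For (Tomcat's RemoteIpValve, Spring's ForwardedHeaderFilter), the proxy must overwrite any client-supplied copy of that header, otherwise the IP restriction is spoofable.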

Disable HTTP OPTIONS method in spring boot application

The previous answer is for Tomcat only, so I am adding mine as well. You can disable the method cross-container by, for example, using a standard servlet filter:

    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.stereotype.Component;
    import org.springframework.web.filter.OncePerRequestFilter;

    @Component
    public class MethodFilter extends OncePerRequestFilter {

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, …
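
A complete version of such a filter, as an added example that is not the answer's own (truncated) code. It assumes the javax.servlet API and Spring Boot, which registers a @Component filter for you and honours @Order; the Allow header value is an assumption about what the application serves.

```java
// Added example; not from the original answer. Rejects HTTP OPTIONS with 405
// before any handler sees the request, independently of the container.
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // run ahead of the Spring Security chain and the DispatcherServlet
public class MethodFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        if (isDisallowed(request.getMethod())) {
            // 405 is the right status for a known-but-unsupported method;
            // the Allow header (assumed list) tells the client what is supported.
            response.setHeader("Allow", "GET, HEAD, POST, PUT, DELETE");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        filterChain.doFilter(request, response);
    }

    /** Method tokens are case-sensitive (RFC 7231), so compare exactly. */
    static boolean isDisallowed(String method) {
        return "OPTIONS".equals(method);
    }
}
```

Before installing this, check whether the application relies on CORS: browsers send a preflight OPTIONS request for cross-origin calls, and blocking it breaks those clients. If you only want the rule within the Spring Security chain, http.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").denyAll() achieves the same without a separate filter.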

Spring security @PreAuthorize hasRole() properties injection

Try to remove the " signs:

    @PreAuthorize("hasRole(${role.rolename})")
    public void method() {}

EDIT. I am sure that there is a better way, but as a workaround you can call some method on some bean:

    @Component("appVariablesHolder")
    public class AppVariablesHolder {

        @Value("${role.rolename}")
        private String someRole;

        public String getSomeRole() {
            return this.someRole;
        }
    }

    @PreAuthorize("hasRole(@appVariablesHolder.getSomeRole())")
    public void method() {}

Spring security 3.1.4 and ShaPasswordEncoder deprecation

If you want to switch to a more secure password encoding mechanism, then I would recommend you use BCrypt. I would use something like this to migrate your users:

    // Implement the old PasswordEncoder interface
    public class MigrateUsersPasswordEncoder implements PasswordEncoder {

        @Autowired
        ShaPasswordEncoder legacyEncoder;

        @Autowired
        JdbcTemplate template;

        BCryptPasswordEncoder bcryptEncoder = new BCryptPasswordEncoder();

        @Override
        public String …
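
A complete migrating encoder along the lines the answer sketches, as an added example that is not the answer's own (truncated) code. It implements the Spring Security 3.1 org.springframework.security.authentication.encoding.PasswordEncoder interface, so it drops into the same <password-encoder ref="..."/> slot as the ShaPasswordEncoder. My assumptions: the legacy encoder was wired with a salt-source on the username (<salt-source user-property="username"/>), so the salt passed in is the username and can key the UPDATE; the table and column names users, username and password are invented.

```java
// Added example; not from the original answer. Verifies against the legacy SHA
// hash and, only on success, re-hashes the password with BCrypt in place, so
// SHA hashes disappear as users log in.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class MigrateUsersPasswordEncoder implements PasswordEncoder {

    @Autowired
    private ShaPasswordEncoder legacyEncoder;

    @Autowired
    private JdbcTemplate template;

    // Work factor 10 is the library default; raise it as your hardware allows.
    private final BCryptPasswordEncoder bcryptEncoder = new BCryptPasswordEncoder();

    /** New passwords, and migrated ones, are always stored as BCrypt. */
    @Override
    public String encodePassword(String rawPass, Object salt) {
        return bcryptEncoder.encode(rawPass);
    }

    @Override
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        // Already migrated: BCrypt strings are self-describing ("$2a$10$...").
        if (encPass.startsWith("$2")) {
            return bcryptEncoder.matches(rawPass, encPass);
        }
        // Legacy row: verify with SHA first; never touch the row on a failed login.
        if (!legacyEncoder.isPasswordValid(encPass, rawPass, salt)) {
            return false;
        }
        String username = String.valueOf(salt); // assumption: salt == username
        // "AND password = ?" makes the upgrade idempotent under concurrent logins:
        // a second request that raced us finds the row already rewritten and updates nothing.
        template.update(
                "UPDATE users SET password = ? WHERE username = ? AND password = ?",
                bcryptEncoder.encode(rawPass), username, encPass);
        return true;
    }
}
```

Wire it as a bean and point the authentication provider at it (<password-encoder ref="migrateUsersPasswordEncoder"/>), keeping the ShaPasswordEncoder bean alive only as the legacyEncoder dependency. Once no SHA-prefixed rows remain you can drop the legacy branch and the ShaPasswordEncoder bean entirely.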

Spring security 4 custom login j_spring_security_check return http 302

In Spring Security 4.x the login URL has changed to login instead of j_spring_security_check, see Migrating from Spring Security 3.x to 4.x (XML Configuration).

    <form name="f" action="login" method='POST'>
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
        <table>
            <tbody>
                <tr>
                    <td>User Name</td>
                    <td><input type="text" name="username" size="30" /></td>
                </tr>
                <tr>
                    <td>Password</td>
                    <td><input type="password" name="password" size="30" /></td>
                </tr>
                <tr>
                    <td></td>
                    <td><input type="submit" value="login" …

Spring REST security – Secure different URLs differently

Here's a code sample in Java config that uses UserDetailsService and has different security configurations for different URL endpoints:

    @Configuration
    @EnableWebMvcSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        UserDetailsService userDetailsService;

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService);
        }

        @Configuration
        @Order(1)
        public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity …
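
A complete two-chain configuration of the kind the answer starts to show, as an added example that is not the answer's own (truncated) code. It assumes Spring Security 4.x or 5.x Java config (where @EnableWebSecurity replaces the now-deprecated @EnableWebMvcSecurity) and a UserDetailsService bean defined elsewhere; the URL patterns and role names are invented. The API chain is stateless HTTP Basic with CSRF off; the browser chain keeps form login and CSRF on.

```java
// Added example; not from the original answer. One filter chain for /api/**
// and a second, lower-priority chain for everything else.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {

    /** One AuthenticationManager, shared by both chains below. */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth,
                                UserDetailsService userDetailsService) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    /** Consulted first; antMatcher() restricts the whole chain to /api/**. */
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .authorizeRequests()
                    .antMatchers("/api/admin/**").hasRole("ADMIN")   // authority ROLE_ADMIN
                    .anyRequest().hasRole("USER")
                    .and()
                .httpBasic()                                          // no login page for API clients
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // never issue JSESSIONID
                    .and()
                .csrf().disable(); // acceptable only because no cookie session exists to ride
        }
    }

    /** Fallback chain for everything that is not /api/**. */
    @Configuration
    @Order(2)
    public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/public/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login").permitAll()
                    .and()
                .logout().permitAll();
            // CSRF protection is left at its default (enabled) for this chain.
        }
    }
}
```

The @Order values matter: two WebSecurityConfigurerAdapters with the same order fail at startup, and a chain without antMatcher() matches every request, so the catch-all chain must have the higher order number. Disabling CSRF is tied to the STATELESS policy; if the API chain ever starts issuing session cookies, the CSRF exemption becomes a real weakness.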