Multiple roles using @PreAuthorize

You can create a custom annotation to validate many roles and conditions, e.g.: @Retention(RetentionPolicy.RUNTIME) @PreAuthorize("hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_AGENT) " + "|| hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_ADMIN)" + "|| (hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_CUSTOMER) && #userId == principal.username)") public @interface IsAuthenticatedAsAgentOrCustomerIsUserId { } Then, you can use this annotation as below: @IsAuthenticatedAsAgentOrCustomerIsUserId Folder findByUserIdAndType(@Param("userId") String userId, @Param("typeId") FolderType id); This annotation validates that the user logged in as role … Read more

How to allow a User only access their own data in Spring Boot / Spring Security?

In any @Controller, @RestController annotated bean you can use Principal directly as a method argument. @RequestMapping("/users/{user_id}") public String getUserInfo(@PathVariable("user_id") Long userId, Principal principal){ // test if userId is current principal or principal is an ADMIN …. } If you don't want the security checks in your Controllers you could use Spring EL expressions. You probably … Read more

How do I disable resolving login parameters passed as url parameters / from the url

This makes Spring search for login data in both the URL parameters and the body. I wish to disable searching for those parameters in the URL. I believe this is not possible, since this behaviour is not implemented by Spring but rather by JavaEE itself. The HttpServletRequest.getParameter doc states: Returns the value of a request parameter as a String, or null … Read more

How to reload authorities on user update with Spring Security

If you need to dynamically update a logged in user’s authorities (when these have changed, for whatever reason), without having to log out and log in of course, you just need to reset the Authentication object (security token) in the Spring SecurityContextHolder. Example: Authentication auth = SecurityContextHolder.getContext().getAuthentication(); List<GrantedAuthority> updatedAuthorities = new ArrayList<>(auth.getAuthorities()); updatedAuthorities.add(…); //add your … Read more

How to test spring-security-oauth2 resource server security?

To test resource server security effectively, both with MockMvc and a RestTemplate, it helps to configure an AuthorizationServer under src/test/java: AuthorizationServer @Configuration @EnableAuthorizationServer @SuppressWarnings("static-method") class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter { @Bean public JwtAccessTokenConverter accessTokenConverter() throws Exception { JwtAccessTokenConverter jwt = new JwtAccessTokenConverter(); jwt.setSigningKey(SecurityConfig.key("rsa")); jwt.setVerifierKey(SecurityConfig.key("rsa.pub")); jwt.afterPropertiesSet(); return jwt; } @Autowired private AuthenticationManager authenticationManager; @Override public void configure(final … Read more

Spring Boot: How to specify the PasswordEncoder?

In spring-security-core:5.0.0.RC1, the default PasswordEncoder is built as a DelegatingPasswordEncoder. When you store the users in memory, you are providing the passwords in plain text and when trying to retrieve the encoder from the DelegatingPasswordEncoder to validate the password it can’t find one that matches the way in which these passwords were stored. Use this … Read more