Spring Boot 2.0 disable default security

According to the new updates in Spring 2.0, if Spring Security is on the classpath, Spring Boot will add @EnableWebSecurity. So adding entries to the application.properties ain't gonna work (i.e. it is no longer customizable that way). For more information visit the official website: Security changes in Spring Boot 2.0. Albeit not sure about your requirement …

Multiple antMatchers in Spring security

I believe that the problem is in the order of your rules: .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/admin/login").permitAll() The order of the rules matters and the more specific rules should go first. Now everything that starts with /admin will require an authenticated user with the ADMIN role, even the /admin/login path (because /admin/login is already matched by the /admin/** rule and …

JAAS for human beings

Other users have provided some very useful links above so I am not going to bother with links. I have done similar research in JAAS for web applications and have run into a "mind roadblock" until I finally realized JAAS is a framework tackling security at a different "layer" than web applications in the …

Spring Security multiple url ruleset not working together

You override your previous matchers, see HttpSecurity.html#antMatcher: Invoking antMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher). And HttpSecurity.html#regexMatcher: Invoking regexMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher). If you want more than one configuration of HttpSecurity, see Spring Security Reference: We can configure multiple HttpSecurity instances just …

Spring Security with SOAP web service is working in Tomcat, but not in WebLogic

I just wanted to update the alternate solution I found for this problem, for completeness. The Spring Security filter chain was not working for WebLogic, whereas the same was working in Tomcat, even for WebLogic version 12.2.1.4. I had followed this example, and implemented the Okta filter as the Spring Boot version was not working in WebLogic 12.2.1.4. …

How to use multiple login pages one for admin and the other one for user

Both security filter chains are not restricted (default is /**). Spring Security 6: You have to restrict the first one with securityMatcher, see Spring Security Reference: Multiple HttpSecurity Instances. We can configure multiple HttpSecurity instances just as we can have multiple <http> blocks in XML. The key is to register multiple SecurityFilterChain @Beans. The following …

Should I explicitly send the Refresh Token to get a new Access Token – JWT

Yes, the refresh token is used to obtain a new access token. When you request the access token for the first time, you usually start by sending a token request to the token endpoint, in case of the so-called Resource Owner Password Credentials Grant with user credentials in the request header, e.g. grant_type=password&username=user1&password=very_secret when …

Combining basic authentication and form login for the same REST Api

You can achieve this easily by using multiple http configurations as below; this code only explains multiple http configuration. I am assuming that you are well aware of the other essential configurations related to Spring Security, e.g. authenticationManager etc. @EnableWebSecurity public class MultiHttpSecurityCustomConfig { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER").and().withUser("admin").password("password") .roles("USER", "ADMIN"); …