Spring security 3.1.4 and ShaPasswordEncoder deprecation

If you want to switch to a more secure password encoding mechanism, then I would recommend you use BCrypt. I would use something like this to migrate your users: // Implement the old PasswordEncoder interface public class MigrateUsersPasswordEncoder implements PasswordEncoder { @Autowired ShaPasswordEncoder legacyEncoder; @Autowired JdbcTemplate template; BCryptPasswordEncoder bcryptEncoder = new BCryptPasswordEncoder(); @Override public String …

Multiple roles using @PreAuthorize

You can create a custom annotation to validate many roles and conditions. E.g.: @Retention(RetentionPolicy.RUNTIME) @PreAuthorize("hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_AGENT) " + "|| hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_ADMIN)" + "|| (hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_CUSTOMER) && #userId == principal.username)") public @interface IsAuthenticatedAsAgentOrCustomerIsUserId { } Then, you can use this annotation as below: @IsAuthenticatedAsAgentOrCustomerIsUserId Folder findByUserIdAndType(@Param("userId") String userId, @Param("typeId") FolderType id); This annotation validates that the user logged in as role …

Feign and Spring Security 5 – Client Credentials

For this to work with Spring Security 5 and Feign you need to have a working Spring Security config, a Feign interceptor, and a Feign configuration using that interceptor. Working Spring Security Config: Here we will register a generic internal-api client for your OAuth2 client credentials. This is where you specify the client-id, client-secret, scopes and grant …

Standalone Spring OAuth2 JWT Authorization Server + CORS

Found the reason for my problem! I just needed to end the filter chain and return the result immediately if an OPTIONS request is processed by the CorsFilter! SimpleCorsFilter.java @Component @Order(Ordered.HIGHEST_PRECEDENCE) public class SimpleCorsFilter implements Filter { public SimpleCorsFilter() { } @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletResponse response …

Java Spring Security config – multiple authentication providers

Maybe this will help you: @Configuration @EnableWebSecurity @Profile("container") public class XSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private AuthenticationProvider authenticationProvider; @Autowired private AuthenticationProvider authenticationProviderDB; @Override @Order(1) protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(authenticationProvider); } @Order(2) protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(authenticationProviderDB); } @Override public void configure(WebSecurity web) throws Exception { web .ignoring() …

What’s the difference between @Secured and @PreAuthorize in spring security 3?

The real difference is that @PreAuthorize can work with Spring Expression Language (SpEL). You can: Access methods and properties of SecurityExpressionRoot. Access method arguments (requires compilation with debug info or a custom ParameterNameDiscoverer): @PreAuthorize("#contact.name == principal.name") public void doSomething(Contact contact) (Advanced feature) Add your own methods (override MethodSecurityExpressionHandler and set it as <global-method-security><expression-handler … /></…>).

How to dynamically decide access attribute value in Spring Security?

The FilterInvocationSecurityMetadataSourceParser class in Spring Security (try Ctrl/Cmd+Shift+T in STS with the source code) parses the intercept-url tags and creates instances of ExpressionBasedFilterInvocationSecurityMetadataSource, which extends DefaultFilterInvocationSecurityMetadataSource, which implements FilterInvocationSecurityMetadataSource, which extends SecurityMetadataSource. What I did is to create a custom class that implements FilterInvocationSecurityMetadataSource, OptionsFromDataBaseFilterInvocationSecurityMetadataSource. I used DefaultFilterInvocationSecurityMetadataSource as a base to use urlMatcher, to implement the …

Spring boot Security Disable security

In case you have spring-boot-actuator in your package, you should add the following: @EnableAutoConfiguration(exclude = { org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class, org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class}) With older Spring Boot, the class was called ManagementSecurityAutoConfiguration. In newer versions this has changed to @SpringBootApplication(exclude = { org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class, org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration.class} ) UPDATE If for a reactive application you are having the same issue, you can exclude the following …