I had a Spring Boot 2.7.6 app with Spring Security 5.7.5 running without problems: authentication works, I navigate through the different pages according to roles, Swagger UI is usable, etc. I don’t have a deprecated warning for your information. I migrated to Spring Boot 3.0.0 and therefore Spring Security 6.0.0. I followed the migration guides and the server starts without
Tag: spring-security
Why does Spring Security 6 not create sessions when authenticating with curl and basic auth?
I recently upgraded to Spring Security 6, and have found that authenticating using basic auth from JS or from curl no longer works but authenticating with basic auth using Java’s HttpClient does work. My goal is to be able to authenticate with all approaches. The app uses Java 17, Spring Security 6, and Spring Session 3. It has a “login”
Spring security exception handling custom response
How is it possible to return JSON instead of HTML? I got: I need something like this: My Adapter: The CustomAuthenticationEntryPoint Answer Pragmatically we can print/write to response[.getWriter()] within our entry point, like: BasicAuthenticationEntryPoint@github Then we can pass a test like: To make it work for basic authentication and “wrong credentials” see also: https://stackoverflow.com/a/74547059/592355. Dup/Related: How to set
Isn’t SecurityContextHolder a Bean?
Trying to Autowire SecurityContextHolder I get error Turns out that it is available from any part of the code like How come it isn’t a bean and how does it get initialized under the hood? Are there other static utility classes like that available to be consumed from anywhere and how do I find them? Answer SecurityContextHolder is a utility
Spring. One-time add session attributes after authorization
Stack: Spring Security and Thymeleaf. I have the following problem: I want to show or not show some elements in all html templates depending on user’s role. So, I need a boolean variable “isAdmin” in all templates so that I can use it in conditions: Please help me find the best solution. What I tried: Option 1. I can add
Is CSRF token required for REST API in Spring Boot
I am creating a REST API using Spring Boot on the back-end and React js on the frontend. I have a login form on React, should I enable CSRF token on login/register form or not. After user logs in that user will get access token which I will store in memory in React and Refresh token in http only
Spring Boot, Spring-Security – BCryptPasswordEncoder in new component-based security configuration
I am trying to use the new Component-Based (Without WebSecurityConfigurerAdapter) configuration and set up my Security Configuration as follows: SecurityConfiguration.java file but when I run the application and try to log a user the following error appears even though I have the BCryptPasswordEncoder as a bean in my SecurityConfiguration: Error Stack Trace Which is the correct way to set up
How to have the same type of User object when using multiple AuthenticationProviders?
I have two working AuthenticationProviders in my Server: Once a user is logged in, I access their data via SecurityContextHolder.getContext().getAuthentication().getPrincipal() (with appropriate checks for no or anonymous logins). For the JDBC login the principal is a org.springframework.security.core.userdetails.User object and for LDAP it is a org.springframework.security.ldap.userdetails.LdapUserDetailsImpl object. I would like to ultimately use the same custom User class for both providers,
c.e.security.jwt.AuthEntryPointJwt : Unauthorized error: Full authentication is required to access this resource
application.properties config log Go to URL http://localhost:8088/swagger-ui/index.html How to fix it? Answer Your configuration is mostly correct, your swagger page loads properly except that when it tries to retrieve the swagger config and api-docs via its ajax call it fails to do so because it’s under security’s control. Look at your dev tools and watch the network traffic; you’ll probably
A better way to implement a large amount of cascading roles and authorities in Spring Security?
So I’m currently refactoring the backend code for my organization to prep for future upgrades. It currently runs fine, it’s just that the code is getting quite messy because of the sheer amount of roles and authorizations that exist in this org. So our backend stack here is a simple Spring Boot REST API, we use a third party OAuth authentication