I had a Spring Boot 2.7.6 app with Spring Security 5.7.5 running without problems: authentication works, I navigate through the different pages according to roles, Swagger UI is usable, etc. I don’t have a deprecated warning for your information. I migrated to Spring Boot 3.0.0 and therefore Spring Secu…
Tag: spring-security
Why does Spring Security 6 not create sessions when authenticating with curl and basic auth?
I recently upgraded to Spring Security 6, and have found that authenticating using basic auth from JS or from curl no longer works but authenticating with basic auth using Java’s HttpClient does work. My goal is to be able to authenticate with all approaches. The app uses Java 17, Spring Security 6, and…
Spring security exception handling custom response
How is it possible to return JSON instead of HTML? I got: I need something like this: My Adapter: The CustomAuthenticationEntryPoint Answer Pragmatically we can print/write to response[.getWriter()] within our entry point, like: BasicAuthenticationEntryPoint@github Then we can pass a test like: To make it wo…
Isn’t SecurityContextHolder a Bean?
Trying to Autowire SecurityContextHolder I get error Turns out that it is available from any part of the code like How come it isn’t a bean and how does it get initialized under the hood? Are there other static utility classes like that available to be consumed from anywhere and how do I find them? Answ…
Spring. One-time add session attributes after authorization
Stack: Spring Security and Thymeleaf. I have the following problem: I want to show or not show some elements in all html templates depending on user’s role. So, I need a boolean variable “isAdmin” in all templates so that I can use it in conditions: Please help me find the best solution. Wha…
Is CSRF token required for REST API in Spring Boot
I am creating a Rest API using Spring boot on back-end and React js on frontend. I have a login form on React, should I enable csrf token on login/register form or not. After user logs in that user will get access token which I will store in memory in React and Refresh token in http only
Spring Boot, Spring-Security – BCryptPasswordEncoder in new component-based security configuration
I am trying to use the new Component-Based (Without WebSecurityConfigurerAdapter) configuration and set up my Security Configuration as follows: SecurityConfiguration.java file but when I run the application and try to log a user the following error appears even though I have the BCryptPasswordEncoder as a …
How to have the same type of User object when using multiple AuthenticationProviders?
I have two working AuthenticationProviders in my Server: Once a user is logged in, I access their data via SecurityContextHolder.getContext().getAuthentication().getPrincipal() (with appropriate checks for no or anonymous logins). For the JDBC login the principal is a org.springframework.security.core.userdet…
c.e.security.jwt.AuthEntryPointJwt : Unauthorized error: Full authentication is required to access this resource
application.properties config log Go to URL http://localhost:8088/swagger-ui/index.html How to fix it? Answer Your configuration is mostly correct, your swagger page loads properly except that when it tries to retrieve the swagger config and api-docs via its ajax call it fails to do so because it’s unde…
A better way to implement a large amount of cascading roles and authorities in Spring Security?
So I’m currently refactoring the backend code for my organization to prep for future upgrades. It currently runs fine, it’s just that the code is getting quite messy because of the sheer amount of roles and authorizations that exist in this org. So our backend stack here is a simple springboot Rest API, …