EDIT: log from org.springframework.security: ***But if I look in the logs some requests after I can get the valid auth: Debug 2022-01-17 12:31:03.945 IST “Set SecurityContextHolder to SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=com..security.oauth.CustomOAuth2User@, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=***, SessionId=9438C880A19C93AADJI206B9B8B3386], Granted Authorities=[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]]]” Debug 2022-01-17 12:31:03.945 IST “Retrieved SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=com..security.oauth.CustomOAuth2User@, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=***, SessionId=9438C880A19C93AADJI206B9B8B3386], Granted Authorities=[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]]]” Debug 2022-01-17
Tag: spring-security
Token exchange in Spring OAuth2 client credentials flow
I have the following Spring Security configuration: And the following configuration is used: Now I need to do impersonation (https://datatracker.ietf.org/doc/html/rfc8693). So I need to pretend to be some user. I need it because of the “current user” logic inside the some-app application. How can I reconfigure it to achieve this? P.S. I tried to google it but I haven’t found anything relevant. Answer RFC 8693 Token
Why is this API forbidden for a user having a JWT token containing the “correct” authority?
I am not so into Spring Security and JWT tokens, and I have the following doubt on a project I am working on. Basically I have this SecurityConfiguration class containing my Spring Security configuration; as you can see, it is intended to handle JWT tokens: As you can see in the previous code I have the following two matcher
Spring security loginProcessingUrl only works on localhost
I have built an application using Spring Boot and Thymeleaf. My application works as it is supposed to on my localhost, but when I package it as a .war and deploy it on a test Tomcat server, it prompts the login page and then either redirects me to the error page or brings me back to the login page. I have tried
Generic Authentication Filter in Spring Security used for Authentication
I’m new to Spring Security and would like to understand the authentication process a little bit better. Here’s what I found on the Internet related to the topic; if I’m wrong about the process, please let me know: The authentication process begins in a Filter that might be part of a FilterChain. The filter might be of type UsernamePasswordAuthenticationFilter. The
Spring Security hasAuthority("SCOPE_xxx") method not working with Spring Authorization Server version 0.2.0
I have created an authorization server using the new Spring Authorization Server module. I am able to get the token successfully, but when I try to use the token against a protected endpoint with hasAuthority() I get a 403 Forbidden error. Below is my pom.xml file. Below is my Authorization Server config. And this is my Security Config. Here is my user
How do I get a JwtAuthenticationToken for my HandlerMethodArgumentResolver from the request’s Authorization header?
I have a Spring Boot application that requires a JwtAuthenticationToken passed in a HTTP Authorization header. The header itself provides a bearer token; Spring is doing some magic that I am currently unaware of to convert that bearer token string into a JwtAuthenticationToken. I have some code that extracts the user id from the token, which is used to locate
Spring Security injecting null @AuthenticatedPrincipal into controllers
Java 11, Spring Security here. I have the following endpoint/method in my @RestController: When I set a breakpoint inside this method and log in to my app, token is null (meaning it was not properly injected as an @AuthenticatedPrincipal); however, SecurityContextHolder.getContext().getAuthentication() returns an Authentication instance that looks totally fine. I get an NPE when token.getCredentials() gets called at the bottom
Can’t use any kind of SessionListener when using Spring Security in Spring Boot
I have a very basic Spring Security setup using Session. My problem is that I can’t find a way to use any kind of Session Listener (both Spring and Servlet API versions) to listen to SessionCreated event. Login is working and session is being created properly. The reason I need a listener is because I want to initialize certain session
How to design two separate authorization/authentication configurations in Spring Boot?
I want to implement authentication and authorization for a Spring Boot application with this design: The first group of endpoints (/api/**) will have authorization by passing the api-secret-key through request headers. Authentication should be permitted for all. The second group (/admin/**) will have authentication by hitting the /login endpoint passing username and password, where I will have a custom UserDetailsService. If the authentication is