EDIT: log from org.springframework.security: But if I look in the logs, some requests later I can get the valid auth: Debug 2022-01-17 12:31:03.945 IST “Set SecurityContextHolder to SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=com..security.oauth.CustomOAuth2User@, Credenti…
Tag: spring-security
Token exchange in Spring OAuth2 client credentials flow
I have the following Spring Security configuration: And the following configuration is used: Now I need to do impersonation (https://datatracker.ietf.org/doc/html/rfc8693). So I need to pretend to be some user. I need it because of the “current user” logic inside the some-app application. How can I reconfigure to ach…
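One way to wire an RFC 8693 token-exchange grant into the Spring OAuth2 client, added here as an example that is not part of the original question or of Spring Security's own code base: a custom OAuth2AuthorizedClientProvider that posts the token-exchange request to the token endpoint and wraps the response as an OAuth2AuthorizedClient. The class name TokenExchangeAuthorizedClientProvider, the subject_token request attribute and the audience value are assumptions; the example also assumes the authorization server implements the grant and that the client registration authenticates with client_secret_basic.

```java
import java.net.URI;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

/**
 * Added example (not from the original post): obtains a token via RFC 8693 token exchange
 * in impersonation mode (subject_token only, no actor_token) instead of client_credentials.
 */
public class TokenExchangeAuthorizedClientProvider implements OAuth2AuthorizedClientProvider {

    public static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
    public static final String ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
    /** Hypothetical attribute name under which the caller passes the user's token to impersonate. */
    public static final String SUBJECT_TOKEN_ATTR = "subject_token";

    private final RestTemplate rest = new RestTemplate();
    private final String audience; // assumption: the downstream app the issued token is meant for

    public TokenExchangeAuthorizedClientProvider(String audience) {
        this.audience = audience;
    }

    @Override
    public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
        String subjectToken = context.getAttribute(SUBJECT_TOKEN_ATTR);
        if (subjectToken == null) {
            return null; // nothing to impersonate; let another provider handle this request
        }
        ClientRegistration reg = context.getClientRegistration();

        // RFC 8693 section 2.1 request parameters
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", GRANT_TYPE);
        form.add("subject_token", subjectToken);
        form.add("subject_token_type", ACCESS_TOKEN_TYPE);
        form.add("requested_token_type", ACCESS_TOKEN_TYPE);
        form.add("audience", audience); // keeps the issued token from being replayed elsewhere
        if (!reg.getScopes().isEmpty()) {
            form.add("scope", String.join(" ", reg.getScopes()));
        }

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(reg.getClientId(), reg.getClientSecret()); // client_secret_basic

        RequestEntity<MultiValueMap<String, String>> request = RequestEntity
                .post(URI.create(reg.getProviderDetails().getTokenUri()))
                .headers(headers)
                .body(form);

        Map<String, Object> body = rest.exchange(request,
                new ParameterizedTypeReference<Map<String, Object>>() {}).getBody();
        if (body == null || !(body.get("access_token") instanceof String)) {
            throw new OAuth2AuthorizationException(new OAuth2Error("invalid_token_response",
                    "token exchange response carried no access_token", null));
        }
        // RFC 8693 section 2.2.1: issued_token_type is required; refuse anything but an access token
        if (!ACCESS_TOKEN_TYPE.equals(body.get("issued_token_type"))) {
            throw new OAuth2AuthorizationException(new OAuth2Error("unsupported_token_type"));
        }

        Instant issuedAt = Instant.now();
        Instant expiresAt = body.get("expires_in") instanceof Number
                ? issuedAt.plusSeconds(((Number) body.get("expires_in")).longValue())
                : issuedAt.plusSeconds(60); // conservative lifetime if the server omits expires_in
        Set<String> scopes = body.get("scope") instanceof String
                ? new HashSet<>(Arrays.asList(((String) body.get("scope")).split(" ")))
                : Collections.emptySet();

        OAuth2AccessToken token = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                (String) body.get("access_token"), issuedAt, expiresAt, scopes);
        return new OAuth2AuthorizedClient(reg, context.getPrincipal().getName(), token);
    }
}
```

Register the provider with DefaultOAuth2AuthorizedClientManager.setAuthorizedClientProvider(...) and pass the user's token on each call through OAuth2AuthorizeRequest.withClientRegistrationId(...).attribute(TokenExchangeAuthorizedClientProvider.SUBJECT_TOKEN_ATTR, userToken). The provider deliberately ignores any previously authorized client in the context and exchanges again on every call, so a token minted for one user is never served from the cache to a request made on behalf of another. Two caveats: an impersonation token is, by design, indistinguishable from the user's own token at the downstream app, so audit on the authorization server side is the only record that the service acted; if the server supports it, delegation (adding actor_token so the issued token carries an act claim) is the safer choice. And the subject token must be the user's token as received, not something the service can forge, or the "current user" logic in some-app becomes trivially bypassable.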
Why is this API forbidden for a user whose JWT token contains the “correct” authority?
I am not so into Spring Security and JWT tokens and I have the following doubt about a project I am working on. Basically I have this SecurityConfiguration class containing my Spring Security configuration, as you can see it is intended to handle JWT tokens: As you can see in the previous code I have the fol…
Spring security loginProcessingUrl only works on localhost
I have built an application using Spring Boot and Thymeleaf. My application works as expected on localhost, but when I package it as a .war and deploy it to a test Tomcat server, it shows the login page and then either redirects me to the error page or brings me back to the login page. I have tried
Generic Authentication Filter in Spring Security used for Authentication
I’m new to Spring Security and would like to understand the authentication process a little better. Here’s what I found on the Internet about the topic; if I’m wrong about the process, please let me know: The authentication process begins in the Filter that might be part of a FilterChain. The …
spring security hasAuthority(“SCOPE_xxx”) method not working with spring authorization server version 0.2.0
I have created an authorization server using the new Spring Authorization Server module. I am able to get the token successfully, but when I try to use the token against a protected endpoint with hasAuthority() I get a 403 Forbidden error. Below is my pom.xml file. Below is my Authorization Server config. And this is…
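An added example, not part of the original question or of Spring Security's own code, showing how a resource server turns a JWT into SCOPE_ authorities: by default JwtAuthenticationConverter reads the scope (or scp) claim and prefixes each value with SCOPE_, so hasAuthority("SCOPE_xxx") only matches if the token actually carries xxx in that claim. The sample tokens below are constructed in place (signature verification is not exercised, only the claim-to-authority mapping), and the roles claim and ROLE_ prefix in the second converter are assumptions to show how a custom claim is mapped.

```java
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

/** Added example: inspect which authorities a resource server derives from a JWT. */
public class ScopeAuthorityCheck {

    /** Default resource-server mapping: values of the "scope"/"scp" claim become SCOPE_<value>. */
    static JwtAuthenticationConverter defaultConverter() {
        return new JwtAuthenticationConverter();
    }

    /** Assumed alternative: the server puts roles in a "roles" claim, mapped to ROLE_<value>. */
    static JwtAuthenticationConverter rolesConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }

    /** Runs the converter the resource server would run and returns the authority strings. */
    static Set<String> authorities(JwtAuthenticationConverter converter, Jwt jwt) {
        AbstractAuthenticationToken auth = converter.convert(jwt);
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }

    public static void main(String[] args) {
        // Constructed token with a space-separated scope claim, as issued for client_credentials
        Jwt withScope = Jwt.withTokenValue("constructed")
                .header("alg", "RS256")
                .subject("client-1")
                .claim("scope", "message.read message.write")
                .build();
        // Constructed token with no scope claim at all: the default converter yields no authorities,
        // which is exactly the situation in which hasAuthority("SCOPE_...") answers 403
        Jwt withoutScope = Jwt.withTokenValue("constructed")
                .header("alg", "RS256")
                .subject("client-1")
                .claim("roles", "admin")
                .build();

        System.out.println("default, scope claim present: " + authorities(defaultConverter(), withScope));
        System.out.println("default, scope claim absent:  " + authorities(defaultConverter(), withoutScope));
        System.out.println("roles mapping, roles claim:   " + authorities(rolesConverter(), withoutScope));
    }
}
```

When debugging a 403 of this kind, decode the issued token and compare the scope claim to the hasAuthority() argument character by character: the prefix is SCOPE_, the value is case-sensitive, and the mapping only happens at all when the resource server is configured with oauth2ResourceServer().jwt(), since a chain that does not parse bearer tokens never populates these authorities.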
How do I get a JwtAuthenticationToken for my HandlerMethodArgumentResolver from the request’s Authorization header?
I have a Spring Boot application that requires a JwtAuthenticationToken passed in a HTTP Authorization header. The header itself provides a bearer token; Spring is doing some magic that I am currently unaware of to convert that bearer token string into a JwtAuthenticationToken. I have some code that extracts …
Spring Security injecting null @AuthenticatedPrincipal into controllers
Java 11, Spring Security here. I have the following endpoint/method in my @RestController: When I set a breakpoint inside this method and login to my app, token is null (meaning it was not properly injected as an @AuthenticatedPrincipal) however SecurityContextHolder.getContext().getAuthentication() returns a…
Can’t use any kind of SessionListener when using Spring Security in Spring Boot
I have a very basic Spring Security setup using Session. My problem is that I can’t find a way to use any kind of Session Listener (both Spring and Servlet API versions) to listen to SessionCreated event. Login is working and session is being created properly. The reason I need a listener is because I w…
How to design two separate authorization/authentication configurations in Spring Boot?
I want to implement authentication and authorization for a Spring Boot application with this design: The first group of endpoints (“/api/**”) will have authorization by passing the api-secret-key through request headers. Authentication should be permitted for all. The second group (“/admin/**”) will have authentica…