I’m using Spring Security and Spring Data Redis to keep track of user sessions with custom roles and entitlements. When I try to hit a PreAuthorized endpoint without a session cookie in my browser, it …
Tag: spring-security
HTTP Basic Authentication using Spring Boot’s Java based configuration
I am trying to set up a simple Spring Boot application secured with HTTP Basic Authentication using a single user with a hard-coded password. So far, I got it working using XML based configuration. …
How do I unit test spring security @PreAuthorize custom expression
@PostMapping @ResponseStatus(HttpStatus.CREATED) @PreAuthorize("@messageSecurityService.isAuthorized(#userAuthentication)") public void sendMessage(@…
Spring 5 Oauth2 – How to provide the check token URL in my Resource server?
I need some help. I set up an AuthorizationServer using @EnableAuthorizationServer from Spring-security-oauth2 for grant type “client_credentials”. Able to create, check tokens and everything good with this. /oauth/token /oauth/checkToken Followed this sample for Authorization server I have a separate project that has the REST APIs to be secured. I can’t use @EnableResourceServer because that project uses Spring 5.2.8 and the
Spring Security – How to get the roles assigned to user
I am implementing JWT Role Based Authorization. I am testing my APIs through Postman. The user first makes a POST request and registers itself where we pass in the firstname, empid and password. The …
Spring Security roles issue
I overrode the method in the SpringWebConfig and I want to make all pages of the application available only to admins. @Override protected void configure(HttpSecurity http) throws Exception { http….
Using static methods with Spring Security to get current user details
I have a requirement to get the details of the current user who has been logged in. To get the details, we can use the SecurityContextHolder.getContext() and extract the details. According to, …
Spring actuator ‘/auditevents’ endpoint returns 404
I am getting a 404 error when invoking /actuator/auditevents endpoint. Upon closer look, I see that available endpoint listing doesn’t include /auditevents endpoint. pom.xml dependencies <…
Use multiple HttpSessionIdResolver with Spring
I want to use the HTTPSessionIdResolver for everything located under “/api**” and for everything else the standard CookieResolver. How is this possible, so that the two configurations use different …
Adding Same Site Header to JSESSIONID Spring Security
Google Chrome has introduced changes that require setting the Same-Site header. In order to achieve this, I added a custom filter as follows, public class SameSiteFilter extends GenericFilterBean { …