Spring security check the user is logged or not when click a button

java,spring,spring-mvc,spring-security
I'm creating a simple web application for online flight reservation system using Spring MVC with Spring security. I've created following table to show flight details. <table class="table table-bordered table-hover table-striped "> <thead> <tr> <th>Flight No</th> <th>Flight destination</th> <th>Flight origin</th> <th>Flight date</th> <th>Flight time</th> <th>Book now</th> </tr> </thead> <tbody> <form:form commandName="reserv"...

Spring Security provides anonymous access to all pages instead of only one

spring-security
In my sprig-security.xml I've got: <security:http auto-config='true' create-session="stateless"> <security:intercept-url pattern="/registrate**" access="hasRole('ROLE_ANONYMOUS')" /> <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> <security:http-basic /> <security:csrf disabled="true"/> </security:http> The problem is that all protected pages are available for anonymous users, the only way to get access denied is to enter bad user's credentials, but with no credentials...

Make simple servlet filter work with @ControllerAdvice

spring,filter,exception-handling,spring-security,spring-boot
I've a simple filter just to check if a request contains a special header with static key - no user auth - just to protect endpoints. The idea is to throw an AccessForbiddenException if the key does not match which then will be mapped to response with a class annotated...

Spring Security (4.0.1) Integration with AngularJS. Getting Basic Authentication Popup every time user enters invalid credentials

angularjs,spring-security,popup,basic-authentication,www-authenticate
I am trying to integrate Spring Security (4.0.1) with AngularJS. I am able to do basic authentication using XML based configuration. The problem is, Web browser displays Pop up every time user enters invalid credentials. I have tried to remove WWW-Authenticate response header using plain ServletFilters as well as using...

Integration tests with spring security

java,spring-mvc,spring-security,integration-testing
I need to send a get request to the API, but despite having placed the administrator annotation I get an error @WithMockUser(roles="ADMINISTRADOR"). How do I send a request? API @RequestMapping(value = "/{id}", method = RequestMethod.GET) @PostAuthorize("returnObject.instancia == principal.instancia.instancia") public Validacao retrieve(@PathVariable("id") String id) { return validacaoService.retrieve(id); } Test @Test @WithMockUser(roles = "ADMINISTRADOR")...

Spring security not authenticate the user

java,spring-mvc,spring-security
I have a user with username sajjad and password 200200: <security:http auto-config="true" use-expressions="true"> <security:intercept-url pattern="/hello/" access="hasRole('ROLE_USER')"/> <security:form-login login-page="/myLogin.jsp" default-target-url="/pages/index.jsp" login-processing-url="/j_spring_security_check" authentication-failure-url="/myLogin.jsp?error=1" username-parameter="username" password-parameter="password"/> <security:csrf disabled="true"/> </security:http>...

Is it possible to login from a winforms application to a website which uses spring security?

java,c#,winforms,spring-mvc,spring-security
I want to call a web service from my winforms application. My application is written in C# and the webservice is secured using spring security. Is it possible to login to the website and call that web service? If it is possible how to do that?...

SEVERE: Exception starting filter springSecurityFilterChain

spring,spring-security
I am trying to write spring application, and I have this code, but when run this code using Tomcat 8, This error appeared, I don't know what is the root cause of error, please help Error: 01:15:02.681 [localhost-startStop-1] INFO o.s.web.context.ContextLoader - Root WebApplicationContext: initialization started 01:15:02.756 [localhost-startStop-1] DEBUG o.s.w.c.s.StandardServletEnvironment -...

Spring Resttemplate login fails

java,spring,spring-mvc,spring-security,csrf
After an update to spring-4.1.6 I'm not able to login to my rest services any more. I looked on different sides, but couldn't solve the problem... so I ask for help. Here is my web.xml: <?xml version="1.0" encoding="ISO-8859-1"?> <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5"> <!-- The definition of the...

My CustomUsernamePasswordAuthenticationFilter is not applying

spring,spring-mvc,spring-security
I have a server which authenticates user with spring security filter. Client sending their login credentials in json format for validity. So I created my custom UsernamePasswordAuthenticationFilter filter and declared it inside http tag. Login page is already there at client application. All that client needs to do is to...

ACL in spring security or permission configuration

java,spring,jsp,spring-mvc,spring-security
My requirement is the following: We have an application that uses roles let's say (ADMIN/USER/GUEST), depending on the role they can access to different sections on the application. However in a specific section, some of them can see some actions/options/buttons/tabs, it means for two ADMIN users, the configuration of the...

Spring Security OAuth2 - Add parameter to Authorization URL

spring,spring-security,oauth-2.0,spring-security-oauth2
I am using Spring Security with OAuth2 for authentication/authorization using following project. http://projects.spring.io/spring-security-oauth/ I have a requirement to add parameter to OAuth2 authorization url. I am not sure how should I add it to AuthorizationCodeResourceDetails bean? The problem is I want to start the user journey by login or registration...

multiple antMatcher in spring security

spring,spring-mvc,spring-security
I work on content management system, that has three antmatcher like the following http.authorizeRequests() .antMatchers("/", "/*.html").permitAll() .antMatchers("/user/**").hasRole("USER") .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/admin/login").permitAll() .antMatchers("/user/login").permitAll() .anyRequest().authenticated() .and() .csrf().disable(); which means the visitors can see all site at root path (/*), and users can see only (/user), admin can see only (/admin), and there are two...

Spring Data Rest: Return Resources of User

java,spring,spring-security,spring-data-rest
I'm creating a simple CRUD-App (a shoppinglist) with Spring Boot and Spring Data Rest. I have a resource: ShoppingItem. Is there an easy way to only return the resources which belong to the user who sends the request? (Multiple User support) So a User only gets his own ShoppingItems and...

Configuring RequestContextListener in SpringBoot

spring,spring-mvc,spring-security,spring-boot
I have a Spring-Boot application which uses Spring-Security. I have a request scoped bean that I want to autowire into one of my custom Filters in the security filter chain, but at the moment it is not working. I understand that some config is needed to use request scoped beans...

how to custom spring-security authentication process with my own mechanism

java,spring,security,spring-mvc,spring-security
I'm trying to secure my app with spring security. My understanding about spring security is that they check the loaded password from UserDetails against the password user entered. The thing is my login authentication is inputting username and password into a pl/sql function which will return a result code. So...

Authentication failing spring security wildfly

spring-security,wildfly
I am trying to migrate my spring application from tomcat to wildfly. I can't login anymore. It seems that the initial successful authentication gets lost or overwritten and then an anonymous session gets created. spring security: 4.0.1.RELEASE wildfly 8.2.0 I'm stuck, can't figure it out. Any help or suggestions...

How to get user's authorization credentials in code with spring security?

spring,authentication,spring-security,crud
What I'm trying to do is to build CRUD REST service. It will maintain a database of users and their records. I'd like to allow users to get access only to their own records. I use Spring Security for authentication and store user's password hashed with Bcrypt. All I can...

Spring, security, boot, WebSecurityConfigurerAdapter - intercepting URL's dynamically via lookup in DB

spring-security,spring-java-config
I'm new to Spring, SpringSecurity and Boot - trying to create a web application where I have to lookup in a database whether a user has access to a requested URL or not. I've managed to make the authentication work (i.e UserDetailService with loadUserByUsername). In the database I have a table...

How to redirect user to different pages after logout with Spring Security and Grails

grails,spring-security
I am new to Groovy and Grails. I have developed an application using the Spring Security plugin using a database requested request map. I want a custom redirection to the home pages after logout according to the roles. If the user is ROLE_ADMIN, after logout he would be redirected to...

The type javax.servlet.ServletContext and javax.servlet.ServletException cannot be resolved

java,maven,servlets,spring-security
I'm trying to include Spring Security to my web project, I'm following this tutorial http://docs.spring.io/spring-security/site/docs/current/guides/html5//helloworld.html I've done everything in the tutorial with the given maven project and works fine. But when I'm trying to include it to my project a compilation error appears. Specifically when I extend from AbstractSecurityWebApplicationInitializer appear...

Spring sessionRegistry gives list of zero logged in users

spring,spring-security,spring-session
I had taken reference from this article to write a login page Krams tutorial But I changed the sessionRegistry configuration according to latest document http://docs.spring.io/autorepo/docs/spring-security/3.2.7.RELEASE/reference/htmlsingle/#concurrent-sessions And I get list of principals as 0. Here is my config file <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...

Spring LDAP Context.REFERRAL to follow

spring,spring-security,active-directory,ldap
How do I set the LDAP Context.REFERRAL to follow in a Spring Security configuration? This is related to a problem I already reported and for which I found an unsatisfactory solution before discovering the real solution I am seeking for involve setting this environment attribute in the LDAP context to...

How create a custom response when spring-security receives null credentials (username and password)?

spring,security,spring-security,basic-authentication,postman
I am using postman to send a username and password without value to my server; it's like username=null and password=null. To control the security of my server, I use spring security 3.2. When it receives these credentials spring-security responds with this error. Estado HTTP 500 - Fields must not be...

Spring - Call a Service method in JSTL

spring,spring-mvc,spring-security,spring-session
I'm using Spring Security to handle user authentication for my Spring MVC web app. I'm able to get the username from the Authentication object, but my username is the email address, and I want to be able to show the user's actual name in my header. So I have my...

Spring Security java.lang.StackOverflowError exception after all providers

java,spring,spring-mvc,spring-security
Environment: Spring 4.1.6 Spring Security 4.0.1 I have 2 authentication providers - one that hits ActiveDirectory, and then one that hits a custom database provider I've created. Logging in as a user that is in either of those environments works perfectly. The user is authenticated and the app continues. However,...

Spring Framework SAML unable to find needed beans through autowired

spring-security,saml-2.0,spring-saml
I am trying to setup SSO with spring security SAML (spring security 4.0.1 and saml 1.0.1) but on startup I get the following error: Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.saml.log.SAMLLogger] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency...

Spring boot security with 3 fields authentication and custom login form

spring,security,spring-security,spring-boot
I'm using spring boot and I need to implement spring security with 3 fields authentication process username, password and corporate identifier as a hidden input in a form. I implemented a custom usernamepasswordauthenticationfilter but it does not seem to be enough to setup the security config. EDIT : Users don't seem...

Trouble with Login using Spring Boot and JDBC Security

spring,spring-security,spring-boot
My build.gradle file: task wrapper(type: Wrapper) { gradleVersion = '2.4' } buildscript { repositories { mavenCentral() maven { url "http://repo.spring.io/release" } } dependencies { classpath("org.springframework.boot:spring-boot-gradle-plugin:1.2.3.RELEASE") } } apply plugin: 'java' apply plugin: 'spring-boot' repositories { mavenCentral() maven { url "http://repo.spring.io/release" } } dependencies { compile("org.springframework.boot:spring-boot-starter-web") compile("org.springframework.boot:spring-boot-starter-jdbc")...

Spring Oauth2 RemoteTokenServices error on extractAuthentication

java,spring,oauth,spring-security,spring-security-oauth2
I have a resource server and an auth server. On resource request it verifies the received access_token with the auth server on a /oauth/check_token endpoint. This gives a response that makes my request crash. The response is sent as: Written [{exp=1433335640, scope=[read, write], authorities=[ROLE_USER], client_id=client-w-s}] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessag[email protected]] When...

Why does the Spring Social plugin occasionally return an empty email on the User class?

facebook,grails,spring-security,spring-social
I have a Grails project (v2.4.2) that is making use of the spring-security-facebook:0.17 plugin to authenticate via Spring Security. At first sight, all seems well. However, there is a large set of users that for some unknown reason I cannot access their email address. I am using spring social to...

How to STOP browsers from sharing session amongst tabs?

javascript,jsp,security,browser,spring-security
How to NOT share session between multiple browser tabs ? I am using Spring Security in JSP/Servlet application and I want to know "How can we achieve the behavior with Spring Security where user is forced to login again whenever he changes the browser tab ?". Disclaimer Question is similar...

Adding Bcrypt Encoding to Spring MVC Security with limit login attempts

java,spring,spring-mvc,spring-security,spring-bean
I have a working project with limit login attempts, I just need to add Bcrypt password encryption. I have the following beans: <beans:bean id="customUserDetailsService" class="com.setelog.spring.service.CustomUserDetailsService"> <beans:property name="usersByUsernameQuery" value="select * from users where username = ?"/> <beans:property name="authoritiesByUsernameQuery" value="select username, role from user_roles where username =?" /> <beans:property name="dataSource" ref="dataSource" />...

java.lang.NoClassDefFoundError: : org/springframework/aop/config/AbstractInterceptorDrivenBeanDefinitionDecorator with Spring Security

spring,maven,spring-security
I just don't get why do I have this error if I've already got aop library. My spring-security-context.xml, the place I've got crash looks like: <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd...

Spring Security AbstractAuthenticationProcessingFilter Extension Losing Instance Variable Value

java,spring,spring-security
Once again, I'm hoping I'm doing something really dumb here. :) I have an extension of AbstractAuthenticationProcessingFilter in my Spring Security implementation, and in that extension, in the attemptAuthentication method, I access the passed-in HttpServletRequest object and pull out a header value, which I store in an instance variable. I'm...

Null pointer Exception in Spring Security Expression's isAnonymous method

spring,spring-security
I'm using Spring Security 3.2. I get the Null Pointer Exception whenever I deploy my project on Apache Tomcat Server. The web.xml is <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> <display-name>ch04</display-name>...

SAML login errors

spring,spring-security,saml-2.0,spring-saml
We are using ADFS as an IDP and our application acts as SP. Below is a sample Auth response <?xml version="1.0" encoding="UTF-8"?> <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_82062d3d-897f-473e-90ad-0bb351d63b22" IssueInstant="2015-04-29T20:39:17.240Z" Version="2.0"> <Issuer>http://adfs/services/trust</Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />...

Spring security session time out

java,spring,session,spring-security
My configuration of session timeout doesn't work. It shows me a message that I made when the user is inactive for 1 minute. But whenever I refresh the page, the session still persists. <session-config> <session-timeout> 15 </session-timeout> </session-config> Here is the session config of my web.xml and here is the...

java.lang.IllegalStateException: BeanFactory not initialized or already closed - call 'refresh' before accessing beans via the ApplicationContext

java,spring,spring-security
I need to add Spring Security with customized login page and connection to database to my Spring MVC project. I am receiving following error message, based on answers of other questions, I tried to change the code, for example I changed my Spring Security Schema version to 4.0 but the...

AbstractRoutingDataSource change map in runtime

java,spring,spring-security
I have now 2 tables in database: User user_database In user I store login, password, role. In user_database I store database driver, url, password and user. Diagram database I want user login to my page and next connection what he done will be sent to user database. Why I need what? I'm planning...

Standalone Spring OAuth2 JWT Authorization Server + CORS

spring-security,cors,jwt,spring-security-oauth2
So I have the following Authorization Server condensed from this example from Dave Syer @SpringBootApplication public class AuthserverApplication { public static void main(String[] args) { SpringApplication.run(AuthserverApplication.class, args); } /* added later @Configuration @Order(Ordered.HIGHEST_PRECEDENCE) protected static class MyWebSecurity extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http //.csrf().disable()...

Spring AuthenticationManagerBuilder Password Hashing

spring,spring-security,spring-boot
I'm trying to set up user authentication in Spring, but after adding password hashing it doesn't authenticate. I am using Spring Boot and Spring Security. Here is a shortened version of my code: Customer entity: @Entity public class Customer { private String username; private String password; public Customer() { }...

LoggerFactory is not a Logback LoggerContext but Logback is on the classpath

java,logging,spring-security,spring-boot,dependency-management
I think some module in spring-boot-starter-security conflicts with log4j, but I don't know which one. My gradle dependence is as follows: compile("org.springframework.boot:spring-boot-starter-thymeleaf") compile("org.springframework.boot:spring-boot-starter-security"){ exclude module: "spring-boot-starter-logging" } compile "org.apache.logging.log4j:log4j-api" compile "org.apache.logging.log4j:log4j-core" compile "org.apache.logging.log4j:log4j-slf4j-impl" compile('org.apache.poi:poi:3.10.1')...

Spring Boot testing with Spring Security. How does one launch an alternative security config?

java,spring,spring-mvc,spring-security,spring-boot
My spring boot application has an Application class. When I run it (as an application), it launches itself within an embedded servlet container (Tomcat, in my case). Somehow (through Application's @annotations, I suppose), WebSecurityConfig (extending WebSecurityConfigurerAdapter) in the same package is loaded. WebSecurityConfig contains two important blocks of configuration information:...

Testing WebSecurityConfigurerAdapter

java,spring,spring-mvc,spring-security,spring-boot
This is my test, I'm adding additional header tests after testing my filter @RunWith( SpringJUnit4ClassRunner.class ) @WebAppConfiguration @EnableWebMvcSecurity @SpringApplicationConfiguration( classes = { MockServletContext.class, HttpSessionConfig.class, WebSecurityConfig.class } ) @SuppressWarnings( "PMD.TooManyStaticImports" ) public class HeadersTest { private MockMvc mockMvc = null; @Autowired private WebApplicationContext context; @Before public void setup() { mockMvc =...

Spring Security: Deny access to controller methods, if @PreAuthorize annotation is missing

java,spring,spring-security
I have a web application configured to use Spring Security 3.2 in standard way. I'm using the @PreAuthorize annotation to secure the Controllers method. Now, I would like to deny access to each controller method UNLESS it is annotated with @PreAuthorize. I have tried the following approaches: super controller Each...

Spring Boot: Inject a custom context path

spring,spring-mvc,tomcat,spring-security,spring-boot
I'm running a Spring Boot 1.2.3 application with embedded Tomcat. I'd like to inject a custom contextPath on every request, based on the first part of the URL. Examples: http://localhost:8080/foo has by default contextPath="" and should get contextPath="foo" http://localhost:8080/foo/bar has by default contextPath="" and should get contextPath="foo" (URLs without path...

sec:authorize doesn't work

spring-mvc,spring-security,thymeleaf
Recently I have started a new project and decided to use the latest versions of spring, spring security and thymeleaf I have included these packets def springVersion = '4.1.6.RELEASE' def securityVersion = '4.0.1.RELEASE' def thymeleafVersion = '2.1.2.RELEASE' compile "org.springframework:spring-core:$springVersion" compile "org.springframework:spring-webmvc:$springVersion" compile "org.springframework.security:spring-security-web:$securityVersion" compile "org.springframework.security:spring-security-config:$securityVersion" compile...

Obtaining handle to Collection/Array object in @PreFilter and @PostFilter in Spring Security

spring,spring-mvc,spring-security
In Spring Security, @PreFilter and @PostFilter can be used to trim/prune the argument/return object and filterObject references each element in the object and is used to loop through the argument/return Collection/Array. However, I need to get a handle to the actual Collection/Array as a whole and not specific elements in...

Validating Multiple Roles in Spring Security

spring,authentication,spring-security,authorization,intercept
I have added all the required libs and dependencies for the security and the application is working for single role & Any role cases Single: <security:intercept-url pattern="/**" access="hasRole('enabled')" /> Any Role <security:intercept-url pattern="/**" access="hasAnyRole('enabled','view')" /> Is there a way to check multiple (AND or All Roles) roles using the expression?...

Configuring Spring Boot Security to use BCrypt password encoding in Grails 3.0

grails,spring-security,spring-boot,bcrypt,grails-3.0
In Grails 3.0, how do you specify that Spring Boot Security should use BCrypt for password encoding? The following lines should provide a sense of what I think needs to be done (but I'm mostly just guessing): import org.springframework.security.crypto.password.PasswordEncoder import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder PasswordEncoder passwordEncoder passwordEncoder(BCryptPasswordEncoder) My application loads spring-boot-starter-security as a...

Why is my spring boot stateless filter being called twice?

rest,spring-security,spring-boot,restful-authentication,jwt
I'm trying to implement stateless token-based authentication on a rest api I've developed using Spring Boot. The idea is that the client includes a JWT token with any request, and a filter extracts this from the request, and sets up the SecurityContext with a relevant Authentication object based on the...

Spring BadCredentials Event not firing

java,spring,spring-security
I want to log if a user tries to authenticate with wrong credentials. Therefore i have added this event listener class to my project: import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.context.ApplicationListener; import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent; import org.springframework.stereotype.Component; @Component public class AuthenticationFailureListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent>{ private...

Spring Boot - How to kill current Spring Security session?

spring,spring-security,spring-boot
Currently I know that my setup is working because I was able to login properly using the basic HTTP authentication. I used these properties: security.basic.enabled=true security.user.name=user security.user.password=1qaz2wsx security.user.role=USER However, I want to relogin again. I tried clearing cookies (I assumed it was saved there), I checked my local/session storage and...

Is it possible to permit all users except anonymous one?

java,spring,spring-security
How can I permit access to URL such that only anonymous one can't get the page? I'm using Spring security. <intercept-url pattern="/pattern/page.html" access="__WHAT_SHOULD_BE_HERE__"/> ...

Spring MVC - upload file shows The request sent by the client was syntactically incorrect

java,spring-mvc,file-upload,spring-security
When I upload file with another details using form submission, it shows an error HTTP Status 400 - type Status report message description The request sent by the client was syntactically incorrect. jsp page <form:form method="POST" action="addbanners?${_csrf.parameterName}=${_csrf.token}" modelAttribute="banner" enctype="multipart/form-data"> <h2>New Banner</h2> <table> <tr><td>Banner Name</td> <td><form:input type="text" name="thematicdayid" id="thematicdayid" path="bannerName"...

HTTP Basic with Spring Security XML configuration doesn't use HttpBasicConfigurer

java,spring-security
It seems that XML configuration and Java are not performing the same tasks in Spring Security, regarding the HTTP Basic configuration. When using the following Java configuration: protected void configure(HttpSecurity http) throws Exception { http .httpBasic() .and() .authorizeRequests() .anyRequest().authenticated(); } A HttpBasicConfigurer is used in order to use a different...

How to implement Spring Security Ldap authentication using the configurer class correctly?

spring,authentication,spring-security,ldap,spring-ldap
Hi I'm trying to implement spring's ldap authentication using the WebSecurityConfigurerAdapter class. So far I can authenticate through the in memory method and even my corp's ldap server, however the latter method I'm only able to authenticate if I pass a hardcoded userDN and password when I create the new...

Spring Security 4 with custom provider and handlers not caching the url before authentication

java,spring,spring-security
I've configured a custom authentication provider, a success handler and a failure handler in Spring Security (v4.0.1). When using the default ones, after displaying the login page, the user was redirected to the previously requested url. However, I lost that behaviour when implementing my own ones, so I'm trying to...

Spring Security login with UserDetailsService and Java config

java,spring,spring-mvc,spring-security
I am trying to add login functionality with a database lookup with Spring Security, and I am really struggling. I want to look up the user by implementing the UserDetailsService interface. I have read a ton of documentation and Googled for hours, but I am still stuck. Most of the...

Security Context Returning Null value in Web App

spring,spring-security,vaadin
In my web application the security context is with a value of ([email protected]fffff: Null authentication) and on doing some search I found something like : "Look to see if you have any references to SecurityContextHolder in your code. If you do, ensure that you have the SecurityContextPersistenceFilter place on any...

Different credentials in Spring Boot for app authentication and management authentication?

spring,authentication,spring-security,spring-boot
I want to use http basic authentication for my Spring Boot application with one set of credentials and at the same time I want to configure actuator to use a different set of credentials for the management resources (health, env etc). I've read the Actuator documentation where it says that...

How to disable spring security for particular url

java,spring,spring-mvc,spring-security
I am using stateless spring security, but in case of signup I want to disable spring security. I disabled using antMatchers("/api/v1/signup").permitAll(). but it is not working, I am getting error below: message=An Authentication object was not found in the SecurityContext, type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException I think this means spring security filters are working My url's order...

From where hasRole from @PreAuthorize take its values in Spring?

java,spring,spring-mvc,spring-security
Hi I am new to Spring and I am trying to understand the security model a little more. In our project we controller which method is annotated with @PreAuthorize("hasRole('REPORT_VIEW')") So I am wondering from where this REPORT_VIEW comes from is it ENUM or is based on some xml configuration? I...

Difference between isAuthenticated and isFullyAuthenticated

spring,spring-security
I'm trying to learn spring security, and I have question: what is the difference between isAuthenticated and isFullyAuthenticated in spring security

Spring Boot not displaying web contents

spring,spring-mvc,spring-security,spring-boot
I have a Spring Boot Application used as a secured REST API backend. I would like to have some static page with the documentation about that API (I'd like to use a Wiki, for instance) As far as I try I cannot make it display static contents: e.g. I tried...

Spring OAuth2 not giving refresh token

java,spring,spring-security,spring-security-oauth2
I am running an OAuth Provider using Spring and "password" grant type. Running this (provider is on port 8080): curl -u "app:appclientsecret" "http://localhost:8080/oauth/token" --data "grant_type=password&username=marissa&password=koala" returns: {"access_token":"56da4d2b-7e66-483e-b88d-c1a58ee5a453","token_type":"bearer","expires_in":43199,"scope":"read"} For some reason there is no refresh token. I know according to the spec, the refresh token is optional; is there some way...

Spring Security @PreAuthorize on controllers

spring-mvc,spring-security
I'm trying to use the url (ant based) matching along with @PreAuthorize("permitAll") on some controllers i.e. @Controller @RequestMapping("/register") public class RegistrationController { ... @PreAuthorize("permitAll") @RequestMapping(method = RequestMethod.GET) public String register() { ... } SecurityConfig: @Configuration @EnableWebMvcSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http)...

Grails 2.4.4 spring security role doesn't apply to user

java,spring,grails,spring-security,spring-annotations
I have controller: class AdminController { def springSecurityService @Secured(['ROLE_ADMIN', 'ROLE_USER']) def index() { render "test"; } And user with role ROLE_ADMIN in the table: But, when I use: springSecurityService.getPrincipal().getAuthorities() There is only one role: ROLE_NO_ROLES Why? def loggedInUser = springSecurityService.currentUser; returns correct user. Config: ... grails.plugin.springsecurity.userLookup.userDomainClassName = '...' grails.plugin.springsecurity.userLookup.authorityJoinClassName =...

not able to savedata to mysql db, in gradle project, Neither BindingResult nor plain target object for bean name 'goal' available as request attribute

mysql,spring-security,spring-boot,thymeleaf
I was watching a tutorial and I created user-login and verifying the user, when I created addGoal, my goal was not entering in my mysql database, since I am able to login so my database connection is correct, and I am using thymeleaf with javaconfig for my annotations, please help me...

org.springframework.security.core.userdetails.User cannot be cast to MyUserDetails

java,spring-mvc,spring-security
I am getting a class cast exception when I implement the User class of Spring Security. I want to add a few additional details in MyUserDetails (id) but I am not able to get the result. This question is answered here but then too I am getting an error, don't know where I am...

Spring security error in native spring class during OpenId Client Implementation

java,spring,spring-security,openid-connect
MY app Initializer public class AppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer{ @Override protected Class<?>[] getRootConfigClasses() { // TODO Auto-generated method stub return new Class[]{ApplicationConfiguration.class}; } @Override protected Class<?>[] getServletConfigClasses() { // TODO Auto-generated method stub return null; } @Override protected String[] getServletMappings() { // TODO Auto-generated method stub return new String[]{"/"}; } }...

Spring Security + LDAP + CustomLdapAuthoritiesPopulator + RememberMe

java,spring,spring-security,ldap,remember-me
I have a little problem with spring security :) What is my goal: Configure LDAP auth with custom roles, fetched from database, and remember me functionality. What is done: LDAP Auth: OK Custom roles for AD users from database: OK Remember me: FAIL My problem is: 'Remember me' works fine,...

Failed to instantiate LoginUrlAuthenticationEntryPoint: No default constructor found

spring,spring-security
I am trying to migrate from Spring 3.x to Spring 4.x but Spring Security XML file couldn't be loaded properly. The XML configuration I suppose needs to be changed but I couldn't find the same over the INTERNET. The XML Configuration that worked with Spring 3.x isn't working with 4.0.1.RELEASE....

Spring-data and Spring-security integration

spring,spring-security,integration,spring-data
The document said by introducing a bean of type SecurityEvaluationContextExtension then it will make available all the commons built-in security expressions like 'principal', 'hasRole', etc. The example shows a simple integration using 'principal' in the @Query @Query("select m from Message m where m.to.id = ?#{ principal?.id }") Now what if...

Grails remote control plugin - Spring Security Configuration

grails,spring-security,geb,remote-control
Whenever I try to use the Grails Remote Control plugin, I get the following Exception. groovyx.remote.RemoteControlException: Error sending command chain to 'http://localhost:8080/******/grails-remote-control' [test] at groovyx.remote.transport.http.HttpTransport.send(HttpTransport.groovy:65) [test] at groovyx.remote.client.RemoteControl.sendCommandChain(RemoteControl.groovy:114) [test] at groovyx.remote.client.RemoteControl.exec(RemoteControl.groovy:73) [test] at...

Spring logout gives 404 error

java,spring,spring-mvc,spring-security
I've gone through all of the solutions listed at SO but can't seem to make it work. I've a simple spring-security xml file- <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd...

loadUserByUsername execute twice using DaoAuthenticationProvider

java,spring-mvc,spring-security
I am using DaoAuthenticationProvider for authentication, but when I submit the form loadUserByUsername is called twice by super.authenticate(authentication): initially it throws BadCredentialsException and then the next time it logs in successfully. This process works fine if I do not use passwordencoder, but when I use it the loadUserByUsername method is called twice. Below...

Spring Security Kerberos chained with basic

java,spring,jboss,spring-security,wildfly
I have a hopefully quick question about Spring Security. I am looking for a solution to integrate security into our application which provides SSO but HTTP basic as well. One of the automated pieces of our system can only support basic authentication and we are pretty locked into it. Currently...

Spring boot using Spring Security authentication failure when using SpringPlainTextPasswordValidationCallbackHandler in an XwsSecurityInterceptor

spring-security,spring-boot,spring-ws,ws-security
I have set up a Spring Boot (1.2.3) application with spring security and spring-ws. I have configured spring security to use .ldapAuthentication() for authentication in my WebSecurityConfigurerAdapter. I am trying to get the same spring security authenticationManager to authenticate my spring ws SOAP web services using ws-security usernametokens (plain...

Using Spring Security, what's the right way to manage authorization to query responses?

java,spring,spring-security
Using Spring Security (v. 3.2.5), what's the right way to manage authorization to query responses? I have configured Spring Security to regulate access to different parts of the system based on user roles. But in many places, the principal is querying for data (e.g. looking up previously persisted details "owned"...

Basic Auth to Receive Token in Spring Security

api,rest,spring-security,jwt
I am implementing a RESTful API where the user must authenticate. I want the user to POST their credentials in order to receive a JSON web token (JWT), which is then used for the remainder of the session. I have not found any good sources of information to set this...

WARNING DefaultFilterChainValidator.checkLoginPageIsntProtected Anonymous access to the login page doesn't appear to be enabled

spring,spring-security,redirect-loop
I am creating a plain Login form for spring security authentication: Here is security-config.xml <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security...

Use thymeleaf template for some pages and rest for some for building gradle project

rest,spring-mvc,gradle,spring-security,thymeleaf
I am new to this please someone tell me whether I can use Thymeleaf template for some pages and REST for some for building Gradle project? I created my login page retrieving through MySQL database using Thymeleaf template now for adding other information in my database I want to use...

log access denied events with Spring Security and J2EE container authentication

spring-security
I've got spring security configured as @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = false) public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .authorizeRequests() .anyRequest().authenticated() .and() .jee() .mappableRoles("ROLE1", "ROLE2"); } } And then @Secured annotations with roles on the rest endpoints. Doesn't matter what...

OAuth2 - Status 401 on OPTIONS request while retrieving TOKEN

spring-security,oauth-2.0,cors,single-page-application,restful-authentication
Our stack uses Backbone as our client-side app and Spring Boot as a RESTful API. We're trying to make basic authentication using OAuth2 with user providing username and password. We use Spring Security for authentication and jQuery $.ajax method for making requests. However the response we get is 401(unauthorized) status...

Spring MVC + Tiles + Spring Security = The requested resource is not available

java,spring,spring-mvc,spring-security,tiles
I have to say the equation in the title drives me crazy. As soon as I add the DelegatingFilterProxy to web.xml I get the 'Error 404 The requested resource is not available'. Otherwise the web app works fine. I am sure the problem with my configuration but I just cannot...

Spring security logout - add a message only when logout triggered from a logged in user

spring,spring-security
Let's say my logout URL is: app/logout. I need to show a message - "You are successfully logged out" in the logout page only when logout was triggered by clicking the logout button. The message should not be displayed if the user enters this URL directly. Any idea how to implement...

Spring boot require authorization at context root

spring,spring-security,spring-boot
I'm in the process of researching Spring Boot for a project, and have run into a curious issue with Spring Security. The application is configured to require authentication for all URLs via the following Java configuration: http .authorizeRequests() .antMatchers("/**") .authenticated() I've confirmed that this works fine for most views: attempting...

Spring security - Basic auth

java,spring,spring-security,spring-boot,basic-authentication
I'm trying to insert data using a POST request but I'm getting a 403 error. When I use GET, basic authentication works. For testing I use Fiddler. What's the problem? Security config: @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests()...

spring-security-oauth2 2.0.7 refresh token UserDetailsService Configuration - UserDetailsService is required

spring,spring-security,spring-security-oauth2,spring-security-ldap
I would have one question regarding the configuration of spring-security-oauth2 2.0.7 please. I am doing the Authentication using LDAP via a GlobalAuthenticationConfigurerAdapter: @SpringBootApplication @Controller @SessionAttributes("authorizationRequest") public class AuthorizationServer extends WebMvcConfigurerAdapter { public static void main(String[] args) { SpringApplication.run(AuthorizationServer.class, args); } @Override public void addViewControllers(ViewControllerRegistry registry) {...

Spring security throws javax.servlet.ServletException: Could not resolve view with name 'j_spring_security_check'

java,spring,spring-mvc,spring-security,tiles-3
I am trying to add Spring security with customized login page and access to database to my Spring MVC application. It seems like my mapping is wrong as it can not map j_spring_security_check. To solve the issue I had a look at following pages 1,2,3 but could not solve the...

Configuring a Custom LDAP Authentication Provider with Spring Security

java,spring,authentication,spring-security,ldap
I'm trying to configure Spring Security with LDAP Authentication, but I need to get the username for all login requests. I configured my spring-security.xml, which points to my MyCustomAuthenticationProvider class. I think the configuration is correct, but at runtime, Spring first tries to log in with its own LdapAuthenticationProvider....

Spring response ajax: 403 error

spring-mvc,spring-security,spring-java-config
I am using Spring with java-config AbstractAnnotationConfigDispatcherServletInitializer instead of web.xml and my spring-controller code: @RequestMapping(value = "/demo1", method = RequestMethod.POST) public @ResponseBody String demo1(HttpServletRequest request, HttpServletResponse response) { String poreqid = request.getParameter("poid"); String refid = request.getParameter("refid"); String status = request.getParameter("key"); String key = poreqid+ refid+ status; return key; } }...

Intercepting login calls with Spring-Security-Rest plugin in Grails

rest,grails,spring-security
I am using the spring security rest plugin for Grails to provide a login mechanism for an AngularJS app. Login works fine, but I can't figure out how to intercept login calls, in order to store additional statistics on (invalid/valid) login attempts. As I am quite new to Spring Security...

spring filters applies to all api urls Errors

spring-security,spring-java-config
I am new to Spring Security. The problem is that the filter is applied to all request URLs, i.e. /api/user/signup. I want to exclude the /api/user/signup path from going through the filter. I even tried the following web.ignoring() .antMatchers("/api/user/**") .antMatchers("/api/user/signup") but the filter is again applied to it. The filter requires an authkey token and the signup request obviously will...

NotReadablePropertyException when tomcat startup with Spring Boot

java,spring-security,spring-boot
When my Spring Boot application starts up, I get the following exception. I haven't found where the problem is; if someone has an idea... thanks in advance 2015-05-18 14:50:49,313 DEBUG c.q.q.Application:50 - Running with Spring Boot v1.2.3.RELEASE, Spring v4.1.6.RELEASE 2015-05-18 14:50:51,848 DEBUG o.j.logging:33 - Logging Provider: org.jboss.logging.Slf4jLoggerProvider 2015-05-18 14:50:51,991 DEBUG c.q.q.c.AsyncConfiguration:36 - Creating...

Jhipster - JpaRepository “principal.username” @Query - org.springframework.expression.spel.SpelEvaluationException

testing,spring-security,jhipster
I have an error while I am testing my rest controller on a specific method. I am using the @Query annotation to do my database query. And it's using the "principal.username" to do it. I don't have the all picture on how principal.username is fetched and used in my application....

Authenticate using SAML-based Basic Authentication?

spring-security,saml,spring-saml
I have a use case where a web application needs to let users authenticate in two different ways but using the same user data store (aka IDP) via SAML. User's browser is redirected to IDP and redirected back with SAML assertion (aka WebSSO Profile). User makes request to SP providing...

How to go to another page after login in Spring security

java,spring,jsp,spring-mvc,spring-security
Here is the jsp file that shows details of the flight information. <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <%@ include file="../layout/taglib.jsp" %> <table class="table table-bordered table-hover table-striped "> <thead> <tr> <th>Flight No</th> <th>Flight destination</th> <th>Flight origin</th> <th>Book now</th> </tr> </thead> <tbody> <form:form commandName="reserv" action="flight-reservation"...