I'm having trouble getting Spring Security to work in my Spring MVC app. It is configured correctly (I think) and I am fully expecting it to use the configured security filter on all requests. It isn't. My question isn't to make sure I'm configured correctly so I'm not going to post any code, I am only asking if there is a method or something I can call in one of my controllers that will return true or false signifying if Spring Security is actually enabled or not so I can know how to proceed debugging. Thanks!
In your case, you could use spring actuator.
This is module used for application monitoring. You can read more about it, in this blog post: http://www.baeldung.com/spring-boot-actuators
Related
I have a Java application using Spring Security 5.2.1 and secured by Keycloak.
The client in Keycloak is a public openid-connect client.
It works fine.
I have now a requirement to use PKCE (Proof Key for Code Exchange).
As Client Support for PKCE has been added to Spring Security 5.2.0.M2 and as I use Spring Security 5.2.1, I can use Spring Security to implement it.
That's the good news.
The 'bad' news is that I found nearly nothing on the Web or in the Spring Security documentation on how I must implement it, practically.
Adding "enable-pkce": true in keycloak.json doesn't work, and I don't find any clear example of what to do.
Is there some documentation, website or whatever else, describing what to do to implementsthis ?
Thank you very much !
From the Spring Security reference documentation https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#initiating-the-authorization-request
PKCE will automatically be used when the following conditions are true:
client-secret is omitted (or empty)
client-authentication-method is set to "none" (ClientAuthenticationMethod.NONE)
A really strange situation is observed in our application (Spring Boot 1.5.6 with all-default BOM dependencies): you can perfectly log in (with AbstractPreAuthenticatedProcessingFilter), but this still leaves Principal in request null! I.e. request.getUserPrincipal() is null while SecurityContextHolder.getContext().getAuthentication() is not!
This in turn affects the ability of our health endpoint to be sensitive: it uses Principal (see HealthMvcEndpoint.exposeHealthDetails(HttpServletRequest, Principal)) which is injected by ServletRequestMethodArgumentResolver, which in turn takes it from the request...
Looks like I'm missing something simple, but still can't find it :(
So, after creating a new Spring Boot application and debugging it to its guts, I've found out that nobody actually sets Principal into the request. It's Spring who wraps it into another one that uses Spring's SecurityContext for the above (and some other methods). And this wrapping is done by the SecurityContextHolderAwareRequestFilter, which is there by default (see HttpSecurity.servletApi())...
But somebody has disabled the default Spring Security configuration for our project, so the filter was not there!
I'm studying the Spring Security framework with Spring Boot, and one thing I dislike about boot is it's obscurity. There's so much magic happening, troubleshooting and customization is trial and error, guessing what is configured automatically and where. This is high risk in the security field, as misconfigured system may be compromised.
I would like to replace springSecurityFilterChain with my own implementation. In vanilla Spring I would register DelegatingFilterProxy with a different name in web.xml, and implement corresponding bean. However, Spring boot apparently registers springSecurityFilterChain automatically if jars are present, and now I'm not sure if the auto configuration will back of just by declaring the springSecurityFilterChain in a traditional way, or will this lead to misconfigured system?
Generally, I would like to understand Spring boot better, and not just guessing what is happening, where and how to take control of that area.
There are a lot of preconfigured things, but you can override every single step. The magic of #EnableAutoConfiguration is just convenience. The --debug switch should tell you more what is happening in the background.
http://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-auto-configuration.html
If you use Spring Boot 1.4.x (I'm not sure about previous releases), one of the following would work.
#EnableAutoConfiguration(exclude = {org.springframework.boot.autoconfigure.security.SecurityFilterAutoConfiguration.class})
OR
#SpringBootApplication(exclude = { org.springframework.boot.autoconfigure.security.SecurityFilterAutoConfiguration.class})
OR
In your application.properties file,
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityFilterAutoConfiguration
Sometimes you may need to exclude the org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration class as well.
Do you really want to disable the whole security chain? I don't see the use case, but if, then you do not need #EnableWebSecurity at all. If you only want to adjust the chain, create a Class annotated with #Configuration and #EnableWebSecurity which is extending WebSecurityConfigurerAdapter. There you can tell who is allowed to do what by overriding configure(HttpSecurity).
I am developing an web application using java with Spring MVC and Sprin-Security. I can see, Spring Security does the authentication and security related tasks by itself which is OK. I was wondering how Spring Security detects the password field from database on which the authentication is made!!!
I have stored the user passwords in a column named 'xyz'. Now, how can I ask Spring-Security to look for user password in the column 'xyz'???? I tried to find a clear answer for this, but couldn't. So, if you guys please help me to make a clear concept about this.... I appreciate that!!
First, you need to setup JDBC Connectivity. For that you can use Spring JDBC so that the connections are spring managed.
Then, you need to override UserDetailsService of Spring Security to your own queries. An example is given here
Then wire your services either via programmatic configuration or via XML configuration, whichever way you have done it in your project.
I'm attempting to integrate Spring's default access control list implementation into a Jersey contained Restful API. I successfully was able to implement Basic Authentication using the Spring Security Filter Chain and setting up an authentication manager in my securityContext.xml.
My problem in a nutshell is, after adding the acl-context.xml and making adjustments to other parts of the project, my project seems to not recognize the #pre and #post annotations. It doesn't throw an error, but it doesn't make queries to the database according to the mysql log. Is there something about the default implementation of Spring's ACL that relies on Spring MVC classes like #controller, #transactional, #resource, or #service?
Here is the repo with the code as it is now (I appologize for the extra classes laying about. It is a maven project.
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/tree/secure
web.xml:
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/blob/secure/src/main/webapp/WEB-INF/web.xml
webSecurityConfig.xml:
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/blob/secure/src/main/resources/webSecurityConfig.xml
acl-context.xml:
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/blob/secure/src/main/resources/acl-context.xml
pom.xml:
https://github.com/DataAnalyticsinStudentHands/RESTFUL-WS/blob/secure/pom.xml
I'm sorry I would love to paste the .xmls here but I can't seem to get the formatting to work and its deleting characters. Please let me know if there is anything else I can do to clarify the situation. If I'm doing anything overtly stupid in regards to anything else, please let me know. I welcome the criticism. I'm the only person on our team working on network security and I don't have anyone here to give me feedback.