Questions tagged [spring-security]
Spring Security is the Spring Framework's application security solution. Spring Security can be used to secure URLs and method invocations. It is widely used to secure standalone web applications and REST APIs.
28,954 questions
332 votes, 4 answers, 175k views
Difference between Role and GrantedAuthority in Spring Security
There are concepts and implementations in Spring Security, such as the GrantedAuthority interface to get an authority to authorize/control an access.
I would like that to permissible operations, ...
306 votes, 17 answers, 185k views
When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
I have a Spring MVC web app which uses Spring Security. I want to know the username of the currently logged in user. I'm using the code snippet given below. Is this the accepted way?
I don't ...
272 votes, 4 answers, 129k views
RESTful Authentication via Spring
Problem:
We have a Spring MVC-based RESTful API which contains sensitive information. The API should be secured, however sending the user's credentials (user/pass combo) with each request is not ...
226 votes, 3 answers, 239k views
How Spring Security Filter Chain works
I realize that Spring Security is built on a chain of filters, which will intercept the request, detect (absence of) authentication, redirect to authentication entry point or pass the request to ...
214 votes, 7 answers, 60k views
What is the meaning and difference between subject, user and principal?
In the context of security frameworks, a few terms commonly occur: subject, user and principal, of which I have not been able to find a clear definition and the difference between them.
So, what ...
210 votes, 19 answers, 226k views
How to manage exceptions thrown in filters in Spring?
I want to use a generic way to manage 5xx error codes, let's say specifically the case when the db is down across my whole spring application. I want a pretty error json instead of a stack trace.
For ...
206 votes, 20 answers, 406k views
How to fix Hibernate LazyInitializationException: failed to lazily initialize a collection of roles, could not initialize proxy - no Session
In the custom AuthenticationProvider from my spring project, I am trying to read the list of authorities of the logged user, but I am facing the following error:
org.hibernate....
196 votes, 1 answer, 9k views
Spring Security on Wildfly: error while executing the filter chain
I'm trying to integrate Spring Security SAML Extension with Spring Boot.
About the matter, I did develop a complete sample application. Its source code is available on GitHub:
spring-boot-saml-...
181 votes, 15 answers, 166k views
Spring 3.0 - Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Any ideas what could be the cause of this?
Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
org.springframework.web.context....
179 votes, 13 answers, 176k views
Unit testing with Spring Security
My company has been evaluating Spring MVC to determine if we should use it in one of our next projects. So far I love what I've seen, and right now I'm taking a look at the Spring Security module to ...
178 votes, 5 answers, 74k views
What's the difference between @Secured and @PreAuthorize in spring security 3?
It's not clear for me what is the difference in spring security between:
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact)
And
@Secured("ROLE_USER")
public void create(...
174 votes, 9 answers, 134k views
How to get active user's UserDetails
In my controllers, when I need the active (logged in) user, I am doing the following to get my UserDetails implementation:
User activeUser = (User)SecurityContextHolder.getContext().getAuthentication(...
151 votes, 9 answers, 181k views
How do I enable logging for Spring Security?
I am setting up Spring Security to handle logging users in. I have logged in as a user, and am taken to an Access Denied error page upon successful login. I don't know what roles my user has actually ...
144 votes, 14 answers, 212k views
Handle spring security authentication exceptions with @ExceptionHandler
I'm using Spring MVC's @ControllerAdvice and @ExceptionHandler to handle all the exception of a REST Api. It works fine for exceptions thrown by web mvc controllers but it does not work for exceptions ...
134 votes, 29 answers, 342k views
Spring boot Security Disable security
When I use security.basic.enabled=false to disable security on a Spring Boot project that has the following dependencies:
<dependency>
<groupId>org.springframework.boot</...
134 votes, 23 answers, 466k views
How to configure CORS in a Spring Boot + Spring Security application?
I use Spring Boot with Spring Security and Cors Support.
If I execute following code
url = 'http://localhost:5000/api/token'
xmlhttp = new XMLHttpRequest
xmlhttp.onreadystatechange = ->
if ...
132 votes, 21 answers, 225k views
How to check "hasRole" in Java Code with Spring Security?
How to check user authority or permission in Java Code? For example - I want to show or hide button for user depending on role. There are annotations like:
@PreAuthorize("hasRole('ROLE_USER')")
How ...
132 votes, 27 answers, 238k views
Remove "Using default security password" on Spring Boot
I added one custom Security Config in my application on Spring Boot, but the message about "Using default security password" is still there in LOG file.
Is there any way to remove it? I do not need this ...
132 votes, 3 answers, 44k views
Shiro vs. SpringSecurity [closed]
I am currently evaluating Java based security frameworks, I am a Spring 3.0 user so it seemed that SpringSecurity would be the right choice, but Spring security seems to suffer from excessive ...
126 votes, 13 answers, 176k views
Spring Security 5 : There is no PasswordEncoder mapped for the id "null"
I am migrating from Spring Boot 1.4.9 to Spring Boot 2.0 and also to Spring Security 5 and I am trying to authenticate via OAuth 2. But I am getting this error:
java.lang....
125 votes, 7 answers, 83k views
What's the point of Spring MVC's DelegatingFilterProxy?
I see this in my Spring MVC app's web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter....
125 votes, 7 answers, 241k views
How to manually set an authenticated user in Spring Security / SpringMVC
After a new user submits a 'New account' form, I want to manually log that user in so they don't have to login on the subsequent page.
The normal form login page going through the spring security ...
121 votes, 9 answers, 209k views
Spring 5.0.3 RequestRejectedException: The request was rejected because the URL was not normalized
Not sure if this is a bug with Spring 5.0.3 or a new feature to fix things on my end.
After the upgrade, I am getting this error. Interestingly this error is only on my local machine. Same code on ...
118 votes, 7 answers, 242k views
How to disable spring security for particular url
I am using stateless spring security, but in case of signup I want to disable spring security. I disabled using
antMatchers("/api/v1/signup").permitAll().
but it is not working, I am getting error ...
117 votes, 9 answers, 207k views
How to disable 'X-Frame-Options' response header in Spring Security?
I have CKeditor on my JSP and whenever I upload something, the following error pops out:
Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&...
111 votes, 8 answers, 97k views
How can I use Spring Security without sessions?
I am building a web application with Spring Security that will live on Amazon EC2 and use Amazon's Elastic Load Balancers. Unfortunately, ELB does not support sticky sessions, so I need to ensure my ...
110 votes, 2 answers, 31k views
HttpSecurity, WebSecurity and AuthenticationManagerBuilder
Could anyone explain when to override configure(HttpSecurity), configure(WebSecurity) and configure(AuthenticationManagerBuilder)?
110 votes, 11 answers, 201k views
Spring Security: Upgrading the deprecated WebSecurityConfigurerAdapter in Spring Boot 2.7.0
I am trying to update the WebSecurityConfigurerAdapter as it has been deprecated. The class is configured as follows:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = ...
104 votes, 9 answers, 206k views
Spring Security configuration: HTTP 403 error
I'm trying to secure my website using Spring Security following the guides on the web.
So on my server side I have the following classes.
My WebSecurityConfigurerAdapter:
@Configuration
@...
104 votes, 5 answers, 128k views
Securing Spring Boot API with API key and secret
I would like to secure the Spring Boot API so it is accessible only for the clients that have a valid API key and secret. However, there is no authentication (standard login with username and password) ...
100 votes, 18 answers, 125k views
Spring Boot: How to specify the PasswordEncoder?
Currently I got the main class:
package com.recweb.springboot;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@...
99 votes, 11 answers, 174k views
Serving static web resources in Spring Boot & Spring Security application
I am trying to develop Spring Boot web application and securing it using Spring security java configuration.
After placing my static web resources in 'src/main/resources/public' as advised here in ...
99 votes, 3 answers, 74k views
How to create custom methods for use in spring security expression language annotations
I would like to create a class that adds custom methods for use in spring security expression language for method-based authorization via annotations.
For example, I would like to create a custom ...
98 votes, 9 answers, 231k views
How do I get the Session Object in Spring?
I am relatively new to Spring and Spring security.
I was attempting to write a program where I needed to authenticate a user at the server end using Spring security.
I came up with the following:
...
96 votes, 11 answers, 169k views
Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
After configuring Spring Security 3.2, _csrf.token is not bound to a request or a session object.
This is the spring security config:
<http pattern="/login.jsp" security="none"/>
<http>
...
95 votes, 5 answers, 122k views
How to secure REST API with Spring Boot and Spring Security?
I know that securing REST API is a widely commented topic but I'm not able to create a small prototype that meets my criteria (and I need to confirm that these criteria are realistic). There are so many ...
93 votes, 8 answers, 349k views
Unsupported Media Type in postman
I am implementing spring security with oauth2 and jwt.
The below is my login function
function doLogin(loginData) {
$.ajax({
url : back+"/auth/secret",
type : "POST",
...
92 votes, 3 answers, 149k views
How To Inject AuthenticationManager using Java Configuration in a Custom Filter
I'm using Spring Security 3.2 and Spring 4.0.1
I'm working on converting an xml config into a Java config. When I annotate AuthenticationManager with @Autowired in my Filter, I'm getting an exception ...
91 votes, 4 answers, 37k views
Spring Security Configuration - HttpSecurity vs WebSecurity
I just need to understand something in Spring Security Configuration. Using the example below...
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
...
90 votes, 14 answers, 277k views
disabling spring security in spring boot app [duplicate]
I have a spring boot web app with spring security configured. I want to disable authentication for a while (until needed).
I add this to the application.properties:
security.basic.enable: false
...
89 votes, 2 answers, 243k views
When to use Spring Security's antMatcher()?
When do we use antMatcher() vs antMatchers()?
For example:
http
.antMatcher("/high_level_url_A/**")
.authorizeRequests()
.antMatchers("/high_level_url_A/sub_level_1").hasRole('USER')
...
86 votes, 3 answers, 34k views
spring security AuthenticationManager vs AuthenticationProvider?
Can someone tell me the difference between an AuthenticationManager and an AuthenticationProvider in Spring Security?
How are they used and how are they called. It is my understanding that a ...
86 votes, 6 answers, 33k views
JAAS for human beings
I am having a hard time understanding JAAS. It all seems more complicated than it should be (especially the Sun tutorials). I need a simple tutorial or example on how to implement security (...
85 votes, 7 answers, 108k views
Disable Spring Security for OPTIONS Http Method
Is it possible to disable Spring Security for a type of HTTP Method?
We have a Spring REST application with services that require Authorization token to be attached in the header of http request. I ...
85 votes, 3 answers, 99k views
What's the "principal" in Spring Security?
I'm really new to Spring and Spring Security. I was reading about Spring Security and it came out the concept of principal, which should be the current logged user. But what if we have more than one ...
82 votes, 8 answers, 164k views
Spring Security permitAll not allowing anonymous access
I have a single method that I want to allow both anonymous and authenticated access to.
I am using Spring Security 3.2.4 with Java based configuration.
The overridden configure method (in my custom ...
82 votes, 7 answers, 127k views
Spring Security with roles and permissions
I'm trying to set up role-based Security with permissions. I'm trying to do this together with Spring-Security.
I don't want to set up ACL as it seems it's an overkill for my requirements.
I just ...
79 votes, 6 answers, 71k views
JSON Web Token (JWT) with Spring based SockJS / STOMP Web Socket
Background
I am in the process of setting up a RESTful web application using Spring Boot (1.3.0.BUILD-SNAPSHOT) that includes a STOMP/SockJS WebSocket, which I intend to consume from an iOS app as ...
78 votes, 6 answers, 97k views
spring security: NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.config.annotation.ObjectPostProcessor] found
I'm trying to add spring-security to my rest app.
I followed the tutorial (https://spring.io/guides/tutorials/spring-security-and-angular-js/) on spring website to do it but there it uses spring-boot ...
78 votes, 3 answers, 95k views
What is the use of @Order annotation in Spring?
I have come across a glance of code which uses @Order annotation. I want to know what is the use of this annotation with respect to Spring Security or Spring MVC.
Here is an example:
@Order(1)
...