As spring-security-oauth2 obsoleted ref: EOL for Spring Security OAuth,
cannot use #oauth2.hasScope([scope]) in xml config provided by OAuth2SecurityExpressionMethods.java
Expected to see ast parser or similar handler in either spring-security-oauth2-jose, spring-security-oauth2-client, spring-security-oauth2-core to accomplish that in the following example, #oauth2 security expressions on method level.
Is there something i missed for xml config for oauth2 scope checking?
Or i must implement it by hasAuthority('SCOPE_[scope]')
thanks
have to switch to hasAuthority("SCOPE_scope")
Spring Security converts scopes that follow the granted authority naming convention
ref: OAuth 2.0 Migration Guide
Related
Landing on Spring security is really an stucky path.
I need to implement an authentication mechanism in order to pick jwt token and extract authentication.
It's really complicated to be sure whether I'm using best approach in order to implement it.
I need to implement and JWTAuthenticationFilter
Questions:
Why do I need to extend from BasicAuthenticationFilter? All exemples over there extends from it to implement a JWTAuthenticationFilter! What does it have to do with BASIC mechanism?
Also I saw over there JWTAuthorizationFilter. Why ...AuthorizationFilter instead of ...AuthenticationFilter?
Which is the best approach about to get my goal?
You don't need to provide a custom filter for that, you can use spring-security-oauth2-resource-server dependency and configure Spring Boot, like so:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://idp.example.com/issuer
By doing this, Spring Security will go to the identity provider and retrieve the JWT keys to validate the token provided in the request. If you need to customize the behavior you can override Spring Boot auto-configuration, see the documentation.
I have a web application which exposes CXF JAX WS SOAP Services and also an OData REST Service.
As i understand from the spring documentations, in order to authenticate the JAX WS requests we need to create a Interceptor and write our own code to call the spring security Authentication Manager to authenticate the request. This i am able to achieve in my application. But in order to use spring security with JAX WS i have to disable the csrf for the endpoint urls.
Hence i dont want to use spring security for authentication and instead wants to use the container managed security where i can do the check in web.xml itself.
But there are certain roles i want to check at method levels and i find spring security pretty helpful at method level security.
So my question is whether i can use container manage authentication and for authorizations spring security ? Do you see any security issues here ?
and in case i want to enable the csrf for the jax WS endpoints then how can we pass the csrf token for a service call?
Regards,
Soumya Ranjan
I successfully completed login module of my application using spring security's inbuilt authentication & authorization mechanism.But later i was told to check if i can integrate WSO2 (SOA solution as external Authorization mechanism) with Spring security so that i can use Spring security's authentication mechanism alone and WSO2 for authorization instead of using Spring security provided Authorization.
I did search & read the documentation and i could get details about using External authentication with Spring security & nothing about External authorization.I would like to know if i can do the same and also how i can do it.Any pointers will be really helpful for me.
What options do I have to enforce authentication/authorization in a java web app ?
From my research, there's:
JAAS
JNDI
Spring security
Any others ? Does JEE5 or JEE6 have anything new ?
if you do not want to implement the identity-provider by yourself, you can consider using OpenID. This way, you can use any OpenID provider to provide the authentication/authorization.
In addition, you can consider OAuth2.
Do not mix between the two, there are many posts here that can explain the differences...
See Securing Web Applications chapiter for JEE6. Also you can consider Apache Shiro as alternative for Spring Security. If you already use Spring Framework then just go with Spring Security.
We'd like to add Oauth2 support for a spring mvc and spring security based web application, so the oauth2 security module (http://www.buynfctags.com/nfc-tags/stickers/printed-nfc-sticker-ntag.html) seems a great fit.
But which flows exactly are supported? The docs only list the web-server flwo, but what about client-side and resource owner password flow for example. Will it work out of the box?
All the main OAuth2 flows are supported - authorization-code, implicit, client-credentials and password. There is more information in the github wiki and you might also want to take a look at the authorization-server element in the namespace schema.
The CloudFoundry UAA project is a useful example of using Spring Security OAuth2 in practice.