I have read many discussions, even on this forum, and I have found many suggestions but I have not found valid code.
I use Spring Boot 2.5.1 and Java 11 but I want to keep my application up to date. I need a code that is possibly valid also in the future.
Is there official Spring support?
Related
I have a Spring framework based app in which I have been instructed to add AES-256 encryption. I have added this using the standard Spring security Encryptors.textEncryptor(...)
When I ran it on our development servers I got errors which indicated issues with key lengths so I updated the server's Java with Java JCE's unlimited policy files from Oracle.
However when attempting to get the code deployed to our test servers, the server admins are refusing to update the Java installations.
After talking with security, they suggested down grading the encryption from AES-256 to AES-128 under the assumption that it will work without the unlimited policy files.
As you can tell I'm not greatly knowledgeable in this area.
I've looked online, but it appears that the Spring encryption cannot be downgraded to AES-128.
Does anyone know if this downgrade can be done? or am I have to roll my own encryption setup?
Ended up using the spring source code as a base for rolling our own. Not hard really.
In various projects, I am using versions 2.0.2 and 2.1.4 of Spring Web Services. Given that neither of these are listed any longer on the project page at spring.io (http://projects.spring.io/spring-ws/) I am thinking that they're past EOL. Can anyone confirm, or better yet, provide a link to the official EOL announcement/schedule for Spring Web Services?
Thanks in advance.
Good news! Since Spring reorganized their web site (quite some time back now, but this is a really old question), it's much more obvious: https://spring.io/projects/spring-ws#support.
I am using spring security in my application for authenticating. I want to fail all logins which happened within a specific time period since session start(e.g 150ms). I can write code to achieve this. I wanted to know if spring security has this functionality built in where I can specify a timeperiod and all login request within that specified time fails.
Thanks,
I think there is no such built-in mechanism in spring for this usecase. Your requirement seems not really a common requirement and therefore could not be expected to find something like this in a general programming framework.
How to secure REST services (OAuth) with Spring Boot?
The closest I can get is:
http://spring.io/guides/gs/securing-web/
http://spring.io/guides/gs/authenticating-ldap/
You could add the OAuth2AuthenticationProcessingFilter pretty easily to a Boot app. The closest sample would probably be the spring-boot-sample-secure, since it explicitly adds a WebSecurityConfigurerAdapter, which is what you'd have to do. There is no native autoconfiguration support for OAuth in Spring Boot yet (but please feel free to add it). It is on the roadmap, but unlikely to get a lot of attention unless more people ask for it.
I cannot find a complete example anywhere of a Spring Security Web App with Open Id registration similar to stackoverflows.
I would say I'm pretty techy guy but I find Spring Security extremely intimidating with its weird Spring XML DSL.
I have found bits and pieces of how one would do the good ole' stackoverflow registration using:
Spring Security Open ID sample WAR
Hillerts Blog 3 part blog posting
Spring Security Official Doc on OpenId (the email attributes are wrong see next link)
Stackoverflow posting about email attributes
JQuery OpenId library for picking your OpenId provider Stackoverflow has a modified one that seems to include Facebook
Best Article on the subject but a little long winded
Another example like previous one for Google App Engine
But no complete examples (WAR). Does anyone know or have a working example (ie WAR) that does more than just authenticate with an in-memory openid urls?
UPDATE: The latest version of Spring Social does a very good job of managing Oauth registration. We ended up using it instead. Although its not OpenId I have grown to prefer Oauth over OpenId. For those interested in there is a project to use OpenId with spring social: https://github.com/molindo/spring-social-openid
Have you looked at the latest version of the sample code (for the 3.1 release)?
It has several improvements to make it simpler to use Google and Yahoo authentication together (with different attribute exchange configurations simultaneously), uses a similar login dialog to stack overflow and performs simple registration in the case of users who have not previously accessed the app.
See this issue https://jira.springsource.org/browse/SEC-1431 (and the linked one) for more information.
I know this is not really helpful in answering your Question but I am currently building a Grails based web application and initailly started using Spring Security but also found it difficult to setup.
I then changed to Apache Shiro and it is much simpler to implement. But it doesn't have support for openid out of the box, but the nimble grails plugin does so you may be able to use that as an example to write your own.
Yes,
There is a war to download on http://repo1.maven.org/maven2/org/springframework/security/spring-security-samples-openid/3.0.1.RELEASE/
Maybe it can help you.
It's not exactly OpenID, it uses Facebook Connect, but checkout Spring's GreenHouse. That's great code written by the guys from Spring you can use to jumpstart your app.
Yes, In spring application, user can authenticate into your application with open ID provider.
1) Here is the sample example of spring open ID login application.
2) Here is the sample example of spring security social login application and blog here.