Develop Reference

SAML assertion verification works in spring-security version 5.4.2, but not in 5.7.1

With spring-security 5.7.1 I get
Invalid signature for object [id6...]
This is the error message of the signature verification of the saml assertion. But with version 5.4.2 it works.
This is my application.yml
spring:
security:
saml2:
relyingparty:
registration:
okta-saml:
identityprovider:
entity-id: http://www.okta.com/e...
verification:
credentials:
- certificate-location: "classpath:saml-certificate/okta.crt"
singlesignon:
url: https://dev-7....okta.com/app/dev-7..._appsaml_1/e.../sso/saml
sign-request: false
Maybe something must be changed in application.yml?

have seen the Same problem after updating to Spring Boot 2.7.
the problem is related to verifying the SAML response signature
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to establish trust of KeyInfo-derived credential 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to verify signature and/or establish trust using any KeyInfo-derived credentials 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Attempting to verify signature using trusted credentials 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Failed to verify signature using either KeyInfo-derived or directly trusted credentials

Caddy worked until last restart

I am currently working on an already started project, with the current situation (completely new to Caddy, so sorry if asking something basic):
A docker container with postgresSQL -- container called myappdb
A Spring Boot docker application with some microservices -- container called backend
A caddy docker container that reverse proxies to Spring boot container -- container called caddy
The three containers are in a docker network called project_net.
I worked on the spring boot backend and everything worked well. Accidentally I stopped the caddy container and restarted it, and now I cannot make rest calls to https server anymore.
Here the Caddyfile:
https://app.myapp.it {
tls myapp#gmail.com
reverse_proxy /* {
to backend:48795
flush interval -1
}
}
Here the Dockerfile for caddy image:
FROM caddy:2.4.5
COPY Caddyfile /etc/caddy/Caddyfile
ENV ACME_AGREE=true
EXPOSE 443
All is running on an apache application server and I thing everything is set up because everything worked well until yesterday!
Here the log of the caddy container on start:
2022-02-24T00:49:13.077709051Z 2022/02/24 00:49:13.077 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
2022-02-24T00:49:13.080517683Z 2022/02/24 00:49:13.080 WARN input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "/etc/caddy/Caddyfile", "line": 2}
2022-02-24T00:49:13.082483777Z 2022/02/24 00:49:13.082 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022-02-24T00:49:13.083012379Z 2022/02/24 00:49:13.082 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2022-02-24T00:49:13.083044007Z 2022/02/24 00:49:13.082 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2022-02-24T00:49:13.083262915Z 2022/02/24 00:49:13.082 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0003bdb90"}
2022-02-24T00:49:13.088176927Z 2022/02/24 00:49:13.087 INFO tls cleaning storage unit {"description": "FileStorage:/data/caddy"}
2022-02-24T00:49:13.088214299Z 2022/02/24 00:49:13.087 INFO tls finished cleaning storage units
2022-02-24T00:49:13.088566440Z 2022/02/24 00:49:13.088 INFO http enabling automatic TLS certificate management {"domains": ["app.myapp.it"]}
2022-02-24T00:49:13.089217858Z 2022/02/24 00:49:13.088 INFO autosaved config (load with --resume flag) {"file": "/config/caddy/autosave.json"}
2022-02-24T00:49:13.089255497Z 2022/02/24 00:49:13.088 INFO serving initial configuration
2022-02-24T00:49:13.090255185Z 2022/02/24 00:49:13.089 INFO tls.obtain acquiring lock {"identifier": "app.myapp.it"}
2022-02-24T00:49:13.104037308Z 2022/02/24 00:49:13.103 INFO tls.obtain lock acquired {"identifier": "app.myapp.it"}
2022-02-24T00:49:13.980759033Z 2022/02/24 00:49:13.980 INFO tls.issuance.acme waiting on internal rate limiter {"identifiers": ["app.myapp.it"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "myapp#gmail.com"}
2022-02-24T00:49:13.980807648Z 2022/02/24 00:49:13.980 INFO tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["app.myapp.it"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "myapp#gmail.com"}
2022-02-24T00:49:14.538528714Z 2022/02/24 00:49:14.538 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "app.myapp.it", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022-02-24T00:49:15.976582736Z 2022/02/24 00:49:15.976 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "app.myapp.it", "challenge_type": "tls-alpn-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2022-02-24T00:49:15.976692391Z 2022/02/24 00:49:15.976 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "app.myapp.it", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "order": "https://acme-v02.api.letsencrypt.org/acme/order/422657490/66417417610", "attempt": 1, "max_attempts": 3}
2022-02-24T00:49:17.508224302Z 2022/02/24 00:49:17.507 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "app.myapp.it", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022-02-24T00:49:18.933967989Z 2022/02/24 00:49:18.933 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "app.myapp.it", "challenge_type": "http-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Invalid response from http://app.ripapp.it/.well-known/acme-challenge/QG2yr7WcBg8Wbj9evi8oyk1CzaTFM0Y9bkgkmqq5Iww [91.187.200.219]: \"<html lang=\\\"en\\\" xml:lang=\\\"en\\\" xmlns=\\\"http://www.w3.org/1999/xhtml\\\">\\n<head>\\n <title>Connection denied by Geolocation</title>\\n \""}
2022-02-24T00:49:18.934101729Z 2022/02/24 00:49:18.933 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "app.myapp.it", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Invalid response from http://app.myapp.it/.well-known/acme-challenge/QG2yr7WcBg8Wbj9evi8oyk1CzaTFM0Y9bkgkmqq5Iww [91.187.200.219]: \"<html lang=\\\"en\\\" xml:lang=\\\"en\\\" xmlns=\\\"http://www.w3.org/1999/xhtml\\\">\\n<head>\\n <title>Connection denied by Geolocation</title>\\n \"", "order": "https://acme-v02.api.letsencrypt.org/acme/order/422657490/66417426840", "attempt": 2, "max_attempts": 3}
2022-02-24T00:49:20.696387362Z 2022/02/24 00:49:20.695 ERROR tls.obtain could not get certificate from issuer {"identifier": "app.myapp.it", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[app.myapp.it] solving challenges: app.myapp.it: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/422657490/66417435240) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2022-02-24T00:49:21.383148322Z 2022/02/24 00:49:21.382 INFO tls.issuance.zerossl generated EAB credentials {"key_id": "fiNQgkXxmfwTdX1q1gFasg"}
2022-02-24T00:49:24.460492479Z 2022/02/24 00:49:24.459 INFO tls.issuance.acme waiting on internal rate limiter {"identifiers": ["app.myapp.it"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "myapp#gmail.com"}
2022-02-24T00:49:24.460580992Z 2022/02/24 00:49:24.460 INFO tls.issuance.acme done waiting on internal rate limiter {"identifiers": ["app.myapp.it"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "myapp#gmail.com"}
I cannot work without resolving this (on http port is listening current active website, so I cannot test anything over http port).
It seems the problem is that letsencrypt refuses someway the connection. What can I do?
Is there something that I can do to solve? (or also if you need some other files and configurations)
Was thinking about changing to traefik, but the ideal thing is to solve and leave the structure of the project as it is.

Why authorization failed after successful authentication

I configured CAS server with OAuth2.0 protocol (authorization code grant type) based on post https://apereo.github.io/2019/02/19/cas61-as-oauth-authz-server/
my server configuration (application.yml)
cas:
server:
name: https://casoauth.example.org:8443
prefix: ${cas.server.name}/cas
authn:
accept:
users: casuser::demo
oauth:
refreshToken:
timeToKillInSeconds: 2592000
code:
timeToKillInSeconds: 14400
numberOfUses: 10
accessToken:
timeToKillInSeconds: 14400
maxTimeToLiveInSeconds: 28800
grants:
resourceOwner:
requireServiceHeader: true
userProfileViewType: FLAT
ticket:
tgt:
maxTimeToLiveInSeconds: 28800
timeToKillInSeconds: 14400
st:
timeToKillInSeconds: 14400
serviceRegistry:
json:
location: classpath:/services
initFromJson: true
logging:
config: file:/etc/cas/config/log4j2.xml
level:
org:
apereo:
cas: DEBUG
json for register app
{
"#class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "client1",
"clientSecret": "password1",
"serviceId": "^https://casoauth.example.org:9999/.*",
"name": "OAuthService",
"id": 1000,
"bypassApprovalPrompt": false,
"supportedGrantTypes": [ "java.util.HashSet", [ "authorization_code" ] ],
"supportedResponseTypes": [ "java.util.HashSet", [ "code" ] ]
}
app configuration
debug: true
server:
port: 9999
ssl:
keyStore: file:/etc/cas/thekeystore
keyStorePassword: changeit
keyPassword: changeit
security:
user:
password: user
ignored: /,/favicon.ico,/index.html,/home.html,/dashboard.html,/js/**,/css/**,/webjars/**
sessions: ALWAYS
oauth2:
sso:
loginPath: /dashboard/login
management:
security:
role: HERO
logging:
level:
org.springframework: INFO
com.netflix.discovery: 'OFF'
---
spring:
profiles: cas
security:
oauth2:
client:
clientId: client1
clientSecret: password1
accessTokenUri: https://casoauth.example.org:8443/cas/oauth2.0/accessToken
userAuthorizationUri: https://casoauth.example.org:8443/cas/oauth2.0/authorize
clientAuthenticationScheme: form
resource:
userInfoUri: https://casoauth.example.org:8443/cas/oauth2.0/profile
preferTokenInfo: false
After authentication on CAS server I get
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Tue Jun 04 17:10:41 CEST 2019
There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: Could not obtain access token
URL https://casoauth.example.org:9999/dashboard/login?code=OC-1-lu5Hlcg2l3E4S5B68fs0-P-47tkh-4gR&state=ef17Ee
Any ideas what is wrong?

I had this problem. You should add your certificate to trusted certificate and problem will solve.

Spring Security (Java Config): Using antmatchers for same URL with differing HTTP methods

I'm trying to restrict GET access to a URL for one role, and POST access to the same URL for another role as seen below.
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password("password").roles("USER").and()
.withUser("readuser").password("password").roles("USER", "READ").and()
.withUser("admin").password("password").roles("USER", "READ", "WRITE");
}
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().permitAll().and()
.logout().permitAll().and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/api/foo").hasRole("READ")
.antMatchers(HttpMethod.POST, "/api/foo").hasRole("WRITE")
.anyRequest().authenticated()
.and().csrf().disable()
.httpBasic();
When I try a GET (or a POST) with my readuser account, I get an access denied error; but when I try either with the admin account, it can do both.
However, when I remove the line .antMatchers(HttpMethod.POST, "/api/foo").hasRole("WRITE") then my readuser account can properly hit /api/foo with a GET request.
How can I make Spring Security allow both of these restrictions?
UPDATE - including relevant spring security debug log information
Here are the relevant logs when attempting with readuser:
************************************************************
Request received for GET '/api/foo?id=foo':
Request(GET //localhost:8089/api/foo?id=foo)#b4603eb
servletPath:/api/foo
pathInfo:null
headers:
Authorization: Basic cnVudXNlcjpwYXNzd29yZA==
Cookie: JSESSIONID=node0fe3b0i44a5sbpohi6jq6dkkw0.node0
Cache-Control: no-cache
Accept: */*
User-Agent: PostmanRuntime/3.0.11-hotfix.2
Connection: keep-alive
Postman-Token: 99a23213-6cf8-4686-9886-7f9c2de13c6f
Host: localhost:8089
Accept-Encoding: gzip, deflate
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
DefaultLoginPageGeneratingFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
.
.
.
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against 'GET'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against '/api/foo'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/foo?id=foo; Attributes: [hasRole('ROLE_WRITE')]
2017-05-08 11:31:27.818 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#a38eb23d: Principal: org.springframework.security.core.userdetails.User#5c7268d6: Username: readuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_READ,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_READ, ROLE_USER
2017-05-08 11:31:27.818 DEBUG 5812 --- [p1731685294-106] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter#7b20c046, returned: -1
2017-05-08 11:31:27.819 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
.
.
.
2017-05-08 11:31:27.823 DEBUG 5812 --- [p1731685294-106] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

You are using the wrong HttpMethod class.
javax.ws.rs.HttpMethod#GET returns a String and therefore you use antMatchers(String... antPatterns) instead of antMatchers(HttpMethod method, String... antPatterns) in your Spring Security configuration.
With that configuration Spring Security checks against the URL patterns GET and /api/foo (both for all HTTP methods), see your log:
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against 'GET'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/foo'; against '/api/foo'
You have to use org.springframework.http.HttpMethod#GET, which returns a HttpMethod object.

Source folder "src" does not exist - have you run forge create yet?

Just downloaded version 3.3.0 for windows today. I installed python and trying to get started with my first app with forge create but I am getting the following in the error log:
2012-04-28 18:03:28,285 [ INFO] Forge tools running at version 3.3.0
2012-04-28 18:03:28,288 [ DEBUG] Forge build tools version: 3.3.0
2012-04-28 18:03:28,288 [ DEBUG] main: {"server": "https://trigger.io/api/"}
2012-04-28 18:03:28,299 [ DEBUG] GET https://trigger.io/api/version_check/3/3/0/
2012-04-28 18:03:29,661 [ DEBUG] checking API response for success or error
2012-04-28 18:03:29,661 [ INFO] Update result: you already have the latest tools
2012-04-28 18:03:44,101 [ DEBUG] GET https://trigger.io/api/auth/loggedin
2012-04-28 18:03:44,279 [ DEBUG] checking API response for success or error
2012-04-28 18:03:44,279 [ DEBUG] already authenticated via cookie - continuing
2012-04-28 18:03:44,279 [ INFO] Registering new app "helloworld" with trigger.io...
2012-04-28 18:03:44,279 [ DEBUG] POST https://trigger.io/api/app/
2012-04-28 18:03:56,368 [ DEBUG] checking API response for success or error
2012-04-28 18:03:56,368 [ INFO] Fetching initial project template
2012-04-28 18:03:56,368 [ DEBUG] already authenticated - continuing
2012-04-28 18:03:56,368 [ DEBUG] GET https://trigger.io/api/app/xxx/initial_files/
2012-04-28 18:03:56,579 [ DEBUG] unzip is available, using it
2012-04-28 18:03:56,782 [ DEBUG] unzip output
2012-04-28 18:03:56,782 [ DEBUG] Can't execute /c/Program Files/Common Files/Symbian/tools/unzip.pl.
2012-04-28 18:03:56,782 [ DEBUG] Extracted initial project template
2012-04-28 18:03:56,782 [ DEBUG] Removed downloaded file ".\initial.zip"
2012-04-28 18:03:56,782 [ INFO] Building app for the first time...
2012-04-28 18:03:56,782 [ ERROR] Source folder "src" does not exist - have you run forge create yet?
Is it suppose to look for unzip within Symbian folder?
Not sure how to fix this, any help would be appreciated ...
Thanks,
EE

From these lines in the output, it looks like a different version of 'unzip' is being used from what our tools expect:
2012-04-28 18:03:56,579 [ DEBUG] unzip is available, using it
2012-04-28 18:03:56,782 [ DEBUG] unzip output
2012-04-28 18:03:56,782 [ DEBUG] Can't execute /c/Program Files/Common Files/Symbian/tools/unzip.pl.
This is causing the basic template app not be unzipped (creating the src directory) hence the error.
Could you try removing '/c/Program Files/Common Files/Symbian/tools/unzip.pl' from the PATH and retrying 'forge create'