Sample Application Compatibility With Latest Spring Security - spring-security

The Spring Security SAML extension sample application doesn't seem to be compatible with Spring Security 4.2.2 (the latest at the time of this writing). At least not out of the box. Is this due to a compatibility issue between the SAML extension and Spring Security or just something that needs to be tweaked / updated in the sample application?
I've seen this link...
Spring Saml not working with latest Spring Security 4.0.0.RELEASE
...where a commenter says that the SAML extension should be compatible with Spring Security 4, but I can't seem to figure out what changes need to be made to the SAML example application to get it working. Has anyone else figured this out?
Thanks!

Related

How to serialize an assertion with spring-security-saml2-service-provider

I’ve an existing Spring Boot project used to authenticate an Angular SPA with SAML.
The dependencies included in the Spring Boot project are:
- spring-boot-starter-security (version 2.6.6)
- spring-security-saml2-core (version 1.0.10.RELEASE)
I've replaced spring-security-saml2-core with spring-security-saml2-service-provider
because spring-security-saml2-core is being superseded by the SAML feature set in Spring Security Core, and the configuration is simpler.
Does a similar feature exist (see Section 9.5:
https://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/configuration-sso.html#configuration-authentication-assertion)
to serialize the SAML assertion response with spring-security-saml2-service-provider?
I've solved it. Saml2Authentication returns the SAML response object as decoded XML (see: https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.html)
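As an added illustration of that answer (not code from the thread), the following Java reads the serialized Response off the current Saml2Authentication, which is Spring Security 5.x API (the line Spring Boot 2.6 pulls in), and parses it with DOCTYPE and external-entity processing disabled before pulling out the Assertion's NameID. The class and method names are my own; getSaml2Response() and Saml2AuthenticatedPrincipal are real Spring Security members.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class SamlResponseReader {

    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** The serialized Response that Spring Security validated during login and kept on the Authentication. */
    public static String currentResponseXml() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof Saml2Authentication)) {
            throw new IllegalStateException("current user was not authenticated through SAML");
        }
        return ((Saml2Authentication) auth).getSaml2Response();
    }

    /** Parses the Response with DTDs and external entities disabled, then returns the first Assertion's NameID. */
    public static String nameIdOf(String responseXml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(responseXml)));

        NodeList assertions = doc.getElementsByTagNameNS(SAML2_ASSERTION_NS, "Assertion");
        if (assertions.getLength() == 0) {
            // An IdP that encrypts assertions sends an EncryptedAssertion instead; the raw Response
            // keeps the ciphertext, so read attributes from Saml2AuthenticatedPrincipal in that case.
            throw new IllegalArgumentException("Response carries no plaintext Assertion");
        }
        NodeList nameIds = ((Element) assertions.item(0)).getElementsByTagNameNS(SAML2_ASSERTION_NS, "NameID");
        return nameIds.getLength() == 0 ? null : nameIds.item(0).getTextContent().trim();
    }
}
```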

Grails Spring Security Core 3.2.0.M1 - secure annotations not working

I have upgraded Grails and Spring Security to latest (3.3.0.RC1 and 3.2.0.M1 respectively) by following all of the migration paths but now my annotations no longer work. Control follows through to my not authorised callback (grails.plugin.springsecurity.adh.errorPage).
I have my own list of enum backed Permissions that I use to populate my list of authorities which are being correctly loaded for my user object but they no longer work in my annotations using the hasRole expression as follows;
@Secured(["hasAnyRole('PERM_VIEW_REPORTS')"])
Other expressions are working fine, such as the following:
@Secured("authentication.name == 'sys_admin'")
@Secured("hasRole('PERM_VIEW_REPORTS')")
I don't suppose anyone has had any similar experience with the latest Spring Security release for Grails. Remember the above has worked perfectly until I upgraded but I don't see anything in the migration path that suggests there might be a problem with this system.
Thanking for any suggestions in advance.
This came down to the "ROLE_" prefix being mandatory again in the new Spring Security 3.2.0.M1 release. As can be seen from above, I had been using a "PERM_" prefix up to now to indicate that I'm using a permission-based instead of role-based paradigm.
I'm hoping to add this to the migration guide for the plugin as it's a major omission AFAIC. I would hope this would become a configuration option for the plugin in a future release.
EDIT:
It turns out Spring Security have introduced new methods hasAuthority() and hasAnyAuthority() which do not use the default role prefix and so can be used in place of hasRole() and hasAnyRole().
I have forked and updated the Spring Security docs for 3.2 and sent a pull request.
Please try with
@Secured('ROLE_USER')
If you're trying to secure with more than one role:
@Secured(['ROLE_USER','ROLE_ADMIN'])
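To see the prefix behaviour from the accepted answer in isolation, here is an added Java example (not from the thread) run against Spring Security's own SecurityExpressionRoot, the class the web security expressions build on. The users and authorities are constructed for the demo.

```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public final class RolePrefixDemo {

    /** SecurityExpressionRoot is abstract; hasRole/hasAuthority need nothing beyond the Authentication. */
    static final class Root extends SecurityExpressionRoot {
        Root(Authentication authentication) {
            super(authentication);
        }
    }

    /** Constructed user holding only the permission-style authority from the question. */
    static Root permissionUser() {
        return new Root(new TestingAuthenticationToken("alice", "n/a", "PERM_VIEW_REPORTS"));
    }

    /** hasRole() prepends the default "ROLE_" prefix, so it searches for ROLE_PERM_VIEW_REPORTS. */
    static boolean viaHasRole(Root root) {
        return root.hasRole("PERM_VIEW_REPORTS");
    }

    /** hasAuthority()/hasAnyAuthority() compare the granted authority string exactly as written. */
    static boolean viaHasAuthority(Root root) {
        return root.hasAuthority("PERM_VIEW_REPORTS")
                && root.hasAnyAuthority("PERM_VIEW_REPORTS", "PERM_EDIT_REPORTS");
    }

    /** An authority that already carries ROLE_ matches hasRole() whether or not the prefix is spelled out. */
    static boolean prefixedRoleMatchesEitherWay() {
        Root admin = new Root(new TestingAuthenticationToken("bob", "n/a", "ROLE_ADMIN"));
        return admin.hasRole("ADMIN") && admin.hasRole("ROLE_ADMIN");
    }

    public static void main(String[] args) {
        Root alice = permissionUser();
        System.out.println("hasRole('PERM_VIEW_REPORTS')      : " + viaHasRole(alice));
        System.out.println("hasAuthority('PERM_VIEW_REPORTS') : " + viaHasAuthority(alice));
        System.out.println("ROLE_ADMIN via hasRole either way : " + prefixedRoleMatchesEitherWay());
    }
}
```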

Upgrading Spring-security-oauth2 1.0.5.RELEASE to 2.0.5.RELEASE getting 404

I am getting a 404 on the authorization code and access token services. I am trying to upgrade Spring Security OAuth2 from 1.0.5.Release to 2.0.5.Release.
I am using Spring Security 3.2.5, Spring Core 3.2.13 and Spring OAuth2 2.0.5.Release.
Do we need Spring 4 for spring-oauth2-2.0.5.Release?
Do I need to use Java config for spring-oauth2-2.0.5.Release?
When I use the same XML config which works in 1.0.5, it does not work in spring-oauth2-2.0.5.Release?
Do we need spring 4 for spring-oauth2-2.0.5.Release?
Yes, I believe so.
Do I need to use java config for spring-oauth2-2.0.5.Release?
No.
When I use the same XML config which works in 1.0.5, it does not work in spring-oauth2-2.0.5.Release?
Is that a question? It should work, but without more details it's going to be hard to say. There are some API changes in 2.0, so depending on the customization you did, you may or may not have to re-implement bits of it.
A 404 is pretty generic, so maybe your whole application just failed to start? Impossible to say without more data.
The main thing I noticed that changed was that the token store packages were changed, so for example:
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
becomes
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
Also, previously in 1.0.5 I had used the TokenServicesUserApprovalHandler, which I could no longer find in any of the packages. I removed the reference to that class and the user-approval-handler-ref="userApprovalHandler" I had added to the oauth:authorization-server. Mine seems to be working now on 2.0.5; hope this helps.

Spring Security Remember Me cookie created for wrong Path

I'm using Spring Security 3.1.0 with Remember Me enabled.
I've noticed that SPRING_SECURITY_REMEMBER_ME cookies appeared 2 or 3 times in client's browser.
Cookies with the same value, but with different paths: Path=/, Path=/user, Path=/categories
The app is running in the / context, so I don't understand how cookies with other paths were created.
It happened more than once, but I didn't succeed in reproducing this behavior.
Any idea how I might have caused it?
Thanks
Alex
UPDATE:
Spring Security version 3.0.5 to 3.1.0

Grails - Spring security core and spring security ui plugin inconsistency- unable to login with a newly created user

I'm using spring security core plugin 1.2.7.2 and spring security ui 0.2 versions for my application.
I couldn't log on using the credentials I created. The new user is in the database. I looked around and read about double password encryption issues going on between the core and ui plugins. The issue is still persisting. I got it working by commenting out the beforeInsert/beforeUpdate methods in the User domain class. I was wondering if the issue is fixed in the new version?
Is there a different workaround for this? Please advise.
Thanks much
There's a setting for this in the latest release (0.2) - see the grails.plugins.springsecurity.ui.encodePassword setting in the "Password Encryption" section in section 10 of the docs: http://grails-plugins.github.com/grails-spring-security-ui/docs/manual/