I am writing an application in Spring Boot. I am using the Spring boot default security mechanism. But I want to disable security for certain endpoints like monitoring, healthcheck etc.
You can add following configuration in Spring Boot application.properties
security.ignored= # Comma-separated list of paths to exclude from the default secured paths
Use security.ignored=Url Paths to be ignored property in application.properties
Related
I am trying to upgrade my existing grails application from version 2.5.6 to 3.3.11.
So far, container managed application was configured in the application via web.xml, with <login-config>. Here is the configuration:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login/login</form-login-page>
<form-error-page>/login/login_error</form-error-page>
</form-login-config>
</login-config>
As grails 3 has stopped supporting web.xml file, I am wondering how to maintain Container Managed Authentication. The reason for using Container Managed Authentication (CMA) is that our application doesn't want to handle the authentication process, as different customers have different authentication mechanisms at their end. So we prefer CMA.
Have read many online forums, they all end up with Spring Security plugin. But didn't find a configuration with Spring Security which gives control of authentication to the container.
So, how to configure CMA with Grails 3?
I added spring security to my spring application , added jars are spring security config,spring security security web and spring security core, still it is showing ' enable web security' annotation as cannot be resolved as a type.
i used web.xml, applicationcontext.xml, and annotations. Now i added a new class which contains spring security annotations.
This is because of spring security config jar 3.0 release , i updated to 3.2 then it is working .
I am writing an application in Spring to be deployed to a Cloudfoundry container and want to override the default tomcat session timeout value from the Java buildpack. What are the options available to me if I want it to be a configurable value outside my code? i.e. avoid the use of HttpSession.setMaxInactiveInterval(int).
set-env JAVA_OPTS -Dserver.session.timeout=30
some way in application properties?
It sounds like you are using Spring Boot. If so, you could set server.session.timeout=30 in an application.properties file that gets included with your app. This file is usually in /src/main/resources in the source tree and is bundled into the jar file at build time.
I have a basic springboot application with spring security added in.
When I change the application context path by specifying server.context-path (say /xyz) in application.properties, all endpoints except spring security change as expected to /xyz/endpoint1.
Spring security still redirects unauthenticated requests with a 302 to /login.
Is there anyway to force spring security to respect the context path set in spring boot config?
By default spring boot exposes a number of JMX endpoints, has anyone had any experience securing these, it seems there is no security surrounding JMX.
The only config available to Spring boot:
endpoints.jmx.enabled=true
endpoints.jmx.domain= # the JMX domain, defaults to 'org.springboot'
endpoints.jmx.unique-names=false
endpoints.jmx.enabled=true
endpoints.jmx.staticNames=
I have seen examples using JmxSecurityAuthenticator, should I follow this pattern.
AFAIK securing the JMX connections is all about how you set up the server. I think you just need to add a #Bean of type ConnectorServerFactoryBean.