Spring Security: content-type-options - spring-security

I have a problem with Spring Security,
since I updated the Spring Security version from 3.* to 4.0.* I have noticed a lot of problems using Internet Explorer 8+ with my applications.
I found that it is possible to disable Content Type Options by including this directive in the Spring tag:
<content-type-options disabled="true"/>
But in this way I'm vulnerable to XSS attacks. Is there a way to disable the content sniffing only for PNG files?
Thanks in advance for any kind of help or info.
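An added example, not code from the post above: Spring Security 4 Java config that keeps X-Content-Type-Options: nosniff on every response except PNG requests, by putting a second, more specific filter chain in front of the default one. The /images/ path is an assumption; if the PNGs only fail in IE because they are served with a wrong Content-Type, correcting that is preferable to dropping the header at all.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumed layout: the PNG assets are served from /images/. This chain is tried
    // first (@Order(1)) and matches only PNG requests there, so only those
    // responses go out without X-Content-Type-Options: nosniff. No
    // authorizeRequests() here: the images stay public static assets.
    @Configuration
    @Order(1)
    public static class PngHeadersConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/images/**/*.png")
                .headers()
                    .contentTypeOptions().disable();
        }
    }

    // Every other request falls through to this chain and keeps the Spring
    // Security 4 header defaults, nosniff included.
    @Configuration
    public static class DefaultConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```

The XML equivalent is a second <http pattern="..."> element with its own <headers> block, so the global <content-type-options disabled="true"/> is not needed.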

Related

Directory traversal attack on SpringBoot

I'm currently working on a project, and my client has established a vulnerability scan on my application with the Acunetix tool, and it has given him an alert about a Directory traversal attack.
The vulnerability was detected on my static folder that contains all the js/css/images folders. I've used Spring Security to deny access to those folders, but the filter has blocked access from inside the app: no styles or JS scripts can be loaded with this approach.
I've found on the internet that users of the Spring Framework should update the version, but I'm using Spring Boot and I think it's still affected by this vulnerability.
How can I fix this problem?
Thanks in advance.
Please check out the Pivotal Security page to:
determine if this vulnerability has already been fixed
send a repro project to the security team using the email address provided on that page
Note that vulnerability scanners often get things wrong, so just joining a generated report will likely be a false positive.

Downgrading Spring security to AES-128

I have a Spring Framework-based app in which I have been instructed to add AES-256 encryption. I have added this using the standard Spring Security Encryptors.textEncryptor(...).
When I ran it on our development servers I got errors which indicated issues with key lengths, so I updated the server's Java with Java JCE's unlimited policy files from Oracle.
However, when attempting to get the code deployed to our test servers, the server admins are refusing to update the Java installations.
After talking with security, they suggested downgrading the encryption from AES-256 to AES-128, under the assumption that it will work without the unlimited policy files.
As you can tell, I'm not greatly knowledgeable in this area.
I've looked online, but it appears that the Spring encryption cannot be downgraded to AES-128.
Does anyone know if this downgrade can be done, or do I have to roll my own encryption setup?
Ended up using the Spring source code as a base for rolling our own. Not hard really.
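An added example of what "rolling our own" from the Spring source can look like; it is neither the poster's code nor Spring's. It follows the same construction as Spring's AesBytesEncryptor (PBKDF2WithHmacSHA1-derived key, AES/CBC/PKCS5Padding, random IV prepended to the ciphertext) with the key length set to 128 bits, which the default JCE policy permits; the 1024 iteration count is assumed to match Spring's. Like the CBC encryptor it mirrors, it carries no integrity tag, so tampered ciphertext is not detected.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Password-based AES-128-CBC encryptor; output layout is IV (16 bytes) || ciphertext. */
public final class Aes128TextEncryptor {
    private static final int KEY_BITS = 128;     // Spring's AesBytesEncryptor fixes this at 256
    private static final int IV_BYTES = 16;
    private static final int ITERATIONS = 1024;  // assumed to match Spring's PBKDF2 count
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;

    public Aes128TextEncryptor(String password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
        this.key = new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
    }

    public byte[] encrypt(byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                       // fresh IV for every message
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] body = c.doFinal(plaintext);
        byte[] out = new byte[IV_BYTES + body.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(body, 0, out, IV_BYTES, body.length);
        return out;
    }

    public byte[] decrypt(byte[] ivAndCiphertext) throws Exception {
        IvParameterSpec iv = new IvParameterSpec(ivAndCiphertext, 0, IV_BYTES);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(ivAndCiphertext, IV_BYTES, ivAndCiphertext.length - IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[8];
        RNG.nextBytes(salt);                     // random per deployment; store it with the data
        Aes128TextEncryptor enc = new Aes128TextEncryptor("example-password", salt);
        byte[] ct = enc.encrypt("hello".getBytes(StandardCharsets.UTF_8));
        String back = new String(enc.decrypt(ct), StandardCharsets.UTF_8);
        System.out.println(back.equals("hello") ? "round trip ok" : "mismatch");
    }
}
```

JDK 8u161 and later ship with the unlimited policy enabled, which removes the reason for the downgrade on current runtimes.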

Updated JASIG Java CAS Client configuration with Spring example

I'm in the process of moving my application from Spring Security's CAS client to JASIG's Java CAS client. This was due to our security group adding some custom functionality to the JASIG version.
I've seen on JASIG's website the examples of how to configure the CAS client using Spring's configuration. I've used this example:
https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security
I'm using STS and it complains about numerous lines being incorrect or deprecated. Also, when using the Spring Security CAS client, I configured my roles as part of the <sec:http> block using intercept-url tags like this:
<sec:intercept-url pattern="/api/**" access="hasAnyRole('ROLE_OPERATOR', 'ROLE_ADMINISTRATOR')" method="GET" />
However, in the example the roles are configured in the FilterSecurityInterceptor bean, and while it uses the sec:intercept-url tags, the expressions don't work.
I believe the issue is that the example is from an earlier version of Spring Security, but I'm using a newer version.
Does anyone know of an updated version of the configuration for the above sample? I know I need to upgrade my config from what the example shows, but I'm not a full-time security guy, just a developer tasked with doing this move, so I don't live and breathe this stuff every day. Any help would be greatly appreciated.
My env:
Spring Source Framework v3.2.2
Spring Security v3.1.4
JASIG CAS Client v3.2.1
-Richard Ward

spring session rest security

Spring Session seems like a very interesting project, but I have not been able to find much information on how to properly incorporate it in a Spring Security application. The readme on the project's GitHub page has some information, but I don't think that's applicable to Spring Security. Another example that's mentioned on the same page is to utilize this mechanism for REST access. That's another use case that I think can benefit from an example. I would appreciate it if some information on the subject can be shared. Thanks.
You can use Spring Session with Spring Security by simply ensuring that you place the Spring Session filter before Spring Security's filter. There is also a security sample project within the distribution that demonstrates the use of Spring Session with Spring Security. You can run it by cloning the repository and running the following:
./gradlew :samples:security:tomcatRun
The application will be available at http://localhost:8080/

Tivoli Access Manager with Grails spring security

Does anyone here have experience integrating TAM with Grails Spring Security for single sign-on? If so, can you help me get a quick start or point me to any tutorials?
Thanks
You would probably want to use Spring Security's pre-authentication feature and examine the header sent from TAM. To do so, you would write your own authentication provider, which is really simple and just looks for the header. See this for some more information.
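An added example of the pre-authentication wiring the answer describes, written as plain Spring Security Java config rather than the Grails plugin's DSL (the plugin wires the same classes), and not code from the thread. The header name iv-user and the in-memory user list are assumptions. The provider checks no password, so the header is only safe to trust when the application is reachable solely through the TAM junction and direct client requests cannot supply it.

```java
import java.util.Collections;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class TamPreAuthConfig extends WebSecurityConfigurerAdapter {

    // Assumed header name; use the one your TAM/WebSEAL junction actually injects.
    private static final String TAM_USER_HEADER = "iv-user";

    // Maps the TAM-supplied user name to local roles. Constructed stand-in; a real
    // application loads its users (and their roles) from its own store.
    private static InMemoryUserDetailsManager localUsers() {
        UserDetails alice = new User("alice", "unused",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        return new InMemoryUserDetailsManager(Collections.singletonList(alice));
    }

    // The provider trusts the header as proof of identity and only resolves roles.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(localUsers()));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter tamFilter = new RequestHeaderAuthenticationFilter();
        tamFilter.setPrincipalRequestHeader(TAM_USER_HEADER);
        tamFilter.setExceptionIfHeaderMissing(false); // no header: request stays unauthenticated
        tamFilter.setAuthenticationManager(authenticationManager());
        http
            .addFilter(tamFilter)
            .authorizeRequests().anyRequest().authenticated();
    }
}
```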
