I have bean following this tutorial.
http://www.codesandnotes.be/2014/10/31/restful-authentication-using-spring-security-on-spring-boot-and-jquery-as-a-web-client/#comment-515
And it is working great, But I cant figure out where the helloween cookie name is set. How can I override the name of X-CSRF-TOKEN?
It's handled in the JavaScript. For example:
$.cookie('helloween', JSON.stringify(cookie));
Related
I´m using spring security rest. Actually to refresh token im using this url: /oauth/access_token?grant_type=refresh_token&refresh_token=token
However i'm using api rest and I want to use /api/oauth to refresh token instead of /oauth.
I tried redirect in urlMappings, but response 404 not found.
"/api/oauth"(redirect: '/oauth')
"/api/oauth"(redirect: '/oauth')
As you found, that mapping won't work but there may not be a good reason to use a redirect anyway. The plugin provides a mapping like this:
"/oauth/access_token"(controller: 'restOauth', action: 'accessToken')
(see https://github.com/alvarosanchez/grails-spring-security-rest/blob/d5940921b4aea466a961957e0599321d01e4c6de/spring-security-rest/grails-app/controllers/grails/plugin/springsecurity/rest/RestOauthUrlMappings.groovy#L24)
You can map whatever url you like to that controller. You could do this...
"/api/oauth"(controller: 'restOauth', action: 'accessToken')
*** Work for me grails spring refresh token
-method : Post
-http://localhost:8085/oauth/access_token?grant_type=refresh_token&refresh_token={your_access_token}
So the thing is, this code works very well:
response["set-cookie"]="cookieName=#{#cookieValue.split.join}"
I can set a cookie, with a correct name and content (yes, split.join is correct too). But I need to set a domain too.
My website goes on domain like this: mysubdomain.mywebsite.com
But I need to set the cookie for domain mywebsite.com.
If I add it like this, the cookie is just not there:
response["set-cookie"]="cookieName=#{#cookieValue.split.join};Path=/;Domain=mywebsite.com"
I need to set a cookie with response["set-cookie"] because it is the only method that works for my long string. I tried every method, but I need to use this one.
So the question is: How can I set a domain by using response["set-cookie"] for setting cookie?
Well, prefer using an initializer here. Create a new file config/initializers/cookies.rb, and put the following code there:
options = {
key: 'your_cookie_name',
domain: 'your_domain'
}
Rails.application.config.session_store :cookie_store, options
This will make your cookie-related configuration at one place, although, it's not mandatory. You can still use the domain option to specify domain name for your cookie.
I wasn't able to make that works. I think Rails have some safety mechanism that prevents this (but it is correct to set cookie for domain from subdomain).
But I was able to do it by javascript:
document.cookie = "#{#cookieName}=#{#cookieContent};domain=yourdomain.com"
One line of code, works perfectly. Just put it in your view or to separate file and require it in application.js I am on subdomain but finally can set cookie for parent domain.
I'm using VAADIN with SpringBoot based on https://vaadin.com/spring . Things are working fine except of authentication. I'm using SpringBoot based SpringSecurity java config which works fine and SecurityContextHolder.getContext().getAuthentication() returns current user for me in VaadinUI. My config is pretty straighforward here:
http.authorizeRequests()
.antMatchers("/*").authenticated().and().httpBasic()
The problem is that SecurityContextHolder.getContext().getAuthentication() returns correct value only for the first request when VaadinUI is displayed. Then any subsequent Vaadin request (e.g. button click) returns null for SecurityContextHolder.getContext().getAuthentication() . Any idea how to make it work as expected?
This is because of the way Vaadin handles the requests. It does not use DispatcherServlet, and you probably need to use RequestContextListener (or RequestContextFilter) to enable request and session scopes.
Have a look discussion about a related topic here.
Make sure that your #Configuration class that extends WebSecurityConfigurerAdapter is annotated with #EnableWebSecurity.
I am currently using Spring Security OAuth2 with Reddit - and trying to pass the duration parameter when redirecting the user to an authorization URL.
This URL is constructed via getRedirectForAuthorization - which is a private method in AuthorizationCodeAccessTokenProvider - so it's not immediately clear how the duration parameter should be added in.
Am I missing anything?
Thanks.
You can add query parameters to the authorization request using a RequestEnhancer. You can inject one into the AccessTokenProvider and the DefaultRequestEnhancer includes a list of parameters to include (empty by default).
In case of login errors with Spring Boot Security: Both ${param.error} and ${param.logout} work with Thymeleaf - but how do I access them with e.g. Velocity?
OK, I wasn't aware that $param represents URL params. So ${param.error} and ${param.logout} are not generated from Spring Security, they are Thymeleaf-specific - meaning: one has to rebuild this for Velocity, they are not available out of the box