I was asking why the WebSecurityExpressionHandleris annotated deprecated in spring security 3.1 and 3.2? There is no documentation in the api.
http://static.springsource.org/spring-security/site/docs/3.2.x/apidocs/org/springframework/security/web/access/expression/WebSecurityExpressionHandler.html
Does anybody know something about the reasons?
It looks like they are going to replace WebSecurityExpressionHandler with SecurityExpressionHandler<T> where T can be either FilterInvocation or MethodInvocation. Note that it doesn't affect implementation classes (DefaultWebSecurityExpressionHandler).
See also:
SEC-1562 Create SecurityExpressionHandler interface
Related
Is it possible to generate swagger ui documentation using interfaces rather than controller classes which implement the those interfaces?
Putting the documentation in the implementation class makes it look cluttered.
Springfox had this option, is it available in springdoc? If so, how to do it?
You just add the OpenAPI annotations on the interface level. An it just works.
This is a sample working demo and the annotation are on the interface level as well:
https://github.com/springdoc/springdoc-openapi-demos/tree/master/springdoc-openapi-spring-boot-2-webmvc
I have upgraded Grails and Spring Security to latest (3.3.0.RC1 and 3.2.0.M1 respectively) by following all of the migration paths but now my annotations no longer work. Control follows through to my not authorised callback (grails.plugin.springsecurity.adh.errorPage).
I have my own list of enum backed Permissions that I use to populate my list of authorities which are being correctly loaded for my user object but they no longer work in my annotations using the hasRole expression as follows;
#Secured(["hasAnyRole('PERM_VIEW_REPORTS'"])
other expressions are working fine such as the following
#Secured("authentication.name == 'sys_admin'")
#Secured("hasRole('PERM_VIEW_REPORTS')")
I don't suppose anyone has had any similar experience with the latest Spring Security release for Grails. Remember the above has worked perfectly until I upgraded but I don't see anything in the migration path that suggests there might be a problem with this system.
Thanking for any suggestions in advance.
This came down to the "ROLE_" prefix being mandatory again in the new Spring Security 3.2.0.M1 release. As can be seen from above, I had being using a "PERM_" prefix up to now to indicate that I'm using a permission based instead of role based paradigm.
I'm hoping to add this to the migration guide for the plugin as it's a major omission AFAIC. I would hope this would become a configuration option for the plugin in a future release.
EDIT:
It turns out Spring Security have introduced new methods hasAuthority() and hasAnyAuthority() which do not use the default role prefix and so can be used in place of hasRole() and hasAnyRole().
I have forked and updated the Spring Security docs for 3.2 and sent a pull request.
Please try with
#Secured ('ROLE_USER')
If you're trying to secured with more than one Role
#Secured(['ROLE_USER','ROLE_ADMIN'])
I currently have a spring mvc application which I'm trying to add spring security to. However, I can't use the #PreAuthorize annotation without getting the following error:
Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: org/springframework/cglib/transform/impl/MemorySafeUndeclaredThrowableStrategy
I'm currently using Spring Version 4.1.0 and Spring Security 3.2.5, which according to spring's documentation and other posts on here should work fine.
There's also a sample on their github which appears to be using the same versions without issue.
Any ideas?
The PreAuthorize tag has been added to a Controller, cglib is in the classpath, yet still the same error message. Any ideas?
Turns out it was version issues. Spring Security is currently at 3.2.5.Release, which I was using, but Spring was at 4.1.0.
As of 4.0.2, some of the cglib classes have been removed. The solution was to go down to 4.0.1 in Spring, or use the 4.0.0.M2 milestone release for spring security.
#PreAuthorize is implemented via AOP. If the method on which you put the annotation are not declared in an interface implemented by the class, Spring cannot use the default of JDK proxy, but uses CGLIB to proxy classes.
The error suggests you use class proxying, but do not have CGLIB in classpath.
Two ways to fix it :
add CGLIB to classpath
make your class implements an interface
BTW, you say you added #PreAuthorize to a RestController. #PreAuthorize annotation is more frequent in service layer. Normally, you use URL based authorization for what could exists in controller. The best way to fix the problem could be to move the #PreAuthorize annotation to the service class that should already be wired as an interface.
Colleagues,
In the spring security documentation I met following notion:
If you want to secure instances which are not created by Spring (using
the new operator, for example) then you need to use AspectJ.
Could anybody please show me workable example of such usage. The best case if this is done with help of static weaving.
Thank you in advance!
There is an Aspectj sample in the Spring Security codebase. It compiles against the spring-security-aspects module and then uses:
<global-method-security secured-annotations="enabled" mode="aspectj" />
to enable secured annotations. The code is very simple - it is really just a set of JUnit tests. If you take a look, you'll see that these include tests for both Spring-bean instances and instances created using the new operator.
If you want to know how spring-security-aspects works, check out the aspect source.
I am working with an app that uses spring-security 3.0 and oauth2 using spring-security-oauth-1.0.0.M3. It works fine. But it looks like migrating to spring-security 3.1 will not be trivial. I have been unable to find confirmation that the oauth module is still supported.
For example, the oauth tutorial mentions 3.0 not 3.1:
https://github.com/SpringSource/spring-security-oauth/wiki/tutorial
And I have encountered a problem similar to the Mar 4, 2012 comment in the following discussion when I attempt to do a straight upgrade to 3.1 using spring-security-oauth 1.0.0.M3 or M4:
http://code.google.com/p/spring-security-social/wiki/Usage
Specifically I see this in the Tomcat logs:
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration
problem: Failed to import bean definitions from URL location ...
Offending resource: class path resource [spring/applicationContext.xml]; nested
exception is org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected
exception parsing XML document from URL ...; nested exception is
org.springframework.beans.FatalBeanException: Invalid NamespaceHandler class
[org.springframework.security.oauth2.config.OAuth2SecurityNamespaceHandler] for namespace
[http://www.springframework.org/schema/security/oauth2]: problem with handler class file or
dependent class; nested exception is java.lang.NoClassDefFoundError:
org/springframework/security/web/util/AntUrlPathMatcher
Can someone suggest a solution to the above problem, or point to a reference for using spring-security 3.1 and spring-security-oauth, or else suggest a better alternative to implement oauth2 using spring-security 3.1?
Or if I'm missing a fundamental point of spring-security 3.1, that would also be useful to know.
Thanks!
Yes, Spring Security OAuth milestone build 1.0.0.M6, and specifically the oauth2 module, supports Spring Security 3.1.0. It is not yet considered a release. The OAuth 2.0 spec itself is not final.
The 1.0.0.M6 samples appear to be the most accurate and complete reference for implementation. The full 1.0.0.M6 tag zipball is here.
The OAuth 2 Developers Guide is a good textual reference. It's not 100% accurate, at least with respect to 1.0.0.M6. For example, the attribute user-approval-page belongs to authorization-server not authorization-code.
The Maven pom.xml must refer to artifactId spring-security-oauth2 (not spring-security-oauth as in older versions such as 1.0.0.M3).