29,158 questions
0 votes, 0 answers, 7 views
Customizing Saml2LogoutResponse in an AP-Initiated SLO
I'm testing my Spring servlet application for an AP-initiated SLO, and I get a 500 error from the Asserting party when I return a success message in SamlLogoutResponse. The AP logs indicate that the ...
Advice
0 votes, 1 reply, 25 views
Silent SSO with Auth0 in legacy Spring MVC (SSR) app with LDAP login and Spring Security 5
How to implement Auth0 Universal Login + Silent SSO + SLO in a legacy Spring MVC (SSR) app? Can the Auth0 SPA SDK be used?
I have a legacy Spring MVC (server-side rendered) application using:
Spring ...
0 votes, 0 answers, 54 views
Cannot resolve symbol 'PathPatternRequestMatcher'
I have this Spring Security configuration for Spring cloud 2025.0.0:
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
private RequestMatcher[] permittedAntMatchers() {
...
1 vote, 0 answers, 70 views
Return type mismatch: expected 'Any', actual 'Authentication?'
I tried to upgrade my code to Spring Boot 4.0.0, and given the following Kotlin code,
@Bean
fun auditorAware(): ReactiveAuditorAware<String> = ReactiveAuditorAware<String> {
...
0 votes, 1 answer, 70 views
Spring Authorization Server – /login keeps returning 403 instead of showing login page
I am learning Spring Authorization Server and trying to build a simple OAuth2 Authorization Server without OpenID Connect.
I want to handle the login page myself inside the same Authorization Server ...
0 votes, 0 answers, 56 views
Spring Security 3.1.4 requestmatchers with Pathvariable
I have an unclear situation. I'm using a controller with any endpoints. I have two methods with GET endpoints /short and /{idOrCode}. Pathvariable is a String type. Endpoint with this pathvariable ...
1 vote, 0 answers, 62 views
Spring: How to redirect back to the form after authenticating its POST request?
I have got a (Thymeleaf) form which I have made accessible to all users, even to those who are not logged in, in order to improve the UX. Only submitting the form (through a POST request) requires ...
0 votes, 0 answers, 57 views
401 Unauthorized error when submitting multipart/form-data without multipartfile
I'm a beginner working on a team project and currently creating a "board" page in React + Spring Boot.
I'm really confused because I keep getting a 401 Unauthorized error when submitting a ...
Best practices
0 votes, 2 replies, 46 views
How to configure Nginx so that X.509 authentication implemented with Spring Security works correctly?
I have a REST API server application that authenticates users exclusively via X.509 authentication implemented with Spring Security, using the Common Name (CN) from the client certificate directly as ...
0 votes, 0 answers, 27 views
Blind SSRF on Sensitive Headers on Spring Boot Rest API
I have written my Spring Boot security configuration like this:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
DefaultBearerTokenResolver ...
1 vote, 1 answer, 106 views
keycloak frontend backend network configuration in docker compose for localhost
I'm running keycloak, next js, and spring boot app using docker compose. Right now I'm having an issue in setting up network configurations, usually either I'm getting issuer mismatch in the backend, or ...
1 vote, 1 answer, 88 views
Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Since more than one mappable servlet in your servlet context:
I am applying Spring Security in a Spring MVC (Spring Boot) application. The application already has CSRF and Session Management and I want to apply JWT Authentication along with Spring security. But ...
Best practices
4 votes, 2 replies, 120 views
How did you implement Attribute-based Access Control (ABAC) in Spring Boot?
I’ve been working on an issue in our Spring Boot application for some time now: authorization. Because we have a more complex permission model — permissions depend not only on roles, but also on user-...
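One way to do attribute-based checks in Spring Security 6 method security, added here as an example and not taken from the discussion above: the decision is delegated from `@PreAuthorize` to a Spring bean, so the rule can read attributes of both the caller and the resource instead of only role names. `Document`, the `DEPT_` authority prefix and the `DOC_RESTRICTED_EDIT` authority are illustrative names assumed for this example.

```java
// Added example, not from the discussion: ABAC via a policy bean called from @PreAuthorize.
// Assumed names: Document record, DEPT_<name> authorities carrying the caller's department,
// DOC_RESTRICTED_EDIT authority for restricted documents.
import java.util.Optional;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

public class AbacExample {

    /** The resource whose attributes take part in the decision. */
    public record Document(long id, String ownerId, String department, String classification) {}

    /** Policy object; referenced from SpEL as @docAuth. */
    @Component("docAuth")
    public static class DocumentAuthorizer {

        // Department is carried as an authority with a DEPT_ prefix (assumed convention).
        private static Optional<String> departmentOf(Authentication auth) {
            return auth.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .filter(a -> a.startsWith("DEPT_"))
                    .map(a -> a.substring("DEPT_".length()))
                    .findFirst();
        }

        private static boolean hasAuthority(Authentication auth, String wanted) {
            return auth.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .anyMatch(wanted::equals);
        }

        /**
         * Policy: the owner may always edit; a colleague in the same department may edit
         * unless the document is RESTRICTED, which additionally needs DOC_RESTRICTED_EDIT.
         * Anything unexpected (no authentication, no department attribute) is denied.
         */
        public boolean canEdit(Authentication auth, Document doc) {
            if (auth == null || !auth.isAuthenticated() || doc == null) {
                return false;
            }
            if (doc.ownerId().equals(auth.getName())) {
                return true;
            }
            boolean sameDepartment = departmentOf(auth)
                    .map(doc.department()::equals)
                    .orElse(false);
            if (!sameDepartment) {
                return false;
            }
            return !"RESTRICTED".equals(doc.classification())
                    || hasAuthority(auth, "DOC_RESTRICTED_EDIT");
        }
    }

    @Service
    public static class DocumentService {
        // 'authentication' comes from the method-security expression root; #doc requires
        // parameter names kept at compile time (-parameters), which Spring Boot builds enable.
        @PreAuthorize("@docAuth.canEdit(authentication, #doc)")
        public void edit(Document doc) {
            // ... persist the change
        }
    }

    @Configuration
    @EnableMethodSecurity
    public static class MethodSecurityConfig {}

    // Exercises the policy directly, without a Spring context, to show the decision table.
    public static void main(String[] args) {
        DocumentAuthorizer authz = new DocumentAuthorizer();
        Document memo = new Document(1, "alice", "finance", "INTERNAL");
        Document payroll = new Document(2, "alice", "finance", "RESTRICTED");

        Authentication bob = UsernamePasswordAuthenticationToken.authenticated(
                "bob", "n/a", AuthorityUtils.createAuthorityList("DEPT_finance"));
        Authentication carol = UsernamePasswordAuthenticationToken.authenticated(
                "carol", "n/a", AuthorityUtils.createAuthorityList("DEPT_finance", "DOC_RESTRICTED_EDIT"));
        Authentication dave = UsernamePasswordAuthenticationToken.authenticated(
                "dave", "n/a", AuthorityUtils.createAuthorityList("DEPT_sales"));

        System.out.println("bob edits memo:      " + authz.canEdit(bob, memo));
        System.out.println("bob edits payroll:   " + authz.canEdit(bob, payroll));
        System.out.println("carol edits payroll: " + authz.canEdit(carol, payroll));
        System.out.println("dave edits memo:     " + authz.canEdit(dave, memo));
    }
}
```

Running `main` shows the policy deny-by-default shape: bob (same department) can edit the internal memo but not the restricted payroll document, carol can edit payroll because she also holds `DOC_RESTRICTED_EDIT`, and dave (other department) is refused. Keeping the rule in a plain bean means it can be unit-tested with constructed `Authentication` objects exactly like this, with no web or Spring context.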
0 votes, 1 answer, 87 views
Change default success URL in Spring Security using Vaadin 24
Has anyone been able to change the default success URL after login in Vaadin 24, where we are supposed to handle the filter as follows:
public SecurityFilterChain securityFilterChain(@NonNull ...
0 votes, 0 answers, 44 views
Spring Security filter chain not allowing public API Swagger
Below is my code block. I want to run my public API without JWT authorization. Even if I am using the security filter chain having been set to permit all public, I am still getting the issue of an ...
Advice
1 vote, 1 reply, 44 views
advertise RequestedAttribute in service provider metadata in Spring-security OpenSAML5
I am aware that some identity providers (IDPs) may not return all requested attributes but I would like to have them published in my service provider (SP) SAML metadata to encourage any IDP who does ...
1 vote, 0 answers, 58 views
Custom WebAuthn Login and Registration Pages in Spring Security
I'd like to add Passkey (WebAuthn) support to an application. As I want to have a custom designed login and registration page, I disable the default registration page and configure a custom login page....
-1 votes, 2 answers, 90 views
403 Error on Endpoint That Does Not Require Role Based Authentication But Token Authentication
I am following a tutorial with Spring Boot and I am stuck in the authentication phase. I have a JwtRequestFilter.java Security Filter Class which is implemented in SecurityConfig.java just before ...
0 votes, 1 answer, 87 views
Spring Boot OAuth2 with Casdoor behind AWS Lambda + HTTP API v2: state parameter encoding issue
I’m developing a Spring Boot application deployed behind an AWS API Gateway (HTTP API v2) with Lambda (handler based on SpringBootLambdaContainerHandler and HttpApiV2ProxyRequest).
I’m using OAuth2 ...
0 votes, 0 answers, 58 views
Spring Security SAML in Springboot 3.5.x not responding to forwarded requests
I have an older version of my app that I upgraded to SpringBoot 3.5.x and the SAML ACS URL changed after upgrading. So I used urlrewrite to forward the request from the old URL to the new URL. ...
1 vote, 0 answers, 64 views
Spring Security 5 (Spring Boot 2.7) update to 6 (Spring Boot 3.2) causes different Response, HTTP.302 instead of HTTP.200
I'm struggling with a Spring Boot update of my service, from Spring Boot 2.7 to 3.2.
This update includes an update of Spring Security 5.7 to 6.1. The class WebSecurityConfigurerAdapter is no longer ...
1 vote, 1 answer, 101 views
Spring Boot 3 + Spring Security 6: 403 Forbidden when sending POST from Postman (stateless API)
I’m testing a POST endpoint of a stateless API (no sessions/forms) and Postman returns 403 Forbidden. I suspect CSRF, but I’m not sure how to configure it correctly in Security 6 for a stateless REST ...
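For reference, the shape of a stateless Spring Security 6 chain that the symptom above usually calls for, added here as an example and not the poster's code: with CSRF protection enabled, a POST that carries no CSRF token is rejected with 403 before the controller runs. CSRF can only be switched off safely when the chain accepts no cookie- or session-based credential at all; the example assumes the API is authenticated solely by a bearer JWT, and the `/api/public/**` path is an assumption.

```java
// Added example (not the poster's code): stateless, bearer-token-only filter chain.
// Assumption: no form login and no session cookie are accepted by this chain, so there is
// no ambient credential a cross-site form could ride on and CSRF protection can be disabled.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Safe only because this chain never authenticates via cookies.
            .csrf(AbstractHttpConfigurer::disable)
            // Never create or consult an HttpSession; each request must carry its own token.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // assumed public endpoint; everything else needs a valid token
                .requestMatchers(HttpMethod.POST, "/api/public/**").permitAll()
                .anyRequest().authenticated())
            // Bearer JWT validation; issuer and JWK settings come from
            // spring.security.oauth2.resourceserver.jwt.* properties.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

If the same application also serves a browser UI that logs in with a session cookie, do not reuse this chain for it: give the UI its own `SecurityFilterChain` (selected with `securityMatcher`) that keeps CSRF enabled, and have the front end send the token it reads from the cookie. Disabling CSRF globally just to make Postman happy re-introduces the vulnerability for every cookie-authenticated route.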
1 vote, 1 answer, 94 views
Spring Security: AccessDeniedException with redirecting to the login page without OAuth 2 authentication
I follow the book Pro Spring Security 6 and try to make a simple OAuth 2 authentication. My configuration:
@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration {
@Bean
...
0 votes, 0 answers, 27 views
Logout with dynamic post_logout_redirect_uri on gateway
How to have post_logout_redirect_uri when we have spring-cloud-gateway which is served for multiple frontend applications and each of those applications could have its own logout page?
Is it just ok ...
0 votes, 0 answers, 116 views
Spring Security configuration always redirecting to Login page
I recently upgraded Java, Springboot, Spring Security, and Tomcat to versions 21, 3.5.6, 6.5.5, and 10, respectively, from versions 8, 2.7.5, 5.3.23, and 9, respectively, and I am updating my security ...
1 vote, 2 answers, 68 views
Spring OAuth2 Resource Server with Salesforce as IdP: how to handle roles without hitting the database every request?
Context
I have a Spring Boot REST API acting as an OAuth2 Resource Server, configured with Spring Security 6.
Salesforce is my external authorization server (IdP). The access token issued by ...
2 votes, 0 answers, 54 views
Intercept session timeout
I have an application written in Grails 6.x.
I use spring-security-core and spring-security-ldap plugins to authenticate against an Active Directory server.
I have set a timeout of 5 minutes, and once ...
0 votes, 0 answers, 40 views
Trying to get authenticated user ID in Spring; Property or field 'id' cannot be found on object of type User
I am trying to get the authenticated user ID. I want to access the user ID in the global layout.
templates/layout.html:
<li sec:authorize="isAuthenticated()" class="nav-item btn btn-...
0 votes, 1 answer, 88 views
OAuth2 login and linking associated OAuth2 clients to the logged in user
The intent of the Spring Boot application I'm building is to have a login against an IDP (Spring Security OAuth2 Login). For access to several third party APIs (Spring Security OAuth2 Client) I will ...
0 votes, 0 answers, 62 views
SecurityFilterChain bean from the library conflicts with managementSecurityFilterChain bean from ManagementWebSecurityAutoConfiguration
I have a library that specifies WebSecurity where I'm creating SecurityFilterChain bean. Actually, ManagementWebSecurityAutoConfiguration is annotated with @ConditionalOnDefaultWebSecurity and if my ...
0 votes, 2 answers, 125 views
How to set timeout for ClientCredentials OAuth2 token request in Spring Security 6.5.1 (using RestClientClientCredentialsTokenResponseClient)?
How to set timeouts for ClientCredentials token requests in Spring Security 6.5.1?
I'm using Spring Security OAuth2 Client 6.5.1 with ClientCredentials grant type, and need to set connect/read ...
0 votes, 0 answers, 44 views
How to write a custom meta annotation to check for authority when using Spring Security?
I have an enum with permission values:
public enum Permission {
DASHBOARD_OPEN("dashboard:open");
private final String key;
Permission(String key) {
this.key = key;
...
0 votes, 1 answer, 46 views
Spring Method loadUser not called from custom OAuthUserService
I am trying to persist data about oauth logged users, but it seems that the method that I have overridden (loadUsers from DefaultOAuth2UserService) is not being called upon login completion. My code ...
1 vote, 1 answer, 657 views
Migrate AntPathRequestMatcher to PathPatternRequestMatcher
I have this code which I want to migrate:
private RequestMatcher[] permittedAntMatchers() {
return Stream.concat(
"/admin/", "*/admin/"
)
...
0 votes, 0 answers, 87 views
Spring Boot CSRF/XSRF Token Validation Bypass
I'm facing an issue with my application which is allowing the user to change the X-XSRF-TOKEN and it's being validated in the backend.
For the context: I'm using Spring Boot 2.7.7 and Spring Security ...
0 votes, 0 answers, 75 views
Spring OAuth2 login page doesn’t load correctly when accessed through Gateway
I’m using a Spring OAuth2 Authorization Server with a Gateway in front of it.
When I access the login page directly via http://localhost:9999 (the OAuth2 server port), everything works: the CSS loads ...
0 votes, 1 answer, 103 views
Spring OAuth2 Authorization Server: IllegalArgumentException when deserializing custom User class after consent approval
I'm trying to set up a Spring Authorization Server for learning purposes. The login and consent screens work, but after I approve the consent screen and submit the /authorize request, I get the ...
3 votes, 1 answer, 167 views
Disable @PreAuthorize
I have a Spring Security configuration for permitting all requests:
@Configuration
@EnableWebSecurity
@Profile("no-auth")
public class NoAuthSecurityConfig {
private static final Logger ...
1 vote, 0 answers, 52 views
Spring boot upgrade requires csrf token for multipart file upload post request
We upgraded our spring boot application from 2.5.14 to 3.5.5, now POST requests for multipart file upload are failing with a 403 response. This is a service to service interface, no user login is ...
2 votes, 2 answers, 225 views
AuthorizationDeniedException: Access Denied
I want to disable Spring Security and to allow every request:
public class DefaultSecurityConfig {
@Bean
@Order(1)
@Profile("no-authentication")
public ...
0 votes, 0 answers, 59 views
Spring Boot own token authenticator not working
I have a Spring Boot application in which I want to use a token (stored in a database table) for authentication. I added my own filter and authentication provider but the provider isn't used. Why is ...
0 votes, 0 answers, 68 views
Login fails when using char[] instead of String for password credentials
Describe the bug
When using UsernamePasswordAuthenticationToken with a char[] password instead of a String, authentication fails.
From a security perspective, it is recommended to use char[] to avoid ...
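The mechanism behind the behaviour reported above, shown as an added example rather than the poster's code: the stock `DaoAuthenticationProvider` obtains the presented password with `authentication.getCredentials().toString()` before handing it to the `PasswordEncoder`. For a `String` that is the password; for a `char[]` it is the array's identity string (`[C@...`), so the encoder compares the wrong value and login fails. The two static helpers below are illustrative and stand in for that line of the provider and for a `char[]`-aware alternative; the username and password are constructed sample data.

```java
// Added example (not the poster's code): why a char[] credential never matches with the
// stock provider, and what a char[]-aware comparison looks like. Helper names are illustrative.
import java.nio.CharBuffer;
import java.util.Arrays;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class CharArrayCredentialDemo {

    // Mirrors what DaoAuthenticationProvider does with the credentials object:
    // for a char[] this yields "[C@<hash>", not the characters the user typed.
    static CharSequence presentedAsStockProvider(Object credentials) {
        return credentials.toString();
    }

    // char[]-aware variant: wrap the array so the encoder sees the real characters without
    // creating an immutable String copy of the password (CharBuffer implements CharSequence).
    static CharSequence presentedCharArrayAware(Object credentials) {
        if (credentials instanceof char[] chars) {
            return CharBuffer.wrap(chars);
        }
        return credentials.toString();
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        char[] secret = "correct horse battery".toCharArray();      // constructed sample secret
        String stored = encoder.encode(CharBuffer.wrap(secret));    // what UserDetails would hold

        // The token the poster builds: principal plus a char[] credential.
        UsernamePasswordAuthenticationToken token =
                UsernamePasswordAuthenticationToken.unauthenticated("alice", secret);

        CharSequence stockView = presentedAsStockProvider(token.getCredentials());
        CharSequence awareView = presentedCharArrayAware(token.getCredentials());

        System.out.println("stock provider compares: " + stockView);
        System.out.println("stock provider matches:  " + encoder.matches(stockView, stored));
        System.out.println("char[]-aware matches:    " + encoder.matches(awareView, stored));

        // The reason to prefer char[] at all: the caller can wipe it once it has been used.
        Arrays.fill(secret, '\0');
    }
}
```

Running this, the stock-style comparison fails and the `CharBuffer`-wrapped one succeeds against the same bcrypt hash. Anyone who wants `char[]` credentials end to end therefore needs a provider (or a `DaoAuthenticationProvider` subclass overriding `additionalAuthenticationChecks`) that does the wrapping shown in `presentedCharArrayAware`; with the stock provider, the credential has to be a `String` or `CharSequence` whose `toString()` returns the password.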
0 votes, 1 answer, 85 views
Where should roles and missions/ACLs be managed when building an authorization server?
I’m trying to build my own Spring Authorization Server (for learning purposes and possibly to use across multiple projects in the future).
I’m already familiar with Spring Security and resource server ...
1 vote, 0 answers, 69 views
How to run CacheRequestBodyGatewayFilterFactory before Spring Security filters in Spring Cloud Gateway?
Body
I’m working on a Spring Cloud Gateway project with Spring Security enabled.
I want to cache the request body using the existing CacheRequestBodyGatewayFilterFactory so that the body is available ...
0 votes, 1 answer, 39 views
Anonymous SecurityContext initiated when using SpringSecurity with permitted patterns
I am using Spring Security 6.4.8.
I need to allow an endpoint for initiation of the login, say /fun, in which I need to have certain logic (e.g. do something with a passed parameter).
Therefore, I ...
2 votes, 1 answer, 70 views
Spring Boot OAuth2 + MFA: Cached /oauth2/authorize request becomes null on server (works locally)
Body:
I developed an IAM system using Spring Boot where I integrated multi-factor authentication (MFA).
Here’s the flow I implemented:
A client sends a GET request to /oauth2/authorize.
This redirects ...
0 votes, 0 answers, 63 views
Spring Boot authentication token and autoscaling
For a BFF we use tokens to communicate to the backend. We also use MongoDB to save the sessions to the database to enable multiple clusters.
I'm trying to enable autoscaling, but unfortunately I don't ...
0 votes, 0 answers, 417 views
An error occurred while attempting to decode the Jwt: Timeout while waiting for cache refresh
I have a Spring Boot application that uses JWT Token based authentication. The issuer and IDP of the token is Auth0.
Sometime back I got an error An error occurred while attempting to decode the Jwt: ...
-4 votes, 1 answer, 58 views
JSL-Springboot security login page redirecting infinitely (ERR_TOO_MANY_REDIRECTS)
/login page seems to be stuck in a loop of being redirected to self.
For context, I want /register & /login to be visible without authentication, while all other pages in my project should ...
0 votes, 1 answer, 152 views
403 Forbidden returned in spring boot
I have a spring boot application that uses rest to communicate with clients; this application has 2 types of users: visitors and employees.
These 2 users have different authentication methods but they ...