3,601 questions
29
votes
11
answers
80k
views
CORS issue - No 'Access-Control-Allow-Origin' header is present on the requested resource
I have created two web applications - client and service apps. The interaction between client and service apps goes fine when they are deployed in the same Tomcat instance.
But when the apps are deployed ...
18
votes
4
answers
21k
views
Springboot Security hasRole not working
I’m unable to use hasRole method in @PreAuthorize annotation. Also request.isUserInRole("ADMIN") gives false. What am I missing?
Although .hasAuthority("ADMIN") works fine.
I am assigning authorities ...
142
votes
26
answers
519k
views
How to configure CORS in a Spring Boot + Spring Security application?
I use Spring Boot with Spring Security and Cors Support.
If I execute following code
url = 'http://localhost:5000/api/token'
xmlhttp = new XMLHttpRequest
xmlhttp.onreadystatechange = ->
if ...
15
votes
3
answers
13k
views
Filter invoke twice when register as Spring bean
I want to use @Autowire with a Filter. So I define my filter in the SecurityConfig as below:
@Override
protected void configure(HttpSecurity http) throws Exception {
http....
4
votes
2
answers
4k
views
How to fix role in Spring Security?
I'm trying to use Spring Security in my project, here is the code:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// TODO Auto-generated method stub
/...
27
votes
2
answers
25k
views
Spring Security : Multiple HTTP Config not working
I am trying to use Spring Security and I have a use case where I want different login pages and different set of URLs to be secured.
Here is my configuration:
@Configuration
@Order(1)
public static ...
163
votes
9
answers
214k
views
How do I enable logging for Spring Security?
I am setting up Spring Security to handle logging users in. I have logged in as a user, and am taken to an Access Denied error page upon successful login. I don't know what roles my user has actually ...
102
votes
11
answers
183k
views
Serving static web resources in Spring Boot & Spring Security application
I am trying to develop Spring Boot web application and securing it using Spring security java configuration.
After placing my static web resources in 'src/main/resources/public' as advised here in ...
174
votes
9
answers
136k
views
How to get active user's UserDetails
In my controllers, when I need the active (logged in) user, I am doing the following to get my UserDetails implementation:
User activeUser = (User)SecurityContextHolder.getContext().getAuthentication(...
68
votes
20
answers
264k
views
Spring security CORS Filter
We added Spring Security to our existing project.
From this moment on we get a 401 No 'Access-Control-Allow-Origin' header is present on the requested resource error from our server.
That's ...
149
votes
14
answers
222k
views
Handle spring security authentication exceptions with @ExceptionHandler
I'm using Spring MVC's @ControllerAdvice and @ExceptionHandler to handle all the exception of a REST Api. It works fine for exceptions thrown by web mvc controllers but it does not work for exceptions ...
92
votes
3
answers
151k
views
How To Inject AuthenticationManager using Java Configuration in a Custom Filter
I'm using Spring Security 3.2 and Spring 4.0.1
I'm working on converting an xml config into a Java config. When I annotate AuthenticationManager with @Autowired in my Filter, I'm getting an exception ...
94
votes
4
answers
40k
views
Spring Security Configuration - HttpSecurity vs WebSecurity
I just need to understand something in Spring Security Configuration. Using the example below...
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
...
99
votes
3
answers
75k
views
How to create custom methods for use in spring security expression language annotations
I would like to create a class that adds custom methods for use in spring security expression language for method-based authorization via annotations.
For example, I would like to create a custom ...
6
votes
1
answer
4k
views
How to use multiple login pages one for admin and the other one for user
I want two different login pages. One for admins and the other one for users.
Using the code below only the class with @Order(1) works when I remove the @Order annotation from the static classes, only ...
306
votes
18
answers
187k
views
When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
I have a Spring MVC web app which uses Spring Security. I want to know the username of the currently logged in user. I'm using the code snippet given below. Is this the accepted way?
I don't ...
232
votes
20
answers
257k
views
How to manage exceptions thrown in filters in Spring?
I want to use generic way to manage 5xx error codes, let's say specifically the case when the db is down across my whole spring application. I want a pretty error json instead of a stack trace.
For ...
123
votes
8
answers
251k
views
How to disable spring security for particular url
I am using stateless spring security, but in case of signup I want to disable spring security. I disabled using
antMatchers("/api/v1/signup").permitAll().
but it is not working, I am getting error ...
16
votes
7
answers
35k
views
Spring Boot 2.0.x disable security for certain profile
In Spring Boot 1.5.x, I've had Security configured and in certain profiles (e.g. local), I've added security.basic.enabled=false line to the .properties file to disable all security for that profile. ...
140
votes
29
answers
383k
views
Spring boot Security Disable security
When I use security.basic.enabled=false to disable security on a Spring Boot project that has the following dependencies:
<dependency>
<groupId>org.springframework.boot</...
92
votes
2
answers
255k
views
When to use Spring Security's antMatcher()?
When do we use antMatcher() vs antMatchers()?
For example:
http
.antMatcher("/high_level_url_A/**")
.authorizeRequests()
.antMatchers("/high_level_url_A/sub_level_1").hasRole('USER')
...
48
votes
14
answers
188k
views
Spring Boot Security CORS
I have a problem with CORS filter on spring security URL's.
It doesn't set Access-Control-Allow-Origin and other exposed header on URL's belonging to spring sec (login/logout) or filtered by Spring ...
67
votes
5
answers
64k
views
Configuring Spring Security 3.x to have multiple entry points
I have been using Spring Security 3.x for handling user authentication for my projects, and so far, it has worked flawlessly.
I recently received the requirements for a new project. In this project, ...
37
votes
7
answers
67k
views
Spring Security: password encoding in DB and in applicationContext
Have config (applicationContext-security.xml):
<authentication-manager alias="authenticationManager">
<authentication-provider>
<password-encoder hash="sha"/>
<...
49
votes
13
answers
133k
views
Spring Boot CORS filter - CORS preflight channel did not succeed
I need to add CORS filter to my Spring Boot web application.
I have added CORS mappings as described in the following documentation http://docs.spring.io/spring/docs/current/spring-framework-...
8
votes
2
answers
10k
views
Spring Boot 3 with Spring Security Intercepts exceptions I don't want it to
I'm building an API using Spring Boot 3.0.2 with Spring Security, I've built out the security filter chain and it's working fine as far as blocking unauthenticated requests. But I have a ...
236
votes
3
answers
253k
views
How Spring Security Filter Chain works
I realize that Spring security build on chain of filters, which will intercept the request, detect (absence of) authentication, redirect to authentication entry point or pass the request to ...
63
votes
9
answers
39k
views
Spring Security and @Async (Authenticated Users mixed up)
I asynchronously invoke a method with Spring, using @Async. This method invokes another method annotated with @PreAuthorize, the Spring Security Annotation. To make the authorization work I have to ...
336
votes
6
answers
190k
views
Difference between Role and GrantedAuthority in Spring Security
There are concepts and implementations in Spring Security, such as the GrantedAuthority interface to get an authority to authorize/control an access.
I would like that to permissible operations, ...
63
votes
6
answers
117k
views
How to apply Spring Security filter only on secured endpoints?
I have the following Spring Security configuration:
httpSecurity
.csrf().disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
...
130
votes
9
answers
267k
views
How to manually set an authenticated user in Spring Security / SpringMVC
After a new user submits a 'New account' form, I want to manually log that user in so they don't have to login on the subsequent page.
The normal form login page going through the spring security ...
130
votes
13
answers
188k
views
Spring Security 5 : There is no PasswordEncoder mapped for the id "null"
I am migrating from Spring Boot 1.4.9 to Spring Boot 2.0 and also to Spring Security 5 and I am trying to do authenticate via OAuth 2. But I am getting this error:
java.lang....
86
votes
7
answers
112k
views
Disable Spring Security for OPTIONS Http Method
Is it possible to disable Spring Security for a type of HTTP Method?
We have a Spring REST application with services that require Authorization token to be attached in the header of http request. I ...
68
votes
3
answers
77k
views
Spring Security 3 database authentication with Hibernate
I need to authenticate users from database, Spring Security documents don't tell how to authenticate with hibernate. Is that possible and how can I do that?
54
votes
4
answers
171k
views
How to use OAuth2RestTemplate?
I'm trying to understand how to use a OAuth2RestTemplate object to consume my OAuth2 secured REST service (which is running under a different project and let's assume also on a different server etc...)...
26
votes
6
answers
45k
views
How to dynamically decide <intercept-url> access attribute value in Spring Security?
In Spring Security we use the intercept-url tag to define the access for URLs as below:
<intercept-url pattern="/**" access="ROLE_ADMIN" />
<intercept-url pattern="/student" access="...
99
votes
9
answers
241k
views
How do I get the Session Object in Spring?
I am relatively new to Spring and Spring security.
I was attempting to write a program where I needed to authenticate a user at the server end using Spring security,
I came up with the following:
...
77
votes
8
answers
67k
views
Can Spring Security use @PreAuthorize on Spring controllers methods?
Can Spring Security use @PreAuthorize on Spring controllers methods?
46
votes
8
answers
81k
views
How to pass an additional parameter with spring security login page
I am trying to set the database name as the request input parameter from the spring security login page. At present I am only getting username that's been retrieved using spring security ...
186
votes
5
answers
79k
views
What's the difference between @Secured and @PreAuthorize in spring security 3?
It's not clear for me what is the difference in spring security between :
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact)
And
@Secured("ROLE_USER")
public void create(...
122
votes
9
answers
223k
views
How to disable 'X-Frame-Options' response header in Spring Security?
I have CKeditor on my JSP and whenever I upload something, the following error pops out:
Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&...
78
votes
6
answers
76k
views
JSON Web Token (JWT) with Spring based SockJS / STOMP Web Socket
Background
I am in the process of setting up a RESTful web application using Spring Boot (1.3.0.BUILD-SNAPSHOT) that includes a STOMP/SockJS WebSocket, which I intend to consume from an iOS app as ...
76
votes
9
answers
130k
views
How to enable HTTP response caching in Spring Boot
I have implemented a REST server using Spring Boot 1.0.2. I'm having trouble preventing Spring from setting HTTP headers that disable HTTP caching.
My controller is as following:
@Controller
public ...
68
votes
8
answers
212k
views
Spring Security exclude url patterns in security annotation configuration
I have spring web application with Spring security configured using java config approach. I want to exclude some URL patterns from authentication (e.g. static resources etc.). I have done this earlier ...
65
votes
1
answer
43k
views
Spring security's SecurityContextHolder: session or request bound?
Is the Userprincipal I retrieve from SecurityContextHolder bound to requests or to sessions?
UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication()....
37
votes
6
answers
33k
views
CharacterEncodingFilter don't work together with Spring Security 3.2.0
I'm new to Spring MVC framework and I have got an issue that I can not resolve by myself. Everything started when I integrated spring security with my application, after that all unicode values from ...
19
votes
3
answers
53k
views
Java Spring Security config - multiple authentication providers
There are several references of multiple authentication providers in spring security, but no example in Java config could be located.
The following link gives the XML notation:
Multiple ...
3
votes
2
answers
13k
views
Disabling a filter for only a few paths
How do I get a filter to apply to every request off the root path except for ones I want to ignore? Here's my example:
I have a Spring Security filter like so:
private static class ...
122
votes
9
answers
220k
views
Spring 5.0.3 RequestRejectedException: The request was rejected because the URL was not normalized
Not sure if this is a bug with Spring 5.0.3 or a new feature to fix things on my end.
After the upgrade, I am getting this error. Interestingly this error is only on my local machine. Same code on ...
121
votes
11
answers
239k
views
Upgrading the deprecated WebSecurityConfigurerAdapter in Spring Boot 2.7.0
I am trying to update the WebSecurityConfigurerAdapter as it has been deprecated. The class is configured as follows:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = ...