Adapting to Spring security 6

Due to a migration to Spring security 6 and the WebSecurityConfigurerAdapter deprecation I need to adapt the security conf below, but not sure if I am going in the correct way. @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Inject private UserDetailsService userDetailsService; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService)…

Spring Security — 'Full authentication is required to access this resource' for a non-existing endpoint

AuthenticationEntryPoint triggers even if authorization is successfully passed, when I try to go to an endpoint that does not exist. How do I make it go to a 404 page? This is my Spring Security configuration @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { return http .cors().and() .csrf().disable() .exceptionHandling() .authenticationEntryPoint(customAuthenticationEntryPoint()).and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() .authorizeHttpRequests() .requestMatchers("/api/auth/**").permitAll() .anyRequest().authenticated().and()…

how can I fix the .ArrayIndexOutOfBoundsException

When I put a gap between quotation marks " " I get an ArrayIndexOutOfBoundsException, and when I close the quotation marks "" inside the split it shows on my board the first letter of firstname and the first letter of lastname. More specifically, the console shows a problem in (UserServiceImpl.java:68), (UserServiceImpl.java:60), (UserServiceImpl.java:61), (AuthController.java:60) @Getter @Setter @NoArgsConstructor @AllArgsConstructor public class UserDto { private…

Parameter 1 of constructor in required a bean of type that could not be found

I’ve been stuck for a while now. I’m modifying my Spring Security project by adding Jwt. Currently, I’m trying to make the JwtEncoder and JwtDecoder work in SecurityConfig; I need RSAPrivateKey and RSAPublicKey for these methods. To get these Key-values I’m using a Record with @ConfigurationProperties annotation. But getting this Record into the SecurityConfig gives…

Created CustomUserDetailService. Now what?

I am just learning Spring Security. My goal is to authenticate the user by their username and password, which are stored in PostgreSQL. So far, this is what I have: @Configuration @EnableWebSecurity @EnableMethodSecurity public class configurator { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeHttpRequests(auth -> auth .anyRequest().authenticated() ) .httpBasic(); return http.build();…

How to handle "java.lang.IllegalArgumentException: rawPassword cannot be null"

In my code, I have a User entity which has multiple fields, and I’m trying to handle field exceptions, which works fine. If any field is null then the JVM will throw a ConstraintViolationException, which I’m handling perfectly with Custom Exception Handling, but my problem is that if the password field is null then the JVM will throw an IllegalArgumentException. My…

Spring get instance of AuthenticationManager complicated since WebSecurityConfigurerAdapter deprecated

Spring recently deprecated WebSecurityConfigurerAdapter, which does not seem like the smartest move, given that the new way is extremely poorly documented and WebSecurityConfigurerAdapter was basically omnipresent. Now I tried to add a custom Filter to the Security Filterchain, which was easy before but does seem to bring some trouble now. I found a workaround, but…

AuthenticationFailureBadCredentialsEvent never called

I use spring-boot 2.6.8 with Spring Security. When a user doesn’t enter correct information, I would like to do an operation. So I created this class. @Component public class AuthenticationFailureEventListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> { private LoginAttemptService loginAttemptService; @Override public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent e) { WebAuthenticationDetails auth = (WebAuthenticationDetails) e.getAuthentication().getDetails(); loginAttemptService.loginFailed(e.getAuthentication().getName(), auth.getRemoteAddress()); } } If a user enters a…

What exactly is "isEnabled" in the "UserDetails" class for?

This might sound like a dumb question, but I don’t understand what "isEnabled" in the "UserDetails" class is for. The documentation says "Indicates whether the user is enabled or disabled. A disabled user cannot be authenticated." So, the only thing I really need this boolean for is to disable authentication for some users? Because I…