-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document how to publish an AuthenticationManager
@Bean
without WebSecurityConfigurerAdapter
#11926
Comments
Note: We should also enhance the deprecation notice in 5.7/5.8 to include a hint of where to get the same information. Perhaps a link to this reference documentation, or a simplified example method signature for a |
When this is completed we should update the link to the blog post in |
#12343 can provide more use cases to the documentation |
Here is my journey. I want to use Here is my user.
Here is my curl test.
As you can see, it always gives me 403 forbidden error, but I already configured @Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/login").permitAll()
.anyRequest().authenticated()
);
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(new JwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
return http.build();
}
} Why? I found a solution here: https://stackoverflow.com/questions/75768437/requestmatchers-permitall-does-not-work After a lot of try and fail, I found that the following simplified version also works! @Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
return config.getAuthenticationManager();
}
@Bean
public UserDetailsService userDetailsService() {
UserDetails userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(userDetails);
}
@Bean
public PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
} But once I remove and forward the request to some Looks like spring security uses the default DaoAuthenticationProvider in this case but not the default InMemoryUserDetailsService. I think put the |
The reason I didn't configure UserDetailsService at first because spring security gives me this impression: it always has something by default. AuthenticationFilter -> UsernamePasswordAuthenticationFilter by default In my previous journey, once we exposed |
Sorry you had some trouble, @uniquejava. Please see my initial comment on this issue for how I recommend publishing an Regarding the
Thanks for the suggestion! However, we prefer to use a more secure posture by default. In Spring Security 6, for example, requests that are missing an authorization rule are actually denied by default. I would argue that it's better for you to learn about this than it would be to have a weaker security posture by default. Hopefully, you can see the point here. 😉 If you have any further questions, please use Stack Overflow and feel free to share a link to the posted question so others can find it. |
Hello there, Just bumped into this "problem" after migrating from Spring Security 5.7.6 to Spring Security 6. The docs at first glance looked fine, but this stupid /error problem drove me crazy. It started with a non-existing favicon.ico and ended with a double login in the background that set a lot of things back and fort for my users, but guess what, on Firefox it did not cause problems, on Chromium it DID! I know the docs are clear but maybe for the error page there could be a simple example or an admonition that if you forgot to configure the paths properly, you can end up having HTTP 403 for or redirects (it depends on your config) for example for non existing static resources. I understand the logic behind the enforcement, but maybe a lot of developer will face it, and they might not be able to understand the reason behind that. |
Thanks for your input on this everyone, and sorry for the delay in getting this task done. I've updated the Username/Password Authentication page. It now includes a few full examples (those discussed on this issue), and also links to other pages organized by use case similar to other recent updates to the docs. You can preview the 5.8 version here (also forward ported up through 6.2/main). Feedback welcome! If you do see additional items to add, please feel free to open a new issue. |
We should adapt the recommendations and examples in the blog article Spring Security without the WebSecurityConfigurerAdapter into the reference documentation.
For example, we can configure an
AuthenticationManager
for use by the application that can perform user authentication (similar toformLogin()
) like so:Context:
Many applications require the use of an
AuthenticationManager
outside the Spring Security filter chain (e.g. in a@RestController
). The LDAP Authentication example recommends publishing anAuthenticationManager
@Bean
, and this example can be generalized and numerous examples given for various scenarios.The text was updated successfully, but these errors were encountered: