spring-boot-security | 自己尝试在基于spring-boot的restful API的安全认证上做的调研与测试

Hi All I'm currently following this guide to building a auth service in Spring boot https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/

I've modified it so when a user creates and account with a username and password it also returns a refresh_token.

However, when I do an Auth flow with lets say facebook or google, I see the access token is appended in a redirect URL (see here github link)

Now reading the OAuth doc this seems to make sense. However, how do I return the refresh token to the user as well. Is it safe to pass both access and refresh token in the URL?

This is a side project that me and my mate are working on (he's doing the front end which he hasnt started yet :D) so I'm curious if its 1) ok to put both tokens in the URL and 2) should I be setting these as cookies httpOnly somehow for him.

Sorry if this is a dumb question and thanks for reading

In my sample spring boot security project I want to add some BDD tests. I have added dependencies, feature file, sep definition etc. but mvn test ignoring all my test classes. I have some junit and selenium tests which are running fine.

Project is public https://gitlab.com/vivart/spring-boot-security to make it more simple I have removed all junit and selenium test.

Note: I have already tried all similar question suggestions.

I attempted to get all users, usin JWT Token and Spring Security. There is my source code as it follows:

Spring Console

I've been having trouble getting security working correctly, half of the problem was fixed with this Spring Boot Security wont ignore certain paths that dont need to be secured Second problem is spring is ignoring the HTTP status code on failure and always throws a 500.

When the JWT token is invalid I want to return a 401 and a json response. I keep getting a 500 and the white label html page. JwtFilter

I'm following this tutorial : https://www.baeldung.com/spring-boot-security-autoconfiguration to add Simple Auth. to my Spring Boot Project. When i try to run my application i always get this error :

Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.NoSuchMethodError: org.springframework.util.Assert.isTrue(ZLjava/util/function/Supplier;)V

IDK why im getting this or is this related something about Version problem. Do you guys have any idea about this ?

Good afternoon. How can I configure permissions and roles for a user relative to a specific controller for a specific entity (something similar to RBAC/ABAC) within one application without usage of different OAUTH2 services?

Example:

App has global USER roles: ROLE_USER, ROLE_ADMIN.

Also there's entity named Project. There may be many Projects that USER may be a member of. There're some Project USER roles: PROJECT_ADMIN, PROJECT_EDITOR, PROJECT_USER. Each project role can have their own permissions (authorities) like add user to project, edit project and so on. All role configs are stored in 'project_roles' and 'project_permissions' tables.

As I understood it can be implemented through PreAuthorize annotation, but how can current global user be matched to project role?

I am using this example https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world for creating spring boot rest api with json web token (JWT). but i am not found any api for forcefully logout using io.jsonwebtoken maven dependency .

i am using this dependency in pom :

I'm trying to get a new access token using a refresh token in Spring Boot with OAuth2. It should be done as following: POST: url/oauth/token?grant_type=refresh_token&refresh_token=....

It works fine if I'm using InMemoryTokenStore because the token is tiny and contains only digits/letters but right now I'm using a JWT token and as you probably know it has 3 different parts which probably are breaking the code.

I'm using the official migration guide to 2.4.

When I try to access the URL above, I'm getting the following message:

I'm using Spring Boot and Spring Security for my user signup and user login with JWT Authentication application.

I get this error when I do the Post request. The stack trace did not define which line in my code causes the problem. I think it's related to version compatibility. What is the issue?