The difference between WebSecurity and HttpSecurity in Spring Security

The Nature of HttpSecurity

Spring Security 5.4 has a new way of configuring HttpSecurity.

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .antMatcher("/**")
            .authorizeRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .build();
    }

From this you can see that HttpSecurity is used to build a SecurityFilterChain, which holds an ordered series of filters, and normally our configuration is centered on building that SecurityFilterChain.

Spring Security Unit Testing

Spring Security Test Environment

To use Spring Security in your unit tests, you need to add spring-security-test to your Spring Boot project.

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>

This way the test's context configuration can be combined with Spring Security; the next few tips show how.

Spring Security Testing

All tests are run under Spring Boot Test, which is enabled by the @SpringBootTest annotation.

Various ways of handling exceptions in Spring

Usually the unified exception handling we set up in Spring Boot can only handle exceptions thrown by a Controller. Some requests fail before they reach the Controller, and those exceptions cannot be caught by the unified exception handler, for example some exceptions raised in the Servlet container. Today I encountered one of these in my project development, which irritated me because it returned an error message in a format that could not be handled uniformly, and

Spring Boot Containerization via Docker

Recently the company's applications are being prepared for containerization, because moving dozens of applications from testing to release is too much trouble, and differences between environments lead to a variety of deployment problems. In order to keep the development, testing and production environments consistent, container technology was introduced, tried first on a peripheral project to gain experience. Today a brief summary of several common Docker

SpringBoot integration of lightweight logging system loki - 2

The last post was a simple introduction to the Loki logging platform; today we take a simple look at how to use Loki in practice to monitor Spring Boot applications, shared here to give you a deeper understanding of this new technology.

Loki's log collection practice

In the previous article we used Docker Compose to start Grafana, Loki, and Promtail together to monitor an application. And the architecture of the whole logging system.

SpringBoot integration of lightweight logging system loki - 1

Once a project is formalized, a logging system is indispensable. Most logging platforms are recommended to be built on ELK, but ELK is relatively heavy and its architecture is too large for small and medium-sized projects to handle well, so I hoped to find something simpler and only fall back to ELK if nothing could be found. Sure enough, looking through the technical candidates I had set aside earlier, I came across a logging system

ResponseEntity Usage Tips

The ResponseEntity object is Spring's wrapper around the HTTP response. It inherits from HttpEntity and contains the HTTP status code (HttpStatus), the response headers, and the response body. For a Spring MVC endpoint that returns user information, we usually return the entity directly (with @RestController).

    @GetMapping("/user")
    public User userinfo() {
        User user = new User();
        user.setUsername("felord.cn");
        return user;
    }

is equivalent

Spring Security gets the currently logged in user

In some scenarios we need to find out who the current user is. If you are using Spring Security as your security framework, you can get the current user by the following means.

SecurityContext

Whether in stateful Session mode or in the popular JWT mode, you can use SecurityContext to get the current user.

    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    String currentPrincipalName = authentication.getName();

Of course, this approach is not rigorous enough: if the endpoint allows anonymous access, it is likely to return an anonymous user, and an anonymous user cannot simply be identified through getName, so we need to refine the logic above.

Realm in Keycloak

In the previous posts, I joined you for a cursory look at Keycloak. As I gradually learned more, I found that I had fallen into a misunderstanding: originally I thought the focus of integrating Spring Security with Keycloak was on the Spring Security side, but in fact I found that there is little room to work with the several filters of Keycloak's Spring Security adapter; perhaps we need to understand Keycloak itself before we can make a breakthrough.

Manage OAuth2 authentication authorization server Keycloak through the management API

When using Keycloak, you may have noticed that user management is done through the UI provided by Keycloak, which is convenient but often not suitable for use in development. For example, you can't send end users directly to Keycloak's Admin Console to register. Therefore, it is necessary to expose these functions as APIs, and today we are going to share a way to operate Keycloak programmatically.

Introduction to Keycloak Admin Client

The execution flow of an interface between Keycloak and Spring Security

In the previous article we got familiar with the common configuration of Keycloak; today we will analyze the execution flow of Keycloak adapted to Spring Security and briefly look at some of its customized Spring Security filters.

Execution flow of /admin/foo

In the Spring Boot application adapted with Keycloak and Spring Security, I wrote an /admin/foo endpoint and configured its permissions as follows.

Common properties of Keycloak adapters

In the last Keycloak article, we successfully adapted Keycloak to Spring Security with a keycloak.json configuration. It contains quite a few properties that I feel we need to learn together as we go deeper into the process.

Common properties of Keycloak adapters

realm: the realm name; this is a mandatory item.
resource: the application's client_id, a unique identifier for each client registered on the Keycloak server. This is a mandatory item.

Using Keycloak as an Authentication Authorization Server in Spring Security

Keycloak provides adapters for popular Java applications. In previous articles, we demonstrated security protection for Spring Boot using one of these adapters. Keycloak also provides an adapter for Spring Security, and in the following articles we will learn together how to use it. The installation of Keycloak can be found in the previous tutorials in the series.

Adapter integration

In our Spring application we integrate keycloak-spring-security-adapter.

OIDC authentication authorization protocol

In the previous article we reviewed the OAuth 2.0 flow with an example and pointed out the limitation of OAuth 2.0: the client cannot identify who the resource owner actually is. While OAuth 2.0 as used commercially can guarantee the security of authorization, OAuth 2.0 itself does not provide a clear specification for user authentication. This is where OIDC comes into play.

OIDC

OIDC is a variant of OAuth 2.0. OIDC (OpenID Connect) builds on the OAuth 2.

OAuth 2.0 is only the authorization protocol, OIDC is the authentication authorization protocol

In the previous article we did a hands-on exercise on Keycloak protecting Spring Boot applications and showed you how powerful Keycloak is. But in order to master Keycloak you need to understand the OpenID Connect (OIDC) protocol. OIDC is an extension of OAuth 2.0. Why does it extend OAuth 2.0? Before we can figure this out we need to review the OAuth 2.0 protocol again.

OAuth 2.0

We've talked a lot about the OAuth 2.

Protecting Your Spring Boot Applications with the Keycloak Authentication Authorization Platform

This article tries out Keycloak's Spring Boot adapter to see how Keycloak protects Spring Boot applications.

Client

I believe many of you have used WeChat Open Platform and Ant Open Platform. First we need to register a client on these open platforms to get a set of credentials, much like a username and password. Some of them are called appid and secret; some are called clientid and secret,

Unified authentication authorization platform keycloak first experience

This article will go further with Keycloak, give us an intuitive understanding of it, and then go deeper and deeper to break down its design concepts and ideas.

General idea

Since we already know that Keycloak provides an adapter for Spring Security, let's first get the core concepts of Keycloak clear on their own and then work on how it incorporates Spring Security.

Installing Keycloak

The Keycloak version for this article is 14.

Unified authentication authorization platform keycloak Introduction

Recently, I have wanted to connect the user accounts of several applications through a centralized user management system, unifying the applications' user systems. After some research, I selected Red Hat's open source Keycloak, which is a very powerful unified authentication and authorization management platform. Keycloak was selected for the following reasons.

Ease of Use

Keycloak provides a one-stop single sign-on solution for web applications and RESTful services.

Spring 6 And Spring Boot 3

The annual SpringOne conference was held online last September 1-2 due to the pandemic. Pivotal (the owner of the Spring Project) hosts this conference once a year to meet with thousands of developers, customers and partners from around the world to share technical practices and discuss technology trends. Each conference also reveals the next big step in the Spring Project's evolution. The highlight of this year's conference is definitely Spring Framework 6.

SpringMVC exception handling system in-depth analysis

SpringMVC has a complete system for handling exceptions, and it works very well. This article talks about the exception handling system in SpringMVC; we will sort it out from beginning to end.

1. Exception Resolver Overview

In SpringMVC's exception system, the big boss at the top is HandlerExceptionResolver, an interface with a single method.

    public interface HandlerExceptionResolver {
        @Nullable
        ModelAndView resolveException(
                HttpServletRequest request, HttpServletResponse response, @Nullable Object handler, Exception ex);
    }

The resolveException method resolves an exception generated during request processing and eventually returns a ModelAndView.