Spring Security Oauth2 XML Configuration in Detail - spring-security-oauth2

I want to use the XML configuration file for registering clients for OAuth2 in my web application. I know that there is support for XML tags using the client-registrations tag.
However, I want to register the client registration repository as a bean so that it is extensible, something like this:
  <beans:bean id="clientRegistrationRepository" class="org.springframework.security.oauth2.client.registration.ClientRegistrationRepository">
    <beans:constructor-arg index="0" ref="clientRegistration"/>
  </beans:bean>
  ... more tags expanding clientRegistration
However, this does not work. Does anyone know how we can do this?
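One way to get what the question asks for, as an added example that is not part of the thread: ClientRegistrationRepository is an interface, so the bean has to be a concrete implementation. InMemoryClientRegistrationRepository is the one Spring Security ships, and its List<ClientRegistration> constructor takes registrations produced by ClientRegistration.Builder, which can be driven from SpEL inside the bean definition. The registration id google, the environment variable names, the use of CommonOAuth2Provider for the provider endpoints and the oauth2-login wiring are assumptions; Spring Security 5.3 or later is assumed for the oauth2-login element.

```xml
<!-- Added example: a ClientRegistrationRepository bean defined purely in XML.
     Assumes the security namespace is the default and beans uses the "beans:" prefix,
     as in the snippets above. -->
<beans:bean id="clientRegistrationRepository"
    class="org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository">
  <!-- type="java.util.List" selects the List constructor over the varargs one -->
  <beans:constructor-arg type="java.util.List">
    <beans:list>
      <!-- CommonOAuth2Provider.GOOGLE supplies the authorization, token and
           user-info endpoints; only the credentials are added here. The secret
           comes from the environment (assumed variable names), never from the XML.
           build() fails at startup if clientId is missing, which is the behaviour you want. -->
      <beans:value>#{T(org.springframework.security.config.oauth2.client.CommonOAuth2Provider).GOOGLE
          .getBuilder('google')
          .clientId(systemEnvironment['GOOGLE_CLIENT_ID'])
          .clientSecret(systemEnvironment['GOOGLE_CLIENT_SECRET'])
          .build()}</beans:value>
      <!-- add further <beans:value> entries (or <beans:ref> to beans of your own
           ClientRegistration-producing class) to extend the repository -->
    </beans:list>
  </beans:constructor-arg>
</beans:bean>

<http>
  <!-- ... -->
  <!-- point the login support at the bean instead of the client-registrations element -->
  <oauth2-login client-registration-repository-ref="clientRegistrationRepository"/>
</http>
```

Because the repository is an ordinary bean, it can be swapped for your own ClientRegistrationRepository implementation (for example one backed by a database) without touching the http element; only the ref changes.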

Related

Spring security: allow a few pages to be displayed in iframe

I support a website that uses Spring Security (5.3.3.RELEASE). The site can't be displayed in an iframe on other sites because of the following configuration:
  <security:headers>
    <security:frame-options policy="SAMEORIGIN"/>
  </security:headers>
Now I am asked to allow a few pages to be displayed in an iframe on ANY other site (not a specific list of sites). I looked at the Spring documentation, and it appears that I can add a bean in the following way:
  <security:headers>
    <security:frame-options policy="SAMEORIGIN" ref="bean_id"/>
  </security:headers>
I am not able to find info about what interface or methods the bean (bean_id) must implement or whether it can be used to decide what pages are frameable. Any help or example is really appreciated.
The interface is AllowFromStrategy. But that interface is deprecated, since ALLOW-FROM is an obsolete directive that no longer works in modern browsers, see here. The alternative is to use CSP: frame-ancestors.
Spring Security has support for the Content-Security-Policy header. You can rely on the DelegatingRequestMatcherHeaderWriter implementation to add the header only to specific pages, like so:
  <http>
    <!-- ... -->
    <headers>
      <header ref="headerWriter"/>
    </headers>
  </http>
  <beans:bean id="headerWriter"
      class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
    <!-- first argument: which requests get the header -->
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
        <beans:constructor-arg value="/page-with-csp"/>
      </beans:bean>
    </beans:constructor-arg>
    <!-- second argument: the writer; the policy directives go in its constructor-arg -->
    <beans:constructor-arg>
      <beans:bean
          class="org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter"/>
    </beans:constructor-arg>
  </beans:bean>
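The following is an added example, not code from the answer above, that puts the pieces together for the situation in the question: X-Frame-Options SAMEORIGIN stays on every response for older browsers, and a Content-Security-Policy header with frame-ancestors * is written only for the pages that may be embedded anywhere. Browsers that implement frame-ancestors give it precedence over X-Frame-Options when both are present, so those pages become frameable while everything else keeps SAMEORIGIN. The paths /embed/** and /widget and the bean id are assumptions.

```xml
<!-- Added example; same namespace conventions as the answer (security is the
     default namespace, beans uses the "beans:" prefix). -->
<http>
  <!-- ... -->
  <headers>
    <!-- X-Frame-Options: SAMEORIGIN on every response (legacy browsers) -->
    <frame-options policy="SAMEORIGIN"/>
    <!-- frame-ancestors only on the pages that may be embedded by any site -->
    <header ref="embeddableFrameAncestors"/>
  </headers>
</http>

<beans:bean id="embeddableFrameAncestors"
    class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
  <!-- which requests get the header: any of the listed patterns (assumed paths) -->
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
      <beans:constructor-arg type="java.util.List">
        <beans:list>
          <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
            <beans:constructor-arg value="/embed/**"/>
          </beans:bean>
          <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
            <beans:constructor-arg value="/widget"/>
          </beans:bean>
        </beans:list>
      </beans:constructor-arg>
    </beans:bean>
  </beans:constructor-arg>
  <!-- the header to write: frame-ancestors * means any origin may frame these pages,
       which is what the question asks for; list hosts instead of * where you can -->
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter">
      <beans:constructor-arg value="frame-ancestors *"/>
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>
```

Two checks worth doing after deploying: confirm with the browser's network panel that an embeddable page carries both headers and a normal page carries only X-Frame-Options, and keep the matcher patterns as narrow as possible, because every page the Or matcher covers becomes a clickjacking target for any site.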

Spring Security addFilterAfter using XML configuration

I am currently using Spring Security 4 on Spring MVC. I am trying to configure anti-CSRF for a REST service, not a servlet. This post is very useful, but it uses Java configuration. How can I convert
  http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
into an XML configuration environment?
Thanks.
The XML can be as follows for addFilterAfter():
  <http>
    <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
  </http>
  <beans:bean id="myFilter" class="org.security.filter.CustomFilter"/>
Hope it will help....
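As an added example (not from the answer above): the Java line in the question names CsrfFilter, and the matching alias in the XML namespace is CSRF_FILTER, so that is the value to use with after. Since the question is about a REST client, the example also delivers the token in a cookie via CookieCsrfTokenRepository (Spring Security 4.1 or later is assumed). The filter class is the one named in the question; its package and the bean ids are assumptions.

```xml
<!-- Added example; security is the default namespace, beans uses the "beans:" prefix. -->
<http>
  <!-- ... -->
  <!-- XSRF-TOKEN cookie readable by script. Safe because the client must echo the
       value back in the X-XSRF-TOKEN header, which a cross-origin page cannot do. -->
  <csrf token-repository-ref="csrfTokenRepository"/>
  <!-- XML equivalent of http.addFilterAfter(filter, CsrfFilter.class):
       runs right after CsrfFilter, so the CsrfToken request attribute already exists -->
  <custom-filter after="CSRF_FILTER" ref="csrfTokenResponseHeaderBindingFilter"/>
</http>

<!-- withHttpOnlyFalse() is a static factory on CookieCsrfTokenRepository -->
<beans:bean id="csrfTokenRepository"
    class="org.springframework.security.web.csrf.CookieCsrfTokenRepository"
    factory-method="withHttpOnlyFalse"/>

<!-- the filter from the question; it must implement javax.servlet.Filter (package assumed) -->
<beans:bean id="csrfTokenResponseHeaderBindingFilter"
    class="com.example.security.CsrfTokenResponseHeaderBindingFilter"/>
```

custom-filter also accepts before and position; the one rule to remember is that a custom filter may not take the same position as a filter the namespace itself creates, which is why after/before relative to an alias is the usual form.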

Spring mvc resources not loading on first run

I'm developing a Spring web application.
I have put my resources folder in the WebContent folder and configured it in my dispatcher.xml:
  <mvc:resources location="/asset/" mapping="/asset/**" />
I have configured my startup page as follows:
  <mvc:view-controller path="/" view-name="Framework/start"/>
My application is running fine and all the resources are also loading, but not on the first run. That is, when I deploy my application on Tomcat 7 and hit the URL for the first time, the CSS is not loaded and my href, which is mapped to a controller, is also not working, but once I have logged in and logged out everything works fine.
After lots of effort I concluded that the problem was not with the resource path but was due to the interceptor. The authentication interceptor that I had added was called multiple times due to the requests for the resources, and as there was no session created by that time it was returning false.
Hence I excluded any calls to the resources folder from the interceptor in the following way:
  <mvc:interceptors>
    <mvc:interceptor>
      <mvc:mapping path="/**"/>
      <mvc:exclude-mapping path="/asset/**"/>
      <bean class="com.model.AuthenticationInterceptor" />
    </mvc:interceptor>
  </mvc:interceptors>
Also, one important thing: mvc:exclude-mapping was added in Spring 3.2, so one needs to add the schema "http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd".

Which are the classes used for User Authentication in alfresco.4.2.c in the case of External SSO?

I am trying to implement External SSO in Alfresco Share. I am using alfresco.4.2.c.
I want to enable debug mode for the classes which are used for authentication in the case of External SSO.
So please let me know the class names which are used in External SSO.
It depends on which SSO you are integrating, say OpenAM, CAS, etc.
The SlingshotUserFactory class is used for default authentication in Alfresco Share.
You can override its entry as below in share-config-custom.xml:
  <config evaluator="string-compare" condition="WebFramework">
    <web-framework>
      <!-- SpringSurf Autowire Runtime Settings -->
      <!-- Developers can set mode to 'development' to disable; SpringSurf caches,
           FreeMarker template caching and Rhino JavaScript compilation. -->
      <defaults>
        <page-type>
          <id>login</id>
          <page-instance-id>slingshot-login</page-instance-id>
        </page-type>
        <user-factory>webframework.factory.user.custom.slingshot</user-factory>
      </defaults>
    </web-framework>
  </config>
Add the entry below in custom-slingshot-application-context.xml:
  <bean id="webframework.factory.user.custom.slingshot" class="com.test.web.site.ExtSlingshotUserFactory"
      parent="webframework.factory.user.slingshot">
  </bean>
Now on login it will call your class for authentication.

Spring MVC : using wildcards in <mvc:resources>

I'm implementing a cache busting system for a Spring MVC application.
For this system to work, I have to strip the "cache busting code" from a given URL. Let's say my generated cache busting code is "123" and I have a .css URL that is: /public-123/css/style.css. In this example, I want /public/css/style.css to be successfully called (-123 must be stripped).
This works in my "mvc-config.xml" context file:
<mvc:resources mapping="/public-123/**" location="/public/" />
But I would also like any cache busting code to work, even if it's not the current one. For example, I would also like /public-456/css/style.css to reach the style.css file.
If I try to add another wildcard to the mapping:
<mvc:resources mapping="/public-*/**" location="/public/" />
It doesn't work! I receive a 404....
How could I specify the "mapping" attribute so any code after the "public-" part is well managed?
One way to handle this is to use Spring EL, as shown in the Spring docs:
<mvc:resources mapping="/resources-#{applicationProps['application.version']}/**" location="/public-resources/"/>
You could probably store the "123" part in a properties file so it only gets set once. E.g. via property-placeholder:
<context:property-placeholder location="classpath:myApp.properties"/>
<mvc:resources mapping="/resources-${cache.code}/**" location="/public-resources/"/>
This has the advantage of being able to read this code in your JSP pages (to generate links) via the same properties value.
I managed to get this working by manually defining the ResourceHttpRequestHandler to handle assets that are located on the filesystem alongside the <mvc:resources /> tag:
<bean id="assetsResourceHandler" class="org.springframework.web.servlet.resource.ResourceHttpRequestHandler">
<property name="locations">
<list>
<bean class="org.springframework.core.io.UrlResource">
<constructor-arg value="file:#{applicationProps['assets.basedir']}"></constructor-arg>
</bean>
</list>
</property>
</bean>
I guess you're doing this to achieve cache busting for your static resources.
In the meantime, Spring 4.1 has dedicated features for this, so you can remove a lot of that custom configuration.
Something like this:
  <mvc:resources mapping="/public/**" location="/public/">
    <mvc:resource-chain resource-cache="true">
      <mvc:resolvers>
        <mvc:version-resolver>
          <mvc:content-version-strategy patterns="/**"/>
        </mvc:version-resolver>
      </mvc:resolvers>
    </mvc:resource-chain>
  </mvc:resources>