You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
187 lines
6.1 KiB
187 lines
6.1 KiB
= Authentication Migrations |
|
|
|
The following steps relate to how to finish migrating authentication support. |
|
|
|
== Propagate ``AuthenticationServiceException``s |
|
|
|
{security-api-url}org/springframework/security/web/authentication/AuthenticationFilter.html[`AuthenticationFilter`] propagates {security-api-url}org/springframework/security/authentication/AuthenticationServiceException.html[``AuthenticationServiceException``]s to the {security-api-url}org/springframework/security/web/AuthenticationEntryPoint.html[`AuthenticationEntryPoint`]. |
|
Because ``AuthenticationServiceException``s represent a server-side error instead of a client-side error, in 6.0, this changes to propagate them to the container. |
|
|
|
So, if you opted into this behavior by setting `rethrowAuthenticationServiceException` to `true`, you can now remove it like so: |
|
|
|
[tabs] |
|
====== |
|
Java:: |
|
+ |
|
[source,java,role="primary"] |
|
---- |
|
AuthenticationFilter authenticationFilter = new AuthenticationFilter(...); |
|
AuthenticationEntryPointFailureHandler handler = new AuthenticationEntryPointFailureHandler(...); |
|
handler.setRethrowAuthenticationServiceException(true); |
|
authenticationFilter.setAuthenticationFailureHandler(handler); |
|
---- |
|
|
|
Kotlin:: |
|
+ |
|
[source,kotlin,role="secondary"] |
|
---- |
|
val authenticationFilter: AuthenticationFilter = AuthenticationFilter(...) |
|
val handler: AuthenticationEntryPointFailureHandler = AuthenticationEntryPointFailureHandler(...) |
|
handler.setRethrowAuthenticationServiceException(true) |
|
authenticationFilter.setAuthenticationFailureHandler(handler) |
|
---- |
|
|
|
Xml:: |
|
+ |
|
[source,xml,role="secondary"] |
|
---- |
|
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.AuthenticationFilter"> |
|
<!-- ... --> |
|
<property ref="authenticationFailureHandler"/> |
|
</bean> |
|
|
|
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler"> |
|
<property name="rethrowAuthenticationServiceException" value="true"/> |
|
</bean> |
|
---- |
|
====== |
|
|
|
changes to: |
|
|
|
[tabs] |
|
====== |
|
Java:: |
|
+ |
|
[source,java,role="primary"] |
|
---- |
|
AuthenticationFilter authenticationFilter = new AuthenticationFilter(...); |
|
AuthenticationEntryPointFailureHandler handler = new AuthenticationEntryPointFailureHandler(...); |
|
authenticationFilter.setAuthenticationFailureHandler(handler); |
|
---- |
|
|
|
Kotlin:: |
|
+ |
|
[source,kotlin,role="secondary"] |
|
---- |
|
val authenticationFilter: AuthenticationFilter = AuthenticationFilter(...) |
|
val handler: AuthenticationEntryPointFailureHandler = AuthenticationEntryPointFailureHandler(...) |
|
authenticationFilter.setAuthenticationFailureHandler(handler) |
|
---- |
|
|
|
Xml:: |
|
+ |
|
[source,xml,role="secondary"] |
|
---- |
|
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.AuthenticationFilter"> |
|
<!-- ... --> |
|
<property ref="authenticationFailureHandler"/> |
|
</bean> |
|
|
|
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler"> |
|
<!-- ... --> |
|
</bean> |
|
---- |
|
====== |
|
|
|
[[servlet-opt-in-sha256-rememberme]] |
|
== Use SHA-256 in Remember Me |
|
|
|
In 6.0, the `TokenBasedRememberMeServices` uses SHA-256 to encode and match the token. |
|
To complete the migration, any default values can be removed. |
|
|
|
For example, if you opted in to the 6.0 default for `encodingAlgorithm` and `matchingAlgorithm` like so: |
|
|
|
[tabs] |
|
====== |
|
Java:: |
|
+ |
|
[source,java,role="primary"] |
|
---- |
|
@Configuration |
|
@EnableWebSecurity |
|
public class SecurityConfig { |
|
@Bean |
|
SecurityFilterChain securityFilterChain(HttpSecurity http, RememberMeServices rememberMeServices) throws Exception { |
|
http |
|
// ... |
|
.rememberMe((remember) -> remember |
|
.rememberMeServices(rememberMeServices) |
|
); |
|
return http.build(); |
|
} |
|
@Bean |
|
RememberMeServices rememberMeServices(UserDetailsService userDetailsService) { |
|
RememberMeTokenAlgorithm encodingAlgorithm = RememberMeTokenAlgorithm.SHA256; |
|
TokenBasedRememberMeServices rememberMe = new TokenBasedRememberMeServices(myKey, userDetailsService, encodingAlgorithm); |
|
rememberMe.setMatchingAlgorithm(RememberMeTokenAlgorithm.SHA256); |
|
return rememberMe; |
|
} |
|
} |
|
---- |
|
|
|
XML:: |
|
+ |
|
[source,xml,role="secondary"] |
|
---- |
|
<http> |
|
<remember-me services-ref="rememberMeServices"/> |
|
</http> |
|
<bean id="rememberMeServices" class= |
|
"org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices"> |
|
<property name="userDetailsService" ref="myUserDetailsService"/> |
|
<property name="key" value="springRocks"/> |
|
<property name="matchingAlgorithm" value="SHA256"/> |
|
<property name="encodingAlgorithm" value="SHA256"/> |
|
</bean> |
|
---- |
|
====== |
|
|
|
then the defaults can be removed: |
|
|
|
[tabs] |
|
====== |
|
Java:: |
|
+ |
|
[source,java,role="primary"] |
|
---- |
|
@Configuration |
|
@EnableWebSecurity |
|
public class SecurityConfig { |
|
@Bean |
|
SecurityFilterChain securityFilterChain(HttpSecurity http, RememberMeServices rememberMeServices) throws Exception { |
|
http |
|
// ... |
|
.rememberMe((remember) -> remember |
|
.rememberMeServices(rememberMeServices) |
|
); |
|
return http.build(); |
|
} |
|
@Bean |
|
RememberMeServices rememberMeServices(UserDetailsService userDetailsService) { |
|
return new TokenBasedRememberMeServices(myKey, userDetailsService); |
|
} |
|
} |
|
---- |
|
|
|
XML:: |
|
+ |
|
[source,xml,role="secondary"] |
|
---- |
|
<http> |
|
<remember-me services-ref="rememberMeServices"/> |
|
</http> |
|
<bean id="rememberMeServices" class= |
|
"org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices"> |
|
<property name="userDetailsService" ref="myUserDetailsService"/> |
|
<property name="key" value="springRocks"/> |
|
</bean> |
|
---- |
|
====== |
|
|
|
== Default authorities for oauth2Login() |
|
|
|
In Spring Security 5, the default `GrantedAuthority` given to a user that authenticates with an OAuth2 or OpenID Connect 1.0 provider (via `oauth2Login()`) is `ROLE_USER`. |
|
|
|
In Spring Security 6, the default authority given to a user authenticating with an OAuth2 provider is `OAUTH2_USER`. |
|
The default authority given to a user authenticating with an OpenID Connect 1.0 provider is `OIDC_USER`. |
|
If you configured the `GrantedAuthoritiesMapper` only for the purpose of updating to 6.0, you can remove it completely.
|
|
|