Puspender Tanwar

Ranch Hand
since Apr 21, 2015

Recent posts by Puspender Tanwar

Thanks Stephan.
Suppose in the future I want to grant a few users some extra permissions. For example, you are the Author of the Spring forum, so you have some extra permissions.
In the same manner, users of my website would be granted special permissions based on their points.

How is this handled? ACL?
1 month ago
Suppose I have two entities User and

which have a One-to-Many relationship.
Now, user theCoder created an article, "How to ask question?". The article got saved in the Article table with foreign key theCoder.
Now, another user theHacker logged into the application from somewhere and read the "How to ask question?" article. Then he/she tried to perform delete/update actions on the article, which they are not allowed to do. Only the owner of the article can delete/update the article.

How should I achieve this?

One way is to check the principal (the logged-in user's username) and compare it with the user who created that article. If they match, delete/update the post; otherwise throw 403 unauthorized.

But that would be a lot to do in multiple controllers. Is there something handy provided by Spring Security?

I looked for it and there is ACL security, but I don't understand if it's the one I should use. Nor are there any good articles/blogs/tutorials to be found on the web.
1 month ago
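One way to do the owner check once in method security rather than in every controller, as an added example (not code from the post): a small bean evaluated by @PreAuthorize. The names Article, getOwnerUsername(), ArticleRepository and articleSecurity are assumptions.

```java
// Added example, not from the original post. Assumed types are sketched
// minimally so the file compiles stand-alone; in a real project Article and
// ArticleRepository would be the JPA entity and Spring Data repository.
import java.util.Optional;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

class Article {
    private final String ownerUsername;   // assumed field holding the creator's username
    Article(String ownerUsername) { this.ownerUsername = ownerUsername; }
    String getOwnerUsername() { return ownerUsername; }
}

interface ArticleRepository {
    Optional<Article> findById(Long id);  // same shape as Spring Data's CrudRepository
}

@Component("articleSecurity")
class ArticleSecurity {
    private final ArticleRepository repository;
    ArticleSecurity(ArticleRepository repository) { this.repository = repository; }

    // True only when the caller is authenticated and is the article's owner.
    // An unknown id also yields false, so a non-owner cannot probe which ids exist.
    public boolean isOwner(Long articleId, Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        return repository.findById(articleId)
                .map(a -> a.getOwnerUsername().equals(auth.getName()))
                .orElse(false);
    }
}

@Service
public class ArticleService {
    private final ArticleRepository repository;
    public ArticleService(ArticleRepository repository) { this.repository = repository; }

    // With @EnableGlobalMethodSecurity(prePostEnabled = true) the expression is
    // evaluated before the body runs; a false result raises AccessDeniedException,
    // which Spring turns into an HTTP 403 for the caller.
    @PreAuthorize("@articleSecurity.isOwner(#articleId, authentication)")
    public void delete(Long articleId) {
        repository.findById(articleId).ifPresent(a -> { /* delete via repository */ });
    }
}
```

The check only fires when the service method is called through the Spring proxy, so a call from another method of the same class bypasses it.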

Stephan van Hulst wrote: Why are those three sub-modules POM projects?

Sorry, it was a typo. All three are jar projects.
2 months ago

Stephan van Hulst wrote: No, <dependencyManagement> only configures dependencies, it doesn't include them.

Regardless, what you want isn't possible and doesn't make much sense. You can't use a JAR project as a parent, and declaring dependencies in a POM project doesn't make sense if you don't want to include them in child modules.

Actually it's a multi-module Maven project.

sample-common contains some classes/operations common to the other two modules.
sample-persistence contains database entities and other persistence-related stuff.
sample-rest contains the controllers and other stuff for creating the REST API.

All three of these modules are <packaging>pom</packaging>.

The dependencies I use in sample-common I don't want included in the other two modules. How do I achieve this?
2 months ago
I have this pom file in one of the modules of a multi-module Maven project.

I want the validation-api to be included in my sample-common module only, and not in its child modules, and that's why I declared it in <dependencyManagement>. But putting it this way doesn't even include the validation-api in sample-common. It's not even bringing the dependencies into this module.

What is the correct way then?
2 months ago
It was the private access modifier causing the issue.
2 months ago
I am securing my REST API using Spring Security, where I am trying to secure a controller using method-level annotations. I am using @PreAuthorize("isAuthenticated()") to make sure that the user is authenticated to access that particular controller method.

But this is not working, even though I have the prePostEnabled = true configuration. I am getting a 200 response status, even though I am not providing the auth details.

Earlier I was using URL-level authorisation, and everything was working fine.
2 months ago
I am sending a GET request for Basic authentication, to which the server (the backend API) returns a cookie if the authentication is successful. This is working fine for POSTMAN, but in the browser the cookie is not being set.

Here is my application flow:

1. Browser/POSTMAN logs in using basic authentication, sending credentials in an Authorization: Basic xxxxxx== header.
2. The server reads the authentication details and, if correct, creates a cookie named auth and sends it back with the response (above code). For the security layer, I am using Spring Security.
3. For further requests, that cookie will automatically be sent with each request. Now I have to take that cookie and extract the authentication details from it. After that, I have to add Authorization: Basic xxxxxx== to that request (because now the Authorization header is not sent by the client, only the cookie). For this I created a Filter which runs before Spring's BasicAuthenticationFilter.class.

Step 2 is working for POSTMAN, but not for the browser. In POSTMAN, the response sent by the server contains Set-Cookie →auth=Basic xxxxxxxx=; Domain=localhost; HttpOnly.

curl -i -u pu@gmail.com:password@ http://localhost:8085/api/v1/login

HTTP/1.1 200
Set-Cookie: auth=Basic xxxxxxxx==; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 0
Date: Tue, 12 Feb 2019 05:59:33 GMT

The response header in browser:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:3007
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Tue, 12 Feb 2019 11:52:10 GMT
Expires: 0
Pragma: no-cache
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

What additional configuration do I need to do here?

3 months ago
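The filter described in step 3 of that flow, written out as an added example (not the post's own code): it copies the Basic credential from the auth cookie into the Authorization header so Spring's BasicAuthenticationFilter can process the request unchanged. The cookie name "auth" and the "Basic " prefix come from the post; the class names are assumptions.

```java
// Added example, not from the original post. Register it with
// http.addFilterBefore(new CookieToBasicAuthFilter(), BasicAuthenticationFilter.class).
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

public class CookieToBasicAuthFilter extends OncePerRequestFilter {
    static final String COOKIE_NAME = "auth";     // name used in the post's Set-Cookie
    static final String HEADER = "Authorization";

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        Cookie cookie = WebUtils.getCookie(req, COOKIE_NAME);
        // Only act when the client sent no Authorization header and the cookie holds a
        // Basic credential; any other request passes through untouched, so an explicit
        // header always wins over the cookie.
        if (req.getHeader(HEADER) == null && cookie != null
                && cookie.getValue() != null && cookie.getValue().startsWith("Basic ")) {
            req = new AuthHeaderRequest(req, cookie.getValue());
        }
        chain.doFilter(req, res);
    }

    // Wrapper that presents the cookie value as the Authorization header. Spring's
    // BasicAuthenticationFilter reads the header via getHeader, so overriding it is enough;
    // getHeaders is overridden too for any other component that enumerates header values.
    static class AuthHeaderRequest extends HttpServletRequestWrapper {
        private final String value;
        AuthHeaderRequest(HttpServletRequest r, String value) { super(r); this.value = value; }

        @Override public String getHeader(String name) {
            return HEADER.equalsIgnoreCase(name) ? value : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            return HEADER.equalsIgnoreCase(name)
                    ? Collections.enumeration(Collections.singletonList(value))
                    : super.getHeaders(name);
        }
    }
}
```

Because the cookie carries the Base64 credential itself, it must be set with HttpOnly and Secure as the later post notes, and the browser will only attach it to cross-origin requests that are sent with credentials enabled.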
JSESSIONID won't work for me, because I am using a RESTful, stateless API. So there is no room for JSESSIONID.
However, creating an authentication cookie will maintain the statelessness of the application, because there will be no state maintained by the server; only the client would save a cookie, which will be carried with each request.

Yes, sending credentials in the URL is a terrible idea.
3 months ago
I am securing my REST API using Basic Auth. I came to know that for a stateless API, the backend should send a cookie (with the 'httpOnly' and 'secure' flags) for basic authentication, which will then be carried with each request. But I have a few doubts here:

1.  What should be the name of that cookie?
2.  How do I set the cookie?
3.  How does the Spring Security layer identify and extract the Base64-encoded credentials from that cookie?

As of now, this is my security config:

And since I have no idea from where to set that authentication cookie, I am trying this:

http://localhost:8080/login is a URL which is basic-auth protected; if the user provides correct credentials, then it sends the authentication cookie with the response.

But again, I have no idea where to get the username and password for the current user.
3 months ago

So it's better if your ReST application contains its own authentication mechanism (or better, a pre-debugged non-container one, like maybe Spring Security). The simplest way to do that is to have a ReST call that sends userID and password as an encrypted request and receives a token (basically, a "jsessionid" from the app instead of the container). This would then be used for the duration of the conversation as an add-on to the ReST calls. The main difference is that the authentication environment wouldn't be in the webapp or the webapp server, but in whatever common backend all the webapps in the cluster shared.

Yes, it's a REST API secured using Spring Security.
But what additional benefit does JSESSIONID add if I still need to send the credentials for each request over the wire? What is the whole purpose of maintaining a session (using JSESSIONID) if the backend server can't remember the user? My apologies if I am missing something.
4 months ago
I am using basic authentication for my REST API. I don't understand the use case of the JSESSIONID cookie if we are sending the credentials with each request, the way we do in stateless basic authentication.
How does JSESSIONID help here? Does the server not check the username and password if the JSESSIONID is valid?
4 months ago
I have written the frontend of an application using React.js, and its backend REST API is built using Spring Boot.
I have succeeded in integrating the "social login for Facebook" from the frontend, and now I have this information returned from Facebook

Now, my requirement is to create an account for this user in my own application (own database) using the user's email as the primary key for his/her account. This user will have their own content (likes, interests, feeds).
But I have no idea where I should start now, or what the flow of the backend API and the complete application would be.

Can someone please guide me?
5 months ago
I have gone through some resources on OAuth 2.0.
Each says OAuth is for authorization and not for authentication.
But, using Spring's `OAuth` server, don't we get an authentication token (e.g. a JWT)? And that token is used for authentication.
Can someone please clarify this?
5 months ago