Win a copy of Spring in Action (5th edition) this week in the Spring forum!

Puspender Tanwar

Ranch Hand
+ Follow
since Apr 21, 2015
Puspender likes ...
Cows and Likes
Total received
In last 30 days
Total given
Total received
Received in last 30 days
Total given
Given in last 30 days
Forums and Threads
Scavenger Hunt
expand Ranch Hand Scavenger Hunt
expand Greenhorn Scavenger Hunt

Recent posts by Puspender Tanwar

I gone through some resources for OAuth2.0
Each says OAuth is for authorization and not for authentication.
But, using Spring's `OAuth` server, didn't we get a Authentication token(e.g JWT)? And that token is used for authentication.
Can someone please clarify this?
1 week ago
I have a REST API secured with OAuth2.0 I am able to get the access-token using http://localhost:8085/auth/token?grant_type=password& with username pass basic auth).
But when I am trying to access http://localhost:8085/signup , API returns a 401 unauthorized error.
Though I have used antMatchers("/signup").permitAll(), why API is expecting a access-token to access this resource? Passing access-token along with this request would signup a user.
This is my resource server configuration
2 weeks ago

Stephan van Hulst wrote:How did you get your assumptions?

I am following a Spring Security course where the Author said this:

using form­based authentication and using cookies to drive the security of our APIs is an option, but definitely not the best way to go. Driving authentication with cookies has well­known issues and so we're going to move past form­based authentication really quickly and we're going to make our way towards better solutions. The next option is basic authentication and basic authentication is a very simple algorithm. It's very mature and very well supported in clients. However, of course, this simplicity is also the reason why it's not very secure and not very flexible either............
...In Basic Auth, each interaction is essentially going to resend the credentials over the wire. So this is where token­based solutions come in. And the first solution we're going to discuss is of course OAuth.

1 month ago

Stephan van Hulst wrote:Anyway, you can use HTTP Basic and let the browser handle the login prompt, or you can just create your own login form and send the credentials like you would in any other POST request.

If I am not wrong, the Basic Authenticate and Login prompt window are two different concepts in spring security.
The one where the login prompt comes is called Form-Login and is handled by .formLogin() API of spring security. The credentials are then stored in cookies which is why Form-Login is unsafe.
Whereas, the Basic Authentication is all about resending the credentials for each request to the API.

Correct me if I am wrong. If I understood it right, then login is not applicable for Basic Authentication. Because login means I just need to send the credentials once, not with each request.
1 month ago
Hey Shiksha, question is not for social logins. Question is - Can we use Oauth for authorization of a user using his credentials. Their is no third party application involved
1 month ago
So the idea of using OAuth is only for accessing or giving access to third-party application? Otherwise application use the classic Basic Authentication for login a user who has already signup up their detail. Am I on the right track now?
1 month ago

Stephan van Hulst wrote:Do users need to provide their credentials somewhere or does your client application have a "hardcoded" secret with which it authenticates itself without the user having to do anything?

It's a kind of social networking platform. User logins using their original credential.
I am exposing the API using Spring-Boot and then consuming that API using the front-end framework REACT.js

It's generally the same idea, user Signup using there Email and password and then login using those same credentials. So, I have a login form. I am stuck here from a few days, where that login form submit button should point, should I create REST endpoint for this, like the signup have a separate endpoint "api/signup" ?
1 month ago
I read a lot of articles about OAtuh2, and they all show that OAuth is for social logins.
But what if I want to develop a web app and want to secure the API using OAuth. What I mean is, for authentication, I don't want to use Basic Authentication(which is less secure of course), I want to login using the OAuth. No third party client or api,  I am just accessing an API developed from a client, which(API) is exposed to be used by that client only.

Is it the correct use case of OAuth? How to implement it using Spring-Security(Boot)?
1 month ago
I have a doubt, suppose one day the Bcrypt would no more be secure enough(like the few others), how the large existing application handles migrating the already created user? How they decrypt the passwords using the new algorithm?
1 month ago

Stephan van Hulst wrote:Why do you want to use Argon2?

I read a Stackoverflow answer that Argon2 is better choice.

The documentation for PasswordEncoder itself states that BCrypt is recommended.

Isn't SCrypt better choice than Bcrypt?
1 month ago
Is there any implementation of Argon2 in Spring Security? I can't find any API for it.
The framework has support for Bcrypt and Scrypt, if Argon2 is not supported, which is the best one to choose from - Brypt vs Scrypt ??
1 month ago
After going through a lot of resources/blogs I finally learned how to implement a basic authentication on REST API urls. But still I am confused on how to add a login/logout in the REST Api.
All of the article, or the maximum article implement login/logout using Thymleaf or the client library inside the same project. They all use the formLogin() and logout() api of Spring Security.

So this is the authentication I learned so far, securing the URLs

Can someone please guide me on how to implement a login/logout for a REST Api. Just gives me some tips over Basic authentication, I will look for the other authentication myself. I just want a starting point.
I want to know the way I should login from my front-end application using REST Api.

1 month ago

Campbell Ritchie wrote:Have  look at this discussion.

Oracle will provide public updates of Oracle JDK 8 through at least December 2020 for personal desktop use and January 2019 for commercial use. After those dates (check which one for your user's use case!), users can either go onto a paid support plan or use a Java SE 8 / OpenJDK 8 binary distribution from another provider.
You can also continue to use Oracle JDK 8 indefinitely without updates.

My guess was right.
1 month ago
I am developing webservices for a social network website using Java + Spring.
But with recent news on Java being chargeable put me into confusion. As people are suggesting to switch to OpenJDK.

Can someone clarify what oracle will charge for, because as far as I understood it, oracle will charge for the support for java8. If I want further java8 release, bug fixes, security patches then I would need to buy a license for that. Or I am selling a commercial product with embedded Java.
Am I right here?

I am going to deploy Java 8 on AWS server. How oracle's decision could impact me?
1 month ago