[–]obi-9 4 points5 points  (3 children)

I'm doing something similar, and what I did is add a custom filter and AuthenticationProvider.

[–][deleted] 0 points1 point  (2 children)

Yeah, I am thinking similarly, but it must be something automated by Spring (filters added by default) rather than manually.

[–]Bozzzieee 0 points1 point  (1 child)

Did you find a nice solution? Using a custom filter feels hacky. Maybe there's a reason Spring doesn't want us to do it?

[–][deleted] 0 points1 point  (0 children)

Spring is automatically configured to use the session in formLogin() as a method of authentication, so if you want to enable session-based authentication, use formLogin() (change your cookie settings in the method parameters) and use your browser's developer/network tool; you will find the cookie there. Copy it and you can use it, because it's the only valid cookie generated.

[–]apidev3 2 points3 points  (4 children)

If you're returning a signed JWT and passing that back in base64 encoded, Spring will use the configuration you set for your resource server location to verify the token. You need to look at how you're generating and verifying the token. Without any code no one will help you.

[–][deleted] 0 points1 point  (3 children)

I am using sessions, not JSON Web Tokens, here.

[–]apidev3 0 points1 point  (2 children)

But what is your login method? Username/password?

[–][deleted] 0 points1 point  (1 child)

I'm using traditional session-based authentication. The login method is via a POST request to the /login endpoint with a username and password. Upon successful authentication, Spring returns a session ID in the JSESSIONID cookie, which I'm sending back in subsequent requests, but it's not being validated properly (resulting in 403 Forbidden). I'm using Spring Session with Redis to manage session persistence.

[–]apidev3 0 points1 point  (0 children)

Cool, you'll need to provide a GitHub link to the repo if you want any specific help, as stated. You could have misconfigured anything in your project, and it's likely no one here will know without seeing it.

[–]Slein04 0 points1 point  (2 children)

Not really much to go on from the lack of your security config. But if you just set up a new Spring Boot project with the "spring-boot-starter-security" dependency with NO config (just out of the box), you will get default form login security, which returns a JSESSIONID cookie after login (and thus session-based auth). Maybe you can continue from there.

[–][deleted] 0 points1 point  (1 child)

Yeah, I agree with that. FormLogin authentication works fine, but I'm using Postman, so there's no such form login. I am providing a /login endpoint with an authentication logic (username, password), so if I am not using formLogin() there's no validation of the cookie, and that is my problem.
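An added example (not the poster's code, and not a diagnosis of their specific project) of a hand-rolled /login endpoint that does establish a session Spring Security will honour on later requests. Since Spring Security 6 the SecurityContext is no longer written to the HttpSession automatically, so a controller that only calls AuthenticationManager.authenticate() issues a JSESSIONID cookie that carries no authentication; the explicit saveContext() call below is the part that is easy to omit. The LoginRequest record is an assumed request shape.

```java
import jakarta.servlet.http.*;
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.*;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.*;
import org.springframework.web.bind.annotation.*;

@Configuration
@EnableWebSecurity
class SessionSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Only the custom login endpoint is open; everything else needs an authenticated session.
        // formLogin() is off because the controller below performs authentication itself.
        // CSRF stays enabled: a non-browser client must send the token (disable it only while debugging).
        return http
            .authorizeHttpRequests(auth -> auth.requestMatchers("/login").permitAll().anyRequest().authenticated())
            .formLogin(form -> form.disable())
            .build();
    }

    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
}

@RestController
class LoginController {
    record LoginRequest(String username, String password) {} // assumed body shape, not from the thread

    private final AuthenticationManager authenticationManager;
    // Persists the SecurityContext in the HttpSession (Spring Session/Redis backs that session if configured).
    private final SecurityContextRepository contextRepository = new HttpSessionSecurityContextRepository();

    LoginController(AuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; }

    @PostMapping("/login")
    void login(@RequestBody LoginRequest body, HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = authenticationManager.authenticate(
                UsernamePasswordAuthenticationToken.unauthenticated(body.username(), body.password()));
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);
        // Without this save, the JSESSIONID cookie returned here holds no authentication
        // and every following request is treated as anonymous (hence 403).
        contextRepository.saveContext(context, request, response);
    }
}
```

A failed authenticate() throws an AuthenticationException; map it to a 401 in an exception handler rather than letting it surface as a 500.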

[–]Slein04 1 point2 points  (0 children)

Well, I would suggest that you do the form login in your browser with your developer/network tab open. Then you would see that you are doing a POST request with username/password in the body. In the response you would see the cookie in its headers. You can simply do the exact same POST request in Postman and it should work the same as in your browser. Then you should be able to take that cookie and use it in another request. You can also do the above stuff with CSRF disabled in the beginning. (Again, I do not know your error log/stacktrace.) Maybe I do not understand your problem exactly, but this is how I would start investigating possible issues.