{"id":13682396,"url":"https://github.com/spring-attic/spring-cloud-security","last_synced_at":"2025-04-30T09:32:22.529Z","repository":{"id":21068007,"uuid":"24367445","full_name":"spring-attic/spring-cloud-security","owner":"spring-attic","description":"Security concerns for distributed applications implemented in Spring","archived":true,"fork":false,"pushed_at":"2022-04-04T18:56:33.000Z","size":2798,"stargazers_count":530,"open_issues_count":27,"forks_count":245,"subscribers_count":77,"default_branch":"main","last_synced_at":"2024-08-02T13:34:05.590Z","etag":null,"topics":["cloud-native","feign","java","microservices","oauth2","spring","spring-boot","spring-cloud","spring-cloud-core","zuul"],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spring-attic.png","metadata":{"files":{"readme":"README.adoc","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2014-09-23T10:47:51.000Z","updated_at":"2024-07-03T11:43:51.000Z","dependencies_parsed_at":"2022-08-25T11:40:37.090Z","dependency_job_id":null,"html_url":"https://github.com/spring-attic/spring-cloud-security","commit_stats":null,"previous_names":["spring-cloud/spring-cloud-security"],"tags_count":60,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spring-attic%2Fspring-cloud-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spring-attic%2Fspring-cloud-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spring-attic%2Fspring-cloud-security/releases","manifests_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/spring-attic%2Fspring-cloud-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spring-attic","download_url":"https://codeload.github.com/spring-attic/spring-cloud-security/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224206047,"owners_count":17273378,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-native","feign","java","microservices","oauth2","spring","spring-boot","spring-cloud","spring-cloud-core","zuul"],"created_at":"2024-08-02T13:01:45.489Z","updated_at":"2024-11-12T02:30:35.515Z","avatar_url":"https://github.com/spring-attic.png","language":"Java","readme":"# spring-cloud-security is no longer actively maintained by VMware, Inc.\n\n////\nDO NOT EDIT THIS FILE. IT WAS GENERATED.\nManual changes to this file will be lost when it is generated again.\nEdit the files in the src/main/asciidoc/ directory instead.\n////\n\n\nimage::https://badges.gitter.im/Join%20Chat.svg[\"Gitter\",link=\"https://gitter.im/spring-cloud/spring-cloud-security?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge\"]\n\n\nSpring Cloud Security offers a set of primitives for building secure\napplications and services with minimum fuss. A declarative model which\ncan be heavily configured externally (or centrally) lends itself to\nthe implementation of large systems of co-operating, remote components,\nusually with a central identity management service. 
It is also extremely\neasy to use in a service platform like Cloud Foundry. Building on\nSpring Boot and Spring Security OAuth2 we can quickly create systems that\nimplement common patterns like single sign on, token relay and token\nexchange.\n\nWARNING: In a future major release, the functionality contained in this project will move to the respective projects.\n\n== Upgrading to 1.1.0\n\nMost of the OAuth2 features moved from this project to Spring Boot 1.3, so from version 1.1 things are a little different here. Here\nis a guide to the available features as they were in 1.0, but with new names and slightly new APIs.\n\nAs in 1.0, an app will activate `@EnableOAuth2Sso` if you provide some of the\nfollowing properties in the `Environment`.\n\nYou can still customize the access rules in an SSO application, but instead\nof a specific callback (the old `OAuth2SsoConfigurer`) all you do now is\nadd `@EnableOAuth2Sso` to a `WebSecurityConfigurerAdapter`.\nFor example, if you want the resources under \"/ui/**\" to be protected with OAuth2:\n\n[source,java,indent=0]\n----\n    @Configuration\n    @EnableOAuth2Sso\n    @EnableAutoConfiguration\n    protected static class TestConfiguration extends WebSecurityConfigurerAdapter {\n        @Override\n        public void configure(HttpSecurity http) throws Exception {\n            // Restrict this filter chain to /ui/** and require authentication there\n            http.antMatcher(\"/ui/**\")\n                .authorizeRequests().anyRequest().authenticated();\n        }\n    }\n----\n\nIn this case the rest of the application will default to the normal\nSpring Boot access control for other paths (Basic authentication, or\nwhatever custom filters you put in place).\n\nThere is no `@EnableOAuth2Resource` annotation in Spring Cloud 1.1.\nYou just use the regular `@EnableResourceServer` from Spring OAuth.\n\n== Building\n\n:jdkversion: 1.8\n\n=== Basic Compile and Test\n\nTo build the source you will need to install JDK {jdkversion}.\n\nSpring Cloud uses Maven for most build-related activities, and you\nshould be able to get 
off the ground quite quickly by cloning the\nproject you are interested in and typing\n\n----\n$ ./mvnw install\n----\n\nNOTE: You can also install Maven (\u003e=3.3.3) yourself and run the `mvn` command\nin place of `./mvnw` in the examples below. If you do that you also\nmight need to add `-P spring` if your local Maven settings do not\ncontain repository declarations for spring pre-release artifacts.\n\nNOTE: Be aware that you might need to increase the amount of memory\navailable to Maven by setting a `MAVEN_OPTS` environment variable with\na value like `-Xmx512m -XX:MaxPermSize=128m`. We try to cover this in\nthe `.mvn` configuration, so if you find you have to do it to make a\nbuild succeed, please raise a ticket to get the settings added to\nsource control.\n\nFor hints on how to build the project look in `.travis.yml` if there\nis one. There should be a \"script\" and maybe \"install\" command. Also\nlook at the \"services\" section to see if any services need to be\nrunning locally (e.g. mongo or rabbit).  Ignore the git-related bits\nthat you might find in \"before_install\" since they're related to setting git\ncredentials and you already have those.\n\nThe projects that require middleware generally include a\n`docker-compose.yml`, so consider using\nhttps://docs.docker.com/compose/[Docker Compose] to run the middleware servers\nin Docker containers. See the README in the\nhttps://github.com/spring-cloud-samples/scripts[scripts demo\nrepository] for specific instructions about the common cases of mongo,\nrabbit and redis.\n\nNOTE: If all else fails, build with the command from `.travis.yml` (usually\n`./mvnw install`).\n\n=== Documentation\n\nThe spring-cloud-build module has a \"docs\" profile, and if you switch\nthat on it will try to build asciidoc sources from\n`src/main/asciidoc`. 
As part of that process it will look for a\n`README.adoc` and process it by loading all the includes, but not\nparsing or rendering it, just copying it to `${main.basedir}`\n(defaults to `${basedir}`, i.e. the root of the project). If there are\nany changes in the README it will then show up after a Maven build as\na modified file in the correct place. Just commit it and push the change.\n\n=== Working with the code\nIf you don't have an IDE preference we would recommend that you use\nhttps://www.springsource.com/developer/sts[Spring Tools Suite] or\nhttps://eclipse.org[Eclipse] when working with the code. We use the\nhttps://eclipse.org/m2e/[m2eclipse] eclipse plugin for maven support. Other IDEs and tools\nshould also work without issue as long as they use Maven 3.3.3 or better.\n\n==== Activate the Spring Maven profile\nSpring Cloud projects require the 'spring' Maven profile to be activated to resolve\nthe spring milestone and snapshot repositories. Use your preferred IDE to set this\nprofile to be active, or you may experience build errors.\n\n==== Importing into eclipse with m2eclipse\nWe recommend the https://eclipse.org/m2e/[m2eclipse] eclipse plugin when working with\neclipse. If you don't already have m2eclipse installed it is available from the \"eclipse\nmarketplace\".\n\nNOTE: Older versions of m2e do not support Maven 3.3, so once the\nprojects are imported into Eclipse you will also need to tell\nm2eclipse to use the right profile for the projects.  If you\nsee many different errors related to the POMs in the projects, check\nthat you have an up to date installation.  If you can't upgrade m2e,\nadd the \"spring\" profile to your `settings.xml`. 
Alternatively you can\ncopy the repository settings from the \"spring\" profile of the parent\npom into your `settings.xml`.\n\n==== Importing into eclipse without m2eclipse\nIf you prefer not to use m2eclipse you can generate eclipse project metadata using the\nfollowing command:\n\n[indent=0]\n----\n\t$ ./mvnw eclipse:eclipse\n----\n\nThe generated eclipse projects can be imported by selecting `import existing projects`\nfrom the `file` menu.\n\n\n== Contributing\n\n:spring-cloud-build-branch: master\n\nSpring Cloud is released under the non-restrictive Apache 2.0 license,\nand follows a very standard Github development process, using Github\ntracker for issues and merging pull requests into master. If you want\nto contribute even something trivial please do not hesitate, but\nfollow the guidelines below.\n\n=== Sign the Contributor License Agreement\nBefore we accept a non-trivial patch or pull request we will need you to sign the\nhttps://cla.pivotal.io/sign/spring[Contributor License Agreement].\nSigning the contributor's agreement does not grant anyone commit rights to the main\nrepository, but it does mean that we can accept your contributions, and you will get an\nauthor credit if we do.  Active contributors might be asked to join the core team, and\ngiven the ability to merge pull requests.\n\n=== Code of Conduct\nThis project adheres to the Contributor Covenant https://github.com/spring-cloud/spring-cloud-build/blob/master/docs/src/main/asciidoc/code-of-conduct.adoc[code of\nconduct]. By participating, you  are expected to uphold this code. Please report\nunacceptable behavior to spring-code-of-conduct@pivotal.io.\n\n=== Code Conventions and Housekeeping\nNone of these is essential for a pull request, but they will all help.  They can also be\nadded after the original pull request but before a merge.\n\n* Use the Spring Framework code format conventions. 
If you use Eclipse\n  you can import formatter settings using the\n  `eclipse-code-formatter.xml` file from the\n  https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/master/spring-cloud-dependencies-parent/eclipse-code-formatter.xml[Spring\n  Cloud Build] project. If using IntelliJ, you can use the\n  https://plugins.jetbrains.com/plugin/6546[Eclipse Code Formatter\n  Plugin] to import the same file.\n* Make sure all new `.java` files have a simple Javadoc class comment with at least an\n  `@author` tag identifying you, and preferably at least a paragraph on what the class is\n  for.\n* Add the ASF license header comment to all new `.java` files (copy from existing files\n  in the project)\n* Add yourself as an `@author` to the .java files that you modify substantially (more\n  than cosmetic changes).\n* Add some Javadocs and, if you change the namespace, some XSD doc elements.\n* A few unit tests would help a lot as well -- someone has to do it.\n* If no-one else is using your branch, please rebase it against the current master (or\n  other target branch in the main project).\n* When writing a commit message please follow https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html[these conventions],\n  if you are fixing an existing issue please add `Fixes gh-XXXX` at the end of the commit\n  message (where XXXX is the issue number).\n\n=== Checkstyle\n\nSpring Cloud Build comes with a set of checkstyle rules. You can find them in the `spring-cloud-build-tools` module. 
The most notable files under the module are:\n\n.spring-cloud-build-tools/\n----\n└── src\n    ├── checkstyle\n    │   └── checkstyle-suppressions.xml \u003c3\u003e\n    └── main\n        └── resources\n            ├── checkstyle-header.txt \u003c2\u003e\n            └── checkstyle.xml \u003c1\u003e\n----\n\u003c1\u003e Default Checkstyle rules\n\u003c2\u003e File header setup\n\u003c3\u003e Default suppression rules\n\n==== Checkstyle configuration\n\nCheckstyle rules are *disabled by default*. To add checkstyle to your project just define the following properties and plugins.\n\n.pom.xml\n----\n\u003cproperties\u003e\n\u003cmaven-checkstyle-plugin.failsOnError\u003etrue\u003c/maven-checkstyle-plugin.failsOnError\u003e \u003c1\u003e\n        \u003cmaven-checkstyle-plugin.failsOnViolation\u003etrue\n        \u003c/maven-checkstyle-plugin.failsOnViolation\u003e \u003c2\u003e\n        \u003cmaven-checkstyle-plugin.includeTestSourceDirectory\u003etrue\n        \u003c/maven-checkstyle-plugin.includeTestSourceDirectory\u003e \u003c3\u003e\n\u003c/properties\u003e\n\n\u003cbuild\u003e\n        \u003cplugins\u003e\n            \u003cplugin\u003e \u003c4\u003e\n                \u003cgroupId\u003eio.spring.javaformat\u003c/groupId\u003e\n                \u003cartifactId\u003espring-javaformat-maven-plugin\u003c/artifactId\u003e\n            \u003c/plugin\u003e\n            \u003cplugin\u003e \u003c5\u003e\n                \u003cgroupId\u003eorg.apache.maven.plugins\u003c/groupId\u003e\n                \u003cartifactId\u003emaven-checkstyle-plugin\u003c/artifactId\u003e\n            \u003c/plugin\u003e\n        \u003c/plugins\u003e\n\n    \u003creporting\u003e\n        \u003cplugins\u003e\n            \u003cplugin\u003e \u003c5\u003e\n                \u003cgroupId\u003eorg.apache.maven.plugins\u003c/groupId\u003e\n                \u003cartifactId\u003emaven-checkstyle-plugin\u003c/artifactId\u003e\n            \u003c/plugin\u003e\n        \u003c/plugins\u003e\n    
\u003c/reporting\u003e\n\u003c/build\u003e\n----\n\u003c1\u003e Fails the build upon Checkstyle errors\n\u003c2\u003e Fails the build upon Checkstyle violations\n\u003c3\u003e Checkstyle also analyzes the test sources\n\u003c4\u003e Add the Spring Java Format plugin that will reformat your code to pass most of the Checkstyle formatting rules\n\u003c5\u003e Add checkstyle plugin to your build and reporting phases\n\nIf you need to suppress some rules (e.g. line length needs to be longer), then it's enough for you to define a file under `${project.root}/src/checkstyle/checkstyle-suppressions.xml` with your suppressions. Example:\n\n.projectRoot/src/checkstyle/checkstyle-suppressions.xml\n----\n\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE suppressions PUBLIC\n\t\t\"-//Puppy Crawl//DTD Suppressions 1.1//EN\"\n\t\t\"https://www.puppycrawl.com/dtds/suppressions_1_1.dtd\"\u003e\n\u003csuppressions\u003e\n\t\u003csuppress files=\".*ConfigServerApplication\\.java\" checks=\"HideUtilityClassConstructor\"/\u003e\n\t\u003csuppress files=\".*ConfigClientWatch\\.java\" checks=\"LineLengthCheck\"/\u003e\n\u003c/suppressions\u003e\n----\n\nIt's advisable to copy the `${spring-cloud-build.rootFolder}/.editorconfig` and `${spring-cloud-build.rootFolder}/.springformat` to your project. That way, some default formatting rules will be applied. 
You can do so by running this script:\n\n```bash\n$ curl https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/master/.editorconfig -o .editorconfig\n$ touch .springformat\n```\n\n=== IDE setup\n\n==== Intellij IDEA\n\nIn order to setup Intellij you should import our coding conventions, inspection profiles and set up the checkstyle plugin.\nThe following files can be found in the https://github.com/spring-cloud/spring-cloud-build/tree/master/spring-cloud-build-tools[Spring Cloud Build] project.\n\n.spring-cloud-build-tools/\n----\n└── src\n    ├── checkstyle\n    │   └── checkstyle-suppressions.xml \u003c3\u003e\n    └── main\n        └── resources\n            ├── checkstyle-header.txt \u003c2\u003e\n            ├── checkstyle.xml \u003c1\u003e\n            └── intellij\n                ├── Intellij_Project_Defaults.xml \u003c4\u003e\n                └── Intellij_Spring_Boot_Java_Conventions.xml \u003c5\u003e\n----\n\u003c1\u003e Default Checkstyle rules\n\u003c2\u003e File header setup\n\u003c3\u003e Default suppression rules\n\u003c4\u003e Project defaults for Intellij that apply most of Checkstyle rules\n\u003c5\u003e Project style conventions for Intellij that apply most of Checkstyle rules\n\n.Code style\n\nimage::https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/{spring-cloud-build-branch}/docs/src/main/asciidoc/images/intellij-code-style.png[Code style]\n\nGo to `File` -\u003e `Settings` -\u003e `Editor` -\u003e `Code style`. There click on the icon next to the `Scheme` section. There, click on the `Import Scheme` value and pick the `Intellij IDEA code style XML` option. 
Import the `spring-cloud-build-tools/src/main/resources/intellij/Intellij_Spring_Boot_Java_Conventions.xml` file.\n\n.Inspection profiles\n\nimage::https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/{spring-cloud-build-branch}/docs/src/main/asciidoc/images/intellij-inspections.png[Code style]\n\nGo to `File` -\u003e `Settings` -\u003e `Editor` -\u003e `Inspections`. There click on the icon next to the `Profile` section. There, click on the `Import Profile` and import the `spring-cloud-build-tools/src/main/resources/intellij/Intellij_Project_Defaults.xml` file.\n\n.Checkstyle\n\nTo have Intellij work with Checkstyle, you have to install the `Checkstyle` plugin. It's advisable to also install the `Assertions2Assertj` to automatically convert the JUnit assertions\n\nimage::https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/{spring-cloud-build-branch}/docs/src/main/asciidoc/images/intellij-checkstyle.png[Checkstyle]\n\nGo to `File` -\u003e `Settings` -\u003e `Other settings` -\u003e `Checkstyle`. There click on the `+` icon in the `Configuration file` section. There, you'll have to define where the checkstyle rules should be picked from. In the image above, we've picked the rules from the cloned Spring Cloud Build repository. However, you can point to the Spring Cloud Build's GitHub repository (e.g. for the `checkstyle.xml` : `https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/master/spring-cloud-build-tools/src/main/resources/checkstyle.xml`). We need to provide the following variables:\n\n- `checkstyle.header.file` - please point it to the Spring Cloud Build's, `spring-cloud-build-tools/src/main/resources/checkstyle-header.txt` file either in your cloned repo or via the `https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/master/spring-cloud-build-tools/src/main/resources/checkstyle-header.txt` URL.\n- `checkstyle.suppressions.file` - default suppressions. 
Please point it to the Spring Cloud Build's, `spring-cloud-build-tools/src/checkstyle/checkstyle-suppressions.xml` file either in your cloned repo or via the `https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/master/spring-cloud-build-tools/src/checkstyle/checkstyle-suppressions.xml` URL.\n- `checkstyle.additional.suppressions.file` - this variable corresponds to suppressions in your local project. E.g. you're working on `spring-cloud-contract`. Then point to the `project-root/src/checkstyle/checkstyle-suppressions.xml` folder. Example for `spring-cloud-contract` would be: `/home/username/spring-cloud-contract/src/checkstyle/checkstyle-suppressions.xml`.\n\nIMPORTANT: Remember to set the `Scan Scope` to `All sources` since we apply checkstyle rules for production and test sources.\n","funding_links":[],"categories":["Java"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspring-attic%2Fspring-cloud-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspring-attic%2Fspring-cloud-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspring-attic%2Fspring-cloud-security/lists"}