Cryptomator VS Spring Security

the best way to do this is with https://cryptomator.org

Before putting anything on a cloud service I would recommend 3rd party tools, like Cryptomator, to encrypt folders and such, then upload to a cloud service.

I use Cryptomator - https://cryptomator.org

I've used countless encryption "schemes" over the years, from True/Vera-Crypt to encrypted sparse bundles/images, and none have ever really felt right.

These days i tend to use Cryptomator[0] instead. It accomplishes what none of the others could do, which is transparent encryption across devices.

With Cryptomator, i simply create a vault somewhere in the cloud, stuff data in it, and i can access it from my laptop, phone or tablet, and not think much about it. It integrates into the normal file browsing APIs, and doesn't get in the way.

Because it does "per file" encryption, it also doesn't need to download a 20-100MB chunk from the cloud before decrypting, so it's rather fast (depending on file size of course).

[0]: https://cryptomator.org/

Cryptomator's arguably the most popular encryption software for cloud storage (you can give yourself zero-knowledge encryption by using them) - it's actually what they specialize & focus on (cloud encryption). It's 100% open source and Free to use on computers. On phones I believe it's just a 1-time fee of a few bucks ($13-14, then you have it forever) - note: their iOS offering is still new, so may be a bit unpolished at the moment.

This is the solution: https://cryptomator.org/

Cryptomator. It is made for uploading files securely to cloud storage, but works locally, is easy to use, and completely free for your use case.

Spring security has long had great OAuth2.0 support from both the server and client elements. Recently spring security added support for the private_key_jwt client authentication method as part of the authorization code grant flow. Spring Security GitHub ref

To be fair there were quite some unexpected surprises in the past with Spring and Kotlin (e.g. the Cachable annotation did not work with suspend functions, not all Spring security annotations were supported with coroutines), but most of them were ironed out already.

They recently updated all the examples in the javadocs if you wanna bump your Spring Security version to 5.7.3 (see here). Otherwise the reference docs all reflect the non-deprecated approach that uses SecurityFilterChain and supporting beans.

Spring Security 5.7

Since Spring Security 5.7.0-M2 the use of WebSecurityConfigurerAdapter was deprecated (link to GitHub - https://github.com/spring-projects/spring-security/issues/10822) to move to component-based security configuration.

When i start the flow, no proxy is used and even the WebClient is not used to get access token. And i get a timeout exception for that. The same issue was discussed in Github: https://github.com/spring-projects/spring-security/issues/8966

You can extract (and validate) the JWT token into the Principal by implementing the getPreAuthenticatedPrincipal method, and map the claims to user details by providing through a custom implementation of AuthenticationUserDetailsService.

Or, maybe simpler, is to create your own filter and add it after the SecurityContextPersistenceFilter. Here, just recreate the authentication token from the database, which is what token based authentication does (token based authentication has to preauthenticated authentication from the token for the actual user authentication with the user details).