I am currently using Spring Security 4 on Spring MVC. I try to config anti-CSRF using REST service, not servlet. This post is very useful but it uses Java configuration. How can I convert
http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
into an XML configuration environment?
Thanks.
XML can be following for addfilterAfter()
<http>
<custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="org.security.filter.CustomFilter"/>
Hope it will help....
Related
I want to use the xml configuration file for registering clients for OAUTH2 in my web application. I know that there exist support for xml tags using the client-registrations tag
However I want to register the client registration repository as a bean. So that it is extensible, something like this:
<beans:bean id="clientRegistrationRepository" class="org.springframework.security.oauth2.client.registration.ClientRegistrationRepository">
<beans:constructor-arg index="0" ref="clientRegistration"/>
</beans:bean>
... more tags expanding clientRegistration
However this does not work. Does any one know how we can do this ?
I support a website that uses Spring Security (5.3.3.RELEASE). The site can't be displayed in iframe in other sites because of the following configuration
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
Now I am asked to allow a few pages to be displayed in iframe in ANY other sites (not a specific list of sites). I looked at the Spring documentation, and it appears that I can add a bean in the following way:
<security:headers>
<security:frame-options policy="SAMEORIGIN" ref="bean_id"/>
</security:headers>
I am not able to find info about what interface or methods the bean (bean_id) must implement or whether it can be used to decide what pages are frameable. Any help or example is really appreciated.
The interface is of type AllowFromStrategy. But that interface is deprecated since the ALLOW-FROM is an obsolete directive that no longer works in modern browsers, see here. The alternative is to use CSP: frame-ancestors.
Spring Security has support for the Content-Security-Policy header. You can rely on the DelegatingRequestMatcherHeaderWriter implementation to add the headers only to specific pages, like so:
<http>
<!-- ... -->
<headers>
<header ref="headerWriter"/>
</headers>
</http>
<beans:bean id="headerWriter"
class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
<beans:constructor-arg>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
c:pattern="/page-with-csp"/>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter"/>
</beans:constructor-arg>
</beans:bean>
Can any one tell me, how to configure spring mvc project that contains controllers both annotated and configured??
I want to configure static pages using ParametrizedViewController and rest of all using Annotations.
But it is not working??
Please someone tell the configuration file(dispatcher-servlet.xml in my case) which will contain both this requirements.
Thanks in advance.
<!-- Registering MVC stuff necessary for #RequestMapping -->
<mvc:annotation-driven />
<!-- Your view controller definition -->
<mvc:view-controller path="/home" view-name="home" />
Context is Spring 3.1 (we use Spring MVC and Spring Security).
What we are trying to do is an admin page only available when the admin profile is active. With Spring Security, we tried something like:
<security:http use-expressions="true" entry-point-ref="entryPointDenied">
<security:intercept-url pattern="/admin/**" access="denyAll" />
</security:http>
<beans profile="admin">
<security:http use-expressions="true">
<security:intercept-url pattern="/admin/**" access="permitAll" />
<sec:form-login/>
</security:http>
</beans>
But that doesn't work as we can't override security:http definitions (we tried using the http#name attribute). So with above configuration, we get
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored.
Also we can't use the negated profile (i.e. profile="!admin") feature as it is introduced in Spring 3.2.
Ideally the solution should be purely Spring configuration.
Edit: added missing use-expressions="true" to the second security:http
What is the best way to protect our Spring MVC application from CSRF and XSS.
Is there native Spring MVC support for this?
In Spring:
Forms ( globally):
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
Forms ( locally):
<spring:htmlEscape defaultHtmlEscape="true" />
You can use Spring Security 3.2.0.RELEASE and enable csrf support with this configuration
<http>
<!-- ... -->
<csrf />
</http>
Here is a blog about it.
http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html
another one.
http://web.securityinnovation.com/appsec-weekly/blog/bid/79007/How-to-Prevent-Cross-Site-Request-Forgery-CSRF-in-SpringMVC
For token generation esapi can be used.
https://code.google.com/p/owasp-esapi-java/