How to enforce license check on each .jsp page on spring mvc webapplication? - spring-mvc

We are developing a web application with Spring MVC and REST-based controllers. We have already implemented authentication using Spring Security. Now this product should run with a valid license. This implementation is done, and before the webapp starts up we have this check to see whether the product is licensed or not. If not, the user can upload a license file and they can start using the product.
Once they start using the product, say after a few days, the license might expire (of course, starting the server will catch this, but if there is no server restart then they can happily use it forever after expiry). So I want to have a check on each request, whether the product is licensed (just like isAuthenticated()) or not. If not licensed, I can redirect to the license upload page.
Any ideas / pointers are appreciated.
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<beans:bean id="mySuccessHandler" class="com.cavirin.security.MySavedRequestAwareAuthenticationSuccessHandler" />
<authentication-manager alias="authenticationManager">
  <authentication-provider ref="localAuthenticationProvider" />
</authentication-manager>
<http auto-config="true" use-expressions="true">
  <request-cache ref="authenticationRequestCache" />
  <form-login login-page="/"
              authentication-success-handler-ref="successHandler"
              authentication-failure-url="/rest/login/reAuthenticate" />
  <intercept-url pattern="/rest/**" access="isAuthenticated()" />
</http>
<beans:bean id="successHandler"
            class="com.cavirin.security.MySavedRequestAwareAuthenticationSuccessHandler">
  <beans:property name="defaultTargetUrl" value="/rest/login/checkUser" />
</beans:bean>

To check on every request you could just add a filter to your app. But that would be very annoying for users who were half-way through doing something when they get redirected to the license page. It also seems quite inefficient. As an alternative, you could add an AuthenticationProvider which just checks when someone logs in and denies authentication otherwise.
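The per-request filter the answer mentions, as an added example that is not part of the question or the answer: a OncePerRequestFilter that compares the cached license expiry with the current time on every request and sends unlicensed traffic to the upload page. LicenseService, the package name, the /license/upload path and the list of open paths are assumptions; the /rest/ prefix comes from the question's configuration.

```java
package com.example.license;   // hypothetical package

import java.io.IOException;
import java.time.Instant;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical abstraction over the product's license file; the real loader would implement it. */
interface LicenseService {
    /** Expiry of the installed license, or null when none is installed. Expected to be cached. */
    Instant expiresAt();
}

/** Sends every request for a missing or expired license to the license upload page. */
public class LicenseCheckFilter extends OncePerRequestFilter {

    static final String UPLOAD_PATH = "/license/upload";   // assumed path of the upload page

    private final LicenseService licenseService;
    private final List<String> openPaths;   // paths that must keep working without a license

    public LicenseCheckFilter(LicenseService licenseService, List<String> openPaths) {
        this.licenseService = licenseService;
        this.openPaths = openPaths;
    }

    /** Path inside the webapp, independent of how the servlet is mapped. */
    static String pathWithinApp(HttpServletRequest request) {
        return request.getRequestURI().substring(request.getContextPath().length());
    }

    /** Exact match or directory prefix match against the configured open paths. */
    static boolean isOpen(String path, List<String> openPaths) {
        for (String open : openPaths) {
            String prefix = open.endsWith("/") ? open : open + "/";
            if (path.equals(open) || path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** True while the cached expiry lies in the future; no license counts as not licensed. */
    boolean isLicensed(Instant now) {
        Instant expiry = licenseService.expiresAt();
        return expiry != null && now.isBefore(expiry);
    }

    /** The upload page, the login endpoints and static resources are never blocked. */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return isOpen(pathWithinApp(request), openPaths);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (isLicensed(Instant.now())) {
            chain.doFilter(request, response);
            return;
        }
        if (pathWithinApp(request).startsWith("/rest/")) {
            // An API caller cannot follow an HTML redirect; give it a status it can act on.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Product license missing or expired");
            return;
        }
        response.sendRedirect(request.getContextPath() + UPLOAD_PATH);
    }
}

// Registration in the security XML (bean ids assumed). Placing the filter after the
// FilterSecurityInterceptor means authentication and authorization have already run, so an
// anonymous request is still sent to the login page first, not to the upload page:
//
//   <http ...>
//     <custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="licenseCheckFilter"/>
//   </http>
//   <beans:bean id="licenseCheckFilter" class="com.example.license.LicenseCheckFilter">
//     <beans:constructor-arg ref="licenseService"/>
//     <beans:constructor-arg>
//       <beans:list>
//         <beans:value>/</beans:value>
//         <beans:value>/rest/login</beans:value>
//         <beans:value>/license</beans:value>
//         <beans:value>/resources</beans:value>
//       </beans:list>
//     </beans:constructor-arg>
//   </beans:bean>
```

Two points matter for the concerns raised in the answer. The filter's per-request cost is one Instant comparison, provided LicenseService caches the parsed file rather than re-reading it each time, so the efficiency worry goes away. The upload page itself must still be covered by an intercept-url that requires an administrator role, otherwise anyone could replace the license once it has expired.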

Related

Spring security: allow a few pages to be displayed in iframe

I support a website that uses Spring Security (5.3.3.RELEASE). The site can't be displayed in an iframe on other sites because of the following configuration:
<security:headers>
  <security:frame-options policy="SAMEORIGIN"/>
</security:headers>
Now I am asked to allow a few pages to be displayed in iframe in ANY other sites (not a specific list of sites). I looked at the Spring documentation, and it appears that I can add a bean in the following way:
<security:headers>
  <security:frame-options policy="SAMEORIGIN" ref="bean_id"/>
</security:headers>
I am not able to find info about what interface or methods the bean (bean_id) must implement or whether it can be used to decide what pages are frameable. Any help or example is really appreciated.
The interface is of type AllowFromStrategy. But that interface is deprecated since the ALLOW-FROM is an obsolete directive that no longer works in modern browsers, see here. The alternative is to use CSP: frame-ancestors.
Spring Security has support for the Content-Security-Policy header. You can rely on the DelegatingRequestMatcherHeaderWriter implementation to add the headers only to specific pages, like so:
<http>
  <!-- ... -->
  <headers>
    <header ref="headerWriter"/>
  </headers>
</http>

<beans:bean id="headerWriter"
            class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
  <!-- first constructor argument: which requests get the header -->
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
      <beans:constructor-arg value="/page-with-csp"/>
    </beans:bean>
  </beans:constructor-arg>
  <!-- second constructor argument: the writer that produces the Content-Security-Policy header -->
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter"/>
  </beans:constructor-arg>
</beans:bean>
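The same arrangement in Java configuration, as an added example that is not part of the answer: the default SAMEORIGIN writer is disabled and replaced by two request-matched writers, so the frameable pages receive only a CSP frame-ancestors directive and every other page keeps X-Frame-Options: SAMEORIGIN. The /embeddable/** path and the package name are assumptions; the classes are Spring Security 5.3's own.

```java
package com.example.web;   // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class FrameHeadersConfig extends WebSecurityConfigurerAdapter {

    /** Pages that any site may embed (assumed path). */
    static final RequestMatcher FRAMEABLE = new AntPathRequestMatcher("/embeddable/**");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // The default writer would add X-Frame-Options: SAMEORIGIN to every response,
            // including the frameable pages, so it is replaced by the two matched writers below.
            .frameOptions(frame -> frame.disable())
            .addHeaderWriter(sameOriginEverywhereElse())
            .addHeaderWriter(frameAncestorsAnyForFrameable()));
        // ... the application's login and authorization rules follow here
    }

    /** X-Frame-Options: SAMEORIGIN for every request that is not a frameable page. */
    static HeaderWriter sameOriginEverywhereElse() {
        return new DelegatingRequestMatcherHeaderWriter(
            new NegatedRequestMatcher(FRAMEABLE),
            new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
    }

    /** Content-Security-Policy: frame-ancestors * only for the frameable pages. */
    static HeaderWriter frameAncestorsAnyForFrameable() {
        return new DelegatingRequestMatcherHeaderWriter(
            FRAMEABLE,
            new ContentSecurityPolicyHeaderWriter("frame-ancestors *"));
    }
}
```

The policy string is the only thing that changes if a restricted list of embedding origins is wanted later: frame-ancestors accepts a whitespace-separated list of origins in place of *. In XML the same result needs `<frame-options disabled="true"/>` inside `<headers>` plus two `<header ref="..."/>` entries pointing at beans built like the two methods above.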

Spring Security addFilterAfter using XML configuration

I am currently using Spring Security 4 on Spring MVC. I am trying to configure anti-CSRF for a REST service, not a servlet. This post is very useful but it uses Java configuration. How can I convert
http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
into an XML configuration environment?
Thanks.
The XML equivalent of addFilterAfter() can be the following:
<http>
  <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="org.security.filter.CustomFilter"/>
Hope it will help....
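The filter being registered, as an added example that is neither the questioner's code nor the linked post's: it copies the token that Spring Security's CsrfFilter has already attached to the request into three response headers, so a JavaScript REST client can read them and send the token back on its next state-changing call. The package is taken from the answer's bean definition; the header names are assumptions.

```java
package org.security.filter;   // package assumed from the answer's bean definition

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.filter.OncePerRequestFilter;

/** Exposes the current CSRF token to REST clients through response headers. */
public class CsrfTokenResponseHeaderBindingFilter extends OncePerRequestFilter {

    // Assumed header names; the client reads them and echoes the token back.
    static final String HEADER_NAME_HEADER = "X-CSRF-HEADER";   // name of the header the server expects
    static final String PARAM_NAME_HEADER = "X-CSRF-PARAM";     // name of the form parameter alternative
    static final String TOKEN_HEADER = "X-CSRF-TOKEN";          // the token value itself

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // CsrfFilter stores the token as a request attribute keyed by the CsrfToken class name,
        // which is why this filter has to sit after it in the chain.
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token != null) {
            response.setHeader(HEADER_NAME_HEADER, token.getHeaderName());
            response.setHeader(PARAM_NAME_HEADER, token.getParameterName());
            response.setHeader(TOKEN_HEADER, token.getToken());
        }
        chain.doFilter(request, response);
    }
}

// XML registration (bean id assumed). CSRF_FILTER is the namespace alias for CsrfFilter,
// so this placement mirrors the Java-config addFilterAfter(..., CsrfFilter.class) exactly:
//
//   <http>
//     <csrf/>
//     <custom-filter after="CSRF_FILTER" ref="csrfHeaderFilter"/>
//   </http>
//   <beans:bean id="csrfHeaderFilter"
//               class="org.security.filter.CsrfTokenResponseHeaderBindingFilter"/>
```

The answer's after="BASIC_AUTH_FILTER" position also works, because BasicAuthenticationFilter comes later in the standard chain than CsrfFilter, so the request attribute is already set by the time this filter runs. Note that the token only reaches the client on responses it can read, so the exposure is limited by the same-origin policy in the same way as the session cookie.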

Spring Security - overriding default configuration in profile

Context is Spring 3.1 (we use Spring MVC and Spring Security).
What we are trying to do is an admin page only available when the admin profile is active. With Spring Security, we tried something like:
<security:http use-expressions="true" entry-point-ref="entryPointDenied">
  <security:intercept-url pattern="/admin/**" access="denyAll" />
</security:http>

<beans profile="admin">
  <security:http use-expressions="true">
    <security:intercept-url pattern="/admin/**" access="permitAll" />
    <security:form-login/>
  </security:http>
</beans>
But that doesn't work as we can't override security:http definitions (we tried using the http#name attribute). So with above configuration, we get
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored.
Also we can't use the negated profile (i.e. profile="!admin") feature as it is introduced in Spring 3.2.
Ideally the solution should be purely Spring configuration.
Edit: added missing use-expressions="true" to the second security:http

Spring MVC : How to Protect Application from CSRF and XSS

What is the best way to protect our Spring MVC application from CSRF and XSS?
Is there native Spring MVC support for this?
In Spring:
Forms (globally):
<context-param>
  <param-name>defaultHtmlEscape</param-name>
  <param-value>true</param-value>
</context-param>
Forms (locally):
<spring:htmlEscape defaultHtmlEscape="true" />
You can use Spring Security 3.2.0.RELEASE and enable csrf support with this configuration
<http>
  <!-- ... -->
  <csrf />
</http>
Here is a blog about it.
http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html
Another one:
http://web.securityinnovation.com/appsec-weekly/blog/bid/79007/How-to-Prevent-Cross-Site-Request-Forgery-CSRF-in-SpringMVC
For token generation esapi can be used.
https://code.google.com/p/owasp-esapi-java/
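The two halves of the answer in Java form, as an added example that is not part of the question or the answers: the Java-config equivalent of `<csrf />`, and the HTML escaping that `defaultHtmlEscape` switches on for Spring's form and bind tags, which call HtmlUtils.htmlEscape underneath. The package name and the form-login setup are assumptions; the escape helper is shown separately so its effect on a constructed payload can be inspected.

```java
package com.example.security;   // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.util.HtmlUtils;

@Configuration
@EnableWebSecurity
public class CsrfXssConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is on by default in Java config (Spring Security 3.2+); it is
            // written out so the intent is visible. Every POST/PUT/DELETE must then carry the
            // token, which JSPs reach as ${_csrf.parameterName} and ${_csrf.token}.
            .csrf().and()
            .authorizeRequests().anyRequest().authenticated().and()
            .formLogin();
    }

    /**
     * Output escaping for the HTML text context. Spring's form/bind tags do exactly this
     * when defaultHtmlEscape is true; data written to a page by other means (JSTL c:out
     * with escapeXml="false", scriptlets, raw ${...}) needs it applied explicitly.
     */
    public static String escapeForHtml(String untrusted) {
        return HtmlUtils.htmlEscape(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input: the kind of value a user could submit in a form field.
        String untrusted = "<b onmouseover=\"x()\">hi</b>";
        System.out.println(escapeForHtml(untrusted));
    }
}
```

Escaping is context-specific: htmlEscape is correct for element text and quoted attribute values, but a value placed inside a script block, a URL or a CSS rule needs the encoder for that context, which is what the ESAPI encoders linked above provide.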

How to prevent Spring Security 2.5 from overriding the loading of a Welcome Page (index.html)

I have a Spring MVC web app for which I'd like to show a simple welcome page (index.html). On that page, I just want to have 2 href links: one to bring me to the login page that is then implemented using Spring Security (2.5.6) and Hibernate 3, and the other to a registration page for new users.
However, the problem is that Spring Security automatically loads my login page each time and does NOT load the index.html page where I have coded the 2 links to forward me to either login or registration. I am brought to the login page, which works fine. However, I never get to show the initial index.html page of my web application.
Can anyone shed light on how to prevent Spring Security from overriding the 'Welcome Page' with its login page?
Many thanks.
Here is my Spring Security set up in web.xml:
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    WEB-INF/spring-beans.xml
    WEB-INF/spring-security.xml
  </param-value>
</context-param>
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
  <welcome-file>index.html</welcome-file>
</welcome-file-list>
There's nothing wrong with your web.xml file, you need to show us your WEB-INF/spring-security.xml file.
If you keep getting directed to the login page, chances are you messed up the intercept-url pattern, which causes your welcome page to be caught by Spring Security for authentication before displaying it.
This is an example of the intercept-url tags that you will find in your WEB-INF/spring-security.xml file:-
<http auto-config="true" access-denied-page="/accessDenied.jsp">
  <intercept-url pattern="/login.jsp*" filters="none"/>
  <intercept-url pattern="/admin/searchUsers.do" access="ROLE_ADMIN" />
  <intercept-url pattern="/**.do" access="ROLE_USER,ROLE_ADMIN" />
  <form-login authentication-failure-url="/login.jsp?login_error=1" default-target-url="/home.do"/>
  <logout logout-success-url="/home.do"/>
</http>
Use
<form-login login-page="/login.jsp" />
A controller should handle the user's request, and in your case no controller is mapped to this URL. When a controller is found, it performs some logic and returns a view name which is used to render the server's response. So the view name translator is called only after the controller, and only to deduce the full path to a particular JSP file.
Try to add
<mvc:view-controller path="/" view-name="index"/>
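The three answers combined in Java configuration for a current Spring Security version, as an added example that is not part of the question or the answers: the welcome, registration and login pages are declared permitAll before the catch-all rule, the login page is named explicitly so Spring Security does not substitute its generated one, and "/" is mapped straight to the index view. Package name and the /register path are assumptions; the other paths come from the answers above.

```java
package com.example.web;   // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
@EnableWebSecurity
class WelcomePageSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Order matters: the open pages are listed before the rules that require a login,
                // which is the same fix as putting the welcome page's intercept-url first in XML.
                .antMatchers("/", "/index.html", "/register", "/login.jsp").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // Naming the page is the Java form of <form-login login-page="/login.jsp"/>.
                .loginPage("/login.jsp")
                .defaultSuccessUrl("/home.do")
                .failureUrl("/login.jsp?login_error=1")
                .and()
            .logout()
                .logoutSuccessUrl("/home.do");
    }
}

/** Java form of <mvc:view-controller path="/" view-name="index"/>. */
@Configuration
class WelcomePageMvcConfig implements WebMvcConfigurer {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/").setViewName("index");
    }
}
```

With this layout an unauthenticated visitor sees index.html and can follow either link; only a request for a page outside the permitAll list triggers the redirect to /login.jsp, and after a successful login the saved request is replayed rather than always landing on /home.do.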
