Spring Security Forrward fro one login page to another - spring-mvc

I am using Spring Security 3.2 annotations.
I configured two HttpSecurity to secure /admin/** (ADMIN role) and /** (USER role). Each secured section has its own login page.
At startup the user is directed OK to login page of USER.
In this page there is a link to a secured page of ADMIN, so my thought was that when clicking on that link the user will be directed to the ADMIN login page. BUT it seems that the browser stays on USER login page.
What am I missing?

check your logs, turn them on in log4j.properties file if you cant see anything.
Probably spring security consider you as an authorized user but without required ADMIN role.
Try to log out and type admin page url directly in your browser - do you get admin login page?

Related

AuthorizeAttribute, anyway of checking in advance if this will pass

I have controller actions which have AuthorizeAttribute on them
Often someone will try an old url which will take them (forms authentication) to the logon page and then redirect to the url, but it may be for whatever reason that they are no longer allowed to access to that page
Is there any way of testing the url before redirecting?
I can decompose the url into the area/controller/action and test it but it feels clumsy to do that
(Extra info)
Our site is part of a product family, in the desktop app we can determine who has access to what parts. e.g. we may have a clocking page, a user accesses it and keeps the url. In the main product we remove their access to this page, the authorizeattribute now says they don't have access to it.
So we get
they try to access the url
forms authentication says they don't have access and reroutes to the logon page
they logon, however they still don't have access to this page and they are redirected again to the logon page.
With form authentication, please make sure you have set authentication cookie on logon page after validating user:
FormsAuthentication.SetAuthCookie(userId, rememberMe);
This will authenticate user in order to prevent from redirecting to Logon page again.
You can also check to see whether the user has been authenticated by:
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
var loggedOnUserId = HttpContext.Current.User.Identity.Name;
}

FOSUserBundle for admin and front end

I am new to Symfony2. I am trying to use FOSUserBundle for user authentication.
Is it possible to use single FOSUserBundle for admin as well as front end section? If yes, then what changes i will need to make at script level?
What i want is:
1. if i access url http://localhost/symfony/admin/ then i should be redirected to http://localhost/symfony/admin/login if admin is not logged in and after successful login, i should be redirected to http://localhost/symfony/admin/
2. if i access url http://localhost/symfony/profile/ then i should be redirected to http://localhost/symfony/login if user is not logged in and after successful login, i should be redirected to http://localhost/symfony/profile/.
By default FOSUserBundle create user as administrator. So what change need to place in to let bundle create user role for front end automatically and admin role for admin section.
You need to override the authentication-success listener in your security configuration to have user's redirected to different pages after login depending on their roles.
Have a look at this answer and maybe find some inspiration by looking at symfony's DefaultAuthenticationSuccessHandler.
Further you will need to override the access-denied handler ( see this answer ) to have user's get redirected to different login pages depending on the url they're trying to access without being authenticated.

Sina Weibo Authorization page

I'm developing a Sina Weibo integration and I'm doing the oauth correctly but I have a problem with authorization page. When I click on enter, I accept authorization page and I can loggin correctly but if I log off and I try to clic another time enter, I can only see a login page, but no an authorization page.
How can I force that an authorization page shows always?
The correct login flow consists of the following:
1. redirect user to the authorize page with the app's client id
2. client logs in to weibo (authentication)
3. client grants the application requested permissions (authorization)
4. client is redirected to your app page.
I believe the step you are asking about is #3. Once a user has granted your application permissions, this will be stored on their weibo account. The user will no longer be prompted to grant permissions every time the user logs in. The exception is when the user has removed your application from their weibo account. Thus there is no way for your application to force the user to reauthorize your app every time. It is unclear under what circumstances this would ever be required/beneficial.
As a side note:
If a user is already logged in, #2 is skipped by default. The user can be forced to relogin with the forcelogin parameter described in the docs: http://open.weibo.com/wiki/2/oauth2/authorize/en

Redirect to Home page if user already logged in, in same browser asp .net c#

I want to make application that if user in logged in the web site in one tab of browser and if he open application in second tab than he should not redirect to login page but he should redirect to Home page. just like Facebook or yahoomail in asp.net C#
please help
To do this you should use a persistent auth cookie. This will allow authentication to be maintained across tabs. It's a flag when you authenticate users, see here.
FormsAuthentication.SetAuthCookie("name", true); // persistant auth cookie
You can set a custom session attribute in Session_Start method in Global.asax, and when home page loads check that assigned session still available or not, if it exists still then redirect to logged page.
if (Session["UserId"] != null){Response.Redirect("/home/Index");}
I hope this will help you.

ASP.NET: directing user to login page, after login send user back to page requested originally?

I am trying to manually implement a login system in ASP.NET 3.5. Basically, on load, I would like the site to check and see if user object is active, if not, than I want the login page to appear.
After user has logged in successfully, I would like the user to be able to access the same page he has requested originally.
for example:
user request to: MyPage.aspx - not logged in
login page appears instead of MyPage.aspx
user logs in successfully
MyPage.aspx appears instead of Default.aspx for example
Peering at the System.Net namespace, I see that there is an "HttpWebRequest Class" which has a "HttpWebRequest.AllowAutoRedirect Property" but am unsure how that would get me back from the login page.
NOTE: I know there are automatic authentication systems setup in ASP.NET, but I would like to have manual control over the database.
-- Tomek
What you could do, if you don't want to actually use the built in Forms Authentcation is:
Check if the user is authenticated on each page you want to hide from anonymous users. If they are not authenticated, redirect them to your login page with the URL in the query string.
if(!HttpContext.Current.User.Identity.IsAuthenticated) {
Response.Redirect(~/login.aspx?redirect=this_page.aspx");
}
Then on your login page, after a user logs in. Check the query string to see if there is a redirect parameter.
if(!String.IsNullorEmpty(Request.QueryString["redirect"]) {
string url = ResolveClientURL(redirect);
Response.Redirect(url);
}
Of course this is all built into .NET using Authentication, where you can deny anonymous access to certain directories, and when you do that, .NET will redirect to your login page (which is set in the web.config) and will include a "ReturnURL=blahblah" on your login page.
Just an FYI.
Just save the originally requested url in Session or a hidden field on the login page
After successful login, use Server.Transfer or Response.Redirect to jump to that page.
It looks like another method is described here. It seems that you can use the following object to return from the login page:
FormsAuthentication.RedirectFromLoginPage
Yet, according to the article, the better method is to use what JackM described, but with an overload:
Response.Redirect("~/default.aspx", false);
In doing so, you prevent the Session from ending when the page is redirected.

Resources