I have got spring security using kerberos authentication successfully working. But it seems the spring framework is invoking KerberosServiceAuthenticationProvider.userDetailsService to get the roles, I would have thought that it gets the roles only once until the session is invalidated. My config looks like
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http entry-point-ref="spnegoEntryPoint" auto-config="false">
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/j_spring_security_check*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
<form-login login-page="/login.html" default-target-url="/" always-use-default-target="true"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="kerberosServiceAuthenticationProvider" />
<authentication-provider ref="kerberosAuthenticationProvider"/>
</authentication-manager>
<beans:bean id="spnegoEntryPoint"
class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
<beans:bean id="spnegoAuthenticationProcessingFilter"
class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
<beans:property name="failureHandler">
<beans:bean class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.html" />
<beans:property name="allowSessionCreation" value="true"/>
</beans:bean>
</beans:property>
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="kerberosServiceAuthenticationProvider"
class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
<beans:property name="ticketValidator">
<beans:bean
class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
<beans:property name="servicePrincipal" value="HTTP/mywebserver.corpza.corp.co.za"/>
<beans:property name="keyTabLocation" value="classpath:mywebserver.keytab" />
<beans:property name="debug" value="true"/>
</beans:bean>
</beans:property>
<beans:property name="userDetailsService" ref="dummyUserDetailsService" />
</beans:bean>
<beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
<beans:property name="kerberosClient">
<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
<beans:property name="debug" value="true" />
</beans:bean>
</beans:property>
<beans:property name="userDetailsService" ref="dummyUserDetailsService" />
</beans:bean>
<beans:bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
<beans:property name="debug" value="true" />
<beans:property name="krbConfLocation" value="/etc/krb5.conf" />
</beans:bean>
<beans:bean id="dummyUserDetailsService" class="main.server.DummyUserDetailsService"/>
</beans:beans>
so my DummyUserDetailsService.loadUserByUsername(Styring username) is invoked each time a secure page is requested, I am loading the user roles from database and don't want to run the query each time a request is made, is there any configuration I need to do to prevent this?
thanks Michael, I got it working by extending SpnegoAuthenticationProcessingFilter class and overriding doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
if (skipIfAlreadyAuthenticated) {
Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
if (existingAuth != null && existingAuth.isAuthenticated()
&& (existingAuth instanceof AnonymousAuthenticationToken) == false) {
chain.doFilter(request, response);
return;
}
}
super.doFilter(req, res, chain);
}
Tell Spring Security to cache the authentication in the HTTP Session. Here is how.
Related
I am facing issue in authenticating with openldap, I dont know how to configure spring security, ldap with Spring 4.0.0 version. Kindly provide sample reference.
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg
value="ldap://localhost:389/dc=test,dc=com" />
</beans:bean>
<security:ldap-server id="contextSource"
url="ldap://localhost:389/dc=test,dc=com" />
<beans:bean id="authMgr"
class="org.springframework.security.authentication.ProviderManager">
<beans:constructor-arg>
<beans:list>
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>uid={0},ou=users</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<security:authentication-manager>
<security:ldap-authentication-provider
server-ref="contextSource" user-search-base="ou=users"
user-search-filter="(uid={0})" group-search-filter="ou=groups">
<security:password-compare hash="{sha}"
password-attribute="userPassword" />
</security:ldap-authentication-provider>
</security:authentication-manager>
Spring Security 4.0 LDAP Reference
LDAP best practise would be to search for the DN of the entry, hence configure
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value=""/>
<constructor-arg index="1" value="(uid={0})"/>
<constructor-arg index="2" ref="contextSource" />
</bean>
Also typically the LDAP static group entries' naming attribute is cn, hence configure
<bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource"/>
<constructor-arg value="ou=groups"/>
<property name="groupRoleAttribute" value="cn"/>
</bean>
instead of the example shown in the guide
I'm trying to enable CORS on the Spring Security 4.2.3.RELEASE.
spring-mvc.xml
<mvc:mapping path="/rest/**"
allowed-origins="*"
allowed-methods="GET, POST, HEAD, OPTIONS, PUT, DELETE"
allowed-headers="Content-Type, X-Requested-With,accept, Origin,Access-Control-Request-Method, Access-Control-Request-Headers, Authorization"
exposed-headers="Access-Control-Allow-Origin,Access-Control-Allow-Credentials"
allow-credentials="false"
max-age="10" />
</mvc:cors>
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http pattern="/rest/**" use-expressions="true" entry-point-ref="unauthorizedEntryPoint" create-session="stateless">
<csrf disabled="true"/>
<cors/>
<custom-filter before="FORM_LOGIN_FILTER" ref="jwtAuthenticationFilter"/>
</http>
when try to deploy:
Caused by: org.springframework.beans.factory.BeanCreationException: Could not create CorsFilter
I was solving a similar issue. I tried several approaches and here is the setting that works best if anybody else needs it.
SpringSecurity: 4.2.0.RELEASE. All server's API calls are prefixed with /api/ path
Spring security context:
<http use-expressions='true'>
<!-- unrelated code skipped for brevity -->
<cors configuration-source-ref="corsSource"/>
</http>
<beans:bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource">
<beans:property name="corsConfigurations">
<util:map>
<beans:entry key="/api/**">
<beans:bean class="org.springframework.web.cors.CorsConfiguration">
<beans:property name="allowCredentials" value="true"/>
<beans:property name="allowedHeaders">
<beans:list>
<beans:value>Authorization</beans:value>
<beans:value>Content-Type</beans:value>
</beans:list>
</beans:property>
<beans:property name="exposedHeaders">
<beans:list>
<beans:value>Account-Locked</beans:value>
<beans:value>Account-Disabled</beans:value>
<beans:value>Bad-Credentials</beans:value>
</beans:list>
</beans:property>
<beans:property name="allowedMethods">
<beans:list>
<beans:value>POST</beans:value>
<beans:value>GET</beans:value>
<beans:value>OPTIONS</beans:value>
</beans:list>
</beans:property>
<beans:property name="allowedOrigins" value="http://localhost:3000"/>
</beans:bean>
</beans:entry>
</util:map>
</beans:property>
</beans:bean>
And in my dispatcher-servlet.xml
<mvc:cors>
<mvc:mapping path="/api/**"
allowed-origins="http://localhost:3000"
allow-credentials="true"
allowed-methods="GET, OPTIONS"
/>
</mvc:cors>
Remember to change allowed-origins as well as allowedHeaders (= headers client is allowed to attach to request), exposedHeaders (= headers the server is allowed to attach to its response) and allowedMethods.
To keep sessions for authorized users I have to add allowCredentials property in Spring Security configuration and also to set withCredentials flag to true in JavaScript calls. I used axios so if you use another library, the flag may be named differently.
I am using Freemarker template with Spring MVC. Is there a way to return HTTP Status 500 if there is any error rendering the template?
Currently I am using attempt block to handle error, but would like to throw Internal Server error and allow web server to redirect to a default error page
<#attempt>
attempt block
<#recover>
recover block
</#attempt>
Below is my servlet-context.xml
<beans:bean id="viewResolver"
class="org.springframework.web.servlet.view.freemarker.FreeMarkerViewResolver">
<beans:property name="cache" value="true" />
<beans:property name="prefix" value="" />
<beans:property name="contentType" value="text/html; charset=UTF-8" />
<beans:property name="suffix" value=".ftl" />
<beans:property name="exposeSessionAttributes" value="true" />
</beans:bean>
Below change in servlet-context.xml resolved the issue. Now it throws HTTP 500 error which is intercepted by web server and I am able to mast the message by redirecting to pre-defined error page.
<beans:bean id="freemarkerConfig"
class="org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer">
<beans:property name="templateLoaderPath" value="/WEB-INF/ftl/" />
<beans:property name="freemarkerSettings">
<beans:props>
<beans:prop key="template_exception_handler">rethrow</beans:prop>
</beans:props>
</beans:property>
</beans:bean>
This is the java-based equivalent configuration:
#Bean
public FreeMarkerConfigurer freemarkerConfig() throws TemplateException {
FreeMarkerConfigurer freeMarkerConfigurer = new FreeMarkerConfigurer();
freeMarkerConfigurer.setTemplateLoaderPath("/WEB-INF/views/ftl/");
Properties settings = new Properties();
settings.setProperty(freemarker.template.Configuration.TEMPLATE_EXCEPTION_HANDLER_KEY, "rethrow");
freeMarkerConfigurer.setFreemarkerSettings(settings);
return freeMarkerConfigurer;
}
A simple way to change the mode from "debug" to "rethrow" is to configure it in your application.properties:
spring.freemarker.settings.template_exception_handler=rethrow
I am using spring-security with a Spring-MVC application. Currently I am able to login user, password hashing and all is working beautifully. Whenever I need the authenticated person object, I retrieve the name via Spring security, then by accessing database I get the user object. All good till there. Now when I load the application first time, I log in, I close the tab, and I again give the application address, I would like to check if the user is authenticated and redirect. This is where I am having problem. I went through many tutorials on net, and I am almost doing the same. Kindly have a look at what I am doing wrong. Thank you for your time.
Controller :
#RequestMapping(value = "/", method = RequestMethod.GET)
public String listPersons(Model model) {
boolean id = isAuthenticated(); // Here I am calling the function I have written to see if I am logged in
if(id){
return "redirect:/canvas/list";
} else {
model.addAttribute("person", new Person());
model.addAttribute("listPersons", this.personService.listPersons());
model.addAttribute("notices",new Notes());
model.addAttribute("canvases",new Canvas());
return "person";
}
}
isAuthenticatedFunction :
private boolean isAuthenticated(){
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if(authentication == null){ return false;}
if(authentication instanceof AnonymousAuthenticationToken) {
return false;
} else {
return true;
}
}
Security-application-context.xml
<import resource="servlet-context.xml" />
<!-- Global Security settings -->
<security:global-method-security pre-post-annotations="enabled" />
<security:http pattern="/" security="none" />
<security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
<security:form-login login-page="/" default-target-url="/canvas/list" always-use-default-target="false" authentication-failure-url="/login?error" />
<security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService" token-validity-seconds="1209600" data-source-ref="dataSource"/>
<security:intercept-url pattern="/canvas/list" access="hasRole('ROLE_USER')" />
<security:logout logout-success-url="/" delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout" />
<security:port-mappings>
<security:port-mapping http="80" https="443"/>
</security:port-mappings>
<security:session-management session-fixation-protection="newSession" invalid-session-url="/invalidSession.html">
<security:concurrency-control max-sessions="3" error-if-maximum-exceeded="true" expired-url="/sessionExpired.html"/>
</security:session-management>
</security:http>
<!-- queries to be run on data -->
<beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<beans:property name="key" value="_spring_security_remember_me" />
<beans:property name="tokenRepository" ref="jdbcTokenRepository"/>
<beans:property name="userDetailsService" ref="LoginServiceImpl"/>
</beans:bean>
<!--Database management for remember-me -->
<beans:bean id="jdbcTokenRepository"
class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<beans:property name="createTableOnStartup" value="false"/>
<beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<!-- Remember me ends here -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="LoginServiceImpl">
<security:password-encoder ref="encoder"/>
</security:authentication-provider>
</security:authentication-manager>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11" />
</beans:bean>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="LoginServiceImpl"/>
<beans:property name="passwordEncoder" ref="encoder"/>
</beans:bean>
</beans>
To retrieve logged in user, I am using the method mentioned below, which works like a charm right now.
#Override
public Person getCurrentlyAuthenticatedUser() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if(authentication == null){
System.out.println("User is not authenticated");
return null;
} else {
Person person = personDAO.findPersonByUsername(authentication.getName());
return person;
}
}
i'm developping a webapp using SS for role managing. when i try to log in as admin it works fine,but the problem is when i want to log in as user it does too, which something i don't want to be. any ideas plz
this is my security-cpntext.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- We will be defining all security related configurations in this file -->
<http pattern="/login" security="none" />
<http use-expressions="true" >
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/index" access="hasRole('Admin')"/>
<form-login login-page="/login" default-target-url="/index" authentication-failure-url="/login"/> <!-- We will just use the built-in form login page in Spring -->
<access-denied-handler error-page="/login" />
<!-- <intercept-url pattern="/**" access="isAuthenticated()"/> --><!-- this means all URL in this app will be checked if user is authenticated -->
<logout logout-url="/logout" logout-success-url="/index"/> <!-- the logout url we will use in JSP -->
</http>
<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" ></beans:property>
</beans:bean>
<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider"/>
</beans:list>
</beans:property>
</beans:bean>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="md5"></password-encoder>
</authentication-provider>
</authentication-manager>
I can see two potential issues here that may be causing the problem.
1) You're specifying hasRole('Admin') for /index. If the role name is called Admin then you should specify hasRole('ROLE_Admin').
2) You've got duplication in your configuration. The <authentication-manager> tells Spring security to create a ProviderManager instance. So you've declared this, but you've also manually specified the ProviderManager as a bean instance duplicating what <authentication-manager> does. Remove the following:
<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" ></beans:property>
</beans:bean>
<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider"/>
</beans:list>
</beans:property>
</beans:bean>
And leave:
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="md5"></password-encoder>
</authentication-provider>
</authentication-manager>
Try that and see what you get.