Spring Security - overriding default configuration in profile - spring-mvc

Context is Spring 3.1 (we use Spring MVC and Spring Security).
What we are trying to do is an admin page only available when the admin profile is active. With Spring Security, we tried something like:
<security:http use-expressions="true" entry-point-ref="entryPointDenied">
    <security:intercept-url pattern="/admin/**" access="denyAll" />
</security:http>
<beans profile="admin">
    <security:http use-expressions="true">
        <security:intercept-url pattern="/admin/**" access="permitAll" />
        <security:form-login/>
    </security:http>
</beans>
But that doesn't work, as we can't override security:http definitions (we tried using the http#name attribute). So with the above configuration, we get
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored.
Also, we can't use the negated profile feature (i.e. profile="!admin"), as it was introduced in Spring 3.2.
Ideally the solution should be purely Spring configuration.
Edit: added missing use-expressions="true" to the second security:http

Related

Spring security: allow a few pages to be displayed in iframe

I support a website that uses Spring Security (5.3.3.RELEASE). The site can't be displayed in an iframe on other sites because of the following configuration:
<security:headers>
    <security:frame-options policy="SAMEORIGIN"/>
</security:headers>
Now I am asked to allow a few pages to be displayed in an iframe on ANY other site (not a specific list of sites). I looked at the Spring documentation, and it appears that I can add a bean in the following way:
<security:headers>
    <security:frame-options policy="SAMEORIGIN" ref="bean_id"/>
</security:headers>
I am not able to find info about what interface or methods the bean (bean_id) must implement, or whether it can be used to decide which pages are frameable. Any help or example is really appreciated.
The interface is of type AllowFromStrategy. But that interface is deprecated, since ALLOW-FROM is an obsolete directive that no longer works in modern browsers, see here. The alternative is to use CSP: frame-ancestors.
Spring Security has support for the Content-Security-Policy header. You can rely on the DelegatingRequestMatcherHeaderWriter implementation to add the headers only to specific pages, like so:
<http>
    <!-- ... -->
    <headers>
        <header ref="headerWriter"/>
    </headers>
</http>
<beans:bean id="headerWriter"
        class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
                c:pattern="/page-with-csp"/>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:bean
                class="org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter"/>
    </beans:constructor-arg>
</beans:bean>
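The same wiring built in code, as an added check that is not part of the answer above: it constructs the DelegatingRequestMatcherHeaderWriter with a ContentSecurityPolicyHeaderWriter carrying a frame-ancestors directive and uses Spring's mock servlet objects to confirm the header is emitted only for the matched page. The page pattern /embeddable/**, the request paths and the spring-test dependency are assumptions for this example.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/** Added example: per-page CSP frame-ancestors via DelegatingRequestMatcherHeaderWriter. */
public class FrameAncestorsCheck {

    /**
     * Equivalent of the XML bean definition: only requests matching pagePattern get the
     * Content-Security-Policy header. frame-ancestors is the CSP replacement for
     * X-Frame-Options ALLOW-FROM; "*" lets any site frame the page.
     */
    static HeaderWriter frameAncestorsWriter(String pagePattern, String allowedAncestors) {
        ContentSecurityPolicyHeaderWriter csp =
                new ContentSecurityPolicyHeaderWriter("frame-ancestors " + allowedAncestors);
        return new DelegatingRequestMatcherHeaderWriter(new AntPathRequestMatcher(pagePattern), csp);
    }

    /** Runs the writer against a mock request and returns the CSP header it produced, or null. */
    static String cspHeaderFor(HeaderWriter writer, String servletPath) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", servletPath);
        // AntPathRequestMatcher matches on servletPath + pathInfo, not on the raw request URI.
        request.setServletPath(servletPath);
        MockHttpServletResponse response = new MockHttpServletResponse();
        writer.writeHeaders(request, response);
        return response.getHeader("Content-Security-Policy");
    }

    public static void main(String[] args) {
        // Assumed pattern for the few pages that may be embedded anywhere.
        HeaderWriter writer = frameAncestorsWriter("/embeddable/**", "*");
        System.out.println("/embeddable/widget -> " + cspHeaderFor(writer, "/embeddable/widget"));
        // A page outside the pattern gets no CSP header and keeps the site-wide frame policy.
        System.out.println("/account -> " + cspHeaderFor(writer, "/account"));
    }
}
```

Browsers that implement CSP Level 2 give frame-ancestors precedence over X-Frame-Options when both are present, so the site-wide SAMEORIGIN setting can stay in place and only the matched pages become embeddable. Pages allowed with "*" can be framed by any origin, so keep state-changing UI off that pattern.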

Spring Security addFilterAfter using XML configuration

I am currently using Spring Security 4 on Spring MVC. I am trying to configure anti-CSRF for a REST service, not a servlet. This post is very useful, but it uses Java configuration. How can I convert
http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
into an XML configuration environment?
Thanks.
The XML can be the following for addFilterAfter():
<http>
<custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="org.security.filter.CustomFilter"/>
Hope it will help....
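The filter named in the question, written out as an added example (not the linked post's code): it reads the CsrfToken that CsrfFilter stores on the request and exposes it in response headers so a REST client can send it back on state-changing calls. The three response header names are assumptions for this example; any names work as long as the client uses the same ones.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example: publishes the current CSRF token in response headers.
 * Must be placed after CsrfFilter in the chain, otherwise the request
 * attribute it reads has not been set yet.
 */
public class CsrfTokenResponseHeaderBindingFilter extends OncePerRequestFilter {

    // Assumed header names for this example.
    static final String RESPONSE_TOKEN_HEADER = "X-CSRF-TOKEN";
    static final String RESPONSE_HEADER_NAME_HEADER = "X-CSRF-HEADER";
    static final String RESPONSE_PARAM_NAME_HEADER = "X-CSRF-PARAM";

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        // CsrfFilter stores the token under the fully qualified CsrfToken class name.
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token != null) {
            // Tell the client which header and parameter name CsrfFilter expects, plus the value.
            response.setHeader(RESPONSE_HEADER_NAME_HEADER, token.getHeaderName());
            response.setHeader(RESPONSE_PARAM_NAME_HEADER, token.getParameterName());
            response.setHeader(RESPONSE_TOKEN_HEADER, token.getToken());
        }
        filterChain.doFilter(request, response);
    }
}
```

Declare it as a bean and reference it from <custom-filter after="CSRF_FILTER" ref="..."/>; CSRF_FILTER is one of the named positions the security namespace accepts, so the filter lands directly behind CsrfFilter as the Java-config call does. Because the token travels in a response header, only same-origin scripts can read it; if the service also sends CORS headers, do not list these headers in Access-Control-Expose-Headers.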

How to enforce license check on each .jsp page on spring mvc webapplication?

We are developing a web application with Spring MVC and REST-based controllers. We have already implemented authentication using Spring Security. Now this product should run with a valid license. This implementation is done, and before the webapp starts up we have this check to see whether the product is licensed or not. If not, the user can upload a license file and start using the product.
Once they start using the product, say after a few days the license might expire (of course, restarting the server will catch this, but if there is no server restart then they can happily use it forever after expiry). So I want to have a check on each request, whether the product is licensed (just like isAuthenticated()) or not. If not authenticated, I can redirect to the license upload page.
Any ideas / pointers are appreciated.
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<beans:bean id="mySuccessHandler" class="com.cavirin.security.MySavedRequestAwareAuthenticationSuccessHandler" />
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="localAuthenticationProvider" />
</authentication-manager>
<http auto-config="true" use-expressions="true">
    <request-cache ref="authenticationRequestCache" />
    <form-login login-page="/"
            authentication-success-handler-ref="successHandler"
            authentication-failure-url="/rest/login/reAuthenticate" />
    <intercept-url pattern="/rest/**" access="isAuthenticated()" />
</http>
<beans:bean id="successHandler"
        class="com.cavirin.security.MySavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/rest/login/checkUser" />
</beans:bean>
To check on every request you could just add a filter to your app. But that would be very annoying for users who were half-way through doing something when they get redirected to the license page. It also seems quite inefficient. As an alternative, you could add an AuthenticationProvider which just checks when someone logs in and denies authentication otherwise.
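The AuthenticationProvider alternative from the answer, as an added example that is not code from the question or answer: a decorator that wraps the existing provider (localAuthenticationProvider in the question's config) and refuses new logins while the license is invalid. The LicenseService interface and the LicenseExpiredException are assumptions introduced here for the application's own license logic.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** Added example: deny authentication while the product license is missing or expired. */
public class LicenseCheckingAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical hook into the application's license logic (assumed, not on the page). */
    public interface LicenseService {
        boolean isLicenseValid();
    }

    /** Dedicated exception type so a failure handler can route it to the license upload page. */
    public static class LicenseExpiredException extends AuthenticationException {
        public LicenseExpiredException(String msg) {
            super(msg);
        }
    }

    private final AuthenticationProvider delegate;
    private final LicenseService licenseService;

    public LicenseCheckingAuthenticationProvider(AuthenticationProvider delegate,
                                                 LicenseService licenseService) {
        this.delegate = delegate;
        this.licenseService = licenseService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Fail closed: with an invalid license no login succeeds, whatever the credentials are.
        if (!licenseService.isLicenseValid()) {
            throw new LicenseExpiredException("Product license is missing or expired");
        }
        // Otherwise credential checking is left entirely to the real provider.
        return delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

Register it as a bean that takes localAuthenticationProvider as its delegate and point <authentication-provider ref="..."/> at it. With a single authentication-failure-url every failure lands on the same page; to send license failures to the upload page instead, use an ExceptionMappingAuthenticationFailureHandler via authentication-failure-handler-ref and map LicenseExpiredException's class name to that URL. As the answer notes, this only runs at login, so sessions that are already authenticated keep working until they log in again.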

Which are the classes used for User Authentication in alfresco.4.2.c in the case of External SSO?

I am trying to implement External SSO in alfresco share. I am using alfresco.4.2.c.
I want to enable debug mode for the classes which are used for authentication in the case of External SSO.
So please let me know the class names which are used in External SSO.
It depends on which SSO you are integrating, say OpenAM, CAS, etc.
The SlingshotUserFactory class is used for default authentication in Alfresco Share.
You can override its entry as below in share-config-custom.xml:
<config evaluator="string-compare" condition="WebFramework">
    <web-framework>
        <!-- SpringSurf Autowire Runtime Settings -->
        <!-- Developers can set mode to 'development' to disable; SpringSurf caches,
             FreeMarker template caching and Rhino JavaScript compilation. -->
        <defaults>
            <page-type>
                <id>login</id>
                <page-instance-id>slingshot-login</page-instance-id>
            </page-type>
            <user-factory>webframework.factory.user.custom.slingshot</user-factory>
        </defaults>
    </web-framework>
</config>
Add the entry below in custom-slingshot-application-context.xml:
<bean id="webframework.factory.user.custom.slingshot" class="com.test.web.site.ExtSlingshotUserFactory"
        parent="webframework.factory.user.slingshot">
</bean>
Now on login it will call your class for authentication.

spring security css styles don't work

I have a problem applying css to the web pages, using spring security (3.0.7 version). I have the following config:
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/faces/resources/**" filters="none"/>
    <intercept-url pattern="/faces/inicio.xhtml" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/autenticacion/login.xhtml*" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/administracion/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/barco/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/catalogo/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/error/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/plantillas/**" access="permitAll"/>
    <intercept-url pattern="/**" access="denyAll" />
</http>
By default, I deny access to all pages. Then I apply authorization to the concrete pages by specifying their URL patterns; they apply first, in the given order, with the denyAll rule being the last one.
"inicio.xhtml" is the homepage.
"login.xhtml" is the login form.
"administracion" and "barco" directories contain pages that should be accessed just by authenticated users.
"catalogo" directory contains pages that should be accessed by everyone.
"error" directory contains the error pages of the app.
"plantillas" directory contains the template facelets pages of the app (I use JSF2).
The "resources" directory contains images, css files, and javascript. So in the first line I tell spring security not to use the security filter for it.
However, with this configuration, when I run the app, css styles are not applied to pages!!
I've checked that if I turn the default authorization to "permitAll", it works. But I don't want to do that, because it isn't good practice.
Any idea why it's not working? I think it should work.
This works if you are adding stylesheets inline. For example:
<link type="text/css" rel="stylesheet" href="/resources/style.css" />
If you are using
<h:outputStylesheet>
tag, the URL pattern should be like this:
<intercept-url pattern="/faces/javax.faces.resource/**" filters="none"/>
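Both the "universal match pattern" error in the first question and the missing stylesheets here come down to the same rule: Spring evaluates <http> filter chains and <intercept-url> entries top to bottom and the first pattern that matches wins. The following plain-Java model of that first-match evaluation is an added example, not Spring's own matcher; the Ant-pattern translation, the abridged rule list and the sample request paths are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: first-match evaluation of an ordered list of Ant-style URL rules. */
public class InterceptUrlOrdering {

    /** One rule: an Ant-style pattern and the access decision attached to it. */
    static final class Rule {
        final String pattern;
        final String access;
        final Pattern regex;

        Rule(String pattern, String access) {
            this.pattern = pattern;
            this.access = access;
            this.regex = Pattern.compile(toRegex(pattern));
        }
    }

    /** Minimal Ant wildcard translation: '**' spans path segments, '*' stays within one, '?' is one char. */
    static String toRegex(String ant) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*' && i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                sb.append(".*");
                i++;
            } else if (c == '*') {
                sb.append("[^/]*");
            } else if (c == '?') {
                sb.append("[^/]");
            } else {
                sb.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return sb.append("$").toString();
    }

    /** The first rule whose pattern matches decides; null means no rule applied at all. */
    static String decide(List<Rule> chain, String path) {
        for (Rule r : chain) {
            if (r.regex.matcher(path).matches()) {
                return r.access;
            }
        }
        return null;
    }

    /** Same sanity check Spring performs: a '/**' entry with anything after it makes the rest unreachable. */
    static int indexOfShadowingUniversalMatch(List<Rule> chain) {
        for (int i = 0; i < chain.size() - 1; i++) {
            if ("/**".equals(chain.get(i).pattern)) {
                return i;
            }
        }
        return -1;
    }

    static void report(List<Rule> chain, String path) {
        System.out.println(path + " -> " + decide(chain, path));
    }

    public static void main(String[] args) {
        // Abridged rule order from the question: specific patterns first, catch-all denyAll last.
        List<Rule> chain = new ArrayList<>();
        chain.add(new Rule("/faces/resources/**", "filters=none"));
        chain.add(new Rule("/faces/inicio.xhtml", "permitAll"));
        chain.add(new Rule("/faces/paginas/administracion/**", "isAuthenticated()"));
        chain.add(new Rule("/**", "denyAll"));

        // A stylesheet linked directly under /faces/resources/ is handled by the first rule.
        report(chain, "/faces/resources/style.css");
        // <h:outputStylesheet> serves resources under /faces/javax.faces.resource/ instead, which
        // no rule ahead of the catch-all covers, so the request falls through to denyAll.
        report(chain, "/faces/javax.faces.resource/style.css");
        // Inserting the answer's pattern ahead of the catch-all is what makes the CSS load again.
        chain.add(3, new Rule("/faces/javax.faces.resource/**", "filters=none"));
        report(chain, "/faces/javax.faces.resource/style.css");

        // Two <security:http> elements without a pattern attribute both mean '/**'; the first one
        // swallows every request, which is the condition behind the error in the first question.
        List<Rule> twoChains = new ArrayList<>();
        twoChains.add(new Rule("/**", "default chain"));
        twoChains.add(new Rule("/**", "admin-profile chain"));
        System.out.println("shadowing universal match at index "
                + indexOfShadowingUniversalMatch(twoChains));
    }
}
```

The order-dependence is the reason the denyAll fallback belongs last and every exception, including framework-generated resource URLs, must be listed above it; a rule that never gets reached is indistinguishable from one that was never written.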
