Spring Security Authentication is not working as expected in my configuration - spring-mvc

I have configured Spring authentication as below and it's not working as expected:
<sec:http auto-config="true">
<!-- Restrict URLs based on role -->
<sec:intercept-url pattern="pages/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="/css/style.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="pages/**" access="ROLE_USER" />
<!-- Override default login and logout pages -->
<sec:form-login login-page="/login.jsp"
default-target-url="/pages/products.xhtml"
authentication-failure-url="/login.html?login_error=1" />
<sec:logout logout-url="/logout" logout-success-url="/login.jsp" />
</sec:http>
On server start-up I am redirected to login.jsp; if I use the login form I am redirected to products.xhtml, so far fine. But if I directly access products.xhtml, it just allows me to access products.xhtml (even after closing the browser, or even after a server restart) instead of redirecting to login.jsp. Could anyone just tell me what I am missing exactly?
Thanks & Regards
Vijay

Your patterns and URLs aren't consistent. You have "/login.jsp" for the login page and "pages/login.jsp" in the intercept-url pattern.
Try using:
<http pattern="/css/**" security="none"/>
<http>
<intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login.jsp"
default-target-url="/pages/products.xhtml"
authentication-failure-url="/login.html?login_error=1" />
<logout logout-url="/logout" logout-success-url="/login.jsp" />
</http>
The debug log for a particular request will explain exactly why it is or isn't secured.

Make sure you do not have a Cookie or a valid session...

Related

Spring Security Intercept-url pattern not working

My application can have below URLs:
/siteadmin/homepage/
/siteusers/customer/createCustomer
Below is my spring-security.xml:
<beans:beans>
<http auto-config="true">
<intercept-url pattern="/siteusers***" access="isAuthenticated()" />
<!-- <intercept-url pattern="siteusers/home/*" access="hasRole('USER') OR hasRole('ADMIN')" /> -->
<intercept-url pattern="/siteadmin***" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/siteusers/loginprocess/login" default-target-url="/siteusers/home/homepage"
login-processing-url="/siteusers/loginprocess/login"
authentication-failure-url="/siteusers/loginprocess/login?error" username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/siteusers/loginprocess/login?logout" logout-url="/siteusers/loginprocess/logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="b" password="123456" authorities="ROLE_ADMIN" />
<user name="a" password="a" authorities="ROLE_USER" /><!-- This user can not access /admin url -->
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
If I log in as user 'a' and hit the URL http://localhost:8080/siteadmin/homepage/, it allows user 'a' to view the page although his role is not admin. But when I hit http://localhost:8080/siteadmin, Spring Security works fine, i.e. it shows the access denied page.
I want to restrict /admin/* URLs for users who don't have the Admin role.
See AntPathMatcher:
The mapping matches URLs using the following rules:
? matches one character
* matches zero or more characters
** matches zero or more directories in a path
Some examples:
com/t?st.jsp - matches com/test.jsp but also com/tast.jsp or com/txst.jsp
com/*.jsp - matches all .jsp files in the com directory
com/**/test.jsp - matches all test.jsp files underneath the com path
org/springframework/**/*.jsp - matches all .jsp files underneath the org/springframework path
org/**/servlet/bla.jsp - matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp
Your pattern /siteadmin*** is missing slashes. Use /siteadmin/**.
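To make the two answers above concrete, here is an added example (not Spring's code and not from either poster) that re-implements the three AntPathMatcher wildcards quoted above and then evaluates the intercept-url lists from both questions in order, the way FilterSecurityInterceptor picks the first matching pattern. It covers only ?, * and ** (no {var} templates) and is case-sensitive, so it is an approximation of the real matcher; the request paths and the /siteusers/** rewrite in the corrected second config are my assumptions. An unmatched request returns None, and that is the security-relevant point: with no matching intercept-url the request carries no access attributes and, under the interceptor's default rejectPublicInvocations=false, passes through unauthenticated, which is exactly the symptom in both questions (a pattern without a leading slash, and a pattern whose * cannot cross a /).

```python
import re
from typing import Optional, Sequence, Tuple

# Approximation of org.springframework.util.AntPathMatcher for '?', '*' and '**' only.


def ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern into a regular expression for re.fullmatch."""
    pieces = []
    for seg in pattern.split("/"):
        if seg == "**":
            pieces.append("**")  # whole-segment '**': zero or more directories
        else:
            pieces.append("".join(
                "[^/]*" if ch == "*" else      # '*' never crosses a '/'
                "[^/]" if ch == "?" else       # '?' is exactly one character
                re.escape(ch)
                for ch in seg))
    regex = ""
    for idx, piece in enumerate(pieces):
        if piece == "**":
            if idx == len(pieces) - 1:
                # trailing '/**' also matches the bare prefix, e.g. /siteadmin
                regex += "(?:/.*)?" if idx > 0 else ".*"
            else:
                # '**/' in the middle may match zero directories
                regex += ("/" if idx > 0 else "") + "(?:.*/)?"
        else:
            if idx > 0 and pieces[idx - 1] != "**":
                regex += "/"
            regex += piece
    return regex


def ant_match(pattern: str, path: str) -> bool:
    # AntPathMatcher refuses to match when only one side starts with '/':
    # this is why "pages/**" never matches the request "/pages/products.xhtml".
    if pattern.startswith("/") != path.startswith("/"):
        return False
    return re.fullmatch(ant_to_regex(pattern), path) is not None


def first_matching_access(rules: Sequence[Tuple[str, str]], path: str) -> Optional[str]:
    """First intercept-url whose pattern matches wins; None means no rule applies at all."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None


# Constructed from the first question (patterns without a leading slash) and its answer.
QUESTION1_RULES = [
    ("pages/login.jsp", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/css/style.css", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("pages/**", "ROLE_USER"),
]
ANSWER1_RULES = [
    ("/login.jsp", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/**", "ROLE_USER"),
]

# Constructed from the second question ('*' cannot cross a slash) and its answer;
# applying the same "/**" fix to /siteusers is my assumption, not the answer's text.
QUESTION2_RULES = [
    ("/siteusers***", "isAuthenticated()"),
    ("/siteadmin***", "hasRole('ROLE_ADMIN')"),
]
ANSWER2_RULES = [
    ("/siteusers/**", "isAuthenticated()"),
    ("/siteadmin/**", "hasRole('ROLE_ADMIN')"),
]


if __name__ == "__main__":
    for name, rules, path in [
        ("question 1", QUESTION1_RULES, "/pages/products.xhtml"),
        ("answer 1", ANSWER1_RULES, "/pages/products.xhtml"),
        ("question 2", QUESTION2_RULES, "/siteadmin/homepage/"),
        ("question 2", QUESTION2_RULES, "/siteadmin"),
        ("answer 2", ANSWER2_RULES, "/siteadmin/homepage/"),
    ]:
        print(f"{name:11} {path:25} -> {first_matching_access(rules, path)}")
```

Running the script prints None for the two broken configurations and the expected access attribute for the corrected ones; the same helper also confirms the javadoc examples quoted in the answer (com/t?st.jsp matches com/test.jsp, com/*.jsp does not reach into subdirectories, org/**/servlet/bla.jsp matches org/servlet/bla.jsp).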

Spring MVC make individual page accessible without login

I am using Spring MVC and I am trying to make an HTML page accessible without the need to log in. My security XML configuration is as follows:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/err404.html" access="permitAll()" />
<intercept-url pattern="/login.html" access="permitAll()"/>
<intercept-url pattern="/accesibleWithoutLogin.html" access="permitAll()" />
<intercept-url pattern="/assets/**" access="permitAll()" />
<intercept-url pattern="/**" access="hasRole('AUTH_ADMIN')" />
<form-login login-page="/login.html"
login-processing-url="/static/j_spring_security_check"
authentication-success-handler-ref="authSuccessHandler"
authentication-failure-url="/login.html?t=error" />
<access-denied-handler error-page="/403" />
<logout logout-success-url="/login.html?act=logout" />
</http>
With this configuration I can access accesibleWithoutLogin.html, but all the back-end functionality (AJAX requests to Spring MVC) is lost.
How can this page be fully functional without having to log in?

spring security logout success url redirecting to http from https

Our application is protected by a SiteMinder web agent and is on https.
Our application is running on WebLogic and is on http.
When the user accesses a protected URL, the SiteMinder login page (https) is displayed and the user enters his credentials there.
But after successful authentication, the user was redirected to an http URL and a "page cannot be displayed" or "unable to connect" message was shown.
I fixed this issue by adding the redirectHttp10Compatible="false" attribute to my view resolver.
Now, upon logout, the application is redirecting to the logout success URL over http rather than https.
The redirectHttp10Compatible="false" attribute is still in the same place.
Any help in this regard would be highly appreciated.
Thanks a lot in advance.
Below are the config files (edited; irrelevant lines removed):
<!-- DISPATCHER SERVLET -->
<context:component-scan base-package="xxx.xxx.controllers"/>
<mvc:annotation-driven />
<mvc:default-servlet-handler/>
<bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<property name="maxUploadSize" value="100000000"/>
</bean>
<bean id="jspViewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:viewClass="org.springframework.web.servlet.view.JstlView"
p:prefix="/WEB-INF/jsp/"
p:suffix=".jsp"
p:redirectHttp10Compatible="false"
/>
<!-- SPRING SECURITY XML FILE -->
<http pattern="/login/login.action" security="none"/>
<http pattern="/login/logout.action" security="none"/>
<http pattern="/WEB-INF/jsp/Login.jsp" security="none"/>
<http pattern="/WEB-INF/jsp/Logout.jsp" security="none"/>
<http auto-config="false" entry-point-ref="http403EntryPoint" use-expressions="true">
<form-login login-page="/login/login.action"
default-target-url="/home.action"
authentication-failure-url="/login/login.action?loginFailed=true"
always-use-default-target="true"/>
<custom-filter ref="siteMinderAgent" position="PRE_AUTH_FILTER"/>
<logout logout-success-url="/login/logout.action"
invalidate-session="true" />
</http>
<beans:bean id="siteMinderAgent"
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<beans:property name="principalRequestHeader" value="SM_USER"/>
<beans:property name="authenticationManager" ref="appAuthenticationManager" />
</beans:bean>
<beans:bean id="preauthAuthProvider"
class="com.xxx.security.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="http403EntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<authentication-manager alias="appAuthenticationManager">
<authentication-provider ref="preauthAuthProvider"/>
</authentication-manager>

Port number 8443 is shown in the browser address bar when using Tomcat with HTTPS

I am working on a Spring MVC application and I have deployed it on a Tomcat installation on the server. In the Tomcat and Spring configuration which I post below, HTTP communication occurs on port 80 and HTTPS on port 8443.
Now when the application is deployed, I can see the URL in the browser as
https://domainname.com:8443/nameOfPage
I don't want to show the port number to the user. What should I do? Kindly let me know.
Thank you.
Spring Security config.xml
<security:http create-session="ifRequired" use-expressions="true" auto-config="true" disable-url-rewriting="true">
<security:form-login login-page="/"
default-target-url="/canvas/list"
always-use-default-target="false"
authentication-failure-url="/denied.jsp" />
<security:remember-me key="_spring_security_remember_me"
user-service-ref="userDetailsService"
token-validity-seconds="1209600"
data-source-ref="dataSource" />
<security:logout logout-success-url="/"
delete-cookies="JSESSIONID"
invalidate-session="true"
logout-url="/j_spring_security_logout" />
<security:intercept-url pattern="/" requires-channel="https" access="permitAll" />
<security:intercept-url pattern="/canvas/list" access="hasRole('ROLE_USER')" requires-channel="https" />
<security:port-mappings>
<security:port-mapping http="80" https="443" />
</security:port-mappings>
</security:http>
Apache Tomcat server.xml:
<Connector port="80"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/path/to/keystore.jks"
keystorePass="password" />
The only way to achieve this is to use port 443 instead.
The browser will always tell you if you're using a non-standard port, and the standard port for HTTPS is 443.
Similarly, for HTTP if you use any port other than 80, the port number will show in the address bar.

Redirect loop in Spring Security app

I am developing a Spring MVC / Spring Security application.
I do not have any exceptions or errors, but there is a redirect loop on one of the pages.
I'm using Spring 3.0.1 and Spring Security 3.0.1.
My dispatcher-security.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:http auto-config="true" use-expressions="true">
<security:form-login login-page="/login" default-target-url="/login" authentication-failure-url="/fail2login"/>
<security:logout logout-success-url="/"/>
<security:intercept-url pattern="/auth/**" access="hasRole('ANONYMOUS')" />
<security:intercept-url pattern="/js/**" access="hasRole('ANONYMOUS')" />
<security:intercept-url pattern="/css/**" access="hasRole('ANONYMOUS')" />
<security:intercept-url pattern="/**" access="hasRole('ADMIN')" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource1"
users-by-username-query=" select name,password,enabled from user where name=?"
authorities-by-username-query="select u.name, r.role from user u, role r where u.role = r.auto_id and u.name =? "
/>
</security:authentication-provider>
</security:authentication-manager>
</beans>
Please help me......
The default-target-url attribute defines the page where the user is redirected in case of a successful login. Usually it is the home page of your application. You have default-target-url="/login", so it redirects you back to the login page after a successful login.
I do not understand the meaning of the ANONYMOUS role in your example. If it is the built-in role for anonymous users, I think it is called ROLE_ANONYMOUS.
In this case you probably use it incorrectly, and these two lines:
<security:intercept-url pattern="/js/**" access="hasRole('ANONYMOUS')" />
<security:intercept-url pattern="/css/**" access="hasRole('ANONYMOUS')" />
should be replaced with something like this:
<security:intercept-url pattern="/js/**" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
<security:intercept-url pattern="/css/**" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
Otherwise ONLY unauthenticated users will be able to access the /js/ and /css/ directories.
ROLE_USER is not a built-in role; it is a role that you define manually for all authenticated users.
See also:
What is the difference between ROLE_USER and ROLE_ANONYMOUS
The Spring Security Reference: Anonymous Authentication