I have built a spring MVC application using Spring Tool Suite. I also used Spring Security to handle access permissions and login/logout.
The application is currently using http protocol, but I want to move to https completely.
What should I do?
Should I also reconfigure STS' VFabric tc Server to run the appliction? If so, how?
You need to configure your application container if you want to use https protocol.
VFabric tc Server docs about SSL:
http://pubs.vmware.com/vfabric5/index.jsp?topic=/com.vmware.vfabric.tc-server.2.6/admin/manual-config-ssl.html
Still you can use Spring Security features. HTTP/HTTPS Channel Security is achieved with ChannelProcessingFilter. Fortunately it can be easily configured with Spring Security XML Namespace.
Spring Docs:
If your application supports both HTTP and HTTPS, and you require
that particular URLs can only be accessed over HTTPS, then this is
directly supported using the requires-channel attribute on intercept-url
Example Config:
<http>
<intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
</http>
More info: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-requires-channel
Related
When i need to put Load Balancer to Proxy Service deployed on WSO2 EI 6.5.0,
Would i need to implement Clustering with it?
1. I found below sample on Docs :
<loadbalance algorithm="org.apache.synapse.endpoints.algorithms.RoundRobin">
<endpoint>
<address uri="service_url (instance21">
<enableAddressing/>
<suspendOnFailure>
<initialDuration>20000</initialDuration>
<progressionFactor>1.0</progressionFactor>
</suspendOnFailure>
</address>
</endpoint>
<endpoint>
<address uri="service_url (instance2)">
<enableAddressing/>
<suspendOnFailure>
<initialDuration>20000</initialDuration>
<progressionFactor>1.0</progressionFactor>
</suspendOnFailure>
</address>
</endpoint>
</loadbalance>
it is the right way to create LB ?
2. I tried it below too :
https://medium.com/#snsavithrik1/wso2-ei-worker-manager-clustering-on-a-single-machine-dae1161bcb78
but i think that is not balancing service load through all proxy It only handles request
it's Manager node, Worker node does nothing
Note : i expect that when i send request to proxy services, if this service is busy, it sends coming requests to other node to handling it
Something like this :
[LOG] Response from service1
[LOG] Response from service2
Please refer to the documentation on [1]. The provided blog does not contain the load balancer configuration. Further to add to this, in the EI servers we do not have the concept of the worker, manager. This was a concept introduced in the ESB servers where the worker nodes serve the requests and the manager node was used to manage the artifacts deployed.
[1]-https://docs.wso2.com/display/EI650/Clustering+the+ESB+Profile
I have an Asp.net MVC application, which is connected to many Asp.net Web Api services.
It consumes the services using HttpClient requests. These methods exists in SDK libraries.
Is it possible to inspect (sniff) the REST requests, and before being sent, to add additional information in the Headers?
All the Asp.Net Web APIs are on the same local network as the Asp.net MVC application.
I am not sure why do you call the REST api from the ASP.NET MVC controllers, you can call it directly from the Views using jQuery Ajax.
As for the inspection, you can do it using Fiddler, but you will have to update web.config for your ASP.NET MVC application by changing the default proxy like below:
<system.net>
<defaultProxy
enabled = "true" useDefaultCredentials = "true">
<proxy autoDetect="false" bypassonlocal="false"
proxyaddress="http://127.0.0.1:8888" usesystemdefault="false" />
</defaultProxy>
</system.net>
Make sure the proxy port for Fiddler is not changed from the default one 8888
I am securing a Webapp (war) that lives on Tomcat 8. I am using Keycloak as my Authentication Server.
The previous webapp we secured were using Servlet Filters and we could make it switch between authentication mechanism programmatically.
But now Keycloak is a requirement.. For normal authentication keycloak requires us to modify the Context.xml and specify it as follow:
For Normal Authentication:
<Context path="/your-context-path">
<Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
For SAML:
<Context path="/your-context-path">
<Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
</Context>
My question is, is there a way to switch between these 2 programmatically ? Could we specify more than one Valve there ?
I'm making a Spring MVC web-app with some RESTfull resources as an API.
I need the RESTfull part to have some custom filters as I do not want any redirection and I want any exception to be translated with the corresponding HTTP error code and a basic JSON description.
On the other hand, the rest of the website have to be more common and redirect people when they are not logged in etc.
One more thing, I wish to use the #Secured annotations and a post-authentication in some case.
How do I define the multiple http namespaces correctly (on Spring 3.1)?
Here is my erroneous configuration:
<global-method-security secured-annotations="enabled" />
<http pattern="/rest/**" authentication-manager-ref="authenticationManager" entry-point-ref="restAuthenticationEntryPoint">
<form-login login-page="/rest/login" login-processing-url="/rest/postlogin"
authentication-success-handler-ref="restAuthenticationSuccessHandler"
authentication-failure-handler-ref="restAuthenticationFailureHandler"
username-parameter="username" password-parameter="password" />
<logout logout-url="/rest/logout" invalidate-session="true" />
</http>
<http pattern="/**" authentication-manager-ref="authenticationManager">
<form-login login-page="/login" login-processing-url="/postlogin"
username-parameter="username" password-parameter="password" />
<logout />
</http>
The funny part is that this configuration works partially as I can login with /rest/login and I get the response from my custom success handler. I can also login from /login and I get the proper redirection to /. The logout are working both fine too.
Next, all the controllers beans have #Secured("ROLE_USER") in the secured methods. But all the secured methods don't ever get secured. Why is that so?
#Secured({"ROLE_USER"})
#RequestMapping(method = RequestMethod.GET, headers = { "Range" })
public #ResponseBody
HttpEntity<List<T>> list(#RequestHeader("Range") String range) {
I've read documentations everywhere and I'm more confused than ever.
Why are my methods not being secured?
Must the http namespace define an access so that the #Secured annotations work?
Are the http namespace overwriting my #Secured annotations? If it's so, how can I define multiple "login pages" with custom filters and being able to use annotations?
Here are some facts:
* I'm using Spring and SpringSecurity 3.1
* I have a custom AuthenticationManager to retrieve user details from hibernate daos.
* Some controllers are extending an abstract class where the #Secured annotations lies. But it still doesn't work for a simple controller.
* My controllers are discovered with a context:component-scan and a base-package.
* The security works fine with one http namespace.
please help, i'm getting mad with this!
Check out this answer about making sure the web context is visible to the global-method-security declaration and possibly using class proxying.
To answer your other questions, no the http namespace shouldn't affect the use of #Secured annotations, other than that the user is authenticated by the web part of the application and that information will be used by the method security interceptor when making an access decision. Unless you override it (using access-decision-manager-ref), method security will use a standard AccessDecisionManager which grants or denies access based on the roles a user has.
I have a web application secured with spring security (Spring 3.1.0). Now if a customer wants to register to my service, Spring Security say "No". This makes sense because the user is not yet authorized.
The controller, which gets the register data is a spring mvc controller. I need to exclude this from spring security I think.
I've excluded some urls so far like this:
<intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
Is it possible, to exclude a (Spring MVC)Controller, or is this the wrong way to approach this?
By the way, I also tried to annotate tho at the method:
#PreAuthorize("hasRole('IS_AUTHENTICATED_ANONYMOUSLY')")
Why don't you try permitAll instead?
<intercept-url pattern="/index.jsp" access="permitAll" />