spring security css styles don't work - css

I have a problem applying css to the web pages, using spring security (3.0.7 version). I have the following config:
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/faces/resources/**" filters="none"/>
    <intercept-url pattern="/faces/inicio.xhtml" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/autenticacion/login.xhtml*" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/administracion/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/barco/**" access="isAuthenticated()"/>
    <intercept-url pattern="/faces/paginas/catalogo/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/error/**" access="permitAll"/>
    <intercept-url pattern="/faces/paginas/plantillas/**" access="permitAll"/>
    <intercept-url pattern="/**" access="denyAll" />
</http>
By default, I deny access to all pages. Then I apply authorization to the specific pages by giving their URL patterns; these are applied first, in the given order, with the denyAll rule being the last one.
"inicio.xhtml" is the homepage.
"login.xhtml" is the login form.
The "administracion" and "barco" directories contain pages that should be accessed only by authenticated users.
The "catalogo" directory contains pages that should be accessible to everyone.
The "error" directory contains the error pages of the app.
The "plantillas" directory contains the template facelets pages of the app (I use JSF2).
The "resources" directory contains images, css files, and javascript. So in the first line I tell spring security not to apply the security filter to it.
However, with this configuration, when I run the app, css styles are not applied to the pages!!
I've checked that if I turn the default authorization to "permitAll", it works. But I don't want to do that, because it isn't good practice.
Any idea why it is not working? I think it should work.

This works if you are adding stylesheets inline. For example:
<link type="text/css" rel="stylesheet" href="/resources/style.css" />
If you are using the <h:outputStylesheet> tag, the url pattern should be like this:
<intercept-url pattern="/faces/javax.faces.resource/**" filters="none"/>
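To see why the stylesheet falls through to the denyAll rule, here is a small stand-alone simulation of how the intercept-url rules above are walked (first match wins, matched against the request path only). It is an added example, not code from the question, the answer or Spring Security; the Ant semantics (** spans path segments, * stays within one) and the sample resource path are assumptions.

```python
import re

# Added example, not code from the question or answer: a stand-alone simulation of how
# Spring Security walks <intercept-url> rules (first match wins, matched against the
# request path only). Ant semantics assumed: ** spans segments, * stays within one.
def ant_to_regex(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")      # trailing /** also matches the directory itself
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def decide(rules, path):
    """Return the access attribute of the first rule whose pattern matches the path."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None  # not reached while a /** catch-all is present

# The rules from the question, in the order they are declared.
QUESTION_RULES = [
    ("/faces/resources/**", "filters=none"),
    ("/faces/inicio.xhtml", "permitAll"),
    ("/faces/paginas/autenticacion/login.xhtml*", "permitAll"),
    ("/faces/paginas/administracion/**", "isAuthenticated()"),
    ("/faces/paginas/barco/**", "isAuthenticated()"),
    ("/faces/paginas/catalogo/**", "permitAll"),
    ("/faces/paginas/error/**", "permitAll"),
    ("/faces/paginas/plantillas/**", "permitAll"),
    ("/**", "denyAll"),
]

# The answer's extra rule, placed ahead of the catch-all like the others.
FIXED_RULES = [("/faces/javax.faces.resource/**", "filters=none")] + QUESTION_RULES

if __name__ == "__main__":
    # Constructed path of the kind <h:outputStylesheet> emits under a /faces/* servlet mapping.
    css = "/faces/javax.faces.resource/css/estilos.css"
    print(decide(QUESTION_RULES, css), decide(FIXED_RULES, css))  # denyAll filters=none
```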


Spring security: allow a few pages to be displayed in iframe

I support a website that uses Spring Security (5.3.3.RELEASE). The site can't be displayed in an iframe on other sites because of the following configuration:
<security:headers>
    <security:frame-options policy="SAMEORIGIN"/>
</security:headers>
Now I am asked to allow a few pages to be displayed in an iframe on ANY other site (not a specific list of sites). I looked at the Spring documentation, and it appears that I can add a bean in the following way:
<security:headers>
    <security:frame-options policy="SAMEORIGIN" ref="bean_id"/>
</security:headers>
I am not able to find info about what interface or methods the bean (bean_id) must implement or whether it can be used to decide what pages are frameable. Any help or example is really appreciated.
The interface is of type AllowFromStrategy. But that interface is deprecated since the ALLOW-FROM is an obsolete directive that no longer works in modern browsers, see here. The alternative is to use CSP: frame-ancestors.
Spring Security has support for the Content-Security-Policy header. You can rely on the DelegatingRequestMatcherHeaderWriter implementation to add the headers only to specific pages, like so:
<http>
    <!-- ... -->
    <headers>
        <header ref="headerWriter"/>
    </headers>
</http>
<beans:bean id="headerWriter"
            class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
                    c:pattern="/page-with-csp"/>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter"/>
    </beans:constructor-arg>
</beans:bean>

How to enforce license check on each .jsp page on spring mvc webapplication?

We are developing a web application with Spring MVC and REST-based controllers. We have already implemented authentication using Spring Security. Now this product should run with a valid license. This implementation is done, and before the webapp starts up we have a check to see whether the product is licensed or not. If not, the user can upload a license file and then start using the product.
Once they start using the product, say after a few days the license might expire (of course, restarting the server will catch this, but if there is no server restart then they can happily use it forever after expiry). So I want to have a check on each request, whether the product is licensed (just like isAuthenticated()) or not. If not, I can redirect to the license upload page.
Any ideas / pointers are appreciated.
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<beans:bean id="mySuccessHandler" class="com.cavirin.security.MySavedRequestAwareAuthenticationSuccessHandler" />
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="localAuthenticationProvider" />
</authentication-manager>
<http auto-config="true" use-expressions="true">
    <request-cache ref="authenticationRequestCache" />
    <form-login login-page="/"
                authentication-success-handler-ref="successHandler"
                authentication-failure-url="/rest/login/reAuthenticate" />
    <intercept-url pattern="/rest/**" access="isAuthenticated()" />
</http>
<beans:bean id="successHandler"
            class="com.cavirin.security.MySavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/rest/login/checkUser" />
</beans:bean>
To check on every request you could just add a filter to your app. But that would be very annoying for users who were half-way through doing something when they get redirected to the license page. It also seems quite inefficient. As an alternative, you could add an AuthenticationProvider which just checks when someone logs in and denies authentication otherwise.

Spring Security - overriding default configuration in profile

Context is Spring 3.1 (we use Spring MVC and Spring Security).
What we are trying to do is an admin page only available when the admin profile is active. With Spring Security, we tried something like:
<security:http use-expressions="true" entry-point-ref="entryPointDenied">
    <security:intercept-url pattern="/admin/**" access="denyAll" />
</security:http>
<beans profile="admin">
    <security:http use-expressions="true">
        <security:intercept-url pattern="/admin/**" access="permitAll" />
        <security:form-login/>
    </security:http>
</beans>
But that doesn't work, as we can't override security:http definitions (we tried using the http#name attribute). So with the above configuration, we get:
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored.
Also we can't use the negated profile (i.e. profile="!admin") feature as it is introduced in Spring 3.2.
Ideally the solution should be purely Spring configuration.
Edit: added missing use-expressions="true" to the second security:http

Integrating Twitter Bootstrap within a SpringMVC application

I'm starting out with building basic applications in SpringMVC. At the same time, I wanted to use some easy-to-set-up UI frameworks like Twitter Bootstrap. But I have no clue how to set it up.
Question:
Where do I place the downloaded bootstrap folder?
What I have so far.
I would put these in src/main/resources NOT under WEB-INF. These don't need to be protected.
Also, make sure you tell Spring where they are in your dispatcher servlet config file as per the documentation.
<mvc:resources mapping="/resources/**" location="/resources/" />
If you're using Spring security as well you'll need to make sure that the resources are not protected.
<http pattern="/resources/**" security="none"/>
You don't need the .less files unless you plan to compile custom css. In Maven projects, you typically place them in the resources folder: resources/assets/css and resources/assets/js.
In the JSP:
<spring:url scope="page" var="bootstrapStylesheetUrl" value="/resources/assets/css/bootstrap.css"/>
<spring:url scope="page" var="bootstrapResponsiveStylesheetUrl" value="/resources/assets/css/bootstrap-responsive.css"/>
<spring:url scope="page" var="bootstrapJavascriptUrl" value="/resources/assets/js/bootstrap.js"/>
And then in the head tag
<script src="${pageScope.bootstrapJavascriptUrl}"></script>
<link rel="stylesheet" href="${pageScope.bootstrapStylesheetUrl}"/>
<link rel="stylesheet" href="${pageScope.bootstrapResponsiveStylesheetUrl}"/>
Also, don't forget to add the spring taglib to the top of your jsp:
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
In your spring servlet context config(productmgmt-servlet.xml) add the line:
<mvc:resources mapping="/resources/**" location="classpath:/"/>

How to prevent Spring Security 2.5 from overriding the loading of a Welcome Page (index.html)

I have a Spring MVC web app for which I'd like to show a simple Welcome Page (index.html). On that page, I just want to have 2 href links: one to bring me to the Login Page, which is then implemented using Spring Security (2.5.6) and Hibernate 3, and the other to a Registration Page for new users.
However, the problem is that Spring Security automatically loads my login page each time and does NOT load the index.html page where I have coded the 2 links to forward me to either login or registration. I am brought to the login page, which works fine. However, I never get to show the initial index.html page of my web application.
Can anyone shed light on how to prevent Spring Security from overriding the 'Welcome Page' with its Login Page?
Many thanks.
Here is my Spring Security set up in web.xml:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        WEB-INF/spring-beans.xml
        WEB-INF/spring-security.xml
    </param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>
There's nothing wrong with your web.xml file; you need to show us your WEB-INF/spring-security.xml file.
If you keep getting directed to the login page, chances are you messed up the intercept-url pattern, which causes your welcome page to be caught by Spring Security for authentication before it is displayed.
This is an example of the intercept-url tags that you will find in your WEB-INF/spring-security.xml file:
<http auto-config="true" access-denied-page="/accessDenied.jsp">
    <intercept-url pattern="/login.jsp*" filters="none"/>
    <intercept-url pattern="/admin/searchUsers.do" access="ROLE_ADMIN" />
    <intercept-url pattern="/**.do" access="ROLE_USER,ROLE_ADMIN" />
    <form-login authentication-failure-url="/login.jsp?login_error=1" default-target-url="/home.do"/>
    <logout logout-success-url="/home.do"/>
</http>
Use
<form-login login-page="/login.jsp" />
Try to add
<mvc:view-controller path="/" view-name="index"/>
A controller should handle the user's request, and in your case there is no controller mapped to this URL. When a controller is found, it performs some logic and returns a view name which will be used to represent the server's response. So the view name translator is called only after the controller, and only to deduce the full path to the particular JSP file.
