The bounty expires in 2 days. Answers to this question are eligible for a +50 reputation bounty.
Christopher Chua wants to draw more attention to this question.
I am trying to upgrade my spring security version to 5.3.3.RELEASE. I was able to build and deploy my war file, but after I have entered my credentials in my login page, I am getting page not found for my security_check_form. Below are my codes inside the ApplicationContext-Security.xml file.
<security:http use-expressions="true" entry-point-ref="AuthenticationEntryPoint" disable-url-rewriting="true">
<security:intercept-url pattern="/testing.jsp*" access="isAuthenticated()" />
<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="normalConcurrentSessionFilter"/>
<security:custom-filter position="FORM_LOGIN_FILTER" ref="ogaLoginFilter"/>
<security:intercept-url pattern="/testing/gwt-log" access="permitAll"/>
<security:intercept-url pattern="/images*" access="permitAll"/>
<security:intercept-url pattern="/css*" access="permitAll"/>
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/signin" access="permitAll"/>
<security:intercept-url pattern="/forgotPassword" access="permitAll"/>
<security:intercept-url pattern="/singlesignin" access="permitAll"/>
<security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
<security:logout invalidate-session="true"
success-handler-ref="normalLogoutSucessHandler" logout-url="logout"
delete-cookies="JSESSIONID" />
</security:http>
<bean id="normalConcurrentSessionFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<constructor-arg name="sessionInformationExpiredStrategy" ref="sessionInformationExpiredStrategy"/>
</bean>
<bean id="sessionInformationExpiredStrategy"
class="org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy">
<constructor-arg value="/cusLogin/signin.cl" />
</bean>
<bean id="ogaLoginFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy" />
<property name="authenticationManager" ref="AuthenticationManager" />
<property name="authenticationSuccessHandler" ref="AuthenticationSuccessHandler"/>
<property name="authenticationFailureHandler" ref="AuthenticationFailureHandler"/>
<property name="filterProcessesUrl" value="/security_check_form"></property>
</bean>
I have tried with beans:property instead of property, but the issues still persists
Related
In service layer, I used getAuthentication() but return null. but in controller, it work well.
Please help me.
Update:
I had security.xml:
<beans>
<security:http realm="Protected API"
use-expressions="true"
auto-config="false"
create-session="stateless"
entry-point-ref="JvCustomAuthenticationEntryPoint">
<security:custom-filter ref="authenticationTokenProcessingFilter"
position="FORM_LOGIN_FILTER"/>
<security:intercept-url pattern="/**"
access="isAuthenticated()"/>
<security:csrf disabled="true"/>
</security:http>
<bean id="customAuthenticationProvider" class="vn.jupviec.api.cleanerapp.auth.JvCustomAuthenticationProviderImpl"/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="customAuthenticationProvider">
</security:authentication-provider>
</security:authentication-manager>
<bean id="JvCustomAuthenticationEntryPoint"
class="vn.jupviec.api.cleanerapp.auth.JvCustomAuthenticationEntryPoint"/>
<bean id="authenticationTokenProcessingFilter"
class="vn.jupviec.api.cleanerapp.auth.AuthenticationTokenProcessingFilter">
<constructor-arg ref="authenticationManager"/>
</bean>
</beans>
bla
I just upgraded to Spring Security 4.2.3.RELEASE and now I can't login. Specifically, when I login, submitting these parameters
OWASP_CSRFTOKEN ZLCK-J3VV-OJTK-8GZW-H68V-C8N6-CE6G-U6AQ
j_password aaa
j_username mouser
I get the error
Could not verify the provided CSRF token because your session was not found.
You can clearly see from the above it is there. Below is my Spring security configuration. What else do I need to check to get this working?
<beans:bean id="mycoUsernamePasswordUrlAuthenticationFilter"
class="org.collegeboard.myco.core.security.mycoUsernamePasswordUrlAuthenticationFilter">
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureHandler">
<beans:bean
class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login/failure" />
<beans:property name="exceptionMappings" ref="exceptionMappings" />
</beans:bean>
</beans:property>
<beans:property name="authenticationSuccessHandler">
<beans:bean
class="org.collegeboard.myco.security.mycoAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/authenticate" />
<beans:property name="sessionService" ref="sessionService" />
</beans:bean>
</beans:property>
</beans:bean>
...
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg name="loginFormUrl" value="/login" />
</beans:bean>
<http name="defaultSecurity" security-context-repository-ref="mycoSecurityContextRepository"
auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager"
entry-point-ref="loginUrlAuthenticationEntryPoint">
<!-- <access-denied-handler error-page="/denied"/> -->
<custom-filter position="FORM_LOGIN_FILTER"
ref="mycoUsernamePasswordUrlAuthenticationFilter" />
<intercept-url pattern="/lti/launch" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/status" access="permitAll" />
<intercept-url pattern="/termsOfUse" access="permitAll" />
<intercept-url pattern="/privacyPolicy" access="permitAll" />
<intercept-url pattern="/contactUs" access="permitAll" />
<intercept-url pattern="/legal" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
...
<intercept-url pattern="/dwrsetcookie" access="isFullyAuthenticated()" />
<intercept-url pattern="/dwrpageid" access="permitAll" />
<logout invalidate-session="true" logout-success-url="/logout" logout-url="/j_spring_security_logout" />
</http>
<authentication-manager alias="authenticationManager" id="authenticationManager">
<authentication-provider user-service-ref="sbdUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
Try to add the below CSRF input to your login jsp,
<input type="hidden" name="${_csrf.parameterName}"value="${_csrf.token}"/>
Or disable CSRF by adding the below to http tag
<csrf disabled="true"/>
I know this question has been asked a couple of times before but I somehow am not able to crack it. Help would really be appreciated, as I am stuck on it for a while.
My security XML appended below has been working file for a while, but it is needed that I add another tag to include WebService Security
Existing Security XML
<security:http pattern="/abc.html" security="none"/>
<security:http pattern="/dev.html" security="none"/>
<security:http entry-point-ref="authenticaionEntryPoint">
<security:intercept-url pattern="/*.xyz" access="ROLE_USER"/>
<security:logout logout-success-url="/login_failure.do" />
<security:custom-filter position="FORM_LOGIN_FILTER" ref="customAuthenticationFilter"/>
<security:anonymous username="guest" granted-authority="ROLE_ANONIM"/>
</security:http>
<bean id="authenticaionEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.jsp" />
</bean>
<bean id="customAuthenticationFilter" class="package.security.CustomAuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationSuccessHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/login_success.jsp" />
<property name="alwaysUseDefaultTargetUrl" value="false" />
</bean>
</property>
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login_failure.do" />
</bean>
</property>
</bean>
<bean id="authenticationProvider" class="package.security.CustomAuthenticationProvider" />
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="authenticationProvider"/>
</security:authentication-manager>
I need to add
<security:http pattern="/SetWebServices*" create-session="stateless" authentication-manager-ref="remotingAuthenticationManager" auto-config="true">
<security:intercept-url pattern="/SetWebServices*" access="ROLE_USER"/>
<security:http-basic/>
</security:http>
<security:authentication-manager alias="remotingAuthenticationManager">
<security:authentication-provider>
<security:user-service>
<security:user name="adminuser" password="adminpass" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
Both of them work separately but putting second piece on top gives 403 Access denied on /SetWebServices?WSDL.
Any help/direction/inputs would be really appreciated.
I have the following spring security configuration.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!-- For S2OAuth endpoints -->
<http pattern="/oauth/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
</http>
<http use-expressions="true">
<!-- Authentication policy -->
<form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?error=1" />
<logout logout-url="/signout" delete-cookies="JSESSIONID" />
<!-- Remember Me -->
<remember-me services-ref="rememberMeServices" key="myRememberMeKey" />
<!-- Authorization policy definition: TODO consider replacing with #Secured on #Controllers -->
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/favicon.ico" access="permitAll" />
<intercept-url pattern="/members/**" access="permitAll" />
<intercept-url pattern="/groups/**" access="permitAll" />
<intercept-url pattern="/pubsub/**" access="permitAll" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/signup" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<intercept-url pattern="/signin" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<intercept-url pattern="/signin/*" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<intercept-url pattern="/reset" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<!-- TODO this would probably be better mapped to simply /invite?token={token} but not able to vary security policy here based on presence of a request parameter. Consider #Secured on #Controller. -->
<intercept-url pattern="/invite/accept" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<!-- TODO this should be restricted to admin users only -->
<intercept-url pattern="/admin/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" requires-channel="#{environment['application.secureChannel']}" />
<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="usernamePasswordAuthenticationProvider" />
</authentication-manager>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<bean id="jdbcRememberMeRepository" class="com.springsource.greenhouse.rememberme.JdbcRememberMeRepository" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="coreUserDetailsService" class="com.springsource.greenhouse.rememberme.RememberMeUserDetailsService" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices" xmlns="http://www.springframework.org/schema/beans">
<property name="tokenRepository" ref="jdbcRememberMeRepository" />
<property name="userDetailsService" ref="coreUserDetailsService" />
<property name="key" value="myRememberMeKey" />
<property name="alwaysRemember" value="true" />
</bean>
<!-- For S2OAuth endpoints -->
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<beans:bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetails" />
</beans:bean>
<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="greenhouseApi" />
</beans:bean>
<beans:import resource="security-oauth-provider.xml" />
</beans:beans>
When I tick the remember-me checkbox , I see my remember-me database is populated as shown in the snapshot. Now I close the browser and try to access the url which needs sign-in. I am able to see the page. Now here I am confused about whether I am able to see the page because of login or because of remember-me. Secondly I see in the remember-me database table the last date is not updated. What can be the reasons for this?
Restarting your browser is not enough. To test remember me functionality you need to be sure that your session is expired. If lastUsed was not updated then it means that remember me functionality was not used. In your case HTTP session was active. You need to deactivate it and there are multiple options to do it:
wait for session expiration. Hint: you can set minimal session timeout, for example set 1 minute in your web.xml.
or remove session cockie (do not remove all coockies for your domain, remember me use coockie too)
or stop your application server then clean up a directory where it persist session data and start it again. For tomcat it is tomcat_root/work.
Setting up session timeout value to 1 minute in web.xml:
<session-config>
<session-timeout>1</session-timeout>
</session-config>
I have the following spring security configuration.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!-- For S2OAuth endpoints -->
<http pattern="/oauth/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
</http>
<http use-expressions="true">
<!-- Authentication policy -->
<form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?error=1" />
<logout logout-url="/signout" delete-cookies="JSESSIONID" />
<!-- Authorization policy definition: TODO consider replacing with #Secured on #Controllers -->
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/favicon.ico" access="permitAll" />
<intercept-url pattern="/members/**" access="permitAll" />
<intercept-url pattern="/groups/**" access="permitAll" />
<intercept-url pattern="/pubsub/**" access="permitAll" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/signup" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<intercept-url pattern="/signin" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<intercept-url pattern="/signin/*" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<intercept-url pattern="/reset" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<!-- TODO this would probably be better mapped to simply /invite?token={token} but not able to vary security policy here based on presence of a request parameter. Consider #Secured on #Controller. -->
<intercept-url pattern="/invite/accept" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<!-- TODO this should be restricted to admin users only -->
<intercept-url pattern="/admin/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" requires-channel="#{environment['application.secureChannel']}" />
<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="usernamePasswordAuthenticationProvider" />
</authentication-manager>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<!-- Remember Me -->
<http>
<remember-me services-ref="rememberMeServices" key="myRememberMeKey" />
</http>
<bean id="jdbcRememberMeRepository" class="com.springsource.greenhouse.rememberme.JdbcRememberMeRepository" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="coreUserDetailsService" class="com.springsource.greenhouse.rememberme.CoreUserDetailsService" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices" xmlns="http://www.springframework.org/schema/beans">
<property name="tokenRepository" ref="jdbcRememberMeRepository" />
<property name="userDetailsService" ref="coreUserDetailsService" />
<property name="key" value="myRememberMeKey" />
<property name="alwaysRemember" value="true" />
</bean>
<!-- For S2OAuth endpoints -->
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<beans:bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetails" />
</beans:bean>
<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="greenhouseApi" />
</beans:bean>
<beans:import resource="security-oauth-provider.xml" />
</beans:beans>
I am getting the following exception.
Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: No AuthenticationEntryPoint could be established. Please make sure you have a login mechanism configured through the namespace (such as form-login) or specify a custom AuthenticationEntryPoint with the 'entry-point-ref' attribute
Offending resource: class path resource [com/springsource/greenhouse/config/security.xml]
at org.springframework.beans.factory.parsing.FailFastProblemReporter.error(FailFastProblemReporter.java:68)
...
I am new to spring security. I don't know the cause of this exception.
You cannot add your remember-me declaration into new empty http element. Use some other existed http element where authentication entry point is already configured (for example via form-login element):
<http use-expressions="true">
<!-- Authentication policy -->
<form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?error=1" />
<remember-me services-ref="rememberMeServices" key="myRememberMeKey" />
...
<http/>