BasicAuthenticationFilter onUnsuccessfulAuthentication called twice - spring

In beans:
<http auto-config="false" disable-url-rewriting="false">
    <intercept-url pattern="/server/**" access="permitAll"/>
    <intercept-url pattern="/includes/**" access="permitAll"/>
    <intercept-url pattern="/favicon.ico" access="permitAll"/>
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/index.html" access="permitAll"/>
    <intercept-url pattern="/help/**/*" access="permitAll"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <custom-filter ref="unsuccessfulBasicAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
</http>
Called twice:
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

public class UnsuccessfulBasicAuthenticationFilter extends BasicAuthenticationFilter {
    // Injected by the bean definition (wiring not shown in the post); the type is assumed
    private FailedLogonAttemptsHandler failedLogonAttemptsHandler;

    @Override
    protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException failed) throws IOException {
        // Count only bad-credential failures, not other kinds of authentication error
        if (failed instanceof BadCredentialsException) {
            failedLogonAttemptsHandler.onFailedLogonAttempt();
        }
        super.onUnsuccessfulAuthentication(request, response, failed);
    }
}
But the method onUnsuccessfulAuthentication is called twice.

Related

Why Doesn't Intercept Url Work?

This is my Spring Security configuration:
<http auto-config="true" use-expressions="true">
    <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login"
                authentication-failure-url="/login?login_error=t" />
    <logout logout-url="/resources/j_spring_security_logout"/>
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" />
    ...
I added this: <intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" /> to prevent entering that section, but I can still enter monitoring after logging in as a "normal" user...
Why??
The order of <intercept-url .../> does matter. As the new intercept-url pattern="/monitoring" comes after pattern="/**", it is ignored, because all URLs for monitoring have already been processed by <intercept-url pattern="/**" access="isAuthenticated()" />.
You should write:
<intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/**" access="isAuthenticated()" />
As a general rule, intercept-url pattern="/**" must always be last.

Spring redirect view is not working

I am using Spring controllers to show my JSP views, and Spring Security.
In the security context, all users can access /login (login.jsp), but only authenticated users can access /home (home.jsp).
When I remove the session id from the browser cookies, the next request in the app should redirect to the login page.
My method to show the login page in the controller is:
@RequestMapping(value = {"/login", "/login.do"})
public ModelAndView showLoginForm() {
    // getUsername() is a helper of this controller that is not shown in the post;
    // it returns the current principal's name ("anonymousUser" when nobody is logged in)
    String username = getUsername();
    if (!username.equals("anonymousUser")) {
        return new ModelAndView("redirect:/home");
    }
    return new ModelAndView("login");
}
My URL is /home, but when I try to redirect to login using this function (return new ModelAndView("login")), the browser stays on the same URL.
My spring security config
<http entry-point-ref="loginEntryPoint"
      use-expressions="true" create-session="always">
    <session-management
        session-authentication-strategy-ref="sas" />
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/login.do" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/accessDenied.do" access="permitAll" />
    <intercept-url pattern="/app/**" access="permitAll" />
    <intercept-url pattern="/signup/createuser" access="permitAll" />
    <intercept-url pattern="/changepassword/changefirstpassword" access="permitAll" />
    <intercept-url pattern="/recoverpassword/recoverPasswordRequest" access="permitAll" />
    <intercept-url pattern="/resources/**" access="permitAll"/>
    <intercept-url pattern="/**" access="authenticated" />
    <access-denied-handler error-page="/accessDenied.do" />
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    <custom-filter position="FORM_LOGIN_FILTER" ref="domainFormLoginFilter" />
    <logout success-handler-ref="myLogoutSuccessHandler" />
</http>
Why doesn't my browser redirect to the login page? Thanks
First remove your controller and add the following to your security configuration.
<sec:intercept-url pattern="/home" access="isAuthenticated()" />
<sec:intercept-url pattern="/login" access="permitAll()" />
Work with the framework, not against or around it...

Spring security not working as expected

I'm using Spring Security with the configuration below. Every time I try to access the root URL, i.e. '/', it takes me to '/verify'. Can someone please tell me what I'm missing?
<http auto-config='true' use-expressions='true'>
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/verify" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
    <intercept-url pattern="/signup" access="permitAll" />
    <intercept-url pattern="/admin/**" access="hasAnyRole('SUPER','ADMIN')" />
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login login-page="/verify" default-target-url="/home"
                username-parameter="user_email" password-parameter="user_password"
                always-use-default-target="true" authentication-failure-url="/verify"
                authentication-success-handler-ref="authSuccessHandler" />
    <logout logout-success-url="/logout" logout-url="/logoutuser" />
    <headers>
        <cache-control />
        <hsts />
    </headers>
</http>
My controller
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class VerifyController {
    @RequestMapping(value = "/verify")
    public String userVerification() {
        return "index"; // view name, resolved by the configured ViewResolver
    }
}
It seems that for the URL pattern "/**" you instruct SS to run isAuthenticated(). Could that trigger the redirect to /verify?
I cannot be sure of it, but a common pitfall is to forget to allow access to resource files, images, css, or js that are used by public HTML or JSP pages (eventually through controllers).
If it is your problem, my advice is to put them either under a resources folder, or rather under images, css, and js folders, and add corresponding lines in the Spring Security config:
<http auto-config='true' use-expressions='true'>
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/images/**" access="permitAll" />
    <intercept-url pattern="/css/**" access="permitAll" />
    ...
</http>

In Spring Security, access is not applied properly on intercept url

I wrote the following code in my project-security.xml file.
<security:http name="dbservice" pattern="/pages" use-expressions="true" entry-point-ref="WMSecAuthEntryPoint" authentication-manager-ref="authenticationManager">
    <security:intercept-url pattern="/pages/Test" access="hasAnyRole('ROLE_admin')"/>
</security:http>
<security:http name="common" auto-config="false" use-expressions="true" entry-point-ref="WMSecAuthEntryPoint" disable-url-rewriting="true" authentication-manager-ref="authenticationManager">
    <security:intercept-url pattern="/app.variables.json" access="isAuthenticated()"/>
    <security:intercept-url pattern="/pages/topnav/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/pages/rightnav/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/pages/leftnav/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/pages/header/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/pages/footer/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/pages/Main/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/index.html" access="isAuthenticated()"/>
    <security:request-cache ref="nullRequestCache"/>
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="WMSecAuthFilter"/>
    <security:intercept-url pattern="/app.css" access="permitAll"/>
    <security:intercept-url pattern="/config.js" access="permitAll"/>
    <security:intercept-url pattern="/config.json" access="permitAll"/>
    <security:intercept-url pattern="/app.js" access="permitAll"/>
    <security:intercept-url pattern="/types.js" access="permitAll"/>
    <security:intercept-url pattern="/login.html" access="permitAll"/>
    <security:intercept-url pattern="/pages/Login/**" access="permitAll"/>
    <security:intercept-url pattern="/pages/Common/**" access="permitAll"/>
    <security:intercept-url pattern="/themes/**" access="permitAll"/>
    <security:intercept-url pattern="/resources/**" access="permitAll"/>
    <security:intercept-url pattern="/**/app/build/application/**" access="permitAll"/>
    <security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>
    <security:intercept-url pattern="/services/security/**" access="permitAll"/>
    <security:intercept-url pattern="/securityService.json" access="permitAll"/>
    <security:intercept-url pattern="/" access="isAuthenticated()"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:remember-me key="WM_APP_KEY" services-ref="rememberMeServices"/>
</security:http>
The problem is that the pattern "/pages/Test" is not restricted for users other than admin; they can access this URL.
Whereas when I put this line in the "common" http section, it works.
Note that I want to make it work in the above scenario only, as I can manage my URLs section-wise.
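Both the first-match ordering rule from the "Why Doesn't Intercept Url Work?" answer above and the question of which <security:http> chain picks up a request come down to Spring's Ant-style path matching: intercept-url rules are evaluated top to bottom and the first match wins, and the pattern attribute of <http> uses the same matcher, so pattern="/pages" selects that chain only for the exact path /pages, not for /pages/Test. The following stand-alone linter is an added example, not code from any of the posts or from Spring itself: it parses an <http> block and reports intercept-url rules that an earlier, broader pattern already swallows. The ant_to_regex and sample_paths helpers, the "zq" probe segment and both sample configurations are constructed here; the matcher is a deliberate simplification of Spring's AntPathMatcher (it ignores the method attribute and treats "**" only as a whole segment).

```python
"""Added example: a stand-alone linter for Spring Security <http> blocks that
flags intercept-url rules no request can reach because an earlier, broader
rule already matches everything they would. Not part of the original posts."""
import re
import xml.etree.ElementTree as ET


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex.

    '**' as a whole segment matches zero or more segments, '*' matches zero
    or more characters within one segment and '?' matches one character.
    This is a simplification of Spring's AntPathMatcher; an exact pattern
    such as "/pages" matches only that path, never "/pages/Test".
    """
    parts = []
    for segment in pattern.split("/"):
        if segment == "":
            continue  # the leading slash yields an empty first segment
        if segment == "**":
            parts.append("(?:/[^/]*)*")
            continue
        escaped = "".join(
            "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
            for ch in segment
        )
        parts.append("/" + escaped)
    return re.compile("".join(parts) or "/")


def sample_paths(pattern: str) -> list:
    """Concrete request paths accepted by a pattern, used to probe whether an
    earlier rule swallows all of them. "zq" is an arbitrary segment chosen to
    avoid colliding with literal segments (a heuristic, not a proof)."""
    samples = []
    for depth in ("", "/zq", "/zq/zq"):
        path = pattern.replace("/**", depth).replace("*", "zq").replace("?", "z")
        path = path or "/"
        if path not in samples:
            samples.append(path)
    return samples


def intercept_rules(xml_text: str) -> list:
    """Ordered (pattern, access) pairs for every intercept-url element, with
    or without a namespace prefix such as security:."""
    root = ET.fromstring(xml_text)
    return [
        (el.get("pattern"), el.get("access"))
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "intercept-url"
    ]


def find_shadowed_rules(xml_text: str) -> list:
    """Return (pattern, access, earlier_pattern) for each intercept-url whose
    every sample path is already matched by an earlier rule. Spring applies
    the first matching intercept-url, so such a rule never takes effect."""
    rules = intercept_rules(xml_text)
    findings = []
    for i, (pattern, access) in enumerate(rules):
        probes = sample_paths(pattern)
        for earlier_pattern, _ in rules[:i]:
            regex = ant_to_regex(earlier_pattern)
            if all(regex.fullmatch(p) for p in probes):
                findings.append((pattern, access, earlier_pattern))
                break
    return findings


# Constructed sample: the ordering from the question, /monitoring after the catch-all.
BROKEN_CONFIG = """
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" />
</http>
"""

# Constructed sample: the corrected ordering, specific rule before the catch-all.
FIXED_CONFIG = """
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
"""

if __name__ == "__main__":
    for name, config in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        for pattern, access, earlier in find_shadowed_rules(config):
            print(f"{name}: rule {pattern!r} ({access}) is unreachable; "
                  f"{earlier!r} matches first")
```

Run against the broken ordering it reports that the /monitoring rule is unreachable behind /**; against the corrected ordering it reports nothing. Because the probe-based check is a heuristic, treat a clean run as "no obvious shadowing", not as proof that every rule is reachable.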

Return Http Status (eg. 401) or redirect Spring Security

Hi, I use this configuration for Spring Security:
<http auto-config="true" use-expressions="true">
    <session-management>
        <concurrency-control max-sessions="1" />
    </session-management>
    <form-login login-page="/login" login-processing-url="/resources/j_spring_security_check" authentication-failure-url="/login?login_error=t"/>
    <logout logout-url="/resources/j_spring_security_logout"/>
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
I need to return an HTTP error code like 401 if the Content-Type header of my request is application/json; otherwise I want to redirect to the login page.
But with this configuration, regardless of the request content type I'm being redirected to the login URL with a 302 response code.
Is there a way to do this?
EDIT:
I want to use only one servlet to handle the HTML and JSON, so I tried this:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.stereotype.Component;

@Component
public class CustomEntryPoint extends LoginUrlAuthenticationEntryPoint {
    private final Logger log = LoggerFactory.getLogger(CustomEntryPoint.class);

    public CustomEntryPoint(String loginFormUrl) {
        super(loginFormUrl);
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
            throws IOException, ServletException {
        // Exact comparison: a Content-Type that carries a charset parameter
        // (e.g. "application/json;charset=UTF-8") does not take this branch
        if (request.getContentType() != null && request.getContentType().equals("application/json")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Access Denied");
        } else {
            super.commence(request, response, authException);
        }
    }
}
And this is my new Security Configuration:
<http auto-config="true" use-expressions="true" entry-point-ref="customEntryPoint">
    <session-management>
        <concurrency-control max-sessions="1" />
    </session-management>
    <form-login login-page="/login" login-processing-url="/resources/j_spring_security_check" authentication-failure-url="/login?login_error=t"/>
    <logout logout-url="/resources/j_spring_security_logout"/>
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
<beans:bean id="customEntryPoint" class="x.x.CustomEntryPoint">
    <beans:constructor-arg value="/login"/>
</beans:bean>
What do you think about that? Is it a correct way to do it, or do you know a better way?
Thank you
I solved it this way:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

public class CustomEntryPoint extends LoginUrlAuthenticationEntryPoint {
    private static final String XML_HTTP_REQUEST = "XMLHttpRequest";
    private static final String X_REQUESTED_WITH = "X-Requested-With";

    public CustomEntryPoint(String loginFormUrl) {
        super(loginFormUrl);
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
            throws IOException, ServletException {
        // AJAX clients send X-Requested-With: XMLHttpRequest and get a plain 401;
        // browser navigations fall through to the login-page redirect
        if (XML_HTTP_REQUEST.equals(request.getHeader(X_REQUESTED_WITH))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            super.commence(request, response, exception);
        }
    }
}
And the security configuration is:
<http auto-config="true" use-expressions="true" entry-point-ref="customEntryPoint">
    <session-management>
        <concurrency-control max-sessions="1" />
    </session-management>
    <form-login login-page="/login" login-processing-url="/resources/j_spring_security_check" authentication-failure-url="/login?login_error=t"/>
    <logout logout-url="/resources/j_spring_security_logout"/>
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
<beans:bean id="customEntryPoint" class="x.x.CustomEntryPoint">
    <beans:constructor-arg value="/login"/>
</beans:bean>
