What is the best way to implement a consent page in Spring?

We want to implement a consent page for customers visiting our website. One way I see is that I can implement a filter which will check for a cookie; if the cookie is not present, we will redirect the customer to the /consent page. Once the customer clicks yes, we will set a cookie. The filter will again check the cookies and the customer can proceed with his requested pages.
Is there any out-of-the-box interface provided by Spring that does this? I checked the OncePerRequestFilter filter, but it looks like it will not solve the requirement here.

If I understand you correctly, you want to authenticate through cookies. You can try HandlerInterceptor.
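The cookie check from the question written as a HandlerInterceptor, as an added example that is not from the question or the answer. It assumes Spring 6 with Jakarta Servlet, a cookie named "consent", and that the /consent controller calls grantConsent after the customer clicks yes; the path exclusion in the registration is what keeps the interceptor from redirecting the consent page to itself.

```java
import jakarta.servlet.http.Cookie;          // javax.servlet.http.* on Spring 5 / Servlet 4
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Sends visitors to /consent until a "consent=yes" cookie is present. */
public class ConsentInterceptor implements HandlerInterceptor {
    static final String COOKIE_NAME = "consent";    // assumed cookie name
    static final String CONSENT_PATH = "/consent";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        if (hasConsent(request)) {
            return true;                             // continue to the requested handler
        }
        response.sendRedirect(request.getContextPath() + CONSENT_PATH);
        return false;                                // stop the chain for this request
    }

    static boolean hasConsent(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();     // null when the browser sent none
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && "yes".equals(c.getValue())) return true;
        }
        return false;
    }

    /** Called by the /consent controller when the visitor clicks "yes". */
    static void grantConsent(HttpServletResponse response) {
        Cookie cookie = new Cookie(COOKIE_NAME, "yes");
        cookie.setPath("/");                         // valid for the whole site
        cookie.setHttpOnly(true);                    // scripts never need to read it
        cookie.setSecure(true);                      // HTTPS only
        cookie.setMaxAge(60 * 60 * 24 * 365);        // one year
        response.addCookie(cookie);
    }
}

@Configuration
class ConsentConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new ConsentInterceptor())
                // excluding /consent itself prevents an endless redirect loop
                .excludePathPatterns("/consent", "/css/**", "/js/**");
    }
}
```

Static assets are excluded as well so that the consent page itself can still load its stylesheets and scripts.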

Related

Using a Controller and Restcontroller to allow users to access any page

I am using Spring Framework to build a webapp. I have a restcontroller that verifies the user (Google OAuth) and sends responses to the page to determine if the user is valid. There is another page on the site, however, called storage. If the user wanted to go straight to mysite.com/storage, how would I send the user to that page? I tried having a regular controller to direct the user there, but I get a circular path error. What is the right practice here? Am I missing anything? Thanks; let me know if you need more information.

Spring Security asks authenticated user to log in again and again

I am using Spring Security 3.0.2 on a web site where users can log into their account. The account landing page has a button that takes you to a second page. Various users report that they have trouble getting to that second page because they are asked to log in again and again when they press the button. I cannot reproduce the problem myself, and it seems to work for most people. However, enough people have complained about the issue that I take them seriously. What could be the cause for such a spurious malfunction?
I see some possible cases; maybe some of them would produce a 403 and not a redirect:
the second page is protected by an intercept-url with a list of roles and some users don't have the required role. Maybe your account has some "admin" role which allows you to access any page; that is why you cannot reproduce it
same problem but with a method @Secured with a role that some users don't have
maybe these users aren't accepting cookies
maybe you have multiple domains: the cookie is created for the domain www.domain.com, then the user is redirected to another domain like www1.domain.com where the cookie doesn't apply.
maybe you have some kind of misconfiguration in the load balancing: the session is created on the 1st server, then the 2nd page is handled by the 2nd server where the session doesn't exist
maybe somewhere in the code you call session.invalidate()
hope it helps

check for username against password in base controller mvc 3

I want to know how I can force a user to log in to the application again if the page is being opened in a new tab or new browser.
Edit:
My apologies, I misunderstood the requirement.
I am authenticating the user in my log-in page but not anywhere else. So what is happening because of that is that even if I log out of the application and type a URL, say bla.com/apple, I can access my application.
I figured that to prevent this from happening, I have to write a base controller that checks for the right user. Am I moving in the right direction?
Thanks
Addressing the edit:
Authentication can be handled per controller or on individual actions. Simply place the [Authorize] attribute appropriately. This assumes, however, that somewhere an authentication token is being set. [Authorize] checks against the HttpContext's current User (an IPrincipal).
You mentioned above that you're just validating against a local username and password, in one place, so I'm guessing that no token (session, cookie) is being set?
You have a few options here to get that token stored and persisted across requests:
ASP.Net integrated membership provider (Intro)
A custom MembershipProvider (Example)
Full-on custom flow. (Example)
Each has ups and downs and depends on how exactly you want to handle on-boarding your users. It's hard to answer more specifically because it can be a very large topic (and a very broad question).
Here are the official pages for MVC security.

Extending the Spring Security Login Process

Currently I have a custom form login page in Spring Security 3 that sends its form data to the correct authentication url.
However now I need to extend the process to support security questions after logging in but before hitting the rest of the site.
I have a few options from reading the documentation, but I'm confused as to the correct option to choose.
Option 1: Keep the current login system and set a special role that only lets the user access the security questions page. If they pass through the security questions process successfully, add their correct roles into the security context.
Option 2: Subclass AbstractAuthenticationProcessingFilter and do security questions as a part of the login process. This seems more Spring-like, but I'm stuck on how to support the multiple pages for the questions without breaking the rest of the authentication framework.
What about this approach:
1. When a user submits her username/password, save them into her session.
2. Redirect her to your questions.
3. When she is finished answering your questions, see if you want to let her log in.
3.1. If yes, POST her saved credentials so that they can be caught and processed by the Spring Security filter chain.
3.2. If no, take her back to the login page. (Or whatever you want to do in this case.)
I ended up using Option 1. @craftsman's answer doesn't fit since the questions are specific per user. It's actually worked out really well.
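Option 1 from this thread, as an added example rather than code from any of the posters: the login step grants only a provisional ROLE_PRE_AUTH, the filter chain lets that role reach nothing but /questions/**, and this service swaps the Authentication for one carrying the user's real roles once the answers check out. It assumes Spring Security 6, and the answer verifier and role lookup are injected collaborators whose implementation is left to the application.

```java
import java.util.List;
import java.util.function.BiPredicate;
import java.util.function.Function;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

/**
 * Step-up from the provisional ROLE_PRE_AUTH to the user's real roles. The filter chain
 * is expected to restrict that role to the questions page, e.g.
 *   .requestMatchers("/questions/**").hasRole("PRE_AUTH")
 *   .anyRequest().hasRole("USER")
 */
public class SecurityQuestionService {
    static final String PRE_AUTH = "ROLE_PRE_AUTH";                   // assumed role name
    private final BiPredicate<String, String> answerVerifier;         // (username, answer) -> ok
    private final Function<String, List<GrantedAuthority>> realRoles; // username -> full roles
    private final SecurityContextRepository repo = new HttpSessionSecurityContextRepository();

    public SecurityQuestionService(BiPredicate<String, String> answerVerifier,
                                   Function<String, List<GrantedAuthority>> realRoles) {
        this.answerVerifier = answerVerifier;   // both collaborators are assumed, e.g. DB-backed
        this.realRoles = realRoles;
    }

    /** Returns true and upgrades the session only for a provisional user with a correct answer. */
    public boolean complete(String answer, HttpServletRequest req, HttpServletResponse res) {
        SecurityContext ctx = SecurityContextHolder.getContext();
        Authentication current = ctx.getAuthentication();
        if (current == null || !isProvisional(current)) {
            return false;                       // anonymous, or already stepped up
        }
        if (!answerVerifier.test(current.getName(), answer)) {
            return false;                       // wrong answer: roles stay provisional
        }
        Authentication upgraded = UsernamePasswordAuthenticationToken.authenticated(
                current.getPrincipal(), null, realRoles.apply(current.getName()));
        ctx.setAuthentication(upgraded);
        repo.saveContext(ctx, req, res);        // Spring Security 6 does not save this for you
        return true;
    }

    static boolean isProvisional(Authentication a) {
        return a.getAuthorities().stream().anyMatch(g -> PRE_AUTH.equals(g.getAuthority()));
    }
}
```

On Spring Security 3, the version in the question, the SecurityContextPersistenceFilter saved the context at the end of the request, so the explicit saveContext call is only needed on 6.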

How to make a particular action publicly available while keeping everything else private

I was able to successfully implement FormsAuthentication and use the Authorize attribute to control which roles are authorized to access the different controllers and actions. I want to allow one particular action to be publicly available, but it always sends me to the login form.
I've tried using
[Authorize(Users="?")]
or
[Authorize(Users="*")]
but both send me to the login form.
However,
[Authorize(Users="Admin")]
will only send non-admin users to the login form, as expected. Is this possible to do? Thank you.
I was able to accomplish what I wanted to do by following this article: http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
