I am using a custom-implemented SSO in my app, which uses Spring.
(Recently I was upgrading my app to Spring 5.2.5 and Java 11.)
At the final stage of that SSO process, a URL like the one below is posted, which bypasses the authentication/login page and opens the main page:
http://localhost:8181/MyApp/j_spring_security_check?tokenId=999a1ec9-d92a-4a5e-a7ec-a8985c421000
But instead of opening the main page, it directs me to
access-denied-handler error-page="/ui/ordinary/noauthorization.xhtml"
But when I look at the Spring debug logs, I realize that permitAll is matched. No access denied occurred.
How can I find out what is really happening here? Why doesn't it proceed to the main page, and why is the CustomAuthenticationFilter.attemptAuthentication method (overriding UsernamePasswordAuthenticationFilter) not called?
```text
[2020-09-02 01:39:04,782][DEBUG] Checking match of request : '/j_spring_security_check'; against '/noauthorization.xhtml' - org.springframework.security.web.util.matcher.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:177)
[2020-09-02 01:39:04,782][DEBUG] Checking match of request : '/j_spring_security_check'; against '/login' - org.springframework.security.web.util.matcher.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:177)
[2020-09-02 01:39:04,782][DEBUG] Checking match of request : '/j_spring_security_check'; against '/j_spring_security_check' - org.springframework.security.web.util.matcher.AntPathRequestMatcher.matches(AntPathRequestMatcher.java:177)
[2020-09-02 01:39:04,782][DEBUG] Secure object: FilterInvocation: URL: /j_spring_security_check?tokenId=3e004f91-1aec-4f98-bc5c-1f49b69c209a; Attributes: [permitAll] - org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:219)
[2020-09-02 01:39:04,782][DEBUG] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#ca1ab61a: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: node08gmgybqdzxi6l88ent9iokp01; Granted Authorities: ROLE_ANONYMOUS - org.springframework.security.access.intercept.AbstractSecurityInterceptor.authenticateIfRequired(AbstractSecurityInterceptor.java:348)
[2020-09-02 01:39:04,782][DEBUG] Voter: org.springframework.security.web.access.expression.WebExpressionVoter#75a450d1, returned: 1 - org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:66)
[2020-09-02 01:39:04,782][DEBUG] Authorization successful - org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:243)
[2020-09-02 01:39:04,782][DEBUG] RunAsManager did not change Authentication object - org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:256)
[2020-09-02 01:39:04,782][DEBUG] /j_spring_security_check?tokenId=3e004f91-1aec-4f98-bc5c-1f49b69c209a reached end of additional filter chain; proceeding with original chain org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:313)
[2020-09-02 01:39:04,791][DEBUG] Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#b7199c7 - org.springframework.security.web.header.writers.HstsHeaderWriter.writeHeaders(HstsHeaderWriter.java:169)
[2020-09-02 01:39:04,791][DEBUG] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. - org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext(HttpSessionSecurityContextRepository.java:351)
[2020-09-02 01:39:04,791][DEBUG] Chain processed normally - org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
[2020-09-02 01:39:04,792][DEBUG] SecurityContextHolder now cleared, as request processing completed - org.springframework.security.web.context.SecurityContextPersistenceFilter.
```
I have made many changes to the XML after posting the question, but as far as I remember,
my securityContext.xml was like below:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans default-lazy-init="true"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:util="http://www.springframework.org/schema/util" xmlns="http://www.springframework.org/schema/security"
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:p="http://www.springframework.org/schema/p" xmlns:task="http://www.springframework.org/schema/task"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task.xsd
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd">

    <context:component-scan base-package="com.myapp.authentication" />

    <http auto-config='true' use-expressions="true" entry-point-ref="myAuthenticationEntryPoint">
        <custom-filter ref="customAuthenticationFilter" position="PRE_AUTH_FILTER"/>
        <intercept-url pattern="/css/**" access="permitAll" />
        <intercept-url pattern="/images/**" access="permitAll" />
        <intercept-url pattern="/templates/**" access="isAuthenticated()" />
        .
        .
        <intercept-url pattern="/ui/ordinary" access="denyAll" />
        <intercept-url pattern="/ui/ordinary/" access="denyAll" />
        .
        .
        <intercept-url pattern="/ui/ordinary/**"
            access="hasAnyRole('ROLE_ORDINARY','ROLE_ADMINISTRATOR','ROLE_ROOT')" />
        <intercept-url pattern="/ui/**" access="isAuthenticated()" />
        <intercept-url pattern="/login.xhtml" access="permitAll" />
        <intercept-url pattern="/j_spring_security_check" access="permitAll" />
        <intercept-url pattern="/noauthorization.xhtml" access="permitAll" />
        <intercept-url pattern="/**" access="denyAll" />
        <form-login login-page='/login.xhtml'
            username-parameter="j_username"
            password-parameter="j_password"
            login-processing-url="/j_spring_security_check"
            authentication-failure-url="/login.xhtml"
            always-use-default-target="false"
            default-target-url="/ui/ordinary/list.xhtml" />
        <access-denied-handler error-page="/ui/ordinary/noauthorization.xhtml" />
        <logout logout-url="/j_spring_security_logout" logout-success-url="/login.xhtml?logout" delete-cookies="JSESSIONID" />
        <csrf disabled="true" />
        <session-management invalid-session-url="/login.xhtml"/>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="customSpringAuthentication" />
    </authentication-manager>

    <beans:bean id="customAuthenticationFilter"
        class="com.mayapp.authentication.CustomAuthenticationFilter" p:postOnly="false" p:authenticationManager-ref="authenticationManager">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
        <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
        <beans:property name="sessionAuthenticationStrategy" ref="sessionFixationAttackHandler"/>
    </beans:bean>

    <beans:bean id="successHandler"
        class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/ui/ordinary/list.xhtml"/>
    </beans:bean>

    <beans:bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/login.xhtml?login_error=true"/>
    </beans:bean>

    <beans:bean id="customSpringAuthentication" class="com.mayapp.authentication.CustomSpringAuthentication"/>

    <beans:bean id="myAuthenticationEntryPoint" class="com.mayapp.authentication.CustomAuthenticationEntryPoint">
        <!-- beans:property name="loginFormUrl" value="/login.xhtml" /-->
        <beans:constructor-arg value="/login.xhtml"/>
    </beans:bean>

    <beans:bean id="sessionFixationAttackHandler" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
</beans:beans>
```
After numerous experiments, I was able to solve the problem.
I removed
```xml
<intercept-url pattern="/j_spring_security_check" access="permitAll" />
```
And the most important thing that solved it was adding "setRequiresAuthenticationRequestMatcher" in my token filter's constructor, as below:
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    public CustomAuthenticationFilter() {
        super();
        // Because by default the value of postOnly is true in UsernamePasswordAuthenticationFilter
        super.setPostOnly(false);
        // Match GET requests to the SSO check URL (the inherited default matcher is POST /login)
        super.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/j_spring_security_check", "GET"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        .
        .
    }
}
```
Thanks to everyone who kindly asked me for more details in order to help me. I appreciate it.
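As an added example (not code from the question or the answer above), here is what a complete token filter for this kind of SSO hand-off can look like when written directly against AbstractAuthenticationProcessingFilter. The security-relevant point is the request matcher: since Spring Security 4 the default matcher inherited from UsernamePasswordAuthenticationFilter is POST /login, so a GET to /j_spring_security_check never reaches attemptAuthentication unless the matcher is set explicitly. The class and package names are assumptions, and the AuthenticationProvider that maps a tokenId to a user (the page's CustomSpringAuthentication) is not shown.

```java
// Added example: token-based processing filter that fires only for
// GET /j_spring_security_check?tokenId=<uuid>. Names are assumptions.
package com.myapp.authentication;

import java.util.UUID;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class TokenSsoAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    static final String TOKEN_PARAM = "tokenId";

    public TokenSsoAuthenticationFilter() {
        // Only GET requests to exactly this path reach attemptAuthentication. Without an
        // explicit matcher the inherited default (POST /login) would never fire for the
        // SSO redirect, and the request would fall through the chain as anonymous.
        super(new AntPathRequestMatcher("/j_spring_security_check", "GET"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String tokenId = request.getParameter(TOKEN_PARAM);
        if (!isWellFormed(tokenId)) {
            // Fail loudly rather than fall through: a missing or malformed token must not
            // continue down the chain as an anonymous request.
            throw new AuthenticationServiceException("missing or malformed " + TOKEN_PARAM);
        }
        // The token carries the identity; the configured AuthenticationProvider (assumed)
        // validates it and consumes it so it cannot be replayed. Credentials are "N/A",
        // as with other pre-authenticated tokens.
        PreAuthenticatedAuthenticationToken authRequest =
                new PreAuthenticatedAuthenticationToken(tokenId, "N/A");
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
        return getAuthenticationManager().authenticate(authRequest);
    }

    /** Accepts only a canonical 36-character UUID, so garbage never reaches the provider. */
    static boolean isWellFormed(String tokenId) {
        if (tokenId == null || tokenId.length() != 36) {
            return false;
        }
        try {
            // UUID.fromString is lenient about short groups; the round trip rejects those.
            return UUID.fromString(tokenId).toString().equals(tokenId);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }
}
```

Wire it exactly like the page's bean (authenticationManager, success and failure handlers, and the custom-filter entry), and keep the intercept-url entry for /j_spring_security_check removed as the answer did: the processing filter, not the access rule, is what has to handle that URL. Because the one-time token travels in a GET query string it ends up in browser history and server access logs, so the provider should treat it as single-use with a short lifetime.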
I'm developing a website using Spring Security and I have a page that is unsecured, "product/58", where I have the following form:
```xml
<form:form name="offerForm" id="offer" modelAttribute="offerProposal" action="/product/make/offer/" method="post" enctype="multipart/form-data">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    <form:input path="minPrice"/>
</form:form>
```
The problem is that if I log in, open the page (I'm an authenticated user) and submit the form, Spring Security redirects me to the denied controller, and the log shows:
```text
2018-03-22 19:09:42,679 DEBUG [user1_308 (21C272993EC9D1BD7085533415452657)] [https://localhost:8443/standard/resources/js/slick/ajax-loader.gif] [org.springframework.security.web.context.HttpSessionSecurityContextRepository] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#4193b3e0: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#4193b3e0: Principal: com.projectx.standard.services.user.model.CustomUserDetails#58c7c40: Username: user1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 7A5CB3F014A45BB6632A3503A7B23D02; Granted Authorities: ROLE_USER'
2018-03-22 19:09:42,680 DEBUG [user1_308 (21C272993EC9D1BD7085533415452657)] [https://localhost:8443/standard/resources/js/slick/ajax-loader.gif] [org.springframework.security.web.csrf.CsrfFilter] Invalid CSRF token found for https://localhost:8443/standard/product/make/offer/
2018-03-22 19:09:42,747 INFO [user1_308 (21C272993EC9D1BD7085533415452657)] [https://localhost:8443/standard/resources/js/slick/ajax-loader.gif] [com.projectx.standard.app.interceptor.LogInterceptor] [Start request] - ************* URL https://localhost:8443/standard/accessDenied/ *************
```
The Spring Security configuration is as follows:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.2.xsd">

    <http pattern="/resources/css" security="none" />
    <http pattern="/resources/images" security="none" />
    <http pattern="/resources/js" security="none" />

    <global-method-security secured-annotations="enabled" />

    <beans:bean id="ajaxAwareLoginUrlAuthenticationEntryPoint" class="com.projectx.standard.app.handler.AjaxAwareLoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg value="/login/" />
    </beans:bean>

    <http use-expressions="true" disable-url-rewriting="true" entry-point-ref="ajaxAwareLoginUrlAuthenticationEntryPoint">
        <access-denied-handler error-page="/accessDenied/" />
        <session-management>
            <concurrency-control expired-url="/login/" />
        </session-management>
        <logout logout-success-url="/" invalidate-session="true" logout-url="/logout" />
        <intercept-url pattern="/favicon.ico" access="permitAll"
            requires-channel="https" />
        <intercept-url pattern="/robots.txt" access="permitAll"
            requires-channel="https" />
        <intercept-url pattern="/product/make/offer/*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/**" access="permitAll"
            requires-channel="https" />
        <!-- Set the login page and what to do if login fails -->
        <form-login login-page="/login/"
            authentication-failure-handler-ref="customAuthenticationFailureHandler"
            authentication-success-handler-ref="customAuthenticationSuccessHandler"
            username-parameter="j_username"
            password-parameter="j_password"
            login-processing-url="/j_spring_security_check"
            always-use-default-target="false" />
        <remember-me data-source-ref="dataSource"
            remember-me-parameter="_spring_security_remember_me"
            remember-me-cookie="SPRING_SECURITY_REMEMBER_ME_COOKIE" />
    </http>

    <beans:bean id="customAuthenticationSuccessHandler"
        class="com.projectx.standard.app.handler.CustomAuthenticationSuccessHandler" />

    <beans:bean id="customAuthenticationFailureHandler"
        class="com.projectx.standard.app.handler.CustomAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/login/?error=true" />
    </beans:bean>

    <!-- Use a BCryptPasswordEncoder encoder since the user's passwords are
         stored as BCryptPasswordEncoder in the database -->
    <beans:bean id="passwordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <authentication-manager>
        <authentication-provider user-service-ref="loginService">
            <password-encoder ref="passwordEncoder" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```
This looks like CSRF, but the form has the token. What can I do to fix this?
Thanks
I figured it out... If I add ?${_csrf.parameterName}=${_csrf.token} to the form action, then everything works.
I don't know if it is the best approach, but it works!
I am using Spring 4 and Hibernate 5.
Below is the XML config for my Spring Security.
I have this line:
```xml
<intercept-url pattern="/android/download" access="permitAll" />
```
When I try to access it from SoapUI, all I get is
```text
Authentication request failed: com.test.common.JwtTokenMissingException: No token found in request headers. Please login again!
com.test.common.JwtTokenMissingException: No token found in request headers. Please login again!
```
Is there something wrong with my config file? I do not wish to set security="none", as I want it to go through Spring Security.
Could it be the order in which the authentication is done in my CustomAuthenticationFilter class?
XML file for Spring Security:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd">

    <sec:http auto-config="false" create-session="stateless" entry-point-ref="customEntryPoint" use-expressions="true">
        <intercept-url pattern="/admin/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
        <intercept-url pattern="/agent/**" access="isFullyAuthenticated()" />
        <intercept-url pattern="/analysis/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
        <intercept-url pattern="/android/download" access="permitAll" />
        <intercept-url pattern="/android/**" access="hasRole('ADMIN') or hasRole('SNF_AGENT')" />
        <intercept-url pattern="/audit/**" access="hasRole('ADMIN')" />
        <intercept-url pattern="/auth/logout" access="isFullyAuthenticated()" />
        <intercept-url pattern="/external/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC') or hasRole('IC') " />
        <intercept-url pattern="/index.xhtml" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
        <intercept-url pattern="/misc/**" access="isFullyAuthenticated()" />
        <intercept-url pattern="/mission/missions/search" access="isFullyAuthenticated()" />
        <intercept-url pattern="/mission/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC')" />
        <intercept-url pattern="/report/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
        <intercept-url pattern="/request/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
        <intercept-url pattern="/target/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC')" />
        <intercept-url pattern="/trawling/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
        <intercept-url pattern="/**" access="denyAll" />
        <sec:custom-filter ref="customAuthenticationFilter"
            before="PRE_AUTH_FILTER" />
        <sec:csrf disabled="true" />
    </sec:http>

    <sec:authentication-manager alias="authenticationManager">
        <authentication-provider ref="customAuthenticationProvider" />
    </sec:authentication-manager>

    <beans:bean id="customAuthenticationFilter"
        class="com.test.common.CustomAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationSuccessHandler"
            ref="customSuccessHandler" />
    </beans:bean>

    <beans:bean id="customSuccessHandler" class="com.test.common.CustomSuccessHandler" />
</beans:beans>
```
EDITED:
I left out this portion of code from the CustomAuthenticationFilter class:
```java
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
{
    String header = request.getHeader(this.tokenHeader);
    if (request.getServletPath().contains(".xhtml"))
    {
        header = (String) request.getSession().getAttribute("token");
    }
    if (header == null || !header.startsWith(PropertiesUtil.TOKEN_HEADER))
    {
        throw new JwtTokenMissingException(msgProperty.getProperty(MessageUtil.ERR_AUTH_NO_TOKEN));
    }
    String authToken = header.substring(PropertiesUtil.TOKEN_HEADER.length());
    JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken);
    return getAuthenticationManager().authenticate(authRequest);
}
```
permitAll means that any authentication, even an AnonymousAuthenticationToken, is allowed; however, your request never makes it that far. You have a custom filter, I assume it is derived from AbstractAuthenticationProcessingFilter, and since the filter throws an exception when the header is missing, your request never makes it to the AuthenticationManager!
There are several ways to solve this; here are two.
1. Create another filter chain <sec:http...> for endpoints that do not require a token, and use AnonymousAuthenticationFilter for this filter chain.
2. Return AnonymousAuthenticationToken from your filter if the JWT header is missing.
Hope this helps.
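The second option from the answer, written out as an added example (this is not code from the question or the answer, and the class, package and header names are assumptions; JwtAuthenticationToken below is a minimal stand-in for the page's class). When no bearer token is offered, the filter hands back an anonymous token instead of throwing, so the request reaches the intercept-url decision: permitAll paths such as /android/download pass, while denyAll and hasRole(...) paths are rejected there and routed to the entry point. A token that is present but invalid is still a hard failure.

```java
// Added example: JWT processing filter with anonymous fall-through for
// requests that carry no token. Names are assumptions.
package com.test.common;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    static final String TOKEN_HEADER = "Authorization";   // assumed header name
    static final String TOKEN_PREFIX = "Bearer ";         // assumed scheme prefix

    public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
        super(new AntPathRequestMatcher("/**"));   // runs for every request in this chain
        setAuthenticationManager(authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String header = request.getHeader(TOKEN_HEADER);
        if (header == null || !header.startsWith(TOKEN_PREFIX)) {
            // No credential offered: do not fail the request here. Return an anonymous
            // token and let the intercept-url rules decide what this caller may reach.
            return new AnonymousAuthenticationToken("anonymous", "anonymousUser",
                    AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        }
        String jwt = header.substring(TOKEN_PREFIX.length());
        // A token that is present but does not verify is an authentication failure.
        return getAuthenticationManager().authenticate(new JwtAuthenticationToken(jwt));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        // Stateless API (create-session="stateless"): keep the result for this request only
        // and continue the chain rather than redirecting through a success handler.
        SecurityContextHolder.getContext().setAuthentication(authResult);
        chain.doFilter(request, response);
    }

    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException failed) throws IOException, ServletException {
        SecurityContextHolder.clearContext();
        // Do not echo the token or the verification error back to the client.
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
    }

    /** Minimal unauthenticated request token carrying the raw JWT (assumed shape). */
    public static class JwtAuthenticationToken extends AbstractAuthenticationToken {
        private final String rawToken;

        public JwtAuthenticationToken(String rawToken) {
            super(null);
            this.rawToken = rawToken;
            setAuthenticated(false);
        }

        @Override public Object getCredentials() { return rawToken; }
        @Override public Object getPrincipal() { return null; }
    }
}
```

With this shape the filter never makes an access decision itself; that stays with the intercept-url rules, so adding or removing a permitAll path is a configuration change only. The trailing `<intercept-url pattern="/**" access="denyAll" />` in the page's config remains the safety net for anything not listed.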
I'm developing a web application using Spring MVC and Spring Security. Actually, I do not have an error but a warning instead. It looks like this warning will turn into an error soon :)
When I try to deploy my application, it is deployed successfully, but a warning appears:
"WARNING: Possible error: Filters at position 7 and 8 are both instances of org.springframework.security.web.session.SessionManagementFilter"
I have both sessionManagementFilter and preAuthenticationFilter in my spring-security XML.
I've googled the problem, but it looks like nobody else gets the same warning. What is this warning? Will it cause an error, and how can I fix it? I cannot solve the issue; I'd appreciate it if someone could help me. Thank you.
My spring-security.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http create-session="never" use-expressions="true" auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        <custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />
        <intercept-url pattern="/restricted/**" access="isAuthenticated()" />
        <custom-filter position="PRE_AUTH_FILTER" ref="myPreAuthFilter" />
        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/invalid-session.xhtml?concurrent=true" />
        </session-management>
        <logout logout-url="/cikis" invalidate-session="true" delete-cookies="JSESSIONID" success-handler-ref="myLogoutHandler" />
    </http>

    <beans:bean id="myLogoutHandler" class="com.test.MyLogoutHandler" />
    <beans:bean id="userDetailsServiceImpl" class="com.test.UserDetailsServiceImpl" />
    <beans:bean id="preAuthenticatedProcessingFilterEntryPoint" class="com.test.ForbiddenURLEntryPoint" />

    <beans:bean id="preAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <beans:property name="preAuthenticatedUserDetailsService" ref="userDetailsServiceImpl" />
    </beans:bean>

    <beans:bean id="myPreAuthFilter" class="com.test.MyPreAuthenticationFilter">
        <beans:property name="authenticationManager" ref="appControlAuthenticationManager" />
    </beans:bean>

    <beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
        <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
        <beans:property name="invalidSessionStrategy" ref="jsfRedirectStrategy" />
    </beans:bean>

    <beans:bean id="jsfRedirectStrategy" class="com.test.JsfRedirectStrategy"/>
    <beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

    <authentication-manager alias="appControlAuthenticationManager">
        <authentication-provider ref="preAuthenticationProvider" />
    </authentication-manager>
</beans:beans>
```
Spring Security includes SessionManagementFilter by default on startup.
If you want to specify your own SESSION_MANAGEMENT_FILTER, you have to disable session-fixation-protection; just type:
```xml
<http create-session="never" use-expressions="true" auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    <session-management session-fixation-protection="none"/>
    <custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />
    <...>
</http>
```
Can anybody help me with Spring Security?
I have two folders under views: 1. allusers, 2. superusers.
All users have hasRole("ROLE_USER") and superusers have hasRole("ROLE_ADMIN","ROLE_USER").
I want a user who has ROLE_ADMIN to be redirected after login to the right folder, i.e. the superusers folder, and one with only ROLE_USER to the allusers folder.
I don't know how I can do it.
spring-security.xml
```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <http auto-config="true" use-expressions="true">
        <!-- interceptor pages -->
        <intercept-url pattern="/**" access="permitAll" />
        <intercept-url pattern="/index" access="permitAll" />
        <intercept-url pattern="/allusers/**" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/superusers/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
        <intercept-url pattern="/logout" access="permitAll" />
        <intercept-url pattern="/denied" access="permitAll" />
        <intercept-url pattern="/getAllUsers" access="hasRole('ROLE_ADMIN')" />
        <access-denied-handler error-page="/403" />
        <form-login login-page="/index" default-target-url="/welcome"
            authentication-failure-url="/loginfailed" />
        <logout logout-success-url="/logout" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="
                    select username,password,'true' AS isEnabled from USER where USERNAME=?"
                authorities-by-username-query="
                    select u.username ,r.`ROLE_NAME`,u.`PASSWORD` from USER u, USER_ROLE ur,ROLE r where (u.user_id = ur.user_id)
                    and (r.role_id=ur.role_id) and u.username =? " />
        </authentication-provider>
    </authentication-manager>
```
Here is my mvc-dispatcher.xml
```xml
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <context:component-scan base-package="com.secure.weblayer" />
    <mvc:annotation-driven />
    <context:annotation-config />
    <mvc:resources mapping="/resources/**" location="/resources/" />

    <bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/views/" />
        <!-- <property name="prefix" value="/WEB-INF/views/allusers/" />-->
        <!-- <property name="prefix" value="/WEB-INF/views/superusers" />-->
        <property name="suffix" value=".jsp" />
    </bean>

    <bean id="messageSource"
        class="org.springframework.context.support.ResourceBundleMessageSource">
        <property name="basenames" value="mymessages"></property>
    </bean>

    <bean
        class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" />
    <bean
        class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping" />
</beans>
```
As you can see, I use an SQL query in my spring-security.xml for login.
I can log in but cannot be redirected to any desired pages. But when I change the property in the XML file to: property name="prefix" value="/WEB-INF/views/allusers"
or: property name="prefix" value="/WEB-INF/views/superusers"
I can get access to all pages in those folders, but not at the same time.
Please, any help?
You don't wanna touch the InternalResourceViewResolver, as that affects all views.
You don't have your access rights correct; they should be like this.
allusers is normal users and admin users:
```xml
<intercept-url pattern="/allusers/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
```
superusers is just admin users:
```xml
<intercept-url pattern="/superusers/**" access="hasRole('ROLE_ADMIN')" />
```
Also, remove:
```xml
<intercept-url pattern="/**" access="permitAll" />
```
And then you just want to redirect to the right page after login.
So use this for your login controller:
```java
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {

    @RequestMapping(value = "/welcome", method = RequestMethod.GET)
    public String printWelcome(ModelMap model, SecurityContextHolderAwareRequestWrapper request) {
        // Decide the landing area from the server-side role, never from a request parameter
        if (request.isUserInRole("ROLE_ADMIN")) {
            return "redirect:/superusers";
        } else {
            return "redirect:/allusers";
        }
    }
}
```
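As an added example that goes one step beyond the answer above (this is not the answer's code; class and package names are assumptions), the same role-based redirect can be made at the point of login itself with an AuthenticationSuccessHandler, which avoids the extra hop through a /welcome controller and keeps the decision in the security configuration.

```java
// Added example: role-based post-login redirect as an AuthenticationSuccessHandler.
// Names are assumptions; target paths follow the question's allusers/superusers layout.
package com.secure.weblayer;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class RoleBasedSuccessHandler implements AuthenticationSuccessHandler {

    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // The target is chosen from the authenticated principal's authorities only; nothing
        // supplied by the client (no "redirect" parameter) influences where the user is sent.
        redirectStrategy.sendRedirect(request, response, targetUrlFor(authentication));
    }

    /** ROLE_ADMIN wins over ROLE_USER; everyone else lands in the ordinary area. */
    static String targetUrlFor(Authentication authentication) {
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if ("ROLE_ADMIN".equals(authority.getAuthority())) {
                return "/superusers/";
            }
        }
        return "/allusers/";
    }
}
```

Wire it in place of default-target-url with `<form-login login-page="/index" authentication-success-handler-ref="roleBasedSuccessHandler" authentication-failure-url="/loginfailed" />` and a `<beans:bean id="roleBasedSuccessHandler" class="com.secure.weblayer.RoleBasedSuccessHandler" />`. The redirect is only a convenience for the user; the intercept-url rules on /allusers/** and /superusers/** remain what actually enforces access.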
I am using Spring MVC and Spring Security. My redirects were switching from https to http until I found this post: Spring MVC "redirect:" prefix always redirects to http -- how do I make it stay on https?. I also had to set the redirectHttp10Compatible property to false in my AjaxUrlBasedViewResolver.
The problem is that https still switches to http after login. Once I am logged in, I can set my app back to https in the address bar and it will stick. Also, I am using IP authentication for most users, in which case https stays, thanks to the solution above.
I am trying to add redirectHttp10Compatible to login_security_check or something like that, but I am stuck. Here is my security-config.xml.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <global-method-security pre-post-annotations="enabled" />

    <http auto-config='true' access-denied-page="/login">
        <intercept-url pattern="/static/styles/**" filters="none" />
        <intercept-url pattern="/static/scripts/**" filters="none" />
        <intercept-url pattern="/login/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/error/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/api/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/ajaxTimeOut" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/checkSystem" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/adminUser/**" access="ROLE_SSADMIN" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/ajaxTimeOut" login-processing-url="/login_security_check" authentication-failure-url="/login?login_error=t" default-target-url="/" always-use-default-target="true" />
        <logout logout-url="/logout" logout-success-url="/"/>
        <custom-filter position="PRE_AUTH_FILTER" ref="ipPreAuthFilter" />
    </http>

    <beans:bean id="ipAuthDetailsSource" class="com.mydomain.security.IPBasedPreAuthenticatedDetailsSource" />

    <beans:bean id="ipPreAuthFilter" class="com.mydomain.security.IPPreAuthenticationFilter">
        <beans:property name="authenticationManager" ref="preAuthManager" />
        <beans:property name="authenticationDetailsSource" ref="ipAuthDetailsSource" />
    </beans:bean>

    <beans:bean id="preAuthManager" class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref local="preAuthProvider"/>
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean id="preAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <beans:property name="preAuthenticatedUserDetailsService" ref="preAuthUserService" />
    </beans:bean>

    <beans:bean id="preAuthUserService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />

    <authentication-manager>
        <authentication-provider user-service-ref="userService">
            <password-encoder ref="passwordEncoder" >
                <salt-source user-property="salt" />
            </password-encoder>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userService" class="com.mydomain.security.UserServiceImpl" />

    <beans:bean id="passwordEncoder" class="com.mydomain.security.PasswordEncoder">
        <beans:constructor-arg value="256" />
    </beans:bean>
```
Thanks.
Add the requires-channel attribute to your secure URLs in the intercept-url nodes,
just like this:
```xml
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https" />
```