I've got two apps running on different localhost ports, and the first calls a Spring Boot application that requires authorization.
The Spring Boot application tries to redirect from localhost:samenumber/url to localhost:samenumber/login.
I know that I can use
@CrossOrigin(origins = "localhost:otherport")
as an annotation for a method to allow localhost:otherport to access a method, but I don't actually have a method in a controller that handles /login.
I simply annotated my application's main class with @EnableOAuth2Sso, and am not sure what else to change to allow redirects to localhost:samenumber/login.
In my Vaadin 7, Spring Boot application, after successful authentication/authorization I need to return the user to the page where the login process was initiated.
But right now the user returns to the home page.
For example, if the user goes to:
http://127.0.0.1:8080/vaadin-ui/!#search
it redirects him to:
http://127.0.0.1:8080/vaadin-ui/login#search
and after the login process to:
http://127.0.0.1:8080/vaadin-ui/
How do I tell Spring Security and the Vaadin application to return the user to the
http://127.0.0.1:8080/vaadin-ui/!#search
URL?
I'm migrating a JSF application from Spring Security 3.2 to 4.0.1. This version changes many default urls, for example the default login url to /login.
The application has its own login page (using JSF AJAX) and it is still displayed when calling /login, but all POST requests to this URL (and so all AJAX requests from the login page) are captured by the UsernamePasswordAuthenticationFilter, which tries to process the authentication, causing the request to get redirected to the login form again.
After looking at the code this url seems to be hard-coded:
public UsernamePasswordAuthenticationFilter() {
    super(new AntPathRequestMatcher("/login", "POST"));
}
So I have to disable this filter completely, or better, avoid its creation. Can anybody point out how I can do it?
Changing my login page to another URL works, but it is not a nice solution.
EDIT: I have created a bug ticket in Spring Security for this: https://jira.spring.io/browse/SEC-2992
EDIT 2: I've found another workaround: if I set the login-processing-url for the form-login to something unused it works, but it seems very hacky. There should be a way to disable it completely. It should also be stated in the migration guide; I lost hours until I found this.
I am going to assume that you are trying to upgrade to Spring Security 4.0.0 (the latest available version is 4.0.1).
Spring Security 3.x used spring_security_login as the default login URL (source: official documentation). This could be set to a custom value as <security:form-login login-page="/login"> and mapped to a controller to render a custom page.
Spring Security 4.x has abandoned spring_security_login and switched to login as the default login URL (source: official Spring Security 4.x migration guide). Therefore, the URL login now goes to the default Spring Security infrastructure, which displays the default, auto-generated login page.
There was a bug in 4.0.0 due to which the default infrastructure was still getting used in cases where the URL /login was manually mapped to a custom controller method. This bug has been fixed in 4.0.1. Do try upgrading to Spring Security 4.0.1 to see if you can use /login as the login URL.
It looks like you could call setFilterProcessesUrl(String) (or, equivalently, setRequiresAuthenticationRequestMatcher(RequestMatcher)) to override the default of /login.
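As an added example (not from the original posts or from the Spring project), this is a Spring Security 4.x namespace configuration that keeps an application-rendered page at /login while moving the filter's processing URL away from it, the approach described in EDIT 2 and in the answer above. The path /auth/process, the intercept patterns and the userDetailsService bean name are assumptions made for this example.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security.xsd">

  <http use-expressions="true">
    <!-- The custom login page must be reachable without authentication,
         otherwise the redirect to it loops. -->
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <!--
      login-page: where unauthenticated users are redirected (rendered by
      the application, here the JSF page).
      login-processing-url: the only URL on which
      UsernamePasswordAuthenticationFilter handles POSTs. In 4.x it defaults
      to /login; pointing it elsewhere leaves POST /login to the application.
      /auth/process is an assumed path chosen for this example.
    -->
    <form-login login-page="/login"
                login-processing-url="/auth/process"
                authentication-failure-url="/login?error" />

    <logout />
  </http>

  <authentication-manager>
    <!-- Assumption: a UserDetailsService bean with this id is defined elsewhere. -->
    <authentication-provider user-service-ref="userDetailsService" />
  </authentication-manager>
</beans:beans>
```

Spring Security 4.x also enables CSRF protection by default in XML configuration, so POSTs sent by the custom login page need to carry the CSRF token.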
First of all, I am new to Spring Security.
My question is: when I authenticate a user from a form, redirect to the URL of a controller handler method and get a view, and the user then clicks a link, how do I authenticate that URL and the other particular user?
I did this with session validation in every JSP in normal Java without Spring Security.
How do I achieve this in Spring Security?
How can I overwrite the default login and logout pages of Spring Security? I will put in my own login.html and logout.html files and won't use JSP files, just working with static content on that side.
Specify them in your security-context.xml (or whatever you've called yours) like this:
<form-login login-page="/login.htm" authentication-failure-url="/login.htm?login_error=1" default-target-url="/home/index.htm" />
But I think you'll find it difficult to write a login page that works with Spring Security and doesn't use JSP.
Here's an example JSP page you can start from: http://loianegroner.com/2010/01/spring-security-login-and-logout-form-jsp/