I'm attempting to logout using Spring Security, but any time I call the logout url it changes the jsessionid, but I can still access urls that should be restricted and ask for me to log back in.
public void configure(HttpSecurity httpSecurity) throws Exception{
httpSecurity.httpBasic();
httpSecurity.authorizeRequests()
.mvcMatchers(HttpMethod.GET, "/privateEvent").hasAuthority("REGISTERED_USER")
.mvcMatchers(HttpMethod.DELETE, "/privateEvent/*").hasAuthority("RSVP_ADMIN")
.mvcMatchers("/registerPrivateEvent").hasAuthority("REGISTERED_USER")
.mvcMatchers("/guestList").hasAuthority("EVENT_PUBLISHER")
.mvcMatchers("/eventPublishersList").hasAuthority("RSVP_ADMIN")
.anyRequest().permitAll()
.and()
.logout()
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.deleteCookies("XSRF-TOKEN")
.clearAuthentication(true)
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/allDone")
.permitAll()
.and()
.csrf().disable();
}
Related
I'm developing a spring-boot application and its spring security configuration is as follows:
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.antMatchers("/actuator/**", "/login*", "/logout*")
.permitAll();
httpSecurity
.cors().and()
.csrf().disable()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/taas/v1/**").hasRole("admin")
.antMatchers("/taas/v1/teams", "/taas/v1/profiles", "/taas/v1/tests/summary").hasRole("tester")
.antMatchers( "/taas/v1/teams", "/taas/v1/tests/summary").hasRole("user")
.anyRequest().authenticated()
.and()
.exceptionHandling().accessDeniedHandler(customAccessDeniedHandler)
.and()
.httpBasic()
.and()
.formLogin()
.successHandler(customAuthenticationSuccessHandler)
.failureHandler(customAuthenticationFailureHandler)
.and()
.logout()
.logoutSuccessHandler(customLogoutSuccessHandler())
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID");
}
}
Even though i have set the url pattern for each roles. All users are able to access all endpoints as mentioned in antMatchers(). A user with role user is not supposed to access /taas/v1/profiles. But when I try to access that endpoint by logging in as user, I'm getting the response but expected response is 403 forbidden.
I request someone to provide a workaround for me.
I got this issue resolved by doing some minor changes in my antMatchers(). Below is the modified code.
The main issue is that antMatcher() pattern must not contain the context path, see Spring security antMatcher does not work
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.cors()
.and()
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/profiles").hasAnyRole("TESTER")
.antMatchers( "/teams", "/tests/summary").hasAnyRole("USER", "TESTER", "ADMIN")
.anyRequest().authenticated()
.and().csrf().disable()
.exceptionHandling()
.accessDeniedHandler(customAccessDeniedHandler)
.and()
.httpBasic()
.and()
.formLogin()
.successHandler(customAuthenticationSuccessHandler)
.failureHandler(customAuthenticationFailureHandler)
.and()
.sessionManagement()
.invalidSessionUrl("/invalidSession.html")
.maximumSessions(1).sessionRegistry(sessionRegistry()).and()
.sessionFixation().none()
.and()
.logout()
.logoutSuccessHandler(customLogoutSuccessHandler())
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID");
}
}
Please verify the code that you're sharing because as you've mentioned. A user with role user is not supposed to access /ptaas/v1/profiles. But when I try to access that endpoint by logging in as user.
Where your mapping says you've not configured access to user role as given.
.antMatchers( "/taas/v1/teams", "/taas/v1/tests/summary").hasRole("user")
As per your comments it should have been .antMatchers( "/taas/v1/teams", "/taas/v1/tests/summary", "/ptaas/v1/profiles").hasRole("user")
How can I disable sessions for anonymous users in spring boot 2.0?
My current configuration:
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/actuator/**").permitAll()
.antMatchers("/password/forgot/**").permitAll()
.antMatchers("/password/reset/**").permitAll()
.antMatchers("/css/**").permitAll()
.antMatchers("/js/**").permitAll()
.antMatchers("/img/**").permitAll()
.antMatchers("/manage/**").permitAll()
.antMatchers( "/favicon.ico").permitAll()
.anyRequest().authenticated();
http
.formLogin()
.loginPage("/login")
.permitAll()
.successHandler(authSuccessHandler)
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login")
.invalidateHttpSession(true)
.permitAll();
}
}
When I open the login page, there is still a session created:
Perhaps the session is being automatically created by Spring Security. That behavior can be disabled by setting create-session to never. This means Spring Security will not attempt to automatically create a session.
<http create-session="never">
[...]
</http>
Some more details here: https://www.baeldung.com/spring-security-session
try adding "anonymous.disable()" after http in FormLoginWebSecurityConfigurerAdapter class.
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.anonymous.disable()
.authorizeRequests()
.antMatchers("/actuator/**").permitAll()
.antMatchers("/password/forgot/**").permitAll()
.antMatchers("/password/reset/**").permitAll()
.antMatchers("/css/**").permitAll()
.antMatchers("/js/**").permitAll()
.antMatchers("/img/**").permitAll()
.antMatchers("/manage/**").permitAll()
.antMatchers( "/favicon.ico").permitAll()
.anyRequest().authenticated();
http
.formLogin()
.loginPage("/login")
.permitAll()
.successHandler(authSuccessHandler)
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login")
.invalidateHttpSession(true)
.permitAll();
}
Enjoyy!
In my case I had to do 3 things:
Add http.anonymous.disable() to my WebSecurityConfigurerAdapter.
Also add http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER). I don't know why, but this DOES create sessions for my authenticated users, even though the docs say that it will never create sessions for you.
Deleted all my cookies before testing. I discovered that if you made a request with an old session cookie, the server would use said cookie to create a new session, ignoring completely the SessionCreationPolicy we just set.
I' d like to allow another page than the login one in my configuration, a registration page. I use the authorization_code grant to connect the users from another service, the client, so they are redirected to the oauth2 server to login then they are redirected back to the client.
I created a registration form accessible from the login page, but I 'm not able to reach it I' m automaticly redirected to the login page.
Here is my configuration
#Override
protected void configure(HttpSecurity http) throws Exception { // #formatter:off
http.requestMatchers()
.antMatchers("/login**", "/oauth/**")
.and()
.authorizeRequests()//autorise les requetes
.anyRequest()//pour n'importe quel path
.authenticated()//aux utilisateur authentifié
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login.do")
.usernameParameter("username")
.passwordParameter("password")
.permitAll()
.and()
.userDetailsService(userDetailsServiceBean());
}
I'd like to allow a /registration path but I don't know how to do that.
Here is the solution
#Override
protected void configure(HttpSecurity http) throws Exception { // #formatter:off
http.requestMatchers()
.antMatchers("/login**", "/registration"/*, "/logout.do"*/, "/oauth/**")
.and()
.authorizeRequests()
.antMatchers("/registration")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login.do")
.usernameParameter("username")
.passwordParameter("password")
.permitAll()
.and()
.userDetailsService(userDetailsServiceBean());
}
My login page is http://localhost:8080/nradmin/welcome
and my home page (after successful log in) is http://localhost:8080/nradmin/home
I'd like to log out and not anymore be able anymore to access any other page like the home page but only the welcome (login) page. If I type http://localhost:8080/nradmin/home on the browser after logout I continue to have access to the home page without logging in.
I've implemented the following methods overriden from the abstract class WebSecurityConfigurerAdapter:
#Override
protected void configure(HttpSecurity http) throws Exception { http
.authorizeRequests()
.antMatchers("/welcome").permitAll()
.antMatchers("/home", "/account/**", "/price/**").hasRole("ADMIN")
.antMatchers("/home", "/account/**", "/price/**").access("hasRole('ROLE_ADMIN')")
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/welcome")
.defaultSuccessUrl("/home")
.and()
.logout()
.invalidateHttpSession(true)
.clearAuthentication(true)
.logoutSuccessUrl("/welcome")
.logoutUrl("/welcome")
.deleteCookies()
.permitAll()
.and()
.exceptionHandling()
.accessDeniedPage("/welcome")
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}
#Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication() .withUser("username").password(passwordEncoder().encode("12345")).roles(LoginDataConstants.ROLE_ADMIN)
}
#Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
Does anyone have an idea how to do it?
I guess it may be due to having the same url in the methods logoutUrl and logoutSuccessUrl.
I suggest you to change logoutUrl to other path, for example just /logout and then try to perform the logout hitting that url. It should complete the logout task and the redirect to the logoutSuccessUrl, which is /welcome
Add CSRF
Reference from spring docs.
Will perform logout with the URL /logout is requested with any HTTP method
#Override protected void configure(HttpSecurity http) throws Exception {
http.
logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
}
}
You can also reference a good example on stack overflow using this same method here
When I had this issue I used this line
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
Where
.logoutSuccessUrl("/login") was the page the user will be redirected to.
You could re-factor your code to something like this
#Override
protected void configure(HttpSecurity http) throws Exception { http
.authorizeRequests()
.antMatchers("/welcome").permitAll()
.antMatchers("/home", "/account/**", "/price/**").hasRole("ADMIN")
.antMatchers("/home", "/account/**", "/price/**").access("hasRole('ROLE_ADMIN')")
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/welcome")
.defaultSuccessUrl("/home")
.and()
.logout()
.and() // This section is re-factored.
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/welcome").deleteCookies("JSESSIONID") //Or try .logoutSuccessUrl("/nradmin/welcome")
.invalidateHttpSession(true)
.permitAll()
.and()
.exceptionHandling()
.accessDeniedPage("/welcome")
.and()
.sessionManagement()
.sessio hinCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
Update : This is a modified version. This is essentially what I use in my project except for this portion:
.and()
.exceptionHandling()
.accessDeniedPage("/welcome")
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
So, I believe it should work; otherwise, I believe it may be a setup issue/configuration that resides somewhere else in your project. Please try the below example.
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/nradmin/welcome", "/home", "/account/**", "/price/**").hasRole("ADMIN")
.anyRequest().permitAll()
.and()
.formLogin()
.loginPage("/nradmin/welcome")
.permitAll()
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/nradmin/welcome").deleteCookies("JSESSIONID")
.invalidateHttpSession(true)
.permitAll()
.and()
.exceptionHandling()
.accessDeniedPage("/nradmin/welcome")
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}
I'm using Spring security 3.2 and have this configuration:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
.and()
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.rememberMe()
.rememberMeServices(rememberMeServices())
.key(env.getProperty("security.rememberme.key"))
.and()
.formLogin()
.loginProcessingUrl("/app/authentication")
.successHandler(ajaxAuthenticationSuccessHandler)
.failureHandler(ajaxAuthenticationFailureHandler)
.usernameParameter("j_username")
.passwordParameter("j_password")
.permitAll()
.and()
.logout()
.logoutUrl("/app/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.addFilter(basicAuthenticationFilter(basicAuthenticationEntryPoint(), authenticationManager()))
.csrf()
.disable()
.authorizeRequests()
.antMatchers("/login/**").permitAll()
.antMatchers("/logout/**").permitAll()
.antMatchers("/super_admin/**").hasRole("ADMIN")
.antMatchers("/administration/**").hasRole("ADMIN")
.antMatchers("/*").permitAll()
.antMatchers("/app/**").authenticated();
When I'm logged as user with role ADMIN and I'm accessing http://mydomain:8080/super_admin and http://mydomain:8080/#/administration this is not being blocked. (Works fine)
But when I log in as user without role ADMIN this is being blocked http://mydomain:8080/super_admin, but I can still access http://mydomain:8080/#/administration.
Is there a problem with #?
How I can block http://mydomain:8080/#/administration
Thank you for any feedback.
Values after the # are not send to the server. You have to use some JavaScript to check if it's ok for the user to access the page.
Evgeni is correct, the values after the # is called the fragment or anchor part of the URL, and is used by web browsers not the server.
Example of a fragment URL http://en.wikipedia.org/wiki/Hurricane_Ginger#Impact. This link will take you to Hurricane_Ginger heading Impact