I am migrating my spring security from 3.1.4 to 4.1.5. I am using RequestMatcher in my security config to filter out urls.I updated RequestMatcher to the correct package as suggested in Migration document to org.springframework.security.web.util.matcher.RequestMatcher.
I am pointing request-matcher-ref in to point the a custom class which implements RequestMatcher. But i am getting the following error in intellij - Cannot resolve required base class 'org.springframework.security.web.util.RequestMatcher'.
How to resolve this issue.
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
<security:debug/>
<bean id="preflightRequestMatcher" class="com.genesyslab.rcs.security.RequestMethodMatcher">
<constructor-arg index="0" value="OPTIONS"/>
<constructor-arg index="1" value="true"/>
</bean>
<bean id="regularRequestMatcher" class="com.genesyslab.rcs.security.RequestMethodMatcher">
<constructor-arg index="0" value="OPTIONS"/>
<constructor-arg index="1" value="false"/>
</bean>
<security:http auto-config="false" create-session="never" request-matcher-ref="preflightRequestMatcher" >
<security:intercept-url pattern="/**" access="ROLE_ANONYMOUS, IS_AUTHENTICATED_FULLY"/>
<security:http-basic />
</security:http>
<security:http pattern="/contact-centers/*/user-recordings/*/play/**" security="none" auto-config="false" create-session="always"/>
<security:http pattern="/contact-centers/*/user-screen-recordings/*/play/**" security="none" auto-config="false" create-session="always"/>
<security:http auto-config="false" create-session="always" request-matcher-ref="regularRequestMatcher">
<security:intercept-url pattern="/loginsession" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/logoutsession" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/keepalivesession" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/recordings/**" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/contact-centers/*/recordings/**" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/screen-recordings/**" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/certificates" access="ROLE_RECORD_KEY_READ,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/certificatepems" access="ROLE_RECORD_KEY_READ,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/checkcertificate" access="ROLE_RECORD_KEY_UPLOAD,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/checkkey" access="ROLE_RECORD_KEY_UPLOAD,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/addcertificateandkey" access="ROLE_RECORD_KEY_UPLOAD,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/removecertificateandkey" access="ROLE_RECORD_KEY_UPLOAD,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/version" access="ROLE_ANONYMOUS, IS_AUTHENTICATED_FULLY" />
<!-- All URLs should be covered above, it's error if we match this one -->
<security:intercept-url pattern="/**" access="ROLE_NOMATCH" />
<security:session-management>
<security:concurrency-control max-sessions="999999" error-if-maximum-exceeded="false"/>
</security:session-management>
<security:http-basic />
</security:http>
<security:authentication-manager>
<security:authentication-provider ref='rcsAuthenticationProvider'/>
</security:authentication-manager>
RequestMethodMatcher.java
import lombok.AllArgsConstructor;
import org.springframework.security.web.util.matcher.RequestMatcher;
import javax.servlet.http.HttpServletRequest;
#AllArgsConstructor
public class RequestMethodMatcher implements RequestMatcher
{
final private String method;
final private boolean matchIfEqual;
#Override
public boolean matches(HttpServletRequest request) {
return method.equalsIgnoreCase(request.getMethod()) == matchIfEqual;
}
}
Related
I am using spring 4 and hibernate 5.
Below is the xml config for my spring security.
I have this line:
<intercept-url pattern="/android/download" access="permitAll" />
When i tried access from SOAPUI, all i get is
Authentication request failed: com.test.common.JwtTokenMissingException: No token found in request headers. Please login again!
com.test.common.JwtTokenMissingException: No token found in request headers. Please login again!
Is there something wrong with my config file? I do not wish to set to security="none" as i want it to go through spring security.
Could it be the order in which the authenication is done in my CustomAuthenticationFilter class?
XML file for spring security:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<sec:http auto-config="false" create-session="stateless" entry-point-ref="customEntryPoint" use-expressions="true">
<intercept-url pattern="/admin/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/agent/**" access="isFullyAuthenticated()" />
<intercept-url pattern="/analysis/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
<intercept-url pattern="/android/download" access="permitAll" />
<intercept-url pattern="/android/**" access="hasRole('ADMIN') or hasRole('SNF_AGENT')" />
<intercept-url pattern="/audit/**" access="hasRole('ADMIN')" />
<intercept-url pattern="/auth/logout" access="isFullyAuthenticated()" />
<intercept-url pattern="/external/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC') or hasRole('IC') " />
<intercept-url pattern="/index.xhtml" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/misc/**" access="isFullyAuthenticated()" />
<intercept-url pattern="/mission/missions/search" access="isFullyAuthenticated()" />
<intercept-url pattern="/mission/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC')" />
<intercept-url pattern="/report/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/request/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
<intercept-url pattern="/target/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC')" />
<intercept-url pattern="/trawling/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/**" access="denyAll" />
<sec:custom-filter ref="customAuthenticationFilter"
before="PRE_AUTH_FILTER" />
<sec:csrf disabled="true" />
</sec:http>
<sec:authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider" />
</sec:authentication-manager>
<beans:bean id="customAuthenticationFilter"
class="com.test.common.CustomAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationSuccessHandler"
ref="customSuccessHandler" />
</beans:bean>
<beans:bean id="customSuccessHandler" class="com.test.common.CustomSuccessHandler" />
</beans:beans>
/**EDITED **/
I missed out this portion of code for CustomAuthenticationFilter class:
#Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
{
String header = request.getHeader(this.tokenHeader);
if (request.getServletPath().contains(".xhtml"))
{
header = (String) request.getSession().getAttribute("token");
}
if (header == null || !header.startsWith(PropertiesUtil.TOKEN_HEADER))
{
throw new JwtTokenMissingException(msgProperty.getProperty(MessageUtil.ERR_AUTH_NO_TOKEN));
}
String authToken = header.substring(PropertiesUtil.TOKEN_HEADER.length());
JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken);
return getAuthenticationManager().authenticate(authRequest);
}
permitAll means that any authentication, even AnonymousAuthenticationToken is allowed, however your request never makes it that far. You have a custom filter, I assume it is derived from AbstractAuthenticationProcessingFilter, and since the filter throws an exception when the header is missing, you request never makes it to the AuthenticationManager!
There are several ways to solve this, here are two.
Create another filterchain <sec:http...> for endpoints that do not require a token, and use AnonymousAuthenticationFilter for this filter chain.
Return AnonymousAuthenticationToken from your filter if the JWT header is missing.
Hope this helps.
I try to implement concurrency-control in Spring security 4.0.4 I use form-login for auth. Here is my security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd ">
<security:http auto-config="true" >
<security:custom-filter ref="myFilter" before="FORM_LOGIN_FILTER"/>
<security:intercept-url pattern="/Welcome**" access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/admin**" access="hasRole('ADMINISTRATOR')"/>
<security:intercept-url pattern="/Welcome**" access="isAuthenticated()"/>
<security:intercept-url pattern="/hello" access="isAuthenticated()"/>
<security:intercept-url pattern="/logout" access="isAnonymous()"/>
<security:intercept-url pattern="/student" access="hasRole('STUDENT')"/>
<security:intercept-url pattern="/failurl" access="hasRole('STUDENT1')"/>
<security:session-management invalid-session-url="/access" session-fixation-protection="newSession" >
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/access"/>
</security:session-management>
<security:logout logout-success-url="/access" delete-cookies="JSESSIONID" />
<security:form-login login-processing-url="/j_spring_security_check"
login-page="/access"
default-target-url="/hello"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/fail"
/>
<security:logout logout-url="/j_spring_security_logout" logout-success-url="/logout"/>
<security:csrf />
</security:http>
<bean id="myFilter" class="com.www.sec.MyFilter">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<!-- <security:password-encoder hash="sha-256"/> -->
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select username,password,enabled from user_details where username=?"
authorities-by-username-query=
"select username,user_role from user_role where username =?" />
</security:authentication-provider>
</security:authentication-manager>
</beans>
Listener:
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
when we run it in different browsers, log in in both but I have 2 sessions active. It seems that concurrency control doesn't work.
How to implement concurrency control with using form-login?
i'm using spring security and AspectJ to log application's behavior. I need to capture a successful login and log it. My spring security configuration:
<security:http auto-config="true" authentication-manager-ref="authenticationManager" use-expressions="true">
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/loginFailed" access="permitAll"/>
<security:intercept-url pattern="/viewUserAccounts" access="hasRole('ROLE_ANTANI')" />
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<security:custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
<security:form-login
login-page="/login"
authentication-failure-url="/loginFailed"
login-processing-url="/loginAttempt"
password-parameter="password"
username-parameter="username"
/>
</security:http>
How can i define the right pointcut?
here's a solution to grab the results form the AuthenticationManager;
the context part (simplified version of what you have)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="test" password="test" authorities="ROLE_USER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<aop:aspectj-autoproxy proxy-target-class="true"/>
<bean class="de.incompleteco.spring.aspect.UsernamePasswordAuthenticationFilterAspect"/>
</beans>
and the pointcut
package de.incompleteco.spring.aspect;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.security.core.Authentication;
#Aspect
public class AuthenticationManagerAspect {
#AfterReturning(pointcut="execution(* org.springframework.security.authentication.AuthenticationManager.authenticate(..))"
,returning="result")
public void after(JoinPoint joinPoint,Object result) throws Throwable {
System.out.println(">>> user: " + ((Authentication) result).getName());
}
}
this will allow you to access the authentication object after it's come back from the AuthenticationManager.
Can anybody help me with spring security?
I have two folder under views 1: allusers 2: superusers
all users have hasRole("ROLE_USER") and superusers have: haseRole("ROLE_ADMIN","ROLE_USER")
I want when a user how has the ROLE_ADMIN after log in be redirect to the right folder i.e supersusers's folder and that one with only ROLE_USER to the allusers's folder.
Don't know how can I do it.
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org /2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<http auto-config="true" use-expressions="true">
<!-- interceptor pages -->
<intercept-url pattern="/**" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
<intercept-url pattern="/allusers/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/superusers/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/denied" access="permitAll" />
<intercept-url pattern="/getAllUsers" access="hasRole('ROLE_ADMIN')" />
<access-denied-handler error-page="/403" />
<form-login login-page="/index" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="
select username,password,'true' AS isEnabled from USER where USERNAME=?"
authorities-by-username-query="
select u.username ,r.`ROLE_NAME`,u.`PASSWORD` from USER u, USER_ROLE ur,ROLE r where (u.user_id = ur.user_id)
and (r.role_id=ur.role_id) and u.username =? " />
</authentication-provider>
</authentication-manager>
Here is my mvc-dispatcher.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:component-scan base-package="com.secure.weblayer" />
<mvc:annotation-driven />
<context:annotation-config />
<mvc:resources mapping="/resources/**" location="/resources/" />
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/" />
<!-- <property name="prefix" value="/WEB-INF/views/allusers/" />-->
<!-- <property name="prefix" value="/WEB-INF/views/superusers" />-->
<property name="suffix" value=".jsp" />
</bean>
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames" value="mymessages"></property>
</bean>
<bean
class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" />
<bean
class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping" />
</beans>
As you can see I use sql-query in my spring-security.xml for log in.
I can log in but can not be redirect to any desired pages. But when I in the xml file changethe property to : property name="prefix" value="/WEB-INF/views/allusers"
or : property name="prefix" value="/WEB-INF/views/superusers"
I can get access to all pages in those folders but not at the same time.
Please any help?
You dont wanna touch the InternalResourceViewResolver, as that affects all views.
You dont have your access rights correct, should be like this.
all users is normal users and admin users:
<intercept-url pattern="/allusers/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
superusers is just admin users
<intercept-url pattern="/superusers/**" access="hasRole('ROLE_ADMIN')" />
Also, remove:
<intercept-url pattern="/**" access="permitAll" />
And then you just want to redirect to right page after login.
So use this for your login controller:
#Controller
public class LoginController {
#RequestMapping(value="/welcome", method = RequestMethod.GET)
public String printWelcome(ModelMap model, SecurityContextHolderAwareRequestWrapper request) {
if(request.isUserInRole("ROLE_ADMIN")) {
return "redirect:/superusers";
} else {
return "redirect:/allusers";
}
}
}
This is a pretty simple question, I'm following a tutorial and I'm up to the point where I'm adding a passwordEncoder to my spring security, I have the following XML...
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/static/**" security="none" />
<http use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/*" access="isAuthenticated()" />
<!-- <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"
/> -->
<!-- <intercept-url pattern="/listAccounts.html" access="isAuthenticated()"
/> -->
<!-- <intercept-url pattern="/post.html" access="hasAnyRole('supervisor','teller')"
/> -->
<!-- <intercept-url pattern="/*" access="denyAll" /> -->
<form-login />
<logout invalidate-session="true" logout-success-url="/"
logout-url="/logout" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="customUserDetailsService">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
</beans:beans>
The problem is the <bean class="org.spr.. line just at the bottom is erroring saying security namespace does not allow
I do understand this, but is there a way I can use the reference without having to add <security: to everything else?
In your XML declaration you are declaring that "security:" is the default namespace:
xmlns="http://www.springframework.org/schema/security"
you have to preface all the elements not found in the security namespace with their prefix... in this case bean is in beans namespace... so you would need to say, beans:bean
This declaration:
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
should be:
<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>