Spring Boot. how to secure some pages but not all the pages - spring-boot

We are creating a spring boot web application to send RSS data to a Ticker Sign (ticker).
The URLs that send RSS data to the ticker sign do not need to be secured with ldap or other credentials.
But we have one page we we update a custom message that we send to the Ticker sign. We want to secure this page with the corporate ldap.
Is it possible to configure spring boot to only require a login for one page and the rest of the pages can remain unsecured.

You can create a role with all permission to access and grant that access just in some methods using Spring security annotation http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
<http use-expressions="true">
<intercept-url pattern="/*"
access="hasRole('admin')"/>
</http>
Then in your free access method
#PreAuthorize("hasRole('admin')")
public void create(Contact contact);
To use this it is very important that you name your URLs wisely i.e. if you want to assign admin role then make a URL look something like /admin/v1/something-here. It will make things readable and simple for you.

Related

Custom AccessDecisionManager in spring security

We are integrating our JSF2 application with Spring Security. We have done the basic setup and its working fine. However we need to implement a custom access decision manager to filter the requests.
For example if user with user privileges try to access a page dedicated to admin, in this case we need to check first whether the user is logged in or not , if logged in get his authorities. I have written a access decision manager and i am still in the process of enhancing it. But when i deploy i am getting below error.
java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: class org.springframework.security.web.FilterInvocation
Any idea what is the reason for the same.
below is sample from my security-config.xml
disable-url-rewriting="true" access-decision-manager-ref="accessDecisionManager">

Spring Security and Static web project

My Spring Web project with Spring Security works successfully. I want to separate "view" of the project by creating a new static web project. It will have a login screen, access to pages by user's role etc.
my spring-security.xml file
<http auto-config="true">
<intercept-url pattern=“/restricted” access="ROLE_ADMIN" />
<form-login login-page="/login"
 default-target-url="/welcome"
 authentication-failure-url=“/fail” />
<logout logout-success-url="/login" />
</http>
In addition to this, i have REST controllers that return JSON data; but they are stricted if user's role is not ROLE_ADMIN (.../restricted/getlist)
What do i have to do in static web page (client) side?
Thank you.
You can use Spring security tags :
<sec:authorize access="hasRole('ROLE_ADMIN')">
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/taglibs.html

Spring MVC annotation and security configuration

There are 2 Roles
1) ROLE_USER1
2)ROLE_USER2
I dont want to add every URI in spring-security.xml Example I have Manage User module, Where i can Create, Update, Delete and Read Users I have one controller named user controller. Mapping in that controller is
#RequestMapping (value="user/create")
#RequestMapping (value="user/list")
#RequestMapping (value="user/update")
#RequestMapping (value="user/delete")
I want ROLE_USER1 to only access "user/create" so in this case i have to add URI "user/create" for ROLE_USER1 role in secruity.xml
And ROLE_USER2 can access only "user/list" and "user/delete", In this case i have to add 2 URI's for ROLE_USER2 in security.xml
I want if this could happen somehow that i will always give /admin in URL that Admin role can access
And for SuperAdmin URL will contain /SuperAdmin
And I just have to give /Admin/** and /superAdmin/** in spring-security.xml
But to achieve the above scenario I have to add Multiple mappings in controller for single action. If I add multiple actions then i Have Jsp Action problem. i.e there could be either "/admin/user/create" or "/superAdmin/user/create"
I want to secure url's with minimum entries in Spring.security.xml
Regards
I don't think you should create a new Controller for admin and superadmin.
Instead you should just add the roles to the URL in security.xml. For example, if your current security.xml configuration is as below
<intercept-url pattern="/user/create" access="hasAnyRole('ROLE_USER1')" />
<intercept-url pattern="/user/delete" access="hasAnyRole('ROLE_USER2')" />
You just need to add admin and superadmin roles as below.
<intercept-url pattern="/user/create" access="hasAnyRole('ROLE_USER1', 'SuperAdmin', 'Admin')" />
<intercept-url pattern="/user/delete" access="hasAnyRole('ROLE_USER2', 'SuperAdmin', 'Admin')" />
In you Java code, if you have any special logic for different roles, you can access the current role as below and switch the logic.
SecurityContextHolder.getContext().getAuthentication().getAuthorities();

directory namespace, login and session management in spring framework

I am new in spring framework and little confused in managing the directory structure according to the role of user like admin (all jsp will be inside admin directory), how to make login according to the user role like admin will have access only to the admin directory and the session of the user it's time out etc.
I have used this website as reference for login management using hibernate :-
http://fruzenshtein.com/spring-mvc-security-mysql-hibernate/
what i want to do is to protect the user from seeing the pages, which they do not have permission in spring and my project is managing the directory as their role like admin - admin directory, user - user directory and other user - other directory and home pages, when admin will login he will have access to the pages inside admin.
Using hibernate security framework how can i do this.
You have to use SPRING security framework to achive that.
just add whatever filter you want to add in spring-security.xml.
For example: add
<intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
<intercept-url pattern="/user/*" access="ROLE_USER" />
It will create check that accessing controller mapping starting with /admin* will require admin login.
Go through spring security docs then configure security with help of below link:
Steps for configuring spring security

How to handle requests if no matching spring security <intercept-url>?

I'm using spring 3.1.1 and spring security 3.1.0. I'd like to enforce a policy that all http requests that are not explicitly configured with an <intercept-url pattern="..." access="..."/> entry are handled in a particular way. For requests that match a configured <intercept-url/> I want to use typical role based access decisions. However, for non-matching requests, I want to either respond with a 404 (not found) (or maybe 403/forbidden). I want to do this so that I and other team members are forced to explicitly configure spring security and associated roles for any new endpoints.
I originally thought that I could use <intercept-url pattern="/**" access="denyAll"/> as the last intercept-url and that spring would do what I wanted. This technique works if the user is already authenticated but is a little strange for unauthenticated/anonymous users. For anonymous users, spring detects (in ExceptionTranslationFilter) that the user is anonymous and starts the authentication process when requests like /missingResource are processed. Typically this means that the user is redirected to a login form and, after logging in, is redirected back to /missingResource. So the user has to login in order to see a 404 (not found) page.
I ended up removing the intercept-url pattern="/**" access="denyAll"/> and writing a custom filter that runs after="FILTER_SECURITY_INTERCEPTOR" and responds with 404 for requests that are not matched by the FilterSecurityInterceptor but it seemed a little complicated. Is there a better or simpler way?
you can define a separate http element for intercept url /** with access ="denyAll" and add a custom entry-point-ref to avoid spring to redirect user to login form, you can use existing entryPoint Http403ForbiddenEntryPoint for showing 403 error response or implement your own by implementing AuthenticationEntryPoint.
Hope it helps.

Resources