In my webapp the login page is http://localhost:8080/vsingh/login
I am able to do below
Open tab1 and open the login page
Open tab2 and open the login page
In tab1 login with USER1. User is redirected to homepage. Now open tab2 and login with USER2. Now user is redirected to homepage of USER1.
How can I logout USER1 automatically in this case? Any pointers are appreciated.
PS: I do redirect automatically to homepage is user is already logged in and hits the login page, however in this case, the tab was already open before the user attempted login
#RequestMapping("/login")
public String login() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (!(auth instanceof AnonymousAuthenticationToken) && auth != null) {
return "redirect:userHome";
}
return "login";
}
Spring Security XML
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/*" access="permitAll" />
<access-denied-handler error-page="/login"/>
<form-login login-page="/login"
authentication-failure-handler-ref="customAuthFailureHandler"
username-parameter="username" password-parameter="password"
authentication-success-forward-url="/userHomeX" />
<csrf />
<logout logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<password-encoder ref="encoder" />
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT USERNAME, RTRIM(PASSWORD) AS PASSWORD, CASE WHEN ENABLED=1 AND ADMIN_LOCK = 0 THEN 1 ELSE 0 END AS ENABLED FROM JWBDATABASE.JWBSCHEMA.USERS WHERE USERNAME=?"
authorities-by-username-query="SELECT USERNAME,USER_ROLE AS ROLE FROM JWBDATABASE.JWBSCHEMA.USERS WHERE USERNAME=?" />
</authentication-provider>
</authentication-manager>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11" />
</beans:bean>
<beans:bean id="customAuthFailureHandler"
class="com.vj.authenticationManager.CustomAuthFailureHandler">
</beans:bean>
Why it is not duplicate?
Question is not about allowing multiple logins in different tabs but somehow force a single login for all tabs. If someone logins thru an already open login page with a different userid, either the old one should be forced logged out or throw an error on new login with some message
Related
My application can have below URLs:
/siteadmin/homepage/
/siteusers/customer/createCustomer
Below is my spring-security.xml:
<beans:beans>
<http auto-config="true">
<intercept-url pattern="/siteusers***" access="isAuthenticated()" />
<!-- <intercept-url pattern="siteusers/home/*" access="hasRole('USER') OR hasRole('ADMIN')" /> -->
<intercept-url pattern="/siteadmin***" access="hasRole('ROLE_ADMIN')" />`enter code here`
<form-login login-page="/siteusers/loginprocess/login" default-target-url="/siteusers/home/homepage"
login-processing-url="/siteusers/loginprocess/login"
authentication-failure-url="/siteusers/loginprocess/login?error" username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/siteusers/loginprocess/login?logout" logout-url="/siteusers/loginprocess/logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="b" password="123456" authorities="ROLE_ADMIN" />
<user name="a" password="a" authorities="ROLE_USER" /><!-- This user can not access /admin url -->
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
If I logged in with user 'a' and hit URL http://localhost:8080/siteadmin/homepage/ it is allowing user 'a' to view the page although his role is not admin. But when I try to hit http://localhost:8080/siteadmin then Spring Security is working fine ie. its showing access denied page.
I want to restrict /admin/* URLs for users who doesn't have Admin role.
See AntPathMatcher:
The mapping matches URLs using the following rules:
? matches one character
* matches zero or more characters
** matches zero or more directories in a path
Some examples:
com/t?st.jsp - matches com/test.jsp but also com/tast.jsp or com/txst.jsp
com/*.jsp - matches all .jsp files in the com directory
com/**/test.jsp - matches all test.jsp files underneath the com path
org/springframework/**/*.jsp - matches all .jsp files underneath the org/springframework path
org/**/servlet/bla.jsp - matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp
Your pattern /siteadmin***misses slashes. Use /siteadmin/**.
I'm trying to configure my spring-security project for first time but when I try to login I receive a message: "ERR_TOO_MANY_REDIRECTS". May be somewhere under the hood it redirects to admin again, but where?
here is my spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<http use-expressions="true" >
<csrf disabled="true"/>
<intercept-url pattern="/admin" access="hasRole('Admin')" />
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<access-denied-handler error-page="/403" />
<form-login login-page='/login' login-processing-url="/login" authentication-failure-url="/login?error=true"
username-parameter="username" password-parameter="password" />
<logout logout-url="/logout" logout-success-url="/logoutSuccessful" delete-cookies="JSESSIONID" invalidate-session="true" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="myDataSource"
users-by-username-query= "select login, password, 'true' from employee where login=?"
authorities-by-username-query= "select login, role from employee where login =? " />
</authentication-provider>
</authentication-manager>
<beans:import resource="data-source-cfg.xml"/>
</beans:beans>
controller class:
#Controller
#RequestMapping("/")
public class HelloController {
#RequestMapping(method = RequestMethod.GET)
public String printWelcome(ModelMap model) {
return "login";
}
#RequestMapping(value="/admin", method = RequestMethod.GET)
public String showAdmin(ModelMap model) {
return "admin";
}
#RequestMapping(value="/login", method=RequestMethod.GET)
public String enter(#ModelAttribute("employee") Employee employee, ModelMap model){
return "redirect:/admin";
}
...
Table with user's login and role looks like:
Employee
|id|login |password |first_name|last_name|mobile_phone|role |
|1 |login1 |password1 |name1 |lname1 |phone1 |User |
|2 |login2 |password2 |name2 |lname2 |phone2 |Admin |
spring security version is 4.0.3.
This is my first experience with spring-mvc and spring-security so the question may be noobie. What is wrong?
The problem is you are simply redirecting to the admin page on the /login resource, which is where it will send people if they are not logged in. Since /admin requires a specific role, it will try to go to the login page if the user is not logged in which you have redirecting back to the admin page, thus creating a loop.
You want to return a view and not redirect back to the admin page.
Lets say my logout URL is: app/logout.
I need to show a message - "You are succesfully logged out" in logout page only when logout was triggred by clikcing the logout button.
The message should not be displayed if the user enters this URL directly. Any idea how to implement this?
Controller:
#RequestMapping(value ="/logout", method = RequestMethod.GET)
public ModelAndView logout(HttpServletRequest request, HttpServletResponse response) {
ModelAndView model = new ModelAndView();
//some code here to distingish
model.addObject("msg", "You are succesfully logged out!");
model.setViewName("login");
return model;
}
Spring-Security.xml:
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http auto-config="true" create-session="ifRequired" use-expressions="true">
<intercept-url pattern="/logout" access="IS_AUTHENTICATED_REMEMBERED"/>
<form-login
login-page="/login"
default-target-url="/home"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID"/>
<!-- enable csrf protection -->
<csrf/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="mkyong" password="123456" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
As it is for Spring Security, I think that the simplest way is to use spring security to restrict /logout to authenticated users.
Using the namespace it would be :
<intercept-url pattern="/logout" access="IS_AUTHENTICATED_REMEMBERED"/>
Using Java configuration, it would be :
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/logout").authenticated()
...
}
Add #RequestParam(value = "foo", required = false) Boolean foo
Add this additional parameter to logout button, if foo exist and is true do your logic
I have a web application using spring 3.2.The login process is done through spring security.When a user gives a url to view the profile of a particular user he will redirect to login page if he is not logged in.I need to go back to the user's profile if he is not successfully logged in.Since I am using angular js my urls are in the form
http://mydomain.com/#/view-profile/71 to view the profile of the user.If I am not logged in it will redirect to login page.In the browser url becomes http://mydomain.com/login#/view-profile/71 but after successful login it is not redirecting to the specified url.How can I make that with angularjs.
In app.js I have given like this
$routeProvider.when('/view-profile/:id',
{
templateUrl: '/partials/editor/view-profile.htm',
action: 'kc.view-profile',
resolve: {
loadData: ViewCtrl.loadUserProfile
}
}
);
And for authentication in security.xml it is written like
<http use-expressions="true">
<!-- Authentication policy -->
<form-login login-page="/login" login-processing-url="/j_security_check" authentication-failure-url="/login?error=true"/>
<logout logout-url="/signout" delete-cookies="JSESSIONID" />
<intercept-url pattern="/assets/**" access="permitAll" />
<intercept-url pattern="/application/signin/**" access="permitAll" />
<intercept-url pattern="/application/signup/**" access="permitAll" />
<intercept-url pattern="/application/manage/**" access="ROLE_EDITOR" />
<interce
pt-url pattern="/application/**" access="isAuthenticated()" />
<!--<intercept-url pattern="/application/connect/**" access="permitAll" />-->
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDao">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
Spring Security doesn't support Ajax login out-of-the-box, that's why your application isn't working correctly.
You can have a look at this sample application that handles Ajax login/logout with AngularJS + Spring Security:
https://github.com/jhipster/jhipster-sample-app
I had to implement some specific Ajax handlers, as you can see here:
https://github.com/jhipster/jhipster-sample-app/tree/master/src/main/java/com/mycompany/myapp/security
I have this problem:
in a java web-app (with spring and spring-security 3.1.4) there's a sso authentication; this means the user authenticates as soon as he log in on his pc.
The configuration is this:
<sec:http>
<sec:logout />
<sec:form-login login-page="/login.jsp" default-target-url="/" />
<sec:anonymous username="guest" granted-authority="ROLE_GUEST" />
<sec:custom-filter ref="headersFilter" after="SECURITY_CONTEXT_FILTER" />
<sec:custom-filter ref="jaasFilter" after="SERVLET_API_SUPPORT_FILTER" />
</sec:http>
and this works (actually login.jsp doesn't exist because the user is already logged in as I said above).
Now the problem is that I want to have a "backdoor";this means there should be a login page for me and my team to test and mantain the app.
It should work like this:
-I call localhost/wepapp/myloginpage and I should see the myloginpage.jsp (this works now);
-I click on "login" button and I enter in the second " element" and if the login is ok then I should get redirected to "/" (this doesn't work and I'm simply redirected on "login");
-with the configuration below it seems that I can see "/" without authentication, too, if I call it (localhost/wepapp)
I tried this configuration but it doesn't work, I mean I can see "/" without authentication and I get redirected to login (I also tried other small variations but same result, more or less):
<sec:http pattern="/myloginpage">
<sec:logout />
<sec:form-login login-page="/myloginpage" default-target-url="/" />
</sec:http>
<sec:http pattern="/login">
<sec:logout />
<sec:form-login login-page="/login" default-target-url="/" />
<sec:anonymous username="guest" granted-authority="ROLE_GUEST" />
<sec:custom-filter ref="headersFilter" after="SECURITY_CONTEXT_FILTER" />
<sec:custom-filter ref="jaasFilter" after="SERVLET_API_SUPPORT_FILTER" />
</sec:http>
My myloginpage.jsp:
<form action="login" method="POST">
<table>
<tr>
<td>
Name
</td>
<td>
<input type="text" name="name">
</td>
</tr>
.........
</form>
I also have the controller for myloginpage:
#Controller
public class Myloginpage {
publicMyloginpage() {
}
#RequestMapping("/myloginpage")
public String home() {
return "myloginpage";
}
}
Thankx,
Adrian
It seems you are missing the <intercept-url> tags to configure access to certain paths.
<sec:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="/secure/**" access="ROLE_USER" />