Disabling spring security for google login in application - spring

I have a Spring Boot application with default-level Spring Security and I am using auth.userDetailsService(customuserservice) for the user authentication part. Apart from that we are using a Google login button. My configuration file is:
http
.authorizeRequests()
.antMatchers("/","/securitylogin").permitAll()
.antMatchers("/SecondMainPage")
.hasAnyRole("SUPERADMIN","ADMIN","USER")
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/securitylogin") //login
.usernameParameter("username") //optional
.passwordParameter("password") //optional
.defaultSuccessUrl("/loggedin")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.invalidateHttpSession(true)
.permitAll();
The authentication part is working as expected but not the Google login part. After the Google login I am getting the email, fetching the user's details from the server and redirecting to one controller, but the controller is reloading n number of times. I don't know why the single method is getting reloaded again and again.
http.antMatcher("/loginwithgoogle/**").anonymous();
If I use the above line the Google login part is working fantastically, but the normal login authentication is not getting access.
web.ignoring().antMatchers(HttpMethod.POST, "/loginwithgoogle");
I tried the above one too, but the same controller is reloading again and again n number of times. Please help me to move on further. Is there anything else I am missing, or am I going the wrong way?

Actually I tried the same thing before, but I have no idea why I didn't succeed; the following works for me and I have updated it here in case it helps anyone.
http
.authorizeRequests()
.antMatchers("/loginwithgoogle/**").anonymous() //works this order
.anyRequest().authenticated() // with this line too
.antMatchers("/","/securitylogin").permitAll()
I don't know whether there is a separate order or not, but I tried anonymous() separately and it didn't work. The above is working perfectly.
UPDATE 11.09.2018
The Google login is working perfectly but roles are not working, i.e. a user is able to access the admin pages, and exception handling is not working correctly.

Related

Is there any implementation of OIDC Session Management and Logout mechanism in Spring Authorization Server for implementing Single Sign-On?

I am trying to implement Single Sign-On using Spring Authorization Server, which is based on OAuth2 and OIDC for authorization and authentication respectively, but as per the Spring Authorization Server feature list OIDC support is not fully integrated. In particular, I couldn't find the session management and logout part. Also, is there any workaround for implementing SSO and logout?
Feature List URL: https://docs.spring.io/spring-authorization-server/docs/current/reference/html/overview.html
These features are still on the backlog but are not scheduled yet (as of the time of this writing). See #58 and #266 respectively to follow progress on these features.
Given that there are a number of pieces to the specifications for both of these features, I imagine it would be a bit of a hassle to attempt a fully spec-compliant implementation of them as extensions to SAS (though I'm sure it's possible). Instead, you might pick a minimal subset of the logout feature as a way to get started.
Using Spring Security configuration, you can configure a logout endpoint in a custom way. Here's some pseudocode to get you started:
@Bean
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.logout((logout) -> logout
.logoutRequestMatcher(new OrRequestMatcher(
new AntPathRequestMatcher("/logout", "GET"),
new AntPathRequestMatcher("/logout", "POST")
))
.addLogoutHandler((request, response, authentication) -> {
// Logic to validate an id_token_hint, client_id, etc.
// Throw exception in case of invalid request
})
.logoutSuccessHandler((request, response, authentication) -> {
// Get state and calculate redirect for logout success back to client
// http://127.0.0.1:8080/logout?success&state=...
// new SimpleUrlLogoutSuccessHandler()...
})
);
return http.build();
}
This assumes validation of some kind is implemented to prevent CSRF, denial of service, etc. You might also choose to add a logout confirmation page as a separate endpoint of the auth server that redirects to the logout endpoint when the user clicks a "Confirm" button, etc.
To use this, you simply redirect from your client application to the logout confirmation page, which redirects to the logout endpoint on confirm, which then redirects back to the client (which can then log out of the client automatically).

GWT Keycloak logout redirection

So I'm struggling with the integration between Keycloak and GWT.
I have an AsyncCallBackHandler where I handle the 403 exception and then redirect to logout when the session expires.
My problem is the following:
I tried Window.Location.replace("sso/logout"), which gives me a 502 for some reason when redirecting to login, but works fine with the logout button.
I tried Window.Location.replace("http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri"), which redirects fine to the login page, but the problem is that when logging in again I get weird behaviour: a file gets downloaded and the login button gets disabled...
Not sure what I'm doing wrong, any help would be appreciated.
if (ex.getStatusCode() == HttpStatus.SC_FORBIDDEN) {
Window.Location.replace("sso/logout");
}
The configuration on the Spring Security side is the following:
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.logout()
.addLogoutHandler(keycloakLogoutHandler())
.deleteCookies("JSESSIONID")
.logoutSuccessUrl("/sso/login");

Spring MVC based application is not landing on the default success URL when accessed over an HTTPS URL but works fine on an HTTP URL

While running the Spring MVC based application over HTTP it works fine, but once the application is moved to an HTTPS based configuration we are not able to reach the landing page after a successful login. The non-authenticated URLs work fine, but the authenticated URLs are not reachable even after providing correct login credentials.
Please help me with the missing configurations/issues to resolve this problem.
The application is deployed on a JBoss server.
Below are the configurations done as part of the application.
protected void configure(HttpSecurity http) throws Exception {
System.out.println("I am configure");
http.csrf().disable();
// These pages do not require login
http.authorizeRequests().antMatchers("/login", "/logout", "/resetPassword", "/forgotPassword", "/change-password", "/confirm-account", "/registerPage", "/registerwithemail", "/resources/**", "/logoutSuccessful", "/login/**").permitAll();
http.authorizeRequests().antMatchers("/**").authenticated();
http.authorizeRequests().antMatchers("/home").authenticated();
http.authorizeRequests().antMatchers("/").authenticated();
// The /userInfo page requires login as USER or ADMIN.
// If not logged in, it will redirect to the /login page.
http.authorizeRequests().antMatchers("/userInfo").access("hasAnyRole('ROLE_USER', 'ROLE_ADMIN')");
// For ADMIN only.
http.authorizeRequests().antMatchers("/admin").access("hasRole('ROLE_ADMIN')");
// When the user has logged in as XX
// but accesses a page that requires role YY,
// an AccessDeniedException will be thrown.
http.authorizeRequests().and().exceptionHandling().accessDeniedPage("/403");
http.headers().frameOptions().sameOrigin();
// Config for Login Form
http.authorizeRequests().and().formLogin()//
// Submit URL of login page.
.loginPage("/login")//
.loginProcessingUrl("/j_spring_security_check") // Submit URL
.defaultSuccessUrl("/home", true)// userInfo (Changed to) home
.failureUrl("/login?error=true")//
.usernameParameter("username")//
.passwordParameter("password")
// For Remember-me
.and().rememberMe().rememberMeParameter("remember-me").tokenRepository(persistentTokenRepository()).tokenValiditySeconds(86400)
.and().logout().logoutUrl("/logout").logoutSuccessUrl("/logoutSuccessful").invalidateHttpSession(true).deleteCookies("JSESSIONID", "remember-me");
}
If any channel security for HTTP/HTTPS is required, please let me know about the configuration, as I'm also traversing internally to a different module using an IP- and port-based HTTP URL.

Spring SSO and account creation

So I'm working on a university project in which my group needs to create an Android application that talks to a backend built with Spring. So far we've been using JWTs for user authentication/authorization and everything was fine and dandy. However, our client wants to have single sign-on with Google and Facebook and of course to still be able to create an account, just like this form (but on Android, not in a browser).
I have spent the last month researching and googling how to do this and especially how it's supposed to integrate with the Android app. I feel like I'm missing a key point, because I see this everywhere, so I assume it's not that hard to do. As far as I understand, I can have two endpoints, login/google and login/facebook, to get authorised with their authorisation servers. That I have; I followed this guide and I understand 70-ish% of it.
Then my idea is to have users that are logging in for the first time saved in our database. I'm not entirely sure how to do that (because I'm not entirely sure how the Spring SSO code works..). My main questions though are:
How do I have both social login with Google/FB and the ability to make an account/log in with credentials?
If the user were to make an account, do I have my own authorisation server where I store credentials, or do I manage that on the main server?
How do I handle that from the Android app? Do I store the refresh token or do I do something else?
There are a couple of things:
You want to integrate with spring-social for any social providers such as Google/FB. Add the dependency and configure it by following the tutorials.
See https://github.com/spring-projects/spring-social/wiki/quick-start
If you also want users to create their own account, you do not need an authorization server. What you need is a vanilla Spring Security form setup with a configuration
Something like
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage("/login/")
.loginProcessingUrl("/j_spring_security_check")
.usernameParameter("j_username")
.passwordParameter("j_password")
.successHandler(authenticationSuccessHandler())
.failureHandler(authenticationFailureHandler())
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(logoutSuccessHandler())
.invalidateHttpSession(true);
}
Yes, but I recommend you find an OAuth library you can just plug in, and hopefully it will handle the refresh_token logic for you; you should not need to implement these things yourself.
I hope this helped some; the questions you asked are very broad, but hopefully it will get you somewhere.

Multiple antMatchers in Spring security

I work on a content management system that has five antMatchers like the following:
http.authorizeRequests()
.antMatchers("/", "/*.html").permitAll()
.antMatchers("/user/**").hasRole("USER")
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/admin/login").permitAll()
.antMatchers("/user/login").permitAll()
.anyRequest().authenticated()
.and()
.csrf().disable();
which is supposed to mean that visitors can see the whole site at the root path (/*), users can see only /user, admin can see only /admin, and there are two login pages, one for users and another for admin.
The code seems to work fine, except the admin section: it doesn't work and returns an access denied exception.
I believe that the problem is in the order of your rules:
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/admin/login").permitAll()
The order of the rules matters and the more specific rules should go first. Now everything that starts with /admin will require an authenticated user with the ADMIN role, even the /admin/login path (because /admin/login is already matched by the /admin/** rule and therefore the second rule is ignored).
The rule for the login page should therefore go before the /admin/** rule, e.g.
.antMatchers("/admin/login").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
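As an added example (my own Python, not code from any of the posts), the snippet below models how authorizeRequests() evaluates Ant-style matchers in declaration order and lints a rule list for rules that can never fire: it reproduces the /admin/login denial from the last post and flags the permitAll() patterns placed after anyRequest() in the first post's self-answer. ANY, decide, shadowed and the rule tables are constructed names; PERMIT_ALL, ANONYMOUS, AUTHENTICATED and has_role stand in for the corresponding Spring DSL calls.

```python
import re

ANY = "/**"  # anyRequest() matches exactly what the Ant pattern /** matches
PERMIT_ALL = lambda roles: True                  # permitAll()
ANONYMOUS = lambda roles: roles is None          # anonymous(): un-authenticated callers only
AUTHENTICATED = lambda roles: roles is not None  # authenticated()
def has_role(name):                              # hasRole(name)
    return lambda roles: roles is not None and name in roles
def ant_to_regex(pattern):
    """Translate a Spring AntPathMatcher pattern into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append(r"(?:/.*)?"); i += 3       # trailing /** also matches the bare base path
        elif pattern.startswith("**/", i):
            out.append(r"(?:[^/]+/)*"); i += 3    # zero or more whole path segments
        elif pattern.startswith("**", i):
            out.append(r".*"); i += 2
        elif pattern[i] == "*":
            out.append(r"[^/]*"); i += 1          # anything within a single segment
        elif pattern[i] == "?":
            out.append(r"[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "^" + "".join(out) + "$"
def decide(rules, path, roles=None):
    """First matching rule wins, as in authorizeRequests(); roles=None means anonymous."""
    for patterns, access in rules:
        if any(re.match(ant_to_regex(p), path) for p in patterns):
            return access(roles)
    return True  # no rule matched: Spring leaves such a request unprotected
def shadowed(rules):
    """Patterns that can never fire: literal paths already caught earlier, or anything after anyRequest()."""
    found, seen = [], []
    for index, (patterns, _) in enumerate(rules):
        for p in patterns:
            literal = "*" not in p and "?" not in p
            if ANY in seen or (literal and any(re.match(ant_to_regex(e), p) for e in seen)):
                found.append((index, p))
        seen.extend(patterns)
    return found

# Constructed from the last post: the order that denies /admin/login, then the fix.
BUGGY = [(["/", "/*.html"], PERMIT_ALL), (["/user/**"], has_role("USER")),
         (["/admin/**"], has_role("ADMIN")), (["/admin/login"], PERMIT_ALL),
         (["/user/login"], PERMIT_ALL), ([ANY], AUTHENTICATED)]
FIXED = [BUGGY[0], BUGGY[3], BUGGY[4], BUGGY[1], BUGGY[2], BUGGY[5]]
# Constructed from the first post's self-answer: nothing after anyRequest() can match.
GOOGLE = [(["/loginwithgoogle/**"], ANONYMOUS), ([ANY], AUTHENTICATED),
          (["/", "/securitylogin"], PERMIT_ALL)]
```

Run against the configure() method from the HTTPS post, the same check reports /home, /, /userInfo and /admin as shadowed by the earlier /** rule, so the role restrictions declared there are never evaluated.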
