I've spent about a full day attempting to get a very basic Spring Boot app with Spring security up and running to no avail. I cannot find a single example of code that works when I run it.
This example is from spring.io. Here is what I'm seeing in that example:
I start at http://localhost:8080 and see the welcome screen.
I click a link to http://localhost:8080/hello, which redirects me to http://localhost:8080/login.
I enter "user" and "password" as specified in WebSecurityConfig.java, which redirects me back to the welcome screen. I was expecting to be redirected to http://localhost:8080/hello.
When I click the same link to http://localhost:8080/hello I get the login screen again.
I've tried debugging via #EnableWebSecurity(debug = true) but there are no errors.
The above experience is endemic of what I experience when I download every example. Admittedly I'm new to Spring, and presumably I'm making some kind of newbie configuration mistake. Any help would be greatly appreciated.
I downloaded the code and ran using maven and it works perfectly fine. After logging in, for all subsequent page loads of http://localhost:8080/hello loads the page and not the login page again unless of course I log out. The problem you have mentioned may be caused by ( with quite high probability since you have mentioned it's endemic) is that your browser may be having issue with transmitting the default JSESSIONID cookie (which is set on first page visit and updated ( as good security practise by Spring security) on first login. For subsequent visits same JSESSIONID is sent to the server and it is a key for the session object stored on server which contains the now authenticated/authorized user. If some how this cookie is not transmitted back to server ( one reason could be it's disabled in browser setting) then your application (protected by spring security) would not know that you are an already authenticated user and will show you the login page again. For e.g, for Chrome you can see the cookie settings at Settings --> Content Settings --> Cookies --> Allow sites to save and read cookie data (recommended). You can also view the cookie header getting passed on each page load post successful login by using Developer tool in respective browser.
Related
I have a basic Spring (v5.3.23) web app running in an Apache Tomcat container (v9), and using eclipse as IDE. It uses Spring security for processing logins.
Everything runs almost correctly, but sometimes, after a successful login, the browser shows a white page, while there is no exception logged server-side or any other message. The problem appears both in development environment and production environment, so I don't think it's eclipse-related.
I have managed to pin down the problem to the following sequence :
Start tomcat container
Open login page in browser
After login, the secured home page is displayed correctly
Re-start tomcat (the problem occurs both when changes are made to the web app or not)
Refresh the browser, which redirects to login
Login again
The blank page is shown, no exception logged, no log messages in console
In this sequence, the problem occurs most of the time. If between steps 5 and 6 I refresh the page one more, meaning the login page is reloaded, the white page problem does not occur anymore, and the proper page is displayed.
A strong possibility is that it's something related to either the CSRF token in the login form or the JSESSION cookie of the container, but short of debugging through Spring code, I can't figure it out.
LATER EDIT
I narrowed down the issue to the CSRF token; if I change the value in the login form, I always get the blank page.
I have noticed the _csrf token has one value in the login form, then a different, but single value across all form that are used while the user is connected. Seems like the _csrf token is linked to the user session somehow.
The same happens when the login page is refreshed: different tokens in login & other app forms, but somehow,, sometimes, the initial token does not match what the server expects.
I am currently working on a small project using keycloak 2.5.0
I've already set up the user login and i'm now trying to implement a page wide logout button.
As the documentation states, is simply called the route
http: //my-auth-server/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http: //application-root.com/
For the sake of simplicity i used an anchor tag to make this GET Request.
If i take a look into the Network tab of the firefox developer tools everything seems to be working fine. I am getting back a 302 status code for the redirection request. And after that, the application successfully requests the http: //application-root.com/ with a status code of 200 and redirects me to this page.
But when i want to request the locked content again (the one secured by keycloak) its still accessible.
But whenever i manually delete the JSESSIONID and KEYCLOAK_ADAPTER_STATE cookie after the redirection, everything works fine and i'm being logged out correctly. Sadly i can't delete those cookies programmaticly because they are HttpOnly
What is the expected behaviour of this request ?
Am i missing something ?
Has anyone experienced anything similar ?
Thanks for any help
I implemented logout using Keycloak 4.8.3 version. Mandatory parameter is id token (id_token_hint). Optional parameter is redirect url (post_logout_redirect_uri).
Example:
http: //my-auth-server/auth/realms/master/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEY0gyNnl0OFV0OEJQTGxoR&post_logout_redirect_uri=http:%2F%2Fapplication-root.com%2F
Currently I know that my setup is working because I was able to login properly using the basic HTTP authentication.
I used these properties:
security.basic.enabled=true
security.user.name=user
security.user.password=1qaz2wsx
security.user.role=USER
However, I want to relogin again. I tried clearing cookies (I assumed it was saved there), I checked my local/session storage and cookies in Chrome dev tools but it was blank.
I tried accessing my site in incognito and it asks me to login (for the first time since I only logged in to Chrome non-incognito).
How do I "kill" my session in Spring Security?
If you use basic authentication, the browser stores the authentication until you close it (or exit the incognito mode, if you used it). There is no possibility to delete the session on server side, since the browser would just reauthenticate. If you want to be able to logout, use form login.
I've tried to debug this without any success. I have a working Spring Application with GWT and Spring Security, but when I change the security-context around to use CAS authentication, I do get redirected to the cas page (usually), but after successful login, I get redirected to the correct url, but I get a "page not found error" at the browser level. After refreshing the page (same url), I'm logged in, and application loads as expected. No errors in the logs, as far as I can tell, no differences in what's happening in the application when using CAS vs normal spring security form login.
I believe this answered my question:
http://static.springsource.org/spring-security/site/faq/faq.html#faq-cached-secure-page
which basically states that if you're securing html pages, you're in charge of configuring caching, so that a cached page can't be accessed. In my case, this wasn't entirely clear, as the gwt services were still getting secured, so I wasn't seeing secured content, but still, that was the problem-
I'm using Spring Framework 3.0.5 and Spring Security 3.0.5 for developing a webapplication where users can log in and log out, using Remember-Me-Service, if they want to.
As I don't have pretty much experience, I wonder if it's working correctly. I use PersistentTokenApproach (with my own implementation, because I use Hibernate.) I can see the cookie is created on login and deleted on logout.
If I have an valid Remember-Me-Cookie and close the Browser, Im successfully logged in again when I open the browser again. So far, so good.
Now, I'd just like to know if those things I noticed are working as they are expected to or if I maybe did make a mistake.
1) When a user logs in without remember-me and the browser-tab is closed (not the browser itself), on reopening a new browser-tab he is still authenticated (he's using the same JSESSIONID). When closing the browser and reopening again, he isn't authenticated anymore. Regarding the security of a webapplication, is this a recommended ("normal") behaviour?
2) When remember-me used and the user is successfully authenticated (by login or later by cookie), there are no more checks on the cookie. that means, if meanwhile the user is online I'd delete the cookie from the database, the user would still be logged in, allowed to watch even the secured pages. I guess this happens because he was authenticated before and keeps using the same SESSIONID. When I close the browser and reopen it again, he isn't authenticated anymore.
3) When I dont own a cookie and open the main page, for every request I send (every picture, every file on the page) the server is checking for the rememberme-cookie. Is that correct?
Sorry for the newbie-questions, but I just want to make sure everything is working as it should. :-) Thanks in advance!
1) As far as tabs within a browser go, I am pretty sure they all share the same browser session. If you try using gmail or other web-based services you'll see the same behaviour when you close / open tabs. With older versions of IE (maybe version 6) separate instances had their own sessions, unless they were spawned from existing IE instances.
2) This sounds correct. Its not really ideal to hit the database on every request after they have been authenticated.
3) That is correct, as by default the spring security filters will be filtering on /* - and trying to look for authentication info. You can add excludes to your security config for resources you dont need to protect- ie
<http> <intercept-url pattern="/images/**" filters="none"/>