My security configuration is as following:
#Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource)
.usersByUsernameQuery("select username, password, activated from Person where username=?")
.authoritiesByUsernameQuery("select person.username, personrole.roleName from person, personrole, personandroles where person.username=? and personandroles.personid=person.personId and personrole.roleid=personandroles.roleid");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/empl").access("hasRole('employee')")
.antMatchers("/", "/index" , "/loginform", "/registerform","/approvelogin") .permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/loginform")
.loginProcessingUrl("/approvelogin")
.usernameParameter("username")
.passwordParameter("password")
.and()
.httpBasic().disable()
.and()
.exceptionHandling().accessDeniedPage("/403");
}
Where /approvelogin is the name of my login-controller. This controller expects a Modelattribute 'Person' and a request parameter 'role' (user may select a role as which to log in)
On the loginform I have this:
<form:form action="approvelogin" modelAttribute="userBean" method="POST">
<table>
<tr>
<td><label><b>Benutzername:</b></label>
<form:input type="text" path="username" required="true"/>
</td>
</tr>
<tr>
<td><label><b>Kennwort</b></label>
<form:input type="password" path="password" required="true">
</td>
<td>
<c:if test="${!empty roles}">
<select name="role">
<c:forEach var="r" items="${roles}">
<option value='${r.roleName}'>${r.roleName}</option>
</c:forEach>
</select>
</c:if>
</td>
<td> <input type="submit" value="Login"/>
</td>
</tr>
</table>
</form:form>
When I call /empl in the browser I am beeing redirected to loginform as expected. But after editing the correct user credencials I arrive on my 403.jsp.
Setting a breakpoint on the method successfullAuthentication(request, response, chain, authResult) of the class AuthenticationProcessingFilter shows that the 'authorities' collection is filled with the correct role 'employee'.
So I assume something else prevent my login controller from beeing entered at all.
The login controller:
#RequestMapping(value="/approvelogin", method=RequestMethod.POST)
public String login(#ModelAttribute("userBean") Person user, #RequestParam(value="role") String role, Model model){
if( user.getUsername().isEmpty() || user.getPassword().isEmpty() ){
model.addAttribute("error", "Please enter your username and password");
return "loginform";
}
else {
Person p = personDao.getPerson(user.getUsername(), user.getPassword());
if ( p == null) {
model.addAttribute("error", "Invalid Details, try again:");
return "loginform";
}
else{
String view="welcome";
model.addAttribute("loggedperson", p);
for( PersonRole r: p.getRoles() ){
if(r.getRoleName().equals(role)) {
view= role +"View";
break;
}
}
return view;
}
}
}
#RequestMapping(value="/empl")
public String employeeView(){
return "employeeView";
}
Your login controller will return String with role+View, are you sure that you have view with this name?
I think you want to redirect user after login to /empl.
Finally I found a solution. Instead of setting the
.loginProcessingUrl("/approvelogin")
I have to set the
.defaultSuccessUrl("/approvelogin")
Clearly after spring has done the authentication and has athorised the user to go on I am able to get to my custom login controller in order to redirect the user to the desired view (according to his role and request).
Related
So my bindingresult throws an error but I'm not able to see it for some reason and I'm not able to figure out what the problem is. I'm guessing the problem lies with the variable targetDate where there is a problem the type. I've pasted my controller and JSP code below. Any help is appreciated!
#Controller
public class ToDoController {
#Autowired
private ToDoService service;
// All date parameters displayed as mm/DD/yyyy
#InitBinder
protected void initBinder(WebDataBinder binder) {
SimpleDateFormat dateFormat = new SimpleDateFormat("mm/DD/yyyy");
binder.registerCustomEditor(Date.class, new CustomDateEditor(
dateFormat, false));
}
#RequestMapping(value = "/list-todo", method= RequestMethod.GET)
// HttpSession allows access to the session
public String showToDo(ModelMap model, HttpSession httpSession) {
String user = (String) httpSession.getAttribute("name");
model.addAttribute("todos", service.retrieveTodos(user));
return "list-todos";
}
// redirect to update form
#RequestMapping(value = "/update-todo", method= RequestMethod.GET)
public String getUpdateForm(ModelMap model, #RequestParam int id) {
System.out.println("ID " + id);
// To work with command bean
model.addAttribute("id", id);
model.addAttribute("todo", service.retrieveTodo(id-1));
return "updateToDo";
}
// What does Valid do?
#RequestMapping(value = "/update-todo", method= RequestMethod.POST)
public String submitUpdate(ModelMap model, #Valid ToDo todo, BindingResult result) {
if (result.hasErrors()) {
System.out.println("ERROR" + result.getAllErrors());
// Redirect and pass on the id value
return "redirect:/update-todo?id=" + todo.getId();
}
System.out.println("Update todo" + todo);
service.updateToDo(todo);
model.clear();
return "redirect:/list-todo";
}
// Will be executed first
#RequestMapping(value = "/add-todo", method= RequestMethod.GET)
public String showAddForm(ModelMap model) {
model.addAttribute("todo", new ToDo());
return "addToDo";
}
/*
* Will be executed after form is submitted
* #Valid ToDo - command bean from addToDo.jsp.
* #Valid to validate the information
* #BindingResult showcases the result of the validation
*/
#RequestMapping(value = "/add-todo", method= RequestMethod.POST)
public String submitAddForm(ModelMap model , #Valid ToDo todo, HttpSession httpSession, BindingResult result) {
System.out.println("running" + result);
// If there is validation error , return to addToDos page for user to fix the error
if (result.hasErrors()) {
return "redirect:/showAddForm?id=?" + todo.getId();
}
String user = (String) httpSession.getAttribute("name");
service.addTodo(user, todo.getDescription(), todo.getTargetDate(), false);
// Clears the url e.g. name?=jyj123
model.clear();
// return to the url which executes the showToDO
return "redirect:/list-todo";
}
// delete to do entry
#RequestMapping(value = "/delete-todo", method= RequestMethod.GET)
public String deleteToDo(ModelMap model, #RequestParam int id) {
service.deleteTodo(id);
model.clear();
return "redirect:/list-todo"; }
}
My JSP
<%# taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%# include file = "common/header.jspf" %>
<%# include file = "common/nav.jspf" %>
<div class="container">
<H1>Update your task!</H1>
<form:form method="POST" commandName="todo">
<!-- Carry on the id value -->
<form:hidden path = "id"/>
<form:hidden path = "user"/>
<fieldset class="form-group">
<form:label path="description">Description:</form:label>
<form:input path="description" type="text" class="form-control"
required="required" />
<form:errors path="description" cssClass="text-warning" />
</fieldset>
<fieldset class="form-group">
<form:label path="targetDate">Target Date</form:label>
<form:input path="targetDate" type="text" class="form-control"
required="required" />
<form:errors path="targetDate" cssClass="text-warning" />
</fieldset>
<fieldset class="form-group">
<form:radiobutton path="completion" value="true" />
<form:radiobutton path="completion" value="false" />
</fieldset>
<button type="submit" class="btn btn-success" >Submit Update</button>
</form:form>
<spring:hasBindErrors htmlEscape="true" name="todo">
<c:if test="${errors.errorCount gt 0}">
<h4>The error list :</h4>
<font color="red">
<c:forEach items="${errors.allErrors}" var="error">
<spring:message code="${error.code}"
arguments="${error.arguments}"
text="${error.defaultMessage}"/><br/>
</c:forEach>
</font>
</c:if>
</spring:hasBindErrors>
</div>
<%# include file = "common/footer.jspf" %>
EDIT: bindingresult throws this
ERROR[Field error in object 'todo' on field 'targetDate': rejected value [Tue Jan 05 00:00:00 SGT 2021]; codes [typeMismatch.todo.targetDate,typeMismatch.targetDate,typeMismatch.java.util.Date,typeMismatch]; arguments [org.springframework.context.support.DefaultMessageSourceResolvable: codes [todo.targetDate,targetDate]; arguments []; default message [targetDate]]; default message [Failed to convert property value of type 'java.lang.String' to required type 'java.util.Date' for property 'targetDate'; nested exception is org.springframework.core.convert.ConversionFailedException: Failed to convert from type [java.lang.String] to type [java.util.Date] for value 'Tue Jan 05 00:00:00 SGT 2021'; nested exception is java.lang.IllegalArgumentException]]
In your jsp you submit the form to "todo", not "update-todo". It would be nice to see your ToDo bean. Also: result.getAllErrors().
We have this
http.sessionManagement().maximumSessions(1).maxSessionsPreventsLogin(true)
and
http
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout-gimli-user")).permitAll()
.deleteCookies("JSESSIONID", "sessionid" /*, "sessdetail", "countfr"*/ );
and
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.invalidSessionUrl("/login?invalidSession") //dokunma
.maximumSessions(1) //dokunma
.maxSessionsPreventsLogin(true) //dokunma
.expiredUrl("/login?expired")
.sessionRegistry(sessionRegistry());
in
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
And in application.properties, we have
server.servlet.session.timeout=3m
When a user tries to login, user puts password + username, then one time code is sent to user. After this, user needs to put this code and then can view pages.
But if user does not put that code but only puts username+ password, and closes browser, logout is not working. Because logout is not invoked.
But timeout should work and kill after 3 minutes. Or tomcat should kill the session (because we deploy to external tomcat 9).
I tried this
https://stackoverflow.com/a/41450580/11369236
I added
#Bean
public static ServletListenerRegistrationBean httpSessionEventPublisher() {
return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
but still same.
I put
List<SessionInformation> sessions = sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
to
#Override
public Authentication authenticate(Authentication authentication) {
in public class CustomAuthenticationProviderWithRoles implements AuthenticationProvider {
and tried lots of logins without one time code confirm and saw that, sessions are increasing.
But when i try with putting one time code, it does not allow because of maxSessionsPreventsLogin
like here:
https://github.com/spring-projects/spring-security/issues/3078
Login page code:
<form method="POST" th:action="#{/login}">
<input autocomplete="off" class="form-control" id="mobile" name="username"
type="text">
<input autocomplete="off" class="form-control password" name="password"
type="password">
<button class="btn btn btn-block btn-primary btn-lg"
type="submit"
value="Log In">LOGIN
</button>
this is for
login:
http
.formLogin()
.loginPage("/login").permitAll()
and successhandler does this for successfull login:
response.sendRedirect("/otp");
Then, it sets the seconds which to count from for putting code. And sends another view to put code and which contains another form and submit button.
What can be best practice? For example user can close the page after putting user name password but session still remains. Despite there are timeouts.
I can use this and it solves it but I already session timeout in application.properties:
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response
request.getSession(false).setMaxInactiveInterval(11);
I am new to spring and I am trying to redirect to the same page if the form has errors. I am successful redirecting that but the problem is the form has a dynamic drop down and the values are not rendered when I return a model object. or when I do ModelAndView(new RedirectView("lookup")) I am able to render the dropdown values but I am unable to display the error messages.
code: jsp: lookup.jsp
<form:form name="lookupForm" method="POST" action="search.html" enctype="multipart/form-data" >
<div style= "color:red">
<form:errors path="empId" /></br>
<form:errors path="companyName" />
</div>
<form:label path="companyName">Company</form:label>
<select name= "companyList" path="companyName">
<option value="Select">Select</option>
<c:forEach var="element" items="${listCompany}">
<option value="${element.companyName}">${element.companyName}</option>
</c:forEach>
</select>
<form:label path="empId">Employee ID</form:label>
<form:textarea name="empId" path="empId" rows="5" cols="30"/>
<input type="submit" name="search" value="Search"/>
Controller:
#RequestMapping(value = "/lookup", method = RequestMethod.GET)
public ModelAndView lookupFormView(ModelAndView model,BindingResult result) {
List<Employee> listCompany = employeeDAO.getCompany();
Employee newContact = new Employee();
model.addObject("listCompany", listCompany);
model.addObject("command", newContact);
model.setViewName("lookup");
return model;
}
#RequestMapping(value = "/search", params = "search", method = RequestMethod.POST)
public ModelAndView lookupEmployee(HttpServletRequest request,HttpServletResponse response, #ModelAttribute("command") Employee emp,BindingResult result) throws Exception{
empValidator.validate(emp, result);
String lookupEmpId = null;
if (result.hasErrors()) {
return new ModelAndView(new RedirectView("lookup"));
//return new ModelAndView("lookup");
}
else{
-----
if i use this return new ModelAndView(new RedirectView("lookup")); its redirecting to lookup.jsp ,rendering the drop down valus but the error messages are not getting displayed.
if i use this return new ModelAndView("lookup"); its redirecting to lookup.jsp ,errors are displayed but the dynamic dropdown values are not rendered.
Please help me in finding which part of my code is wrong or Is their a way to display error messages and render dynamic dropdown values
Just return the view name and set the error message in the Model itself. Simply check the error message in the JSP if found then show it.
sample code:
#RequestMapping(value = "/search", params = "search", method = RequestMethod.POST)
public String lookupEmployee(HttpServletRequest request,HttpServletResponse response,
#ModelAttribute("command") Employee emp,BindingResult result) throws Exception{
empValidator.validate(emp, result);
String lookupEmpId = null;
if (result.hasErrors()) {
emp.setErrorMessage("Your error message.");
return "lookup";
}else{
...
return "successPage";
}
}
I'm accessing the SavedRequest in the login controller to set the redirect url in the login form. When the session expires (or first login after server is started), savedRequest is null.
If I access a url in a fresh browser session, saved request is available.
Any way i can access the redirect url consistently from the login controller?
NB. I'm using spring 3.2.3..from what I can tell savedRequest is no longer accessbile from the session.
login.jsp
<form action="${actionUrl}" method='POST' autocomplete='off'>
<span class="box-label">Username:</span>
<input type="text" name="j_username" data-dojo-type="dijit/form/TextBox" data-dojo-props="style:{width:'150px'}">
<span class="box-label">Password:</span>
<input type="password" name="j_password" data-dojo-type="dijit/form/TextBox" data-dojo-props="style:{width:'150px'}">
<input type="submit" data-dojo-type="dijit/form/Button" data-dojo-props="label:'Login'"/>
<input type="hidden" name="redirect" value="${redirect}">
</form>
Login Controller:
#Controller
public class LoginController {
#RequestMapping(value = "/login", method = RequestMethod.GET)
public String login(final HttpSession session, final Model model, final HttpServletRequest request,
final HttpServletResponse response) {
addRedirectUrlToModel(model, request, response);
return "login";
}
private void addRedirectUrlToModel(final Model model, final HttpServletRequest request, final HttpServletResponse response) {
SavedRequest savedRequest = new HttpSessionRequestCache().getRequest(request, response);
if (savedRequest != null) {
model.addAttribute("redirect", savedRequest.getRedirectUrl());
} else {
System.out.println("saved request is null");
}
}
Security config:
<sec:http auto-config="true" use-expressions="true">
<sec:form-login login-page="/login"
authentication-success-handler-ref="authSuccHandler"
authentication-failure-handler-ref="authFailHandler" />
<sec:logout delete-cookies="JSESSIONID" invalidate-session="true" />
<sec:access-denied-handler error-page="/error/not-authorised"/>
<sec:session-management session-fixation-protection="none"
invalid-session-url="/login/sessionExpired"
session-authentication-error-url="/login/alreadyLoggedIn"
>
<sec:concurrency-control max-sessions="1"
expired-url="/login/sessionExpiredDuplicateLogin"
error-if-maximum-exceeded="false"/>
</sec:session-management>
When you try to get the savedrequest of the expire session, it will come null. You can fix this by creating a new DefaultSavedRequest. After creating the DefaultSavedRequest, you can set into the HttpServletRequest.getSession() and move it during the session in different requests.
private void addRedirectUrlToModel(final Model model, final HttpServletRequest request, final HttpServletResponse response) {
SavedRequest savedRequest = new DefaultSavedRequest(request, new PortResolverImpl());
request.getSession().setAttribute("SPRING_SECURITY_SAVED_REQUEST", savedRequest);
if (savedRequest != null) {
model.addAttribute("redirect", savedRequest.getRedirectUrl());
} else {
System.out.println("saved request is null");
}
}
I am using Spring security for authenticating users. I created a custom authentication provider and now I am wondering how I can get error messages from the provider into my form. This is the authenticate() method in my custom authentication provider:
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
UserProfile profile = userProfileService.findByEmail(authentication.getPrincipal().toString());
if(profile == null){
throw new UsernameNotFoundException(String.format("Invalid credentials", authentication.getPrincipal()));
}
String suppliedPasswordHash = DigestUtils.shaHex(authentication.getCredentials().toString());
if(!profile.getPasswordHash().equals(suppliedPasswordHash)){
throw new BadCredentialsException("Invalid credentials");
}
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(profile, null, profile.getAuthorities());
return token;
}
This is my form:
<form name='f' action="<c:url value='j_spring_security_check' />" method='POST'>
<div id="data-entry-form">
<div class="form-entry">
<label><spring:message code="login.form.label.email"/></label>
<input type='text' name='j_username' value=''>
</div>
<div class="form-entry">
<label><spring:message code="login.form.label.password"/></label>
<input type='password' name='j_password'/>
</div>
<div class="form-entry">
<input type="submit" value="Verzenden"/>
</div>
</div>
How would I get error messages into my form? From the moment I press the login button, Spring takes over, so the only method I could generate error messages in would be the authenticate() method...
3 Steps of the safest way (we don't rely on the LAST_EXCEPTION):
Specify error page (for example "login-error") in configuration for your custom authentication provider
httpSecurity
.authorizeRequests()
.antMatchers("/css/**", "/js/**", "/img/**").permitAll()
.anyRequest().fullyAuthenticated()
.and()
.formLogin().loginPage("/login").permitAll()
.failureUrl("/login-error")
.and()
.logout().permitAll()
Create controller for url /login-error that returns view of your custom login page (for example "login") with the next code:
#Controller
public class LoginController {
#GetMapping("/login-error")
public String login(HttpServletRequest request, Model model) {
HttpSession session = request.getSession(false);
String errorMessage = null;
if (session != null) {
AuthenticationException ex = (AuthenticationException) session
.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
if (ex != null) {
errorMessage = ex.getMessage();
}
}
model.addAttribute("errorMessage", errorMessage);
return "login";
}
}
Get the error message into your page finally (ThymeLeaf tags for example):
<!--/*#thymesVar id="errorMessage" type="java.lang.String"*/-->
<div class="alert" th:if="${errorMessage}" th:text="${errorMessage}"></div>
I was able to solve it like this:
<c:if test="${param.auth eq 'failure'}">
<div class="error">
<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
</div>
</c:if>
Note that you need to detect whether there was an error via a special parameter which you can set in your spring-security config like this:
<security:form-login [...] authentication-failure-url="/login?auth=failure" />
EDIT:
Actually, passing that parameter is not necessary. Instead, one can simply check whether SPRING_SECURITY_LAST_EXCEPTION.message is defined, like this:
<c:if test="${not empty SPRING_SECURITY_LAST_EXCEPTION.message}">
<div class="error">
<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
</div>
</c:if>
I think that you should be able to get the messages in the same way than using the "standard" authenticators.
If an exception (or more than one) is thrown in the authentication process, the last exception is stored in a session attribute: SPRING_SECURITY_LAST_EXCEPTION.
So, to get the last exception message from the JSP you can use something like this:
<%=((Exception) request.getSession().getAttribute("SPRING_SECURITY_LAST_EXCEPTION")).getMessage()%>;
Of course, if you have a controller you should probably get the message from the controller and pass only the string to the jsp. This is only an example ;)