Spring security: Why use http-basic and form-login together? - spring

When using Spring Security, how does this code work? Specifically, why is basic authentication used together with form login; aren't they mutually exclusive? In what situation does it make sense to use both of them, like in the sample code below:
<http>
<intercept-url pattern='/login.jsp' access='permitAll' />
<intercept-url pattern='/**' access='ROLE_USER' />
<http-basic />
<form-login login-page='/login.jsp' always-use-default-target='true' />
</http>

I suppose that you can use them separately.
But using them together allows us to secure REST services using Basic Auth and web pages using form login.
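One way to make that split explicit, as an added example that is not part of the question or the answer: two filter chains in one Spring Security 3.1+ namespace configuration, one for a REST path (HTTP Basic, no session) and one for browser pages (form login). The `/api/**` path, the in-memory user and the `requires-channel` rule are assumptions for the example.

```xml
<!-- Added example, not from the thread. Spring Security 3.1+ namespace config with two
     filter chains. The first <http> whose pattern matches a request wins, so the more
     specific API chain must be declared first and the pattern-less chain last. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- REST clients (assumed path /api/**): HTTP Basic only, no HttpSession, no redirect.
       A request without credentials gets 401 plus a WWW-Authenticate challenge.
       Basic sends the password base64-encoded on every request, so require TLS. -->
  <http pattern="/api/**" create-session="stateless" use-expressions="true">
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" requires-channel="https" />
    <http-basic />
  </http>

  <!-- Browser users: form login, redirect to /login.jsp when not authenticated.
       Basic credentials are still accepted here, but the entry point is the login page. -->
  <http use-expressions="true">
    <intercept-url pattern="/login.jsp" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/login.jsp" always-use-default-target="true" />
    <http-basic />
    <logout />
  </http>

  <authentication-manager>
    <authentication-provider>
      <user-service>
        <!-- constructed sample user for the example; use a real user store -->
        <user name="alice" password="changeme" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

With both elements in a single `<http>`, as in the question, the namespace picks the form-login entry point, so an unauthenticated REST client is redirected to the login page instead of receiving a 401; the separate stateless chain above is what gives API clients the challenge they expect while browsers keep the form.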

Related

Force SSL based on url pattern in Spring security 3.2?

I am trying to configure my SS3.2 to do something quite simple: reject any HTTP request that's not directed at my login service; and allow access to the login service without authorization.
I have the following in my security.xml:
<http pattern="/login/**" security="none" />
<!--
<intercept-url pattern="/login/**" access="permitAll" requires-channel="https"/>
-->
<http auto-config="true" use-expressions="true">
<custom-filter ref="myCustomFilter" before="BASIC_AUTH_FILTER" />
</http>
Now since the login service will transport authentication information, it obviously needs to be secured by SSL/TLS. But I can't figure out how to force it to use SSL/TLS, while still letting it skip the custom filter.
Any suggestions?
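An added example (not from the question) of one way to get the login service onto TLS without running it through the custom filter: `security="none"` removes the entire filter chain for `/login/**`, so no `requires-channel` rule can apply there; a separate `<http>` chain for that path keeps the channel check and anonymous access but simply omits the custom filter. The port numbers and the use of `<http-basic />` as the entry point for the main chain are assumptions.

```xml
<!-- Added example, not from the thread. Replaces <http pattern="/login/**" security="none" />.
     The login chain has no <custom-filter>, so myCustomFilter never sees these requests,
     but ChannelProcessingFilter still redirects plain HTTP to HTTPS. -->
<http pattern="/login/**" use-expressions="true">
  <intercept-url pattern="/**" access="permitAll" requires-channel="https" />
  <!-- Only needed when the container does not listen on 80/443 (ports assumed). -->
  <port-mappings>
    <port-mapping http="8080" https="8443" />
  </port-mappings>
</http>

<!-- Every other URL: authenticated, over TLS, and passed through the custom filter.
     The pattern-less <http> must come last. -->
<http use-expressions="true">
  <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https" />
  <custom-filter ref="myCustomFilter" before="BASIC_AUTH_FILTER" />
  <http-basic />
  <port-mappings>
    <port-mapping http="8080" https="8443" />
  </port-mappings>
</http>
```

Note that `requires-channel="https"` redirects a plain-HTTP request to its HTTPS equivalent rather than rejecting it; if a hard reject is wanted, the redirect should be blocked at the container or reverse proxy instead.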

GWT - Spring security url intercepting

I am using GWT and the URL for my incharge page is
http://www.example.com/backend.html?locale=en&gwt.codesvr=127.0.0.1%3A9997#incharge
I would like to check this URL with Spring role authorization. I used the following in my spring-security.xml:
<sec:http auto-config="false" entry-point-ref="authenticateFilterEntryPoint" access-denied-page="/unSecure.html">
<sec:intercept-url pattern="#incharge" access="ROLE_ADMIN"/>
<sec:logout logout-url="/logout.html" logout-success-url="/login.html" invalidate-session="true"/>
<sec:form-login login-page="/login.html"
login-processing-url="/login_check"
authentication-failure-url="/login.html?error=1"/>
<sec:session-management invalid-session-url="/login.html">
<sec:concurrency-control max-sessions="50" error-if-maximum-exceeded="true"/>
</sec:session-management>
<sec:remember-me key="TBdqj219ab910lsAc12" token-validity-seconds="604800"/>
</sec:http>
But it always passes and the Spring Security filter was not bound. Please help me check the user's role when the given URL contains #incharge.
It has been a long time since I last used Spring, but seeing this link, the pattern attribute looks powerful.
I am just guessing, but probably if you do something like
pattern="^.*#incharge$", it should work.
From my point of view the pattern is the key here. I am not sure if Spring internally respects the hash, but it is worth a try.
:)

Spring+ LDAP integration

I want to integrate LDAP in my spring application.
Requirement: on request it should divert to my login page, then ask for user/password. Then on submit it should authenticate against LDAP.
Thanks
There is a special project in Spring called Spring Security for this purpose. The core functionality is built as a set of servlet API filters. There are multiple connectors for the user database (LDAP, DB, Active Directory, etc.). Here you can see how to add a basic configuration. Your configuration may look like this:
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
<logout />
</http>
Note that I prefer SpEL expressions for security rules. And here you can see how to add LDAP.
Hope it helps.
Along with that you also need other LDAP configuration like this:
<ldap-server url="ldap://localhost:10389/dc=example,dc=com" />
<authentication-manager alias="authenticationManager"
erase-credentials="true">
<ldap-authentication-provider
user-dn-pattern="uid={0},ou=people" group-search-base="ou=groups"
group-search-filter="(members={0})">
</ldap-authentication-provider>
</authentication-manager>

AngularJS and Spring Security. How to handle AngularJS Urls with Spring Security

Let me explain my problem.
I have implemented a site in AngularJS that is accessed like this:
http://localhost:8080/example/resources/#/
Here we can call different pages, for example a Login page:
http://localhost:8080/example/resources/#/login
admin page:
http://localhost:8080/example/resources/#/admin
user page:
http://localhost:8080/example/resources/#/user
Now, I have implemented Spring Security in the example in order to catch every call and check if it has ROLE_USER privileges. So far so good; I have done it with this configuration in the Spring Security context file:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
This configuration checks, for every URL called, whether the user has the proper roles, and it works fine: it throws a 401 Unauthorized page.
The problem I'm having is that when I want the login page to be accessible by everybody, I do it this way:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/login**" access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
But I don't know why Spring Security is not catching this URL. Maybe Angular manages the URL differently.
Finally I have tried deleting the <security:intercept-url pattern="/**" access="ROLE_USER" /> and giving /login** access to ROLE_USER only, but this page was not found. Does anybody know what could be happening here?
Thanks in advance!!!
I wrote a little sample application that illustrates how to integrate AngularJS with Spring Security by exposing the session id as an HTTP header (x-auth-token). The sample also provides some (simple) authorization (returning the roles from the server) so that the client AngularJS application can react to that. This is of course primarily for user-experience (UX) purposes. Always make sure your REST endpoints have proper security.
My blog post on this is here.
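Both the GWT question above (`#incharge`) and this AngularJS question (`#/login`, `#/admin`) run into the same fact: the URL fragment after `#` is never sent to the server, so the browser only ever requests `/backend.html` or `/example/resources/`, and no `intercept-url` can match the fragment. The added example below (not from either thread) puts the access rules on the server-side endpoints the client views actually call instead. The endpoint paths `/resources/**`, `/api/login`, `/api/admin/**` and `/api/**` are assumed; the `restAuthenticationEntryPoint`, `customRestFilter` and `authenticationManager` bean names are taken from the question.

```xml
<!-- Added example, not from either thread. Rules live on server paths, never on fragments. -->

<!-- Static app shell (HTML, JS, CSS; path assumed). Anyone may load it: the client-side
     router only decides which view to draw, which is UX, not access control. -->
<security:http pattern="/resources/**" security="none" />

<!-- REST API the views call (path assumed): stateless, custom credential filter,
     401 from the entry point on failure. -->
<security:http pattern="/api/**" create-session="stateless" use-expressions="true"
        entry-point-ref="restAuthenticationEntryPoint"
        authentication-manager-ref="authenticationManager">
  <security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
  <!-- The endpoint the login view posts credentials to must be reachable anonymously. -->
  <security:intercept-url pattern="/api/login" access="permitAll" />
  <!-- Data behind the admin view (GWT: the RPC servlet the #incharge view calls). -->
  <security:intercept-url pattern="/api/admin/**" access="hasRole('ROLE_ADMIN')" />
  <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
</security:http>
```

Because the shell is public, anything that must stay confidential has to come from the protected API; hiding a view in the client router does not protect the data it would display.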

how to delete remember me cookie in spring security

I was wondering how to remove the remember-me cookie when using Spring remember-me services.
I am using the default remember-me cookie name.
I came across the following documentation in Spring to delete the JSESSIONID cookie:
<http>
<logout delete-cookies="JSESSIONID" />
</http>
But is it possible to do something like the configuration below to delete the remember-me cookie as well?
I don't have a logout controller and I have the following configuration in the Spring XML.
<http use-expressions="true">
<!-- Authentication policy -->
<form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?param.error=bad_credentials" />
<logout logout-url="/signout" delete-cookies="JSESSIONID" />
....................
I don't think you have to manually delete the remember-me cookie. The AbstractRememberMeServices implements the LogoutHandler interface, so it will receive a call-back from the LogoutFilter, and makes sure the remember-me cookie is cancelled on logout.
