I want to block all pages except the login and error page with Spring Security, but if I do pattern="/*" it will lock absolutely all pages and result in an endless redirect. How I can lock all pages except login and error page for authorization?
<http auto-config="true">
<intercept-url pattern="/" access="ROLE_USER"/>
<form-login
login-page="/login"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"/>
<logout logout-success-url="/login?logout"/>
<csrf/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="root" password="root" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
you can intercept login and error page first with access ANONYMOUSLY then intercept all pages, interception ordered based on order you write it, like
<http>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
</http>
in spring security documentation here
Related
I have a spring security application. Its working well. When I enter wrong credentials it redirect to spring_security_login?login_error where it show spring default login page. What I want is if user enter wrong credentials its should response with some custom message rather than redirecting to some link.
Here is my config
<http auto-config="true">
<form-login
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you just want to redirect the user to a custom URL use the authentication-failure-url attribute of <form-login>:
<http auto-config="true">
<form-login
authentication-failure-url="/myCustomLoginFailureURL"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you want full control over what happens on login failures, use the authentication-failure-handler-ref attribute:
<beans:bean id="authenticationFailureHandler" class="my.company.AuthenticationFailureHandler" />
<http auto-config="true">
<form-login
authentication-failure-handler-ref="authenticationFailureHandler"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
Note that my.company.AuthenticationFailureHandler needs to implement org.springframework.security.web.authentication.AuthenticationFailureHandler.
spring security file:
<intercept-url pattern="/login**" access="permitAll" />
<intercept-url pattern="/resources**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<access-denied-handler error-page="/login"/>
<form-login
login-page="/login"
default-target-url="/planning/view"
authentication-failure-url="/login?error"
login-processing-url="/login?process"
/>
<logout logout-success-url="/login" />
</http>
I want to deny access to all pages except:
- login and login processing pages
- resources folder and subfolders
I should have the correct rules after searching a bit but they don't seem to work. I am not able to see the login?error page and it's not willing to login my user.
After I successfully login when I try to login with another browser It redirects me to authentication-failure-url. Why it doesn't redirect to expired-url?
<http auto-config='false' use-expressions="true">
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<logout logout-success-url="/login.xhtml" invalidate-session="true" delete-cookies="JSESSIONID"/>
<form-login login-page="/login.xhtml"
login-processing-url="/j_spring_security_check"
default-target-url="/pages/index.xhtml"
always-use-default-target="true"
authentication-failure-url="/login.xhtml?error=true"/>
<custom-filter before="FORM_LOGIN_FILTER" ref="customAjaxControlFilter" />
<session-management invalid-session-url="/login.xhtml?error=sessionExpired" session-authentication-error-url="/login.xhtml?error=alreadyLogin">
<concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login.xhtml?error=expired"/>
</session-management>
EDIT: By the way, After I successfully logout it redirects me to invalid-session-url. I don't understand what is going on.
This is the expected behaviour. From the manual:
The second login will then be rejected. By “rejected”, we mean that the user will be sent to the authentication-failure-url if form-based login is being used.
This is what happens if you set error-if-maximum-exceeded="true".
The expired-url parameter is used if you haven't set error-if-maximum-exceeded="true". In that case, the new login will be allowed, the original session will be marked as expired and if you try to use it, you will be redirected to this URL.
My web applications is secured with Spring-security and now I'm trying to setup two different login pages. Here is my configuration:
<http use-expressions="true" pattern="/mobile/**">
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ONE','ROLE_TWO')" requires-channel="http"/>
<form-login login-page="/loginm" login-processing-url="/loginm_check" default-target-url="/mobile/menu" authentication-failure-url="/loginmfailed" />
<logout logout-url="/logoutm" logout-success-url="/loginm" />
</http>
<http use-expressions="true">
<intercept-url pattern="/main.html" access="isAuthenticated()" requires-channel="http" />
<form-login login-page="/login" login-processing-url="/login_check" default-target-url="/main.html" authentication-failure-url="/loginfailed"/>
<logout logout-url="/logout" logout-success-url="/login" />
</http>
The second form works well. But the first form doesn't seem to work at all. The server returns 404 for the login-processing-url="/loginm_check".
I'm using the latest Spring-Security 3.1.4.RELEASE.
Can anyone help with this?
Thanks
I am using the spring security for the authentication of my web application. I could successfully use it by configuring as follows:
<http auto-config='true'>
<intercept-url pattern="/Login" filters="none" access="ROLE_USER"/>
<form-login login-page='/Login' authentication-failure-url="/Login/Failure"
default-target-url="/Url"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
The above code working fine for if I directly login from the login page. If one of the user is accessing the different url which is not the login page. Now I want to restrict the user to access any direct url without login to the system first time.
How can i do that?
You need to change the intercept rule to:
<intercept-url pattern="/**" filters="none" access="ROLE_USER"/>
You might also have to exlude the login page from the auth requirement. Because a user does not have to login in order to see the login page. You can do that by adding:
<intercept-url pattern="/Login" filters="none"/>