I am using Spring MVC with Spring Security ver4.0.1.RELEASE.
I was trying to control the concurrent user login to 1 and show an error message if user already logged In.
The Concurrent Session Management is working as expected but the expireUrl("") is not working. The .formLogin().loginPage("").failureUrl("") is always called instead of expireUrl(""). Please help.
Below is my SpringSecurityConfiguration.java which extends WebSecurityConfigurerAdapter
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/", "/home").permitAll()
.antMatchers("/Access_Denied").permitAll()
.antMatchers("/login").permitAll()
.and().formLogin().loginPage("/login")
.failureUrl("/login?out=1")
.usernameParameter("userID").passwordParameter("password")
.and().csrf().and()
.logout()
.deleteCookies( "JSESSIONID" )
.logoutSuccessUrl( "/logout" )
.invalidateHttpSession( true )
.and().exceptionHandling().accessDeniedPage("/accessDenied.jsp")
.and()
.sessionManagement()
.maximumSessions(1)
expiredUrl("/login?time=1")
.sessionRegistry(sessionRegistry);
}
My Initializer class will looks like below -
protected Filter[] getServletFilters() {
return new Filter[] { new HiddenHttpMethodFilter() };
}
public void onStartup(ServletContext servletContext) throws ServletException {
super.onStartup(servletContext);
servletContext.addListener(new SessionListener());
servletContext.addListener(new CustomHttpSessionEventPublisher());
}
The below links provide extra info for this type of security configuration -
http://codehustler.org/blog/spring-security-tutorial-form-login-java-config/
https://gerrydevstory.com/2015/08/02/managing-spring-security-user-session/
Have you tried to move session management up on the chain?
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/", "/home").permitAll()
.antMatchers("/Access_Denied").permitAll()
.antMatchers("/login").permitAll()
.and().sessionManagement()
.maximumSessions(1)
.expiredUrl("/login?time=1")
.sessionRegistry(sessionRegistry);
.and().formLogin().loginPage("/login")
.failureUrl("/login?out=1")
.usernameParameter("userID").passwordParameter("password")
.and().csrf().and()
.logout()
.deleteCookies( "JSESSIONID" )
.logoutSuccessUrl( "/logout" )
.invalidateHttpSession( true )
.and().exceptionHandling().accessDeniedPage("/accessDenied.jsp")
}
Related
There are Authorization Server(UAA) and Resource Server and Gateway applications that have been working correctly. The scenario for authentication is authorization_code. In the first time after authentication, the end of request is added ;jesessionid=[value], so its result is exception from HttpFirewall of Gateway application, because of having ';' in the request.
My question is that what is it and why jessionid is added the end of request? and how is it adaptable with HttpFirewall.
I have found a way around but I know it has some risks. It is like this:
#Bean
public HttpFirewall allowUrlEncodedSlashHttpFirwall() {
StrictHttpFirewall firewall = new StrictHttpFirewall();
firewall.setAllowSemicolon(true);
return firewall;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.headers().cacheControl().disable()
.and()
.headers()
.cacheControl()
.disable()
.frameOptions()
.sameOrigin()
.and()
.httpBasic().disable()
.authorizeRequests()
.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.mvcMatchers("/uaa/**", "/login**", "/favicon.ico", "/error**").permitAll()
.anyRequest().authenticated()
.and()
.logout()
.permitAll();
}
#Override
public void configure(WebSecurity web) throws Exception {
super.configure(web);
web.httpFirewall(allowUrlEncodedSlashHttpFirwall());
}
As above configuration, the ; is skipped but it is not right and it has some risks.
What is the correct way and config to solve this problem?
I am trying to ignore directory using websecurity.ignore. I have the following configuration.
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.antMatchers("/product_save").hasAuthority("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll().and().csrf().disable()
.exceptionHandling().and()
.rememberMe()
.key("uniqueAndSecret")
.rememberMeCookieName("broman-remember-me")
.tokenValiditySeconds(60 * 60 * 24).and()
.sessionManagement().maximumSessions(1);
}
#Override
public void configure(WebSecurity web)throws Exception {
web.ignoring().antMatchers("/static/**");
}
}
The above configuration doesn't ignore.
Your code:
#Override
public void configure(WebSecurity web)throws Exception {
web.ignoring().antMatchers("/static/**");
}
will ignore all URLs that start with /static/** like http://localhost:8080/static/...
Spring Boot serves the content of the static folder by default. So if you have some folders or files in the static folder (like static resources related to customers and managers, etc..) you can ignore them one by one:
#Override
public void configure(WebSecurity web)throws Exception {
web.ignoring().antMatchers("/customers/**", "/managers/**", "/monitor.html");
}
This will ignore:
http://localhost:8080/customers/ - and all sub-URLs
http://localhost:8080/managers/ - and all sub-URLs
http://localhost:8080/monitor.html
I work on a JEE project, using the Spring Boot framework.
For the authentification, I use Spring Security, and I specified the pages in my template.
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login").permitAll()
.antMatchers("/token", "/index", "/index.html", "/main", "/main.html", "/main2", "/main2.html", "/recent1", "/recent1.html", "/recent2", "/recent2.html").hasRole("USER");
http
.csrf()
.disable()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error=true")
.defaultSuccessUrl("/index");
http
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login");
}
The issue is that when I run the application and I wrote the URL with uppercase letters like: localhost:8080/INDEX.HTML or I add two letters localhost/index.httml, the page does appear without authantification.
If I understand correctly, here is the desired logic:
/login does not need to be secured by Spring Security (no roles are required)
All the other pages have to be secured with "USER" role.
To implement this, you could try the following:
#Override
public void configure(WebSecurity web) throws Exception {
// configuring here URLs for which security filters
// will be disabled (this is equivalent to using
// security="none")
web
.ignoring()
.antMatchers(
"/login"
)
;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().hasRole("USER");
http.csrf().disable().formLogin()
.loginPage("/login").failureUrl("/login?error=true")
.defaultSuccessUrl("/index");
http.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login");
}
So item 1 (no security on /login) is moved to configure(WebSecurity), and item 2 is left in the original configure(HttpSecurity).
I want to secure my HATEOAS REST API build with Spring. All requests should need authorization and POST requests to "/rooms" should need the admin role. My WebSecurityConfigurerAdapter implementation code looks like this right now:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
// Todo: Make sure that all resources need to be authenticated and POST rooms needs ADMIN role
.anyRequest().authenticated()
.antMatchers(HttpMethod.POST, "/api/v1/rooms").hasRole("ADMIN")
.and()
.httpBasic()
.and()
.csrf().disable();
}
Right now all resources only need authentication if I put the "anyRequest().authenticated()" line before the "antMatchers..." line, but then the needed "ADMIN" role doesn't work or get applied and vice versa.
How am I to get both things working at the same time?
Kind Regards,
Florian
Securityconfiguration.java
#Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().authorizeRequests().antMatchers("/public/**")
.permitAll().antMatchers("/sa/**").hasAuthority("sa")
.antMatchers("/admin/**").hasAuthority("admin")
.and().logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/index.html").and()
.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
.csrf().disable();
}
And in the rest controller use..
#RequestMapping("/admin/adduser")
public void addUser(#RequestBody User user) {
authService.addUser(user);
}
The following code did it for me:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/api/v1/rooms").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.csrf().disable();
}
}
Thank you for the response Pankaj.
I`ve tried to config Spring Security.
This is my sucurity config.
#Override
protected void configure(HttpSecurity http) throws Exception {
// #formatter:off
http.authorizeRequests()
.antMatchers("/api/**", "/denied**").permitAll()
.anyRequest().denyAll()
.and()
.exceptionHandling().accessDeniedPage("/denied")
.and()
.csrf().disable();
// #formatter:on
}
When I access url "localhost:8080/admin", I expect "/denied" page.
But it shows default 403 page provided spring security.
Is there any problem my configuration?
Update:
Change .anyRequest().denyAll() to .anyRequest().authenticated()
#Override
protected void configure(HttpSecurity http) throws Exception {
// #formatter:off
http.authorizeRequests()
.antMatchers("/api/**", "/denied**").permitAll()
.anyRequest().authenticated()
.and()
.exceptionHandling().accessDeniedPage("/denied")
.and()
.csrf().disable();
// #formatter:on
}
If u need to use requiresSecure(), just add .requiresChannel().anyRequest().requiresSecure().and() after .and()