I am trying to use remember me, that seems to be very simple but I get a 404 when I launch the application (404 not found).
My jsp looks like that :
<form class="login" name='loginForm' action="<c:url value='/j_spring_security_check' />" method='POST'>
<input id="j_username" name="j_username" type="text" placeholder="Username" />
<input id="j_password" name="j_password" type="password" placeholder="Password" />
<input name="submit" type="submit" value="Sign In" class="btn btn-success btn-sm" />
<div class="remember-forgot">
<div class="row">
<div class="col-md-6">
<div class="checkbox">
<label>
<input type="checkbox" name="_spring_security_remember_me" />
Remember Me
</label>
</div>
</div>
<div class="col-md-6 forgot-pass-content">
Forgot Password
</div>
</div>
</div>
</form>
and My spring security xml :
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/j_spring_security_check" access="permitAll" />
<intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
<form-login
login-page="/login"
login-processing-url="/j_spring_security_check"
default-target-url="/admin"
username-parameter="j_username"
password-parameter="j_password"
authentication-failure-url="/login?error" ></form-login>
<logout logout-success-url="/login?logout" />
<csrf disabled="true"/>
<remember-me key="myAppKey" />
</http>
<beans:bean id="CustomAuthenticationProvider" class="com.meltum.springconfiguration.CustomAuthenticationProvider" />
<authentication-manager>
<authentication-provider ref="CustomAuthenticationProvider" />
</authentication-manager>
Does anybody know how to solve it ?
Try to name remember me checkbox same as in the spring security configuration -"remember_me". Or you can use default value "_spring_security_remember_me" with just "key" property in configuration.
Related
I'm trying to protect a resource by defining 2 HTTP elements and 2 authentication managers. Each HTTP element has a separate form to authenticate with. The first form and HTTP element is needed to access any resource. The second form is the authenticate with more complex authentication parameters (username, password, etc)
PROBLEM: When I have authenticated with first form to access the application, this works fine as expected, but then when I try to reach the second protected resource I never get to the form as it see's I need a new role (checks the auth object and fails as the role does not exist) here's where I'm a little lost.
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Exclude public pages and static resources -->
<http pattern="/favicon.ico" security="none" />
<http pattern="/js/**" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/img/**" security="none" />
<http pattern="/test**" auto-config="true" use-expressions="true" authentication-manager-ref="smsAuthManager">
<intercept-url pattern="/test" access="hasRole('ROLE_SMS_USER')" />
<intercept-url pattern="/refreshLoginPageTuring" access="permitAll" />
<intercept-url pattern="/loginTuring" access="hasRole('USER')" />
<form-login login-page="/loginTuring"
login-processing-url="/test-login"
authentication-failure-url="/accessdenied"/>
<logout logout-url="/logout" invalidate-session="true"/>
<!-- <access-denied-handler ref="/loginTuring"/> -->
</http>
<http auto-config="true" use-expressions="true" authentication-manager-ref="userPortal">
<intercept-url pattern="/getQRCode" access="permitAll" />
<intercept-url pattern="/refreshLoginPageTuring" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" />
<intercept-url pattern="/" access="hasRole('USER')" />
<form-login login-page="/login" default-target-url="/menu"
authentication-failure-url="/accessdenied" />
<logout logout-success-url="/logout" />
<intercept-url pattern="/errors/error" access="hasRole('USER')" />
<intercept-url pattern="/menu" access="hasRole('USER')" />
</http>
<authentication-manager id="userPortal">
<authentication-provider ref="userPortalAuthenticationProvider" />
</authentication-manager>
<authentication-manager id="smsAuthManager">
<authentication-provider ref="smsAuthenticationProvider" />
</authentication-manager>
FORM:
<form id="form1" action="/test-login" method="post">
<label for="j_username"><spring:message code = "login.username" /></label>
<input id="j_username" value="${username}" name="j_username" type="text">
<label for="j_password"><spring:message code = "login.password" /></label>
<input id="j_password" value="${password}" name="j_password" type="password">
<label for="otc"><spring:message code = "login.otc" /></label>
<input id="otc" name="otc" type="password">
<button name="submit" type="submit" id="login" onclick="return validateForm()" class="btn btn-primary">Login</button>
<button name="sessionstart" type="submit" id="sessionstart" onclick="return validateAndChangeToRefreshImgAction()" class="btn">Refresh Image</button>
<br/>
<input type="hidden" name="rmShown" value="1">
<img id="scimage" style="block" src="<c:url value="/img/empty.gif" />"/>
</form>
" method="post" class="login-form">
" name="j_username" type="text">
I have created a custom authentication service for spring-security by implementing the interface UserDetailsService, which is refereed in a security-context.xml as a bean so it will be loaded when application starts. Currently the situation is, I have a LoginController with mapping to bean, a service which calls a method in DAO for checking if the username and password is correct. I just don't know what should come under controller. I am posting the code below. Kindly let me know what am I missing in controller. Thank you for your time.
LoginController.java :
#Controller
#RequestMapping(value = "/login",method = RequestMethod.GET)
public class LoginController {
#Resource(name="userDetailsService")
private LoginService loginService;
}
LoginService.java
#Transactional
#Service("userDetailsService")
#RequestMapping("")
public class LoginService implements UserDetailsService{
#Autowired private UserDao userDao;
#Autowired private Assembler assembler;
#Override
#Transactional
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserDetails userDetails = null;
User user = userDao.findByName(username);
if(user == null) { throw new UsernameNotFoundException("Wrong username or password");}
return assembler.buildUserFromUserEntity(user);
}
}
Security-applicationContext.xml
<import resource="servlet-context.xml" />
<!-- Global Security settings -->
<security:global-method-security pre-post-annotations="enabled" />
<!-- Spring Security framework settings -->
<security:http use-expressions="true" auto-config="false" access-denied-page="/403" disable-url-rewriting="true">
<security:session-management>
<security:concurrency-control max-sessions="3" error-if-maximum-exceeded="true"/>
</security:session-management>
<security:form-login login-page="/users" default-target-url="/users" always-use-default-target="true"
authentication-failure-url="/denied" username-parameter="username" password-parameter="password" />
<security:logout logout-url="/logout" logout-success-url="/login?out=1" delete-cookies="JSESSIONID" invalidate-session="true" />
<security:intercept-url pattern="/*" requires-channel="any" access="permitAll" />
<security:intercept-url requires-channel="any" pattern="/login*" access="permitAll"/>
<security:intercept-url pattern="/**" requires-channel="any" access="hasRole('ROLE_USER')" />
</security:http>
<!-- queries to be run on data -->
<security:authentication-manager alias="authenticationManager" >
<security:authentication-provider user-service-ref="userDetailsService" />
</security:authentication-manager>
</beans>
Servlet-context.xml
<mvc:annotation-driven/>
<mvc:default-servlet-handler/>
<!-- Enables the Spring MVC #Controller programming model -->
<resources mapping="/resources/**" location="/resources/" />
<!-- beans start here -->
<beans:bean class = "org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp"/>
</beans:bean>
<context:component-scan base-package="com.WirTauschen"/>
<tx:annotation-driven transaction-manager="transactionManager"/>
Login form HTML code
**<form id="form" action="<c:url value='/login'/>" method="POST">
<div class="box-wrapper">
<h4>LOGIN</h4>
<div class="iconic-input">
<input type="text" placeholder="Username" name="j_username" value="">
<i class="icons icon-user-3"></i>
</div>
<div class="iconic-input">
<input type="password" placeholder="Password" name="j_password" value="">
<i class="icons icon-lock"></i>
</div>
<input type="checkbox" id="loginremember"> <label for="loginremember">Remember me</label>
<br>
<br>
<div class="pull-left">
<input name="submit" type="submit" class="orange" value="Login">
</div>
<div class="pull-right">
Forgot your password?
<br>
Forgot your username?
<br>
</div>
<br class="clearfix">
</div>
<div class="footer">
<h4 class="pull-left">NEW CUSTOMER?</h4>
<a class="button pull-right" href="create_an_account.html">Create an account</a>
</div>
</form>
</li>
</ul>
</li>
<li><i class="icons icon-lock"></i> Create an Account</li>
</ul>
</nav>
I am stuck trying to create a web app using spring security 3.2.
I am trying to implement two login pages with a different authentication manager. This configuration works fine if I use a http-basic form but when using a form-login, I receive a 404 on j_spring_security_check. Any Idea ? Why the j_spring_security_check is not generated by spring on this situation ?
Thanks in advance
<http pattern="/admin/login.html" security="none" />
<http pattern="/user/login.html" security="none" />
<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
<intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/user/login.html" always-use-default-target="true" default-target-url="/user/index.html" />
</http>
<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/admin/login.html" always-use-default-target="true" default-target-url="/admin/index.html" />
</http>
<debug/>
<authentication-manager id="adminAuthMgr">
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<authentication-manager id="userAuthMgr">
<authentication-provider>
<user-service>
<user name="user" password="user" authorities="ROLE_USER" />
<user name="vip" password="vip" authorities="ROLE_USER, ROLE_VIP" />
</user-service>
</authentication-provider>
</authentication-manager>
And my login.jsp
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<div class="container">
<form class="form-signin" role="form" action="<c:url value='/j_spring_security_check' />" method='POST'>
<input type="text" name='j_username' class="form-control" placeholder="Username" required="" autofocus="">
<input type="password" name='j_password' class="form-control" placeholder="Password" required="">
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>
<c:if test="${not empty sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}">
<div class="alert alert-danger">
${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
</div>
</c:if>
You can use multiple authentication provider:
-One 'default' Authentication Provider: with 'alias'
-others Authenfication Provider: with 'id'
<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
<intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/user/login.html" always-use-default-target="true" default-target-url="/user/index.html" />
</http>
<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/admin/login.html" always-use-default-target="true" default-target-url="/admin/index.html" />
</http>
<debug/>
<!--default Authentication Provider -->
<authentication-manager alias="adminAuthMgr">
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<authentication-manager id="userAuthMgr">
<authentication-provider>
<user-service>
<user name="user" password="user" authorities="ROLE_USER" />
<user name="vip" password="vip" authorities="ROLE_USER, ROLE_VIP" />
</user-service>
</authentication-provider>
</authentication-manager>
The way spring works is designed is to use one authentication manager with one or more kinds of authentication providers.
As for your example, why not use one authenticationmanager and authentication provider and reference them in both the http tags.
From a security point of view, it should should not compromise anything.
If it was, then nobody would be using spring security.
What I want. I want do spring security auth by springframework tag 'form'.
Example
<!-- JSP -->
<form:form action="login" commandName="?" >
<form:errors path="lastError" ></form:errors>
<form:input path="j_username" />
<form:password path="j_password" />
<form:button value="submit" name="submit" />
</form:form>
<!-- security-context.xml -->
<http use-expressions="true">
<intercept-url pattern="/client/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login" login-processing-url="/login"
authentication-failure-handler-ref="authHandler" />
<logout logout-url="/logout" logout-success-url="/" />
</http>
What should be instead of "?" in form commandName or how can I do this wily action?
Thanx for any suggestions.
Put a Loginbean in the commandName that contains the j_username and j_password.
How to make extra validation in Spring Security login form?
I got a problem with my query but I don't know what has caused it so I need your help =)
I got the following exception:
PreparedStatementCallback; bad SQL grammar [select USERNAME as username, PASSWORD as password, from ams.user where USERNAME=?]; nested exception is com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from ams.user where USERNAME='admin'' at line 1
Here's my login.jsp:
<div class="box">
<h1><spring:message code="login.description" /></h1>
<br/>
<form name='f' action="<c:url value='j_spring_security_check' />" method='POST'>
<ol>
<li>
<label><spring:message code="user.user" />:</label>
<em><img src="images/star_red.png" alt="required"></img></em>
<input type='text' name='j_username'>
</li>
<li>
<label><spring:message code="user.password" />:</label>
<em><img src="images/star_red.png" alt="required"></img></em>
<input type='password' name='j_password' />
</li>
<li>
<label> </label>
<input type='hidden' name='remember_me' id="remember_hidden" value="false"/>
<input type='checkbox' id='remember_checkbox' onchange="toggleRememberMe()" class="checkbox"/>
<spring:message code="login.remember" />
</li>
<li>
<label> </label>
<input type="submit" value="<spring:message code="login"/>"/>
</li>
</ol>
<br />
<br />
</form>
<c:if test="${not empty param.login_error}">
<div class="error">
<br />
<spring:message code="login.error" />
<br />
<spring:message code="login.errorReason" />:
<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
</div>
</c:if>
</div>
Here's my Security-Context code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager"> -->
<security:http auto-config="true">
<security:intercept-url pattern="/login/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/login/doLogin.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/lib/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
<security:form-login login-page="/login/login.do" authentication-failure-url="/login/login.do?login_error=true" default-target-url="/test/showTest.do"/>
<security:logout logout-success-url="/login/login.do" invalidate-session="true" />
<security:remember-me key="rememberMe"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select USERNAME as username, PASSWORD as password, from ams.user where USERNAME=?"
authorities-by-username-query="
select distinct user.USERNAME as username, permission.NAME as authority
from ams.user, ams.user_role, ams.role, ams.role_permission, ams.permission
where user.ID=user_role.USER_ID AND user_role.ROLE_ID=role_permission.ROLE_ID AND role_permission.PERMISSION_ID=permission.ID AND user.EMAIL=?"/>
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
<constructor-arg value="256" />
</bean>
</beans>
Does anyone have an idea what might have caused this error?
Would really appreciate your help on this one =)
There is a comma in the sql after password, remove that
change sql from
select USERNAME as username, PASSWORD as password, from ams.user where USERNAME=?
to
select USERNAME as username, PASSWORD as password from ams.user where USERNAME=?