Spring logout access denied - spring

I'm using Spring Security, trying to set up basic login/logout functionality. Login works OK, I store users in a MySQL DB and I'm able to log in, but I have a problem with logging out. On the home page I made a logout link that looks like this, but when I click it I get 403 Access Denied, and the user doesn't get logged out:
<a href="<c:url value="j_spring_security_logout" />" > Logout</a>
And here is my security-context.xml:
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<security:intercept-url pattern="/static/**" access="permitAll" />
<security:intercept-url pattern="/loggedout" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
<security:intercept-url pattern="/docreate" access="isAuthenticated()" />
<security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
<security:intercept-url pattern="/newaccount" access="permitAll" />
<security:intercept-url pattern="/createaccount" access="permitAll" />
<security:intercept-url pattern="/accountcreated" access="permitAll" />
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/offers" access="permitAll" />
<security:intercept-url pattern="/**" access="denyAll" />
<security:logout logout-success-url="/loggedout"/>
<security:form-login login-page="/login"
authentication-failure-url="/login?error=true" />
</security:http>
And /loggedout is mapped to basic .jsp page, just saying "You have logged out."
Also, when I click the logout link while I'm not logged in, it takes me to the login page.
What am I doing wrong?

Add this as the first rule in the <security:http use-expressions="true"> section:
<security:intercept-url pattern="/j_spring_security_logout" access="permitAll" />

I just added
logout-url="/j_spring_security_logout"
to the security:logout element, and it is working as it should now. But I thought it would work even without this parameter if I use /j_spring_security_logout as the logout link.

Add this under the <security:http use-expressions="true"> section:
<security:csrf disabled="true"/>
Worked for me.

Related

Spring MVC Security permitAll to / but denyAll to /** not working

I have a Spring 4 MVC application that is deployed on WildFly 10 and is configured using XML.
I have the following controller defined:
<mvc:view-controller path="/" view-name="/index" />
<mvc:view-controller path="/index" view-name="/index" />
And in Spring security define access:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/**" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>
If I remove the denyAll to /** intercept-url, the application works as intended; however, adding it causes security to redirect root calls to the login page and not the index page!
Is there a way I can have permitAll access to the root (Redirects to /index) of my application and still denyAll to /** thus covering anything else that is not defined?
Changing the pattern to <intercept-url pattern="/.+" access="denyAll" />, as Vasan suggested in a comment, got it working. Below is an example of the change:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/.+" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>

Two login pages but wrong redirects in spring app

I'm trying to create another login page in my application.
The second one works properly, but the first one, which I just added, doesn't catch the URL correctly and doesn't redirect to the right page.
The second HTTP configuration is always used.
<security:http pattern="/vcrequest/**" use-expressions="true" realm="NETMG Spring Security" authentication-manager-ref="authenticationManager">
<security:logout logout-url="/resources/j_spring_security_logout" />
<security:form-login
login-processing-url="/resources/j_spring_security_check"
login-page="/vcrequest/view/loginVCR"
default-target-url="/vcrequest/controller/vcrequest/my-request"
authentication-failure-url="/vcrequest/view/loginVCR?login_error=t" />
<security:intercept-url pattern="/vcrequest/view/loginVCR" access="permitAll" />
<security:intercept-url pattern="/vcrequest/**" access="isAuthenticated()" />
<security:http-basic/>
</security:http>
<security:http use-expressions="true" realm="NETMG Spring Security" authentication-manager-ref="authenticationManager">
<security:session-management session-fixation-protection="newSession"/>
<security:logout logout-url="/resources/j_spring_security_logout" />
<security:form-login
login-processing-url="/resources/j_spring_security_check"
login-page="/view/login"
default-target-url="/view/home#agregateShowMode=site"
authentication-failure-url="/view/login?login_error=t" />
<security:intercept-url pattern="/controller/users/**" access="hasRole('ROLE_ADD_USERS')" />
<security:intercept-url pattern="/controller/export/**" access="hasRole('ROLE_EXPORT')" />
<security:intercept-url pattern="/controller/stocks/**" access="hasRole('ROLE_STOCKS')" />
<security:intercept-url pattern="/controller/home/site/edit/**" access="hasAnyRole('ROLE_EDIT_SITE')" />
<security:intercept-url pattern="/controller/home/site/create*" access="hasRole('ROLE_ADD_SITE')" />
<security:intercept-url pattern="/controller/home/site/save*" access="hasAnyRole('ROLE_EDIT_SITE')" />
<security:intercept-url pattern="/controller/home/site/change*" access="hasRole('ROLE_CLOSE_SITE')" />
<security:intercept-url pattern="/controller/home/service/add/**" access="hasRole('ROLE_ADD_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/add*" access="hasRole('ROLE_ADD_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/link/**" access="hasRole('ROLE_LINK_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/edit/**" access="hasAnyRole('ROLE_EDIT_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/save/**" access="hasAnyRole('ROLE_EDIT_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/close/**" access="hasRole('ROLE_CLOSE_SERVICE')" />
<security:intercept-url pattern="/controller/home/link/add/**" access="hasAnyRole('ROLE_ADD_LINK', 'ROLE_ADD_LINK_FOR_REQUEST')" />
<security:intercept-url pattern="/controller/home/link/link*" access="hasRole('ROLE_ADD_LINK')" />
<security:intercept-url pattern="/controller/home/link/edit/**" access="hasAnyRole('ROLE_EDIT_LINK')" />
<security:intercept-url pattern="/controller/home/link/save/**" access="hasAnyRole('ROLE_EDIT_LINK')" />
<security:intercept-url pattern="/controller/home/link/close/**" access="hasRole('ROLE_CLOSE_LINK')" />
<security:intercept-url pattern="/controller/home/device/add/**" access="hasAnyRole('ROLE_ADD_DEVICE', 'ROLE_ADD_DEVICE_FOR_REQUEST')" />
<security:intercept-url pattern="/controller/home/device/link/**" access="hasRole('ROLE_LINK_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/link*" access="hasRole('ROLE_LINK_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/edit/**" access="hasAnyRole('ROLE_EDIT_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/save/**" access="hasAnyRole('ROLE_EDIT_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/close/**" access="hasRole('ROLE_CLOSE_DEVICE')" />
<security:intercept-url pattern="/pages/private/**" access="isAuthenticated()" />
<!-- URLs not secured -->
<security:intercept-url pattern="/resources/**" access="permitAll" />
<security:intercept-url pattern="/css/**" access="permitAll" />
<security:intercept-url pattern="/img/**" access="permitAll" />
<security:intercept-url pattern="/js/**" access="permitAll" />
<security:intercept-url pattern="/view/login" access="permitAll" />
<security:intercept-url pattern="/view/loginVCR" access="permitAll" />
<security:intercept-url pattern="/jamon/**" access="permitAll" />
<security:intercept-url pattern="/view/js-dynamic/**" access="permitAll" />
<!-- All others URLs need at least that the user is authenticated -->
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
I tried the following post, but without success:
Two realms in same application with Spring Security?
Does anyone know how to solve the issue?
Maybe having the same login-processing-url on both realms is causing the trouble. Have you tried changing the first realm's login-processing-url to another mapping, for example:
<security:form-login
login-processing-url="/anotherresource/j_spring_security_check"
Note: if you set this parameter to a path that matches the first realm's pattern, such as
/vcrequest/j_spring_security_check
remember to bypass it in that security realm with
<security:intercept-url pattern="/vcrequest/j_spring_security_check" access="permitAll" />

Spring redirect view is not working

I am using Spring controllers to show my JSP views, and Spring Security.
In the security context, all users can access /login (login.jsp) but only authenticated users can access /home (home.jsp).
When I remove the session ID from the browser cookies, the next request in the app should redirect to the login page.
My method to show the login page in the controller is:
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

// Both /login and /login.do render the login form, unless the caller is
// already authenticated, in which case they are sent on to /home.
@RequestMapping(value = {"/login", "/login.do"})
public ModelAndView showLoginForm() {
    // getUsername() is the poster's own helper; Spring Security reports an
    // anonymous caller with the principal name "anonymousUser".
    String username = getUsername();
    if (!"anonymousUser".equals(username)) {
        return new ModelAndView("redirect:/home");
    }
    return new ModelAndView("login");
}
My URL is /home, but when I try to redirect to the login page using this function (return new ModelAndView("login")) the browser stays on the same URL.
My Spring Security config:
<http entry-point-ref="loginEntryPoint"
use-expressions="true" create-session="always">
<session-management
session-authentication-strategy-ref="sas" />
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/accessDenied.do" access="permitAll" />
<intercept-url pattern="/app/**" access="permitAll" />
<intercept-url pattern="/signup/createuser" access="permitAll" />
<intercept-url pattern="/changepassword/changefirstpassword" access="permitAll" />
<intercept-url pattern="/recoverpassword/recoverPasswordRequest" access="permitAll" />
<intercept-url pattern="/resources/**" access="permitAll"/>
<intercept-url pattern="/**" access="authenticated" />
<access-denied-handler error-page="/accessDenied.do" />
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<custom-filter position="FORM_LOGIN_FILTER" ref="domainFormLoginFilter" />
<logout success-handler-ref="myLogoutSuccessHandler" />
</http>
Why doesn't my browser redirect to the login page? Thanks.
First remove your controller and add the following to your security configuration.
<sec:intercept-url pattern="/home" access="isAuthenticated()" />
<sec:intercept-url pattern="/login" access="permitAll()" />
Work with the framework not against or around it...

All sites redirected to login page

Dear fellow Spring'lers,
I stumbled upon a problem with the login of intercept-urls in Spring.
I just want to REDIRECT ALL PAGES to my login page IF NOT logged in.
This is the security context I use. However, this code is not allowing me to access any page:
<security:http auto-config="true">
<security:form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<security:logout logout-success-url="/logout" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/**" access="hasRole(ROLE_USER)" />
</security:http>
Thanks for your help.
Lomu
Changed my configuration according to jonnieM's post; it's now:
<security:http auto-config="true">
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
<security:form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<security:logout logout-success-url="/logout" />
</security:http>
So I think "IS_AUTHENTICATED_ANONYMOUSLY" did the trick :)
Cheers Lomu
You should apply the <http use-expressions="true"> setting, otherwise the values in the <intercept-url> access attribute won't be interpreted as Spring EL expressions.

Spring Security Authenticated User only

I just started reading up on Spring Security 3.1 and I would like to know how I can force users to authenticate through my login page before accessing any pages on my system. In a tutorial I see the following code:
<http use-expressions="true">
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')" />
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<intercept-url pattern="/listAccounts.html" access="isAuthenticated()" />
<intercept-url pattern="/post.html" access="hasAnyRole('supervisor','teller')" />
<intercept-url pattern="/**" access="denyAll" />
<form-login />
</http>
From the above configuration I can see that I have to maintain the list of URL patterns. Is there a way to simplify this so that every user has to log in through "/login" before they can access any other page?
EDIT:
I have edited my configuration as below and it's working as I expected:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/loginfailed" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/login" />
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
The URL rules are inspected in order, top to bottom. The first one that matches is the one that is used.
In this example, the last line
<intercept-url pattern="/**" access="denyAll" />
is the "catch-all" rule. It applies to all requests ("/**") that didn't match any of the rules above it.
In its current form, it denies access to everyone, regardless. If you change it to
<intercept-url pattern="/**" access="isAuthenticated()" />
instead, it will require authentication for all pages unless otherwise specified, which will cause Spring Security to redirect unauthenticated users to the login process.
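The script below is an added example; it is not code from any of the posts above, nor from Spring Security itself. It models in Python the two first-match-wins lookups that account for what is reported in the logout 403 question, the permitAll-to-/ question, the two-login-pages question and the ordering explanation in the last answer: FilterChainProxy choosing an <http pattern> chain, and that chain's <intercept-url> rules being inspected top to bottom. The rule lists are copied, abbreviated, from the posted configurations; the matcher is a simplified AntPathMatcher (trailing-slash handling omitted), and the outcome labels (403 for an authenticated caller, login redirect for an anonymous one) follow what ExceptionTranslationFilter does with an AccessDeniedException.

```python
"""Added model of how Spring Security's XML configuration resolves a request.

Two ordered, first-match-wins lookups are involved:
  1. FilterChainProxy picks the first <http pattern="..."> chain whose pattern
     matches (a chain without a pattern matches everything).
  2. Inside that chain, FilterSecurityInterceptor inspects <intercept-url> rules
     top to bottom; the first matching pattern's access expression decides.
Patterns use Ant semantics: '?' is one character, '*' any characters inside one
path segment, '**' zero or more segments. Everything else is literal, so '.'
and '+' carry no wildcard meaning. Trailing-slash handling is omitted here.
"""
import re


def _segment_matches(pat_seg: str, path_seg: str) -> bool:
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pat_seg)
    return re.fullmatch(regex, path_seg) is not None


def _match_segments(pat: list, segs: list) -> bool:
    if not pat:
        return not segs
    if pat[0] == "**":  # zero or more segments: try every possible split
        return any(_match_segments(pat[1:], segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and _segment_matches(pat[0], segs[0]) \
        and _match_segments(pat[1:], segs[1:])


def ant_match(pattern: str, path: str) -> bool:
    """Ant-style match of a request path against an <intercept-url> pattern."""
    pat = [s for s in pattern.split("/") if s]
    segs = [s for s in path.split("/") if s]
    return _match_segments(pat, segs)


GRANTED = "granted"
FORBIDDEN = "403"                     # AccessDeniedHandler: caller was authenticated
LOGIN_REDIRECT = "redirect-to-login"  # AuthenticationEntryPoint: caller was anonymous


def _allows(access: str, roles) -> bool:
    """roles is None for an anonymous caller, else the set of granted roles."""
    if access == "permitAll":
        return True
    if access == "denyAll":
        return False
    if access in ("isAuthenticated()", "authenticated"):
        return roles is not None
    m = re.fullmatch(r"hasRole\('([^']+)'\)", access)
    if m:
        return roles is not None and m.group(1) in roles
    m = re.fullmatch(r"hasAnyRole\((.*)\)", access)
    if m:
        wanted = {r.strip().strip("'") for r in m.group(1).split(",")}
        return roles is not None and bool(wanted & roles)
    raise ValueError(f"unsupported access expression: {access}")


def decide(rules, path, roles=None):
    """Return (outcome, deciding pattern). A path matching no rule is let
    through: FilterSecurityInterceptor's rejectPublicInvocations defaults to false."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            if _allows(access, roles):
                return GRANTED, pattern
            return (FORBIDDEN if roles is not None else LOGIN_REDIRECT), pattern
    return GRANTED, None


def select_chain(chains, path):
    """First chain whose <http pattern> matches handles the request."""
    for name, pattern in chains:
        if pattern is None or ant_match(pattern, path):
            return name
    return None


# Rule lists copied (abbreviated) from the configurations posted above.
LOGOUT_QUESTION_RULES = [
    ("/static/**", "permitAll"), ("/loggedout", "permitAll"), ("/login", "permitAll"),
    ("/createoffer", "isAuthenticated()"), ("/", "permitAll"), ("/offers", "permitAll"),
    ("/**", "denyAll"),
]
ROOT_RULES_BEFORE = [("/", "permitAll"), ("/index", "permitAll"), ("/**", "denyAll")]
ROOT_RULES_AFTER = [("/", "permitAll"), ("/index", "permitAll"), ("/.+", "denyAll")]
TWO_LOGIN_CHAINS = [("vcrequest", "/vcrequest/**"), ("default", None)]

if __name__ == "__main__":
    # A GET the LogoutFilter does not claim falls through to the catch-all rule.
    print(decide(LOGOUT_QUESTION_RULES, "/j_spring_security_logout", {"ROLE_USER"}))
    print(decide(LOGOUT_QUESTION_RULES, "/j_spring_security_logout"))
    # '/' permitAll followed by '/**' denyAll admits '/' and denies the rest...
    print(decide(ROOT_RULES_BEFORE, "/"), decide(ROOT_RULES_BEFORE, "/admin"))
    # ...whereas '/.+' matches only the literal path '/.+', so '/admin' is unguarded.
    print(decide(ROOT_RULES_AFTER, "/admin"))
    # The shared login-processing-url is routed to the chain without a pattern.
    print(select_chain(TWO_LOGIN_CHAINS, "/resources/j_spring_security_check"))
    print(select_chain(TWO_LOGIN_CHAINS, "/vcrequest/j_spring_security_check"))
```

Three things the output makes concrete. A GET to /j_spring_security_logout that the LogoutFilter does not claim (the default logout-url is /j_spring_security_logout in Spring Security 3.x but /logout in 4.x, and with CSRF protection enabled logout is only accepted as a POST) falls through to /** denyAll: 403 for an authenticated user, redirect to the login page for an anonymous one, which is exactly the pair of symptoms in the first question. That is also why <security:csrf disabled="true"/> is the wrong trade: keep CSRF on and issue logout as a POST form that carries the _csrf token. Under Ant semantics, / permitAll followed by /** denyAll admits the request for / itself, so whatever triggers the redirect in the second question is a different request path (an internal forward to the JSP, for instance, if the security filter is also mapped to the FORWARD dispatcher; the post does not say), while /.+ contains no Ant wildcard, matches only the literal path /.+, and leaves every unlisted URL matching no rule at all, so it is let through (set <http request-matcher="regex"> if a regular expression is intended). Finally, /resources/j_spring_security_check does not match /vcrequest/**, so the posted VCR login form always authenticates against the chain without a pattern.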
