i have a spring boot application with simple form login. The login works correctly.
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login")
.permitAll();
I also have internationalization through a CookieLocaleResolver and LocaleChangeInterceptor. This also works when logged in.
My Problem is:
The user can't change the locale while he is on the login page.
Login Page: https://localhost/login
Link to change the locale: https://localhost/login?locale=en
But the user is redirected again to https://localhost/login and locale stays the same.
Is there a way to allow parameters at the login page?
Thanks for your help!
Had the same problem, fixed with the following:
http
.authorizeRequests()
.antMatchers("/login/**")//Basically I'm allowing parameters for login so locale can be added and read.
.permitAll()
.anyRequest()
.fullyAuthenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login")
.permitAll();
I think the problem has to do that when you change the locale this is send as a parameter and since the conf is not allowing for parameters withing /login it refreshes and shows the login page to try to authenticate you.
Related
I am having a spring boot application where users can log in and access the login. After logging in, the users can still access the login page. I want the logged users don't have access to the login page, instead redirect them to the home page. How can I do this?? I am using spring security to authenticate the users.
This is my current configuration:
http
.authorizeRequests()
.antMatchers("/css/**","/js/**","/register/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/home")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login")
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.permitAll()
If you don't want to use filter, in your login controller #GetRequest("/login") check the user details by principal.getName() and return home view if it's not null.
I'm working on project with spring boot and Vue, I need to protect my endpoints. The user will have specific role, admin role or typical user role. When I search for tutorials how to configure JWT and spring security I'm getting articles with disabled cors by cors().disable() only . And that's my question.. May I send request from my front Vue app via axios if cors in spring backend is disabled? Is it right approach to disable it? A lot of my requests from api were blocked by cors so I enabled it but I didn't implement user roles and it made me confused what to do now because I have to do it... Another problem is when I implemented httpSecurity.csrf().disable().authorizeRequests().antMatchers("/authenticate", "/register","/login").permitAll(). and tried to call /authenticate from another device in same network then spring blocked it but it shouldn't be blocked.. On the top of controller I have #CrossOrigin(origins="*", maxAge=3600) and #RestController so I don't know why my request is blocked.
Help me please if You have some ideas.
Best regards!
Set this in top of every controller
#CrossOrigin(origins = "*")
#RestController
And set the code in SecuriyConfig as follows. It worked for me.
httpSecurity.cors()
.and()
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/",
"/favicon.ico",
"/**/*.png",
"/**/*.ttf",
"/**/*.woff",
"/**/*.woff2",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.jpeg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers("/authenticate", "/register","/login")
.permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**")
.permitAll()
.anyRequest()
.authenticated();
I have Auth server with OAuth support with #EnableResourceServer.
App configuration
Security configuration
Authorization server
I can GET to /login and fill form.
When i sent POST to /login, i have 401
Error after POST /login
You might get help from my leaning experiment. I was also facing the same issue and adding HttpMethod.POST in antMatchers helped me and you should use .authorizeRequests() at the beginnings
http
.csrf().disable()
.authorizeRequests().antMatchers("/login","/home","/failure").permitAll()
.antMatchers(HttpMethod.POST,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.PUT,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/admin/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/user/**").hasAnyRole("ADMIN","USER")
.antMatchers(HttpMethod.POST,"/user/**").hasAnyRole("ADMIN","USER")
.anyRequest().authenticated()
.and()
.exceptionHandling().accessDeniedPage("/403")
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.usernameParameter("email")
.passwordParameter("password")
.defaultSuccessUrl("/home",true)
.failureUrl("/failure")
.and()
.logout().logoutUrl("/logout").permitAll();
I want to have a homepage followed by login page,Since the login page is not authorised the page becomes UnSecured as per my understanding.The code for this as below:
Home.html
<h2>1. Visit <a th:href="#{/admin}">Admin page (Spring Security protected, Need Admin Role)</a></h2>`enter code here`
<h2>2. Visit <a th:href="#{/user}">User page (Spring Security protected, Need User Role)</a></h2>
<h2>3. Visit <a th:href="#{/about}">Normal page</a></h2>
Here the login page will become unsecured because it is not authorised by spring boot security.How can I tackle the below scenario
http.csrf().disable()
.authorizeRequests()
.antMatchers("/", "/home", "/about").permitAll()
.antMatchers("/admin/**").hasAnyRole("ADMIN")
.antMatchers("/user/**").hasAnyRole("USER")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
'
Please help.Is this possible using Spring Boot Security using the above method?
I solved this issue by setting the following properties in application.properties
server.use-forward-headers=true
I'm using Spring Security 5.0.4 with Spring Boot 2.0.1
I have a working security configuration:
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/", "/index.html", "/#", "/reader.html").permitAll()
.antMatchers("/favicon.ico").permitAll()
.antMatchers("/app/**", "/assets/**", "/translations/**", "/vendor/**").permitAll()
.antMatchers("/login**").permitAll()
.anyRequest().authenticated() // everything else needs authentication
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.usernameParameter("username")
.passwordParameter("password")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.permitAll();
It works as expected: When I provide good credentials I'm logged in, it forwards me to /index.html. When I provide bad credentials, it forwards me back to /login with ?error query param.
But, if I complete it with a custom failureForwardUrl() or successForwardUrl() for example:
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.usernameParameter("username")
.passwordParameter("password")
.successForwardUrl("/home")
.failureForwardUrl("/login?fail=true")
.permitAll()
it behaves strangely.
If I provide bad credentials, it forwards me back to /login without any query parameters. If I provide good credentials, then I receive a HTTP 405 Method Not Allowed status (POST to /login)
This configuration worked in Spring Security 4.x.
What could be the problem? Thanks!
I figured out that I mixed up .failureUrl("/login?error") with .failureForwardUrl("/login?error"). Facepalm.