Spring security filter called twice - spring

I just realized that the OAuth2AuthenticationProcessingFilter is called twice when accessing the protected resource /me in my OAuth auth server:
An abstract of my xml config:
<http pattern="/me/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" use-expressions="true"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/me/**"
access="hasRole('ROLE_USER') and #oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.hasScope('read')" />
<!-- Protect the resource with oauth by using the resourceServerFilter-->
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<expression-handler ref="oauthWebExpressionHandler" />
<request-cache ref="requestCache" />
</http>
and
<http access-denied-page="/login?authorization_error=true" disable-url-rewriting="true"
xmlns="http://www.springframework.org/schema/security" use-expressions="true">
<intercept-url pattern="/oauth/**" access="hasRole('ROLE_USER')" />
<!-- /secure/** is protected and for users only. Don't allow oauth2 clients to access protected UI pages.
Put all secured web pages under /secure (e.g. /secure/profile) -->
<intercept-url pattern="/secure/**" access="hasRole('ROLE_USER') and #oauth2.denyOAuthClient()" />
<!-- Allow access to everything else -->
<intercept-url pattern="/**" access="permitAll()" />
<form-login authentication-failure-handler-ref="authenticationFailureHandler"
login-page="/login" login-processing-url="/login.do" authentication-success-handler-ref="customAuthenticationSuccessHandler" />
<!-- See also LogoutFilterPostProcessor -->
<logout logout-url="/logout.do" delete-cookies="JSESSIONID" success-handler-ref="lclSessionCookieDeletingLogoutHandler" />
<anonymous />
<!-- Allow the usage of oauth web expressions (e.g. '#oauth2.denyOAuthClient()') -->
<expression-handler ref="oauthWebExpressionHandler" />
<request-cache ref="requestCache" />
<csrf token-repository-ref="csrfTokenRepository"/>
<remember-me services-ref="persistentTokenBasedRememberMeServices" key="abcdefg"/>
<custom-filter ref="forcePasswordResetFilter" before="REQUEST_CACHE_FILTER" />
</http>
It seems as if the filters from the second <http/> section (e.g. the ForcePasswordResetFilter) are also applied when /me is called - which is not what I'd expect. Any ideas why not only the first <http/> section is considered which matches /me/**?

Related

Spring MVC Security permitAll to / but denyAll to /** not working

I have a Spring4 MVC application that is deployed on Wildfly10 and is configured using xml.
I have the following controller defined:
<mvc:view-controller path="/" view-name="/index" />
<mvc:view-controller path="/index" view-name="/index" />
And in Spring security define access:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/**" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>
If I remove the denyAll to /** intercept-url the application works as intended however adding it causes security to redirect root calls to the login page and not the index page!
Is there a way I can have permitAll access to the root (Redirects to /index) of my application and still denyAll to /** thus covering anything else that is not defined?
By Changing the pattern to <intercept-url pattern="/.+" access="denyAll" /> as commented by Vasan got it working. below is an example of the change
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/.+" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>

spring session redirect after timeout

I have configured spring security for login form. Everything works fine except session timeout.
When session timeouts I want to redirect to login page. Instead I am redirected to homepage. Below is part of my security xml .Can anyone suggest anything via xml configuration
<http auto-config="true" use-expressions="true">
<!-- This settings is for IE. Default this setting is on migrateSession.
When IE tries to migrate the session, the auth cookie does not migrate, resulting
in a nice login screen again, after you've logged in. This setting ensures
that the session will not be invalidated, and thus IE will still work as
expected. -->
<session-management session-fixation-protection="none" />
<intercept-url pattern="/login.jsp" access="permitAll" />
<intercept-url pattern="/css/*" access="permitAll" />
<intercept-url pattern="/img/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/lib/**" access="permitAll" />
<intercept-url pattern="/fonts/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login login-page="/login.jsp" login-processing-url="/j_spring_security_check"
default-target-url="/index.html" always-use-default-target="true"
authentication-failure-url="/login?error=true" username-parameter="username"
password-parameter="password" authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/login.jsp" logout-url="/j_spring_security_logout" invalidate-session="true" />
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
<session-management invalid-session-url="/login.jsp" />
<!-- disable csrf protection -->
<csrf disabled="true" />
</http>
I have added timeout in web.xml as
<session-config>
<session-timeout>1</session-timeout>
</session-config>

Spring Security Login and Checking Issue

I am using Spring 4 + Spring Security 3.2 + GWT , after deploying the application on Jboss and call it (http://localhost:8080/login/login.htm) I get this error JBWEB000124: The requested resource is not available.
With Spring 3.1 + spring security 3.1 was workiung fine.
<http auto-config="true">
<intercept-url pattern="/gwt/**" access="ROLE_USER" />
<intercept-url pattern="/**/*.html" access="ROLE_USER" />
<intercept-url pattern="/" access="ROLE_USER" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/ws/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-page="/login/login.htm" authentication-failure-url="/login/login.htm?error=true" />
<logout invalidate-session="true" delete-cookies="userid,JSESSIONID" />
<logout invalidate-session="true" logout-success-url="/" logout-url="/j_spring_security_logout" />
<session-management invalid-session-url="/login/login.htm?invalid=true" session-fixation-protection="newSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
</session-management>
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</http>
any help?
Thanks

Spring security with multiple login pages

I am using Spring security to secure login to the application admin section with a username and password. But now my client need to have another login screen for the application clients section, where they will have their own usernames / passwords to login to the clients section. So far I've already implemented the admin section login successfully with the following spring-security.xml settings:
<security:http auto-config="true" use-expressions="true">
<security:form-login login-page="/login"
default-target-url="/admin/dashboard" always-use-default-target="true"
authentication-failure-url="/login/admin?error_msg=wrong username or password" />
<security:intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />
<security:logout logout-success-url="/login"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider
user-service-ref="adminServiceImpl">
</security:authentication-provider>
</security:authentication-manager>
I've searched the web a lot trying to find how I can add the client section login screen, intercept-url(s), security authentication provider but couldn't find any info, so can someone please help me with any link to any tutorial / example, guide on how to do so?
Thanks
According to the Spring Security docs:
From Spring Security 3.1 it is now possible to use multiple http
elements to define separate security filter chain configurations for
different request patterns. If the pattern attribute is omitted from
an http element, it matches all requests.
Each element creates a filter chain within the internal FilterChainProxy and the URL pattern that should be mapped to it. The elements will be added in the order they are declared, so the most specific patterns must again be declared first.
So, essentially you need two <http> elements each with a different pattern attribute.
There's a detailed tutorial here: https://blog.codecentric.de/en/2012/07/spring-security-two-security-realms-in-one-application/
I would use only one security:http, but register two UsernamePasswordLoginFilters.
This solution would be appropriate if the two Login-Pages belog to the same security-realm. (So if it does not matter on which Login-Page the user logs in). Of course you can still use roles to restrict the access for different parts of your application for different types of users.
This solution should be quite easy, because you will not need to handle two security:http sections.
The major drawback of this is: that you will have to decide on which of the two login pages a NOT logged in user gets redirected if he try to access an page that requires a login.
Example project of Spring MVC App with multiple login forms.
Three types of pages Normal/Member/Admin.
If you try to access member page you are brought to Member Login form.
If you try to access admin page you go to the Admin Login form.
https://github.com/eric-mckinley/springmultihttploginforms
Done using the ant regex request matcher in the seucrity xml config file.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<global-method-security secured-annotations="enabled" />
<http name="member" pattern="/member/*" request-matcher="ant" auto-config="true" use-expressions="false">
<csrf disabled="true"/>
<intercept-url pattern="/member/home" access="ROLE_MEMBER" />
<intercept-url pattern="/member/account" access="ROLE_MEMBER" />
<intercept-url pattern="/member/orders" access="ROLE_MEMBER" />
<form-login login-page="/member-login" always-use-default-target="false"/>
<logout logout-url="/logout" logout-success-url="/home"/>
</http>
<http name="admin" request-matcher="regex" auto-config="true" use-expressions="false">
<csrf disabled="true"/>
<intercept-url pattern="/admin/home" access="ROLE_ADMIN" />
<intercept-url pattern="/admin/users" access="ROLE_ADMIN" />
<form-login login-page="/admin-login" always-use-default-target="false"/>
<logout logout-url="/logout" logout-success-url="/home"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="password" authorities="ROLE_ADMIN" />
<user name="member" password="password" authorities="ROLE_MEMBER" />
<user name="super" password="password" authorities="ROLE_ADMIN,ROLE_MEMBER" />
</user-service>
</authentication-provider>
</authentication-manager>
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<!-- <intercept-url pattern="/welcome/**" access="permitAll" /> <intercept-url
pattern="/admin*" access="hasRole('ROLE_ADMIN')" /> -->
<intercept-url access="hasRole('ROLE_USER')" pattern="/main*" />
<intercept-url pattern="/main*" access="hasRole('ROLE_USER')" />
<form-login login-page="/login" default-target-url="/login-success"
authentication-failure-url="/loginError" />
<!-- <session-management invalid-session-url="/login" session-fixation-protection="newSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management> -->
<logout logout-success-url="/login" delete-cookies="JSESSIONID" />
<csrf disabled="true" />
<headers>
<frame-options policy="SAMEORIGIN" />
</headers>
</http>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/mobile/" access="permitAll" />
<intercept-url pattern="/mobile/login" access="permitAll" />
<!-- <intercept-url pattern="/welcome/**" access="permitAll" /> <intercept-url
pattern="/admin*" access="hasRole('ROLE_ADMIN')" /> -->
<intercept-url access="hasRole('ROLE_USER')" pattern="/main*" />
<intercept-url pattern="/main*" access="hasRole('ROLE_USER')" />
<form-login login-page="/mobile/login" default-target-url="/mobile/login-success"
always-use-default-target="true" authentication-failure-url="/mobile/login?error"
username-parameter="username" password-parameter="password" />
<logout delete-cookies="JSESSIONID" logout-success-url="/mobile/login" />
<csrf disabled="true" />
<headers>
<frame-options policy="SAMEORIGIN" />
</headers>
Here I have need two login forms common for all users. I have configured tag element as mentioned above in spring-security.xml.But it is not working. Please suggest me a solution

Thread: how to bypass <intercept-url pattern="/trusted/**"

i have a spring configuration,
i want to access <intercept-url pattern="/trusted/**" filters = "none" />
without filter
is there any way to access
i take this error when i use filters = "none"
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Config
uration problem: The use of "filters='none'" is no longer supported. Please defi
ne a separate element for the pattern you want to exclude and use the att
ribute "security='none'".|Offending resource: ServletContext resource [/WEB-INF/
spring-servlet.xml]
<http access-denied-page="/login.jsp" access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/photos" access="ROLE_USER,SCOPE_READ" />
<intercept-url pattern="/photos/**" access="ROLE_USER,SCOPE_READ" />
<!-- <intercept-url pattern="/trusted/**" access="ROLE_USER,SCOPE_TRUST" />-->
<intercept-url pattern="/trusted/**" filters = "none" />
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/oauth/**" access="ROLE_USER" />
<intercept-url pattern="/request_token_authorized.jsp" access="ROLE_USER,DENY_OAUTH" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY,DENY_OAUTH" />
<form-login authentication-failure-url="/login.jsp" default-target-url="/index.jsp" login-page="/login.jsp"
login-processing-url="/login.do" />
<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
<anonymous />
<custom-filter ref="oauth2ProviderFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</http>
you need to add a extra http element:
<http pattern="/trusted/**" secure="none">
</http>

Resources