Configuring HTTP pages and HTTPS pages with Spring Security - spring

I have successfully setup an application using Spring Security. When users request the secured pages, Spring automatically redirects these users to a HTTPS page.
<http auto-config="true" use-expressions="true" once-per-request="true" >
<intercept-url pattern="/login" access="permitAll" requires-channel="https"/>
<intercept-url pattern="/my-account" access="isAuthenticated()" requires-channel="https"/>
<logout />
<form-login login-page="/login" />
<port-mappings>
<port-mapping http="8080" https="8443"/>
<port-mapping http="80" https="443"/>
</port-mappings>
</http>
But when the users navigate, the next other pages that does not have sensitive information are still using HTTPS. I would like these normal pages accessed using just HTTP.
Is any intelligent way to do that? All the other pages that I do not configured as HTTPS channel I would like to be accessed using just HTTP. I tried to use some wildcards but without success.
Extra detail:
HTTPS uses more server CPU. I have a lot of requests on some pages and I would like to avoid this extra cost.

Make your entire site HTTPS. Performance change is minimal these days and you won't screw over your users by exposing their session cookies over HTTP.
https://istlsfastyet.com/

In Spring-Security, you can do this way -
<http auto-config="true" use-expressions="true" once-per-request="true" >
<intercept-url pattern="/login" access="permitAll" requires-channel="https"/>
<intercept-url pattern="/my-account" access="isAuthenticated()" requires-channel="https"/>
<intercept-url pattern="/**" access="permitAll" requires-channel="http"/>
All other url's besides "/login" and "/my-account" will be served over http.
In addition to this, you must set the secure flag for the cookie.
By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.
https://www.owasp.org/index.php/SecureFlag

Related

Decide redirection for Invalid Session in Spring security

I have setup Spring Security on my webapp project.
My application setting for session expiration time is 15 min.
The spring security config is pretty basic and I have
<http use-expressions="true" disable-url-rewriting="true">
<csrf />
<intercept-url pattern="/login/auth" access="permitAll" />
<intercept-url pattern="/login*" access="permitAll" />
<intercept-url pattern="/about" access="permitAll"/>
<intercept-url pattern="/contact-us" access="permitAll"/>
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" requires-channel="any"/>
<session-management invalid-session-url="/?invalidSession=1"
session-authentication-error-url="/login?session=fail"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"
expired-url="/login?invalidSession=1"/>
</session-management>
Now the problem I'm having is that for example given the user sends an invalid session id spring always redirects to the homepage with '/?invalidSession=1'.
I'm saying it is a problem due to the fact that if the user, after a certain period of time, tries for example to go to the /contact-us page (which us an unprotected resource) he gets redirected to the homepage.
I think one solution would be that spring creates a new session and then redirects to the previously requested resource instead of always the invalid-session-url.
How do you deal with these situations?

Force SSL based on url pattern in Spring security 3.2?

I am trying to configure my SS3.2 to do something quite simple: reject any HTTP request that's not directed at my login service; and allow access to the login service without authorization.
I have the following in my security.xml:
<http pattern="/login/**" security="none" />
<!--
<intercept-url pattern="/login/**" access="permitAll" requires-channel="https"/>
-->
<http auto-config="true" use-expressions="true">
<custom-filter ref="myCustomFilter" before="BASIC_AUTH_FILTER" />
</http>
Now since the login service will transport authentication information, it obviously needs to be secured by SSL/TLS. But I can't figure out how to force it to use SSL/TLS, while still letting it skip the custom filter.
Any suggestions?

SpringSecurity do not forward to https

Dear All,
We have added Spring Security for our web application. Login url seems like this
https://www.xyz.com/app/login.do
after login it should redirect to other urls with same https protocol. Right now SpringSecurity redirect us to other urls but with http not https.
Please tell us any specific settings are needed.
Thanks,
Op
Within your spring security definitions, inside your intercept-url tag you need to add requires-channel="https"
For example:
<sec:intercept-url pattern="/login.jsp*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/j_spring_security_check*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY"/>

spring security: http if user not authenticate

I'm using Spring 3.2 + primefaces 3.5 + hibernate 4.1.9
The security context is:
<http auto-config='false' use-expressions="true" >
<intercept-url pattern="/**/login" access="permitAll" requires-channel="https"/>
<intercept-url pattern="/**/registration" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/pages/adm/**" access="hasRole('ADMIN')" requires-channel="https" />
<intercept-url pattern="/*/account**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/**" requires-channel="any" />
<form-login login-page="/loginRedirect"
authentication-failure-handler-ref="pennyUrlAuthenticationFailureHandler"
authentication-success-handler-ref="pennyAuthSuccessHandler"
default-target-url="/pages/account/orders.xhtml" />
<logout logout-success-url="/" invalidate-session="true"/>
</http>
If I go to a page that requires HTTPS, for the rest of session, it will use the HTTPS protocol, even if the user is not authenticated.
If I go to https ://mystite/en/cart, HTTPS will be used for all browsing session.
I do not want to switch HTTPS to HTTP forever, but only if the user is not authenticated.
Can I force the HTTP for non-authenticated users?
If I go to a page that requires HTTPS, for the rest of session, it
will use the HTTPS protocol, even if the user is not authenticated.
That's correct because of
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
Also, because of
<intercept-url pattern="/**" requires-channel="any" />
it will stick with HTTPS once the user requested a resource that requires HTTPS. Why would it have to switch back if you say any (HTTPS is as good as any)?
Can I force the HTTP for non-authenticated users?
No, not that I know of. Personally, I don't think this would make much sense either.

POST to login-processing-url yields HTTP/404

Env:
Spring 3.1.3
Spring security: 3.1.3
Spring ldap: 1.3.1
JDK1.6
Problem:
I get a 404 on my login-processing-url.
Details:
I have three http intercept blocks: a public one, the second one used to intercept and
secure URLs for admins (uses authentication manager 1) and the third one for regular users
(uses authentication manager 2).
When the login form in http intercept block 1 post the credentials to the login-processing-url of the form login, it yields 404. I do mot get this - since the form login
announces the login-processing-url, shouldn't that filter chain recognize that URL?
Also, shluld I explicitly do "permitAll" on the login-processing-url of a form or is that
automagically done under the covers?
Lastly, is it problematic to have distinct http interceptor blocks to have distinct
login-processing-urls? (I cannot see why - but I ask anyways).
Configs:
Spring security configuration:
//...
<debug />
<global-method-security secured-annotations="enabled" />
<http pattern="/public/**" security="none"/>
<http use-expressions="true" pattern="/protected/x/support/**" authentication-manager-ref="lAdminAuthManager">
<intercept-url pattern="/protected/x/support/**" access="hasRole('ROLE_ADMIN')"/>
<form-login login-page="/public/login.jsp"
login-processing-url="/protected/x/support/j_spring_security_check"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/login/form?error"
default-target-url="/protected/x/support/index.html"/>
</http>
<http use-expressions="true" entry-point-ref="lUserLoginEntryPoint">
<intercept-url pattern="/protected/x/foo1/**" access="permitAll"/>
<intercept-url pattern="/protected/x/foo2/**" access="permitAll"/>
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<custom-filter ref="lUserLoginFilter" position="FORM_LOGIN_FILTER"/>
<custom-filter ref="lPreauthAuthenticationFilter" position="PRE_AUTH_FILTER" />
</http>
//...
Any hints greatly appreciated!
Thanx,
Uma
Any way check the below links . It may help you
Visit http://krams915.blogspot.com/2010/12/spring-security-mvc-integration_18.html
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html
Even a small url conflict in config files will cause 404 error.

Resources