In Spring Security, access is not applied properly on intercept url - spring

I wrote the following code in my project-security.xml file.
<security:http name="dbservice" pattern="/pages" use-expressions="true" entry-point-ref="WMSecAuthEntryPoint" authentication-manager-ref="authenticationManager">
<!-- NOTE(review): pattern="/pages" selects this filter chain only for the exact path /pages. A request for
     /pages/Test presumably never reaches this chain and is handled by the "common" chain declared below, whose
     /** rule only requires isAuthenticated(); confirm whether pattern="/pages/**" was intended. -->
<security:intercept-url pattern="/pages/Test" access="hasAnyRole('ROLE_admin')"/>
</security:http>
<security:http name="common" auto-config="false" use-expressions="true" entry-point-ref="WMSecAuthEntryPoint" disable-url-rewriting="true" authentication-manager-ref="authenticationManager">
<!-- Fallback chain: it declares no pattern attribute, so it presumably serves every request that the chain
     declared above it does not claim. Rules are evaluated top to bottom and the first matching pattern decides,
     which is why the /** entry has to stay last. -->
<security:intercept-url pattern="/app.variables.json" access="isAuthenticated()"/>
<security:intercept-url pattern="/pages/topnav/**" access="isAuthenticated()"/>
<security:intercept-url pattern="/pages/rightnav/**" access="isAuthenticated()"/>
<security:intercept-url pattern="/pages/leftnav/**" access="isAuthenticated()"/>
<security:intercept-url pattern="/pages/header/**" access="isAuthenticated()"/>
<security:intercept-url pattern="/pages/footer/**" access="isAuthenticated()"/>
<security:intercept-url pattern="/pages/Main/**" access="isAuthenticated()"/>
<security:intercept-url pattern="/index.html" access="isAuthenticated()"/>
<security:request-cache ref="nullRequestCache"/>
<!-- auto-config is off and no form-login element is declared, so this custom filter is the login filter of the
     chain. -->
<security:custom-filter position="FORM_LOGIN_FILTER" ref="WMSecAuthFilter"/>
<!-- Publicly reachable assets and the login flow. None of these patterns overlap the isAuthenticated() rules
     above, so their position relative to those rules does not change the outcome. -->
<security:intercept-url pattern="/app.css" access="permitAll"/>
<security:intercept-url pattern="/config.js" access="permitAll"/>
<security:intercept-url pattern="/config.json" access="permitAll"/>
<security:intercept-url pattern="/app.js" access="permitAll"/>
<security:intercept-url pattern="/types.js" access="permitAll"/>
<security:intercept-url pattern="/login.html" access="permitAll"/>
<security:intercept-url pattern="/pages/Login/**" access="permitAll"/>
<security:intercept-url pattern="/pages/Common/**" access="permitAll"/>
<security:intercept-url pattern="/themes/**" access="permitAll"/>
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<!-- NOTE(review): this pattern matches at any depth; confirm that nothing beyond static build output is served
     under such a path. -->
<security:intercept-url pattern="/**/app/build/application/**" access="permitAll"/>
<security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<security:intercept-url pattern="/services/security/**" access="permitAll"/>
<security:intercept-url pattern="/securityService.json" access="permitAll"/>
<security:intercept-url pattern="/" access="isAuthenticated()"/>
<!-- Everything else needs an authenticated user. This chain has no admin-only rule for /pages/Test, so an
     authenticated non-admin user reaches it through this fallback whenever the request is routed here. -->
<security:intercept-url pattern="/**" access="isAuthenticated()"/>
<!-- NOTE(review): the key is presumably used to sign remember-me tokens; treat it as a secret rather than a
     literal in shared configuration. -->
<security:remember-me key="WM_APP_KEY" services-ref="rememberMeServices"/>
</security:http>
The problem is that the pattern "/pages/Test" is not restricted to admin users: users with other roles can also access this URL.
Whereas when I put this line in the "common" http section, it works.
Note that I want to make it work in the above scenario, since that lets me manage my URLs section by section.


Two login pages but wrong redirects in spring app

I'm trying to create another login page in my application.
The second one works properly, but the first one, which I just added, doesn't catch the URL correctly and doesn't redirect to the right page.
The second HTTP configuration is always used.
<security:http pattern="/vcrequest/**" use-expressions="true" realm="NETMG Spring Security" authentication-manager-ref="authenticationManager">
<!-- This chain is selected only for requests under /vcrequest/**. -->
<!-- NOTE(review): the logout-url and login-processing-url below are both outside this chain's /vcrequest/**
     pattern, so those requests presumably never reach this chain's filters and are handled by whichever chain
     below matches /resources/**; the default-target-url and authentication-failure-url declared here would then
     never take effect. -->
<security:logout logout-url="/resources/j_spring_security_logout" />
<security:form-login
login-processing-url="/resources/j_spring_security_check"
login-page="/vcrequest/view/loginVCR"
default-target-url="/vcrequest/controller/vcrequest/my-request"
authentication-failure-url="/vcrequest/view/loginVCR?login_error=t" />
<!-- The login page must stay reachable before authentication; it is listed before the broader rule so it
     matches first. -->
<security:intercept-url pattern="/vcrequest/view/loginVCR" access="permitAll" />
<security:intercept-url pattern="/vcrequest/**" access="isAuthenticated()" />
<!-- HTTP Basic is enabled on this chain in addition to form login. No session-management element is declared
     here, unlike the chain below. -->
<security:http-basic/>
</security:http>
<security:http use-expressions="true" realm="NETMG Spring Security" authentication-manager-ref="authenticationManager">
<!-- Default chain: it declares no pattern attribute, so it presumably handles every request not claimed by the
     /vcrequest/** chain declared above it. -->
<!-- A fresh session is issued on successful login. -->
<security:session-management session-fixation-protection="newSession"/>
<security:logout logout-url="/resources/j_spring_security_logout" />
<!-- NOTE(review): this login-processing-url is the same path the /vcrequest/** chain declares. Since /resources/**
     is not under /vcrequest/**, logins from both login pages are presumably processed here and land on this
     default-target-url. -->
<security:form-login
login-processing-url="/resources/j_spring_security_check"
login-page="/view/login"
default-target-url="/view/home#agregateShowMode=site"
authentication-failure-url="/view/login?login_error=t" />
<!-- Role-specific rules come first; rules are matched top to bottom, so they must precede the /** fallback. -->
<security:intercept-url pattern="/controller/users/**" access="hasRole('ROLE_ADD_USERS')" />
<security:intercept-url pattern="/controller/export/**" access="hasRole('ROLE_EXPORT')" />
<security:intercept-url pattern="/controller/stocks/**" access="hasRole('ROLE_STOCKS')" />
<security:intercept-url pattern="/controller/home/site/edit/**" access="hasAnyRole('ROLE_EDIT_SITE')" />
<security:intercept-url pattern="/controller/home/site/create*" access="hasRole('ROLE_ADD_SITE')" />
<security:intercept-url pattern="/controller/home/site/save*" access="hasAnyRole('ROLE_EDIT_SITE')" />
<security:intercept-url pattern="/controller/home/site/change*" access="hasRole('ROLE_CLOSE_SITE')" />
<security:intercept-url pattern="/controller/home/service/add/**" access="hasRole('ROLE_ADD_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/add*" access="hasRole('ROLE_ADD_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/link/**" access="hasRole('ROLE_LINK_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/edit/**" access="hasAnyRole('ROLE_EDIT_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/save/**" access="hasAnyRole('ROLE_EDIT_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/close/**" access="hasRole('ROLE_CLOSE_SERVICE')" />
<security:intercept-url pattern="/controller/home/link/add/**" access="hasAnyRole('ROLE_ADD_LINK', 'ROLE_ADD_LINK_FOR_REQUEST')" />
<security:intercept-url pattern="/controller/home/link/link*" access="hasRole('ROLE_ADD_LINK')" />
<security:intercept-url pattern="/controller/home/link/edit/**" access="hasAnyRole('ROLE_EDIT_LINK')" />
<security:intercept-url pattern="/controller/home/link/save/**" access="hasAnyRole('ROLE_EDIT_LINK')" />
<security:intercept-url pattern="/controller/home/link/close/**" access="hasRole('ROLE_CLOSE_LINK')" />
<security:intercept-url pattern="/controller/home/device/add/**" access="hasAnyRole('ROLE_ADD_DEVICE', 'ROLE_ADD_DEVICE_FOR_REQUEST')" />
<security:intercept-url pattern="/controller/home/device/link/**" access="hasRole('ROLE_LINK_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/link*" access="hasRole('ROLE_LINK_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/edit/**" access="hasAnyRole('ROLE_EDIT_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/save/**" access="hasAnyRole('ROLE_EDIT_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/close/**" access="hasRole('ROLE_CLOSE_DEVICE')" />
<security:intercept-url pattern="/pages/private/**" access="isAuthenticated()" />
<!-- URLs that are not secured (static assets, login pages, monitoring). -->
<security:intercept-url pattern="/resources/**" access="permitAll" />
<security:intercept-url pattern="/css/**" access="permitAll" />
<security:intercept-url pattern="/img/**" access="permitAll" />
<security:intercept-url pattern="/js/**" access="permitAll" />
<security:intercept-url pattern="/view/login" access="permitAll" />
<!-- NOTE(review): the /vcrequest/** chain's login page is /vcrequest/view/loginVCR, a different path from this
     one; confirm which path actually serves that page. -->
<security:intercept-url pattern="/view/loginVCR" access="permitAll" />
<security:intercept-url pattern="/jamon/**" access="permitAll" />
<security:intercept-url pattern="/view/js-dynamic/**" access="permitAll" />
<!-- All other URLs require at least an authenticated user; this catch-all must stay last. -->
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
I tried the following post, but without success:
Two realms in same application with Spring Security?
Does anyone know how to solve this issue?
Maybe having the same login-processing-url on both realms is causing the trouble. Have you tried changing the first realm's login-processing-url to another mapping, for example:
<security:form-login
login-processing-url="/anotherresource/j_spring_security_check"
Note: if you set this parameter to a path that matches the first realm's pattern, such as
/vcrequest/j_spring_security_check
remember to permit it in that security realm with
<security:intercept-url pattern="/vcrequest/j_spring_security_check" access="permitAll" />

Spring logout access denied

I'm using Spring Security and trying to set up basic login/logout functionality. Login works OK (I store users in a MySQL DB and I'm able to log in), but I have a problem with logging out. On the home page I made a logout link that looks like this, but when I click it I get 403 Access Denied, and the user doesn't get logged out:
<a href="<c:url value="j_spring_security_logout" />" > Logout</a>
And here is my security-context.xml:
<security:authentication-manager>
<!-- Users and their authorities are looked up through the JDBC data source "dataSource".
     NOTE(review): no password-encoder is declared inside this provider, so unless one is configured elsewhere
     the stored password is compared as-is; confirm that passwords are stored hashed. -->
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<!-- Rules are evaluated top to bottom and the first match wins, so the denyAll fallback must stay last. -->
<security:intercept-url pattern="/static/**" access="permitAll" />
<security:intercept-url pattern="/loggedout" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
<security:intercept-url pattern="/docreate" access="isAuthenticated()" />
<security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
<security:intercept-url pattern="/newaccount" access="permitAll" />
<security:intercept-url pattern="/createaccount" access="permitAll" />
<security:intercept-url pattern="/accountcreated" access="permitAll" />
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/offers" access="permitAll" />
<!-- Anything not listed above is refused outright, for authenticated users too.
     NOTE(review): if CSRF protection is enabled (the default from Spring Security 4 on), logout is only accepted
     as a POST, so a plain GET on the logout link is presumably not consumed by the logout filter and falls through
     to this rule, producing the 403. Submitting the logout as a POST form that carries the CSRF token keeps the
     protection on; disabling CSRF also makes the GET link work, but at the cost of CSRF protection for the whole
     application. -->
<security:intercept-url pattern="/**" access="denyAll" />
<!-- No logout-url is given here, so the default logout path applies. -->
<security:logout logout-success-url="/loggedout"/>
<security:form-login login-page="/login"
authentication-failure-url="/login?error=true" />
</security:http>
And /loggedout is mapped to a basic .jsp page that just says "You have logged out."
Also, when I click the logout link while I'm not logged in, it takes me to the login page.
What am I doing wrong?
Add this as the first rule in the <security:http use-expressions="true"> section:
<security:intercept-url pattern="/j_spring_security_logout" access="permitAll" />
I just added the
logout-url="/j_spring_security_logout"
to the
security:logout
and it is working as it should now. But I thought it would work even without this parameter, since I use /j_spring_security_logout as the logout link.
Add this under the <security:http use-expressions="true"> section:
<security:csrf disabled="true"/>
Worked for me. Note that this turns off CSRF protection for the whole application; with CSRF protection enabled, Spring Security only accepts a logout sent as a POST, so submitting the logout link as a POST form that includes the CSRF token achieves the same result without giving up that protection.

Why Doesn't Intercept Url Work?

This is my Spring Security configuration:
<http auto-config="true" use-expressions="true">
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login"
authentication-failure-url="/login?login_error=t" />
<logout logout-url="/resources/j_spring_security_logout"/>
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" />
.......
I added this: <intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" /> to prevent access to that section, but I can still enter /monitoring after logging in as a "normal" user...
Why?
The order of <intercept-url .../> does matter. As the new intercept-url pattern="/monitoring" comes after pattern="/**", it is ignored, because requests for /monitoring have already been matched by <intercept-url pattern="/**" access="isAuthenticated()" />.
You should write:
<intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/**" access="isAuthenticated()" />
As a general rule, intercept-url pattern="/**" must always be last.

All sites redirected to login page

Dear fellow Spring'lers,
I stumbled upon a problem with the login behaviour of intercept-url's in Spring.
I just want to REDIRECT ALL PAGES to my login page IF NOT logged in.
This is the security context I use. However, this configuration does not allow me to access any page:
<security:http auto-config="true">
<!-- NOTE(review): use-expressions="true" is not set, so the access values below are presumably read as plain
     configuration attributes rather than SpEL; "permitAll" and "hasRole(ROLE_USER)" are then not recognised and
     every request ends up at the login page. With use-expressions="true" the role name also needs quotes:
     hasRole('ROLE_USER'). -->
<security:form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<security:logout logout-success-url="/logout" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/**" access="hasRole(ROLE_USER)" />
</security:http>
Thanks for your help.
Lomu
Changed my configuration according to jonnieM's post:
it's now
<security:http auto-config="true">
<!-- Without use-expressions, access values are attribute names rather than SpEL: IS_AUTHENTICATED_ANONYMOUSLY
     opens the login page to anyone, and every other URL requires ROLE_USER. Rules are matched top to bottom, so
     /login is listed before the /** catch-all. -->
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
<security:form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<security:logout logout-success-url="/logout" />
</security:http>
So I think "IS_AUTHENTICATED_ANONYMOUSLY" did the trick :)
Cheers Lomu
You should apply the <http use-expressions="true"> setting; otherwise the values in <intercept-url>'s access attribute won't be interpreted as Spring EL expressions.

Spring Security Authenticated User only

I just started reading about Spring Security 3.1, and I would like to know how I can force users to authenticate through my login page before accessing any page on my system. In a tutorial I see the following code:
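<http use-expressions="true">
<!-- Rules are evaluated in order and the first matching pattern decides, so the more specific rules come first
     and the /** catch-all is last. -->
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')" />
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<intercept-url pattern="/listAccounts.html" access="isAuthenticated()" />
<intercept-url pattern="/post.html" access="hasAnyRole('supervisor','teller')" />
<!-- Anything not listed above is refused even for authenticated users; use isAuthenticated() here instead to
     require login rather than deny. -->
<intercept-url pattern="/**" access="denyAll" />
<form-login />
</http>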
From the above configuration I can see that I have to maintain the list of URL patterns. Is there a way to simplify this so that every user has to log in through "/login" before they can access any other page?
EDIT:
I have edited my configuration as below, and it's working as I expected:
<http auto-config="true" use-expressions="true">
<!-- The login, login-failure and logout pages must be reachable anonymously, so they are listed before the
     catch-all; rules are matched top to bottom. -->
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/loginfailed" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/login" />
<!-- Catch-all: every other URL requires an authenticated user; unauthenticated requests are sent to the login
     page. -->
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
The URL rules are inspected in order, top to bottom; the first one that matches is the one that is used.
In this example, the last line
<intercept-url pattern="/**" access="denyAll" />
is the "catch-all" rule: it applies to all requests ("/**") that didn't match any of the rules above it.
In its current form, it denies access to everyone, regardless. If you change it to
<intercept-url pattern="/**" access="isAuthenticated()" />
instead, it will require authentication for all pages unless otherwise specified, which will cause Spring Security to redirect unauthenticated users to the login process.
