I have a REST services implemented with custom filter, i would like to disable security for all the requests coming with method OPTIONS. I tried to find the information on the web, but could not fine. Any points would be helpful.
I have the same intercept-url for both, only OPTIONS method requests should be disabled for security. One of the option which is tried:
<security:http entry-point-ref="CSSCustomAuthenticationEntryPoint"
pattern="/**" use-expressions="true" auto-config="false"
create-session="stateless">
<security:intercept-url pattern="/**" access="permitAll"
method="OPTIONS" requires-channel="any" />
<security:custom-filter ref="userAuthenticationProcessingFilter"
position="FORM_LOGIN_FILTER" />
<security:intercept-url pattern="/**"
access="isAuthenticated()" />
</security:http>
Related
I am trying to update my Spring Security version from 3.0 to 3.2. Following is the current config:
<security:http auto-config="true" realm="Domaine XXX" access-denied-page="/jsps/login/access-denied.action">
<security:http-basic />
<security:intercept-url pattern="/services/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/index.jsp" filters="none" />
<security:intercept-url pattern="/jsps/i18n/**" filters="none" />
<security:intercept-url pattern="/**/Action1.action" filters="none" />
<security:intercept-url pattern="/**/Action2.action" filters="none" />
<security:intercept-url pattern="/**/Action3.action" filters="none" />
<security:intercept-url pattern="/**/Result.action" filters="none" />
<security:intercept-url pattern="/isalive.html" filters="none" />
<security:intercept-url pattern="/**/layout/**" filters="none" />
<security:intercept-url pattern="/**/acc.action" filters="none" />
<security:intercept-url pattern="/**/loadLoginCombo*" filters="none" />
<security:intercept-url pattern="/**/access-denied.action" filters="none" />
<security:intercept-url pattern="/**/logout.action" filters="none" />
<security:intercept-url pattern="/**/*.js" filters="none" />
<security:intercept-url pattern="/**/*.css" filters="none" />
<security:intercept-url pattern="/**/*.ico" filters="none" />
<security:intercept-url pattern="/**/*.gif" filters="none" />
<security:intercept-url pattern="/**/*.jpg" filters="none" />
<security:intercept-url pattern="/**/setLocale.action*" filters="none" />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:logout logout-url="/logout.action" invalidate-session="true" logout-success-url="/logout.action" />
<security:form-login login-page="/index.jsp" authentication-failure-url="/access-denied.action" default-target-url="/pageBlank.action" />
<!-- security:concurrent-session-control max-sessions="5" exception-if-maximum-exceeded="true" / -->
</security:http>
When I host the application , I get the following message:
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The use of "filters='none'" is no longer supported. Please define a separate element for the pattern you want to exclude and use the attribute "security='none'".
What exact changes should I make to conform to Spring Security 3.2 standards?
Since Spring Security 3.1 filter="none" is not supported anymore, see Spring Security Reference:
[4] The use of multiple <http> elements is an important feature, allowing the namespace to simultaneously support both stateful and stateless paths within the same application, for example. The previous syntax, using the attribute filters="none" on an intercept-url element is incompatible with this change and is no longer supported in 3.1.
You have to use <http>, see Spring Security Reference:
From Spring Security 3.1 it is now possible to use multiple http elements to define separate security filter chain configurations for different request patterns. If the pattern attribute is omitted from an http element, it matches all requests. Creating an unsecured pattern is a simple example of this syntax, where the pattern is mapped to an empty filter chain [4]. We’ll look at this new syntax in more detail in the chapter on the Security Filter Chain.
and Spring Security Reference:
13.6 Advanced Namespace Configuration
As we saw earlier in the namespace chapter, it’s possible to use multiple http elements to define different security configurations for different URL patterns. Each element creates a filter chain within the internal FilterChainProxy and the URL pattern that should be mapped to it. The elements will be added in the order they are declared, so the most specific patterns must again be declared first. Here’s another example, for a similar situation to that above, where the application supports both a stateless RESTful API and also a normal web application which users log into using a form.
<!-- Stateless RESTful service using Basic authentication -->
<http pattern="/restful/**" create-session="stateless">
<intercept-url pattern='/**' access="hasRole('REMOTE')" />
<http-basic />
</http>
<!-- Empty filter chain for the login page -->
<http pattern="/login.htm*" security="none"/>
<!-- Additional filter chain for normal users, matching all other requests -->
<http>
<intercept-url pattern='/**' access="hasRole('USER')" />
<form-login login-page='/login.htm' default-target-url="/home.htm"/>
<logout />
</http>
I have an application which needs 2 security http tags to be deployed in weblogic 10.3.6 server, Spring Framework 3.1.2 & spring-security-3.1.2 version:
1, Form-based-Login: for direct logging in by users using login page.
2. Basic Authentication: Rest WebService calls.
I have added FORM_BASED_LOGIN successfully.-THIS works fine
Appreciate any direction for BASIC Auth for REST WebServices.
For Basic Authentication : Weblogic pops-up an additional pop-up where I have to enter the credentials of weblogic console.
To fix this I have found 2 approaches:
1. Updating the server config.xml file with the below tag:
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
Reference: Spring Security HTTP Basic Authentication
Adding an adapter and applicationContext-acegi-security.xml
and WeblogicAuthenticationFilter
I like to do the 2nd approach as it does not involve any changes to server configuration.
It would be great if any one could point me in the right direction or an example to achieve this.
Reference: http://docs.tpu.ru/docs/oracle/en/fmw/11.1.1.6.0/web.1111/e14453/security.htm
Update : Adding my current spring-security configuration:
<http create-session="stateless" entry-point-ref="basicAuthEntryPoint" pattern="/api/**" use-expressions="true">
<intercept-url pattern="/api/listbyorderid" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/api/listbycustomerid" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER" />
</http>
<http auto-config="false" use-expressions="true" access-denied-page="/security/denied" entry-point-ref="authenticationEntryPoint">
<intercept-url pattern="/security/login" access="permitAll" />
<intercept-url pattern="/layouts/*" access="permitAll"/>
<intercept-url pattern="/tiles/*" access="permitAll"/>
<intercept-url pattern="/jquery/*" access="permitAll"/>
<intercept-url pattern="/css/*" access="permitAll"/>
<intercept-url pattern="/admin/css/*" access="permitAll"/>
<intercept-url pattern="/admin/images/*" access="permitAll"/>
<intercept-url pattern="/admin/ico/*" access="permitAll"/>
<intercept-url pattern="/admin/jquery/*" access="permitAll"/>
<logout invalidate-session="true" logout-url="/j_spring_security_logout" success-handler-ref="logoutSuccessHandler" delete-cookies="JSESSIONID"/>
<!-- Custom filter to deny unwanted users even though registered -->
<custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR" />
<!-- Custom filter for username, password and domain. The real customization is done in the customAuthenticationManager -->
<custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
</http>
Thanks in Advance.
Spring Security supports this out of the box. You can take a look at helloworld-jc for a Java Based Configuration or helloworld-xml for an xml based configuration. Given you are on servlet 2.5 with weblogic 10.3.6 you will want to use the XML sample.
I have setup Spring Security on my webapp project.
My application setting for session expiration time is 15 min.
The spring security config is pretty basic and I have
<http use-expressions="true" disable-url-rewriting="true">
<csrf />
<intercept-url pattern="/login/auth" access="permitAll" />
<intercept-url pattern="/login*" access="permitAll" />
<intercept-url pattern="/about" access="permitAll"/>
<intercept-url pattern="/contact-us" access="permitAll"/>
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" requires-channel="any"/>
<session-management invalid-session-url="/?invalidSession=1"
session-authentication-error-url="/login?session=fail"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"
expired-url="/login?invalidSession=1"/>
</session-management>
Now the problem I'm having is that for example given the user sends an invalid session id spring always redirects to the homepage with '/?invalidSession=1'.
I'm saying it is a problem due to the fact that if the user, after a certain period of time, tries for example to go to the /contact-us page (which us an unprotected resource) he gets redirected to the homepage.
I think one solution would be that spring creates a new session and then redirects to the previously requested resource instead of always the invalid-session-url.
How do you deal with these situations?
Env:
Spring 3.1.3
Spring security: 3.1.3
Spring ldap: 1.3.1
JDK1.6
Problem:
I get a 404 on my login-processing-url.
Details:
I have three http intercept blocks: a public one, the second one used to intercept and
secure URLs for admins (uses authentication manager 1) and the third one for regular users
(uses authentication manager 2).
When the login form in http intercept block 1 post the credentials to the login-processing-url of the form login, it yields 404. I do mot get this - since the form login
announces the login-processing-url, shouldn't that filter chain recognize that URL?
Also, shluld I explicitly do "permitAll" on the login-processing-url of a form or is that
automagically done under the covers?
Lastly, is it problematic to have distinct http interceptor blocks to have distinct
login-processing-urls? (I cannot see why - but I ask anyways).
Configs:
Spring security configuration:
//...
<debug />
<global-method-security secured-annotations="enabled" />
<http pattern="/public/**" security="none"/>
<http use-expressions="true" pattern="/protected/x/support/**" authentication-manager-ref="lAdminAuthManager">
<intercept-url pattern="/protected/x/support/**" access="hasRole('ROLE_ADMIN')"/>
<form-login login-page="/public/login.jsp"
login-processing-url="/protected/x/support/j_spring_security_check"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/login/form?error"
default-target-url="/protected/x/support/index.html"/>
</http>
<http use-expressions="true" entry-point-ref="lUserLoginEntryPoint">
<intercept-url pattern="/protected/x/foo1/**" access="permitAll"/>
<intercept-url pattern="/protected/x/foo2/**" access="permitAll"/>
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<custom-filter ref="lUserLoginFilter" position="FORM_LOGIN_FILTER"/>
<custom-filter ref="lPreauthAuthenticationFilter" position="PRE_AUTH_FILTER" />
</http>
//...
Any hints greatly appreciated!
Thanx,
Uma
Any way check the below links . It may help you
Visit http://krams915.blogspot.com/2010/12/spring-security-mvc-integration_18.html
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html
Even a small url conflict in config files will cause 404 error.
I'm using Spring to handle security in my JSF application. I have a login page at /login and I've configured Spring like this:
<http authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/admin" access="ROLE_ADMIN" />
<intercept-url pattern="/javax.faces.resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
I want the admin page at /admin to be available only for users with the ROLE_ADMIN role. Users with ROLE_ADMIN or ROLE_USER may access pages starting from the application root.
When I login with a user having either role I see the page you should see after login. However, whatever my next action may be I get redirected to /login like I'm not logged in. Can someone please explain this as I'm trying to get this thing to work for a day now. I've been reading the Spring 3.1.x documentation but it doesn't give me a clue about how to solve the problem. I'm running Spring 3.1.1.Release by the way.
Extra bonus info: the page you should see after login has an element that should only render if the user had ROLE_ADIN. I can see that element after login. The problems began when I implemented PrettyFaces. I've searched the web for common problems and only came up with that the PrettyFaces filter should appear after the Spring security filter. This is the case so it should work right?
UPDATE: I've updated my config to use expressions. However the problem still exists.
<http authentication-manager-ref="authenticationManager" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/javax.faces.resource/**" access="permitAll" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
Output in Firebug's console just after login (the page tries an AJAX call):
First, always debug Spring Security when having problems (add log4j.logger.org.springframework.security=DEBUG).
Second, I think that you wanted hasAnyRole:
<intercept-url pattern="/**" access="hasAnyRole(ROLE_ADMIN,ROLE_USER)" />
plus add use-expressions="true" to http:
<http authentication-manager-ref="authenticationManager" use-expressions="true">
to allow ROLE_ADMIN xor ROLE_USER users to access page. In your current config user must have both roles to access /**.