SaxParseException when trying to set security="none" in URL interceptor - spring

I am trying to ignore security checking (it gets its own encryption setting) on one of the URLs within current Spring application, by using
<sec:intercept-url pattern="/notimportant/url**" security="none" />
but I get
nested exception is org.xml.sax.SAXParseException: cvc
-complex-type.3.2.2: Attribute 'security' is not allowed to appear in element
'sec:intercept-url'.
Here is the namespace setting:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
So how can I avoid authentication for that url exactly

Try it with filters="none" instead of security="none".
<sec:intercept-url pattern="/notimportant/url**" filters="none" />
This is deprecated in Spring 3.1, though, so you can try this
<sec:http pattern="/notimportant/url**" security="none"/>
Check out the documentation for more details.

That's because security is not a valid attribute for element intercept-url. Try with access="IS_AUTHENTICATED_ANONYMOUSLY", like this:
<sec:intercept-url pattern="/notimportant/url**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

Related

Console errors when refreshing login page after upgrading to JSF 2.2 and RF 4.5.7

I have recently upgraded a web application from JSF 1.2 to JSF 2.2 as well as RF 3.3.3 to RF 4.5.7. I'm currently experiencing console errors when loading the first login.html page. This only happens when either the page is first loaded or when I refresh (F5 or shift F5). When I log in and log out again I don't receive these errors! The URL is exactly the same, e.g. host:port/xxx/login.html
This issue only occurs on this page. I'm using Spring (3.1.0) for the login although not sure if the issue is related. Security config in applicationContext.xml is:
<sec:http auto-config='true' pattern="/login.html*" security="none"/>
<sec:http pattern="/a4j/**" security="none"/>
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/img/**" security="none"/>
<sec:http realm="Name goes here">
<sec:form-login login-processing-url="/j_spring_security_check"
login-page="/login.html"
authentication-failure-url="/login.html?fail"
default-target-url="/main.html"
always-use-default-target="true"/>
<sec:logout logout-url="/logout.html"/>
<sec:intercept-url pattern="/**" access="ROLE_USER"/>
</sec:http>
and in login.xhtml:
<form id="frm-login" action="j_spring_security_check" method="post">
<label class="above">Username<h:inputText id="j_username" /></label>
<rich:jQuery selector="#j_username" query="focus()"/><br/>
<label class="above">Password<h:inputSecret id="j_password" /></label><br/>
<h:commandButton id="submit" name="submit" type="submit" value="Login"> </h:commandButton>
</form>
Before the upgrade this was fine. Using Firebug I have compared the generated HTML between the times where I see console errors and times I don't.
Bad
Good
I believe I have applied all necessary updates such as removing old jar files (including removal of redundant Facelets 1.1.14, view handler references), updating RF code, XHTML page code and namespaces as well as web.xml and faces-config.xml updates.
One thing I do know is that when I comment out the following config I do not receive the error. So somehow this is interfering with the loading of resources on this page.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
Any ideas how to resolve this? Apologies in advance if I have missed some vital information required in helping resolve this.
UPDATE 1:
Images taken when loading page using Network tab on google chrome:
Bad
Good
UPDATE 2:
Good
Bad
Ok I found it (with some helpful pointers from BallusC). After the upgrade I had to update the security config in applicationContext.xml as follows:
<sec:http auto-config='true' pattern="/login.html*" security="none"/>
<sec:http pattern="/a4j/**" security="none"/>
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/img/**" security="none"/>
<sec:http realm="name goes here">
<sec:form-login login-processing-url="/j_spring_security_check"
login-page="/login.html"
authentication-failure-url="/login.html?fail"
default-target-url="/main.html"
always-use-default-target="true"/>
<sec:logout logout-url="/logout.html"/>
<sec:intercept-url pattern="/login.html*" access="ROLE_USER"/>
<sec:intercept-url pattern="/a4j/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/img/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</sec:http>
The root cause of my issue above was having the following entry in applicationContext.xml:
<sec:intercept-url pattern="/**" access="ROLE_USER"/>

InvalidCsrfTokenException when submitting a form

I'm working in a spring based web application (version 4.1.6.RELEASE, spring security 4.0.0.RELEASE) and I'm getting the error InvalidCsrfTokenException: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'. after submitting a form (POST method). According to the spring's documentation "Spring Security automatically inserts a CSRF form field for any <form:form> tags you use", so why I'm getting this exception?
Thanks in advance.
This is my spring security configuration:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http use-expressions="true" disable-url-rewriting="true">
<headers>
<frame-options/>
<xss-protection/>
<hsts/>
</headers>
<csrf/>
<intercept-url pattern="/welcome" access="isAuthenticated()" />
<!-- some others urls to intercept -->
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
<session-management>
<concurrency-control max-sessions="1" expired-url="/login" />
</session-management>
</http>
And this is the definition of my form (excluding the fields it contains):
<form:form action="myaction" method="post" enctype="multipart/form-data" id="formId" modelAttribute="myBean">
</form:form>
Any help will be appreciated
The issue is arising because you are using a multi-part form. Please see the accepted answer here:
Spring CSRF token does not work, when the request to be sent is a multipart request

Concurrent Session Control - Spring Security

HI I am trying to implement Spring Security: Concurrent Session Control to limit one session at a time. I see that I only need
<http>
...
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
</http>
I get this from the reference http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-config . The problem that I am facing is that i get this error saying, "Configuration problem: No AuthenticationEntryPoint could be established. Please make sure you have a login mechanism configured through the namespace (such as form-login) or specify a custom AuthenticationEntryPoint with the 'entry-point-ref' attribute" I do not need to use a login page in the configuration here. I saw other posts, but I cannot find a solution to this problem. Please help me with a solution here. I will post my code below.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring- mvc.xsd">
<security:http>
<security:session-management>
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>

Spring - Java EE User still null after authentication

I'm new to Java EE / Spring and I've been fighting with security for the past two days. I finally have to the point where I can authenticate with Java EE and authorize with Spring. Unfortunately, I can't access the Java EE authentication from Spring to do the authorization.
The general idea for the application is this:
If you're not logged in, Spring security redirects you to the login page
The login page is the only page that is locked by Java EE. It outputs a form for authentication
After successfully logging in, the user is redirected to the home page, which should have the authentication object associated with it.
Note the emphasis on should since it isn't. For whatever reason, the user is coming back as authenticated but anonymous. If I could simply get the username, I could construct the user details.
Here's the relevant snippets from my web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</filter>
<security-constraint>
<web-resource-collection>
<web-resource-name>Home Page Only</web-resource-name>
<description>Rely on Spring for Authorization</description>
<url-pattern>/login</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/loginfailed</form-error-page>
</form-login-config>
</login-config>
And my security-content.xml for spring:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:lang="http://www.springframework.org/schema/lang"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/about" access="permitAll"/>
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/loginfailed" access="permitAll"/>
<intercept-url pattern="/css/*" access="permitAll"/>
<intercept-url pattern="/resources/*" access="permitAll"/>
<intercept-url pattern="/images/*" access="permitAll"/>
<intercept-url pattern="/js/*" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login default-target-url='/index.jsp'
always-use-default-target='true' login-page="/login"
authentication-failure-url="/loginfailed"
/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="securityRef"/>
</authentication-manager>
<beans:bean id="securityRef"
class="my.custom.authprovider.AuthenticationProviderImpl"/>
</beans:beans>
Any ideas?
If you want to use Java EE authentication you should configure
PreAuthenticatedProcessingFilter (more precisely J2eePreAuthenticatedProcessingFilter).
Also, you need to configure J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource to populate a user granted authorities:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#j2ee-preauth-details
BTW, What advantages do you see to use Java EE Form authentication?
Added after the comment.
If required to use Java EE authentication your approach should be corrected: you should protect the whole application by Java EE authentication.
In this case each request that come to Spring Security will be authenticated by Java EE container and Spring Security can authenticate the request by J2eePreAuthenticatedProcessingFilter.
So the corrected flow
If a user is not logged in, Java EE container redirects the user to the login page
After a successfully authentication, the user is redirected to a page protected by Spring Security. Spring Security can authenticate the request by J2eePreAuthenticatedProcessingFilter.

Access spring security from second application

I have two applications, each located on it's own server. Both of them use Spring security with the standart settings.
The problem that I need to access first application through the second one. I need to send password and login to the first application when logging in the second.
Can somebody help with samples or tips please? Thank you.
My spring-security.xml in both applications:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/favicon.ico" security="none" />
<http auto-config="true">
<intercept-url pattern="/**" access="ROLE_ADMIN"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="hey" password="there" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
you should use CAS for this instead of trying to access or pass user/pass across application.
please refer this link to get understanding how to use CAS in this kind of scenario.

Resources