Dose anyone knows how I can change spring security default login url: spring-security-login?
I know that there is an attribute with form-login tag, named login-processing-url, but I don't want to have custom login page. Just I want to change the login url to something like "login.htm".
It seems that the login-processing-url attribute just works when you have specified a custom login form.
I have tried this:
<http use-expressions="true">
<access-denied-handler error-page="/accessDenied.htm" />
<intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/redirect.jsp" access="permitAll" />
<form-login login-processing-url="/login.htm" />
<logout/>
</http>
but it doesn't work. Still it shows "spring-security-login" as login url.
Thanks
What you want is login-page:
<form-login login-page="/login.htm" />
Related
I have configured one spring security context for my project by using intecept-url i am able to authenticate all URLS but when i pass some ID over URL authentication is not happening.
<intercept-url pattern="/**" access="isAuthenticated()"/>
Working URLS
http://localhost:8080/WEB/add-employee
http://localhost:8080/WEB/view-employee
Not working URLS
http://localhost:8080/WEB/edit-employee/1
http://localhost:8080/WEB/edit-employee/2
1 and 2 are the ID iam passing over URL the above URL patterns are not working (that means when i passing ID over URL)
And i have tried many combinations in intercept-url but i am not getting the correct result.
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()"/> <!-- this means all URL in this app will be checked if user is authenticated -->
<!-- We will just use the built-in form login page in Spring -->
<form-login login-page="/" login-processing-url="/j_spring_security_check" default-target-url="/home" authentication-failure-url="/"/>
<logout logout-url="/logout" logout-success-url="/"/> <!-- the logout url we will use in JSP -->
</http>
Delete the line <intercept-url pattern="/edit-employee/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> to disallow anonymous access to that URL.
I have a spring security application. Its working well. When I enter wrong credentials it redirect to spring_security_login?login_error where it show spring default login page. What I want is if user enter wrong credentials its should response with some custom message rather than redirecting to some link.
Here is my config
<http auto-config="true">
<form-login
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you just want to redirect the user to a custom URL use the authentication-failure-url attribute of <form-login>:
<http auto-config="true">
<form-login
authentication-failure-url="/myCustomLoginFailureURL"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you want full control over what happens on login failures, use the authentication-failure-handler-ref attribute:
<beans:bean id="authenticationFailureHandler" class="my.company.AuthenticationFailureHandler" />
<http auto-config="true">
<form-login
authentication-failure-handler-ref="authenticationFailureHandler"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
Note that my.company.AuthenticationFailureHandler needs to implement org.springframework.security.web.authentication.AuthenticationFailureHandler.
I'm using Spring to handle security in my JSF application. I have a login page at /login and I've configured Spring like this:
<http authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/admin" access="ROLE_ADMIN" />
<intercept-url pattern="/javax.faces.resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
I want the admin page at /admin to be available only for users with the ROLE_ADMIN role. Users with ROLE_ADMIN or ROLE_USER may access pages starting from the application root.
When I login with a user having either role I see the page you should see after login. However, whatever my next action may be I get redirected to /login like I'm not logged in. Can someone please explain this as I'm trying to get this thing to work for a day now. I've been reading the Spring 3.1.x documentation but it doesn't give me a clue about how to solve the problem. I'm running Spring 3.1.1.Release by the way.
Extra bonus info: the page you should see after login has an element that should only render if the user had ROLE_ADIN. I can see that element after login. The problems began when I implemented PrettyFaces. I've searched the web for common problems and only came up with that the PrettyFaces filter should appear after the Spring security filter. This is the case so it should work right?
UPDATE: I've updated my config to use expressions. However the problem still exists.
<http authentication-manager-ref="authenticationManager" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/javax.faces.resource/**" access="permitAll" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
Output in Firebug's console just after login (the page tries an AJAX call):
First, always debug Spring Security when having problems (add log4j.logger.org.springframework.security=DEBUG).
Second, I think that you wanted hasAnyRole:
<intercept-url pattern="/**" access="hasAnyRole(ROLE_ADMIN,ROLE_USER)" />
plus add use-expressions="true" to http:
<http authentication-manager-ref="authenticationManager" use-expressions="true">
to allow ROLE_ADMIN xor ROLE_USER users to access page. In your current config user must have both roles to access /**.
i want to secure everything except the root.. my security looks like this:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/"/>
<intercept-url access="isAuthenticated()" pattern="/**"/>
<form-login authentication-failure-url="/" login-page="/" default-target-url="/dashboard"/>
<logout invalidate-session="true" logout-success-url="/"/>
</http>
my login page is included in the root..
i'm getting a "The page isn't redirecting properly" error..
please can anybody help with this problem?
thnx
Add bypass security check for login page
Imagine the user A have multiple logins (are logged in) in diferent machines. When he logs out in one machine, the other sessions should automatically redirect to login page.
how i can implement this in spring security?
For now, i have tis http configuration on security.xml
<http auto-config="true" use-expressions="true">
<anonymous />
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login.do" />
<logout logout-url="/j_spring_security_logout"
success-handler-ref="myLogoutSuccessHandler" />
<remember-me data-source-ref="dataSource" />
</http>
I would recomment you to have a look at SessionRegistry .You can check this here . There has been a discussion on this at Is it possible to invalidate a spring security session? . Check this out too
Spring sessions are stored as JsessionID cookies. Check here for a discussion on cookie removal.