Spring Boot Security Login - https

My enhanced Pet Clinic application requires security.
I want to have the following:
Login form - WORKING
HTTPS - WORKING
HTTP requests redirecting to HTTPS - not sure how to do this
HTTP static resources - not sure if this is really necessary
Any advice would be welcome.
My application can be found at https://github.com/arnaldop/enhanced-pet-clinic.
Here's code from my WebSecurityConfigurerAdapter subclass:
/**
 * Paths that are served without authentication. The same list is also handed to
 * {@code WebSecurity.ignoring()}, so these requests are never seen by the security
 * filter chain at all (note that "/" and "/error*" are included).
 */
private static final String[] UNSECURED_RESOURCE_LIST = {
    "/", "/resources/**", "/assets/**", "/css/**", "/webjars/**",
    "/images/**", "/dandelion-assets/**", "/unauthorized", "/error*"
};
/**
 * Excludes {@code UNSECURED_RESOURCE_LIST} from Spring Security altogether.
 *
 * <p>Ignored paths never reach the filter chain, so none of the {@code HttpSecurity}
 * rules (authorization, {@code requiresChannel}, session handling, security headers)
 * apply to them. Prefer {@code permitAll()} in {@code HttpSecurity} for anything that is
 * not a purely static resource.
 */
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(UNSECURED_RESOURCE_LIST);
}
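/**
 * Authorization, login/logout, HTTPS channel and concurrent-session rules.
 *
 * <p>Entries inside {@code authorizeRequests()} are evaluated in declaration order and the
 * first matching {@code antMatchers} wins; {@code anyRequest()} is the fallback.
 *
 * <p>Logout is configured with {@code logoutUrl} only. The original also set
 * {@code logoutRequestMatcher(new AntPathRequestMatcher("/logout"))}, which overrides
 * {@code logoutUrl} and matches any HTTP method, so a plain GET link could log a user out
 * without the CSRF token that the default POST-only logout requires.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    //@formatter:off
    http
        .authorizeRequests()
            .antMatchers(UNSECURED_RESOURCE_LIST).permitAll()
            .antMatchers("/owners/**", "/vets/**", "/vets*").hasRole("USER")
            .antMatchers("/manage/**").hasRole("ADMIN")
            // Fail-open fallback: a URL not listed above is reachable without login.
            // Use authenticated() here if new pages should be protected by default.
            .anyRequest().permitAll()
            .and()
        .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/")
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID")
            .permitAll()
            .and()
        .requiresChannel()
            // Only these paths are forced onto HTTPS by Spring Security; anything else
            // (including the ignored static resources) may still be served over HTTP
            // unless the container itself redirects.
            .antMatchers("/login", "/owners/**", "/vets/**", "/vets*", "/manage/**")
            .requiresSecure()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/router?q=unauthorized")
            .and()
        .sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true)
            .expiredUrl("/login?expired");
    //@formatter:on
}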
Thanks!

For "HTTP requests redirecting to HTTPS - not sure how to do this"
you will need to add a TomcatEmbeddedServletContainerFactory bean to one of your @Configuration classes.
/**
 * Embedded Tomcat whose every path ("/*") carries a CONFIDENTIAL security constraint, so
 * Tomcat itself bounces requests that arrive on the plain HTTP connector to the connector's
 * redirect port. This covers the whole application, unlike {@code requiresChannel()}, which
 * only covers the paths listed in the security configuration.
 */
@Bean
public EmbeddedServletContainerFactory servletContainer() {
    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            SecurityCollection everyPath = new SecurityCollection();
            everyPath.addPattern("/*");

            SecurityConstraint httpsOnly = new SecurityConstraint();
            httpsOnly.setUserConstraint("CONFIDENTIAL");
            httpsOnly.addCollection(everyPath);

            context.addConstraint(httpsOnly);
        }
    };
    factory.addAdditionalTomcatConnectors(initiateHttpConnector());
    return factory;
}
/**
 * Plain-HTTP connector on port 8080 whose only purpose is to send clients on to the HTTPS
 * port 8443 (the redirect is triggered by the CONFIDENTIAL constraint in the container).
 * The connector is marked non-secure so Tomcat does not treat its requests as already
 * encrypted.
 */
private Connector initiateHttpConnector() {
    final Connector plainHttp = new Connector("org.apache.coyote.http11.Http11NioProtocol");
    plainHttp.setScheme("http");
    plainHttp.setSecure(false);
    plainHttp.setPort(8080);
    plainHttp.setRedirectPort(8443);
    return plainHttp;
}
For more information, please refer to this link.

Related

adding a login page before swagger-ui.html using thyme leaf and spring Boot

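/**
 * HTTP security for the API plus a form-protected Swagger UI.
 *
 * <p>Matchers inside {@code authorizeRequests()} are evaluated in declaration order and
 * the first match wins. Two ordering problems are fixed here: the Swagger rule now comes
 * before the blanket {@code "/**&#47;*.html"} rule (which otherwise matched
 * {@code /swagger-ui.html} and permitted it before {@code hasRole("SWAG")} was reached),
 * and {@code anyRequest()} is the last entry, because Spring Security does not accept
 * further matchers after it. The missing opening quote in the static-resource list and the
 * missing leading "/" in the customer pattern are also repaired.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable()
        .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
        .authorizeRequests()
            // Must precede the "/**/*.html" permitAll below, otherwise it is never reached.
            .antMatchers("/swagger-resources", "/swagger-resources/configuration/ui", "/swagger-ui.html").hasRole("SWAG")
            .antMatchers("/", "/favicon.ico", "/**/*.png", "/**/*.gif", "/**/*.svg", "/**/*.jpg", "/**/*.html", "/**/*.css", "/**/*.js")
            .permitAll()
            .antMatchers("/v2/api-docs", "/configuration/ui", "/configuration/security", "/webjars/**")
            .permitAll()
            .antMatchers("/api/all/**").permitAll()
            .antMatchers("/api/Service/**").permitAll()
            // Already covered by "/api/Service/**" above; kept for readability only.
            .antMatchers("/api/Service/Package/**").permitAll()
            // Request paths start with "/", so the pattern must as well or it never matches.
            .antMatchers("/api/public/customer/**").hasRole("CUSTOMER1")
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            // Fallback; nothing may be declared after anyRequest().
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
        .logout()
            .invalidateHttpSession(true)
            .clearAuthentication(true)
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/login?logout")
            .permitAll()
            .and()
        // NOTE(review): STATELESS means the SecurityContext is never kept in the session,
        // so a successful form login is not remembered on the next request; only the
        // token filter below can authenticate later calls. Confirm this is intended for
        // the browser-based Swagger login.
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .addFilterBefore(authTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}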
/**
 * Registers the custom authProvider and, alongside it, an in-memory user store with two
 * demo accounts. The "{noop}" prefix means the passwords are stored and compared as plain
 * text, which is acceptable for a local demo only.
 */
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
auth.inMemoryAuthentication()
.withUser("user").password("{noop}password").roles("USER")
.and()
.withUser("manager").password("{noop}password").roles("MANAGER");
}
/** View-name mappings for the landing, Swagger, login and access-denied pages. */
@Controller
public class HomeController {

    private static final String INDEX_VIEW = "index";
    private static final String SWAGGER_VIEW = "swagger-ui.html";
    private static final String LOGIN_VIEW = "login";
    private static final String ACCESS_DENIED_VIEW = "/error/access-denied";

    @GetMapping("/")
    public String root() {
        return INDEX_VIEW;
    }

    /**
     * NOTE(review): this returns the Swagger page as a view name, not a redirect, so the
     * hasRole("SWAG") rule on /swagger-ui.html in the security configuration does not
     * apply to /user — confirm that /user itself is protected as intended.
     */
    @GetMapping("/user")
    public String userIndex() {
        return SWAGGER_VIEW;
    }

    @GetMapping("/login")
    public String login() {
        return LOGIN_VIEW;
    }

    @GetMapping("/access-denied")
    public String accessDenied() {
        return ACCESS_DENIED_VIEW;
    }
}
So I am trying to protect /swagger-ui.html with a simple popup login backed by in-memory users, so that only certain users can access the API.
When I run this code I get the output shown in the attached image:
when I log in, there is no redirection for authentication.

How to disable multiple logins for same user in spring security + spring boot

I have the below spring configuration :-
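/**
 * API security: HTTP Basic, a 401 (instead of a login-page redirect) for unauthenticated
 * calls, and at most one concurrent session per user.
 *
 * <p>Matchers are evaluated in order, so the specific {@code /api/admin/**} rule is placed
 * before the catch-all {@code /**}; declared after it, as in the original, it was dead code.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // NOTE(review): CSRF is disabled while sessions are still created for HTTP Basic;
        // a browser would send that session cookie automatically. Keep this only for
        // non-browser clients, or use a STATELESS session policy.
        .csrf().disable()
        .exceptionHandling()
            .authenticationEntryPoint((request, response, authException) ->
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
            .and()
        .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/api/v2/customers/**").permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/oauth/**").permitAll()
            .antMatchers(HttpMethod.GET, "/saml/**").permitAll()
            .antMatchers(HttpMethod.GET, "/api/internal/v2/**").permitAll()
            .antMatchers("/api/admin/**").authenticated()
            .antMatchers("/**").authenticated()
            .and()
        .httpBasic()
            .and()
        .sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true)
            // NOTE(review): the registry only learns that a session ended if an
            // HttpSessionEventPublisher listener is registered; without it a user who
            // logged out is still counted and the next login is refused.
            .sessionRegistry(SR);
}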
I was expecting sessionManagement().maximumSessions(1) to disable multiple logins for the same user. It works, but after the first user logs out of the application and I try to log in from another browser, it says that this account is already in use by someone.
Try this. You are not clearing/closing the previous session properly.
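/**
 * Single-session security configuration: form login, one concurrent session per user, and
 * an {@link HttpSessionEventPublisher} so the session registry is told when a session is
 * destroyed (logout or timeout). Without that listener the registry keeps counting a
 * session that no longer exists and the next login is refused.
 */
@EnableWebMvcSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/expired").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                .maximumSessions(1)
                // With maxSessionsPreventsLogin(true) the second login is refused rather
                // than the first session being expired, so this URL appears to be unused.
                .expiredUrl("/expired")
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());
    }

    /** Registry shared by the concurrency control above and the session listener below. */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Demo in-memory user. NOTE(review): the password carries no encoder id such as
     * "{noop}"; Spring Security 5 and later rejects that at login time — confirm the version.
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }

    /** Publishes session created/destroyed events so the registry stays accurate. */
    @Bean
    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
    }
}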
What is missing is .expiredUrl("/expired").maxSessionsPreventsLogin(true).sessionRegistry(sessionRegistry()); together with the HttpSessionEventPublisher registration shown above.

Change HTTP Post login Adrress in Springboot

I want to change the HTTP post login address.
Right now the default "/login" is set and works, but I want to change it to "/users/login".
This is my HttpSecurity configuration.
/**
 * JWT-based API security: sign-up is open, everything else needs authentication, and no
 * HTTP session is created.
 *
 * <p>NOTE(review): {@code loginProcessingUrl} only configures the filter that
 * {@code formLogin()} registers. The separately added {@code JWTAuthenticationFilter} is not
 * shown here; if it extends {@code UsernamePasswordAuthenticationFilter} it keeps its own
 * default {@code /login} processing URL unless {@code setFilterProcessesUrl} is called on it —
 * confirm, as that would explain why POST /users/login is not picked up.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors();
    // CSRF is off, presumably because clients authenticate with a bearer token rather
    // than a session cookie — confirm no cookie-based client uses this API.
    http.csrf().disable();
    http.authorizeRequests()
        .antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
        .anyRequest().authenticated();
    http.formLogin()
        .loginPage("/login")
        .loginProcessingUrl("/users/login")
        .permitAll();
    http.addFilter(new JWTAuthenticationFilter(authenticationManager()));
    http.addFilter(new JWTAuthorizationFilter(authenticationManager()));
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
The application class is nothing special.
package com.auth0.samples.authapi;
import..
/** Boot entry point; also exposes the BCrypt encoder used for password hashing. */
@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    /** BCrypt with its default strength: salted and deliberately slow. */
    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

spring boot security login redirects to / when contextPath set

I've got this working when no contextPath is set. But when I set server.contextPath in application.properties, logging in at http://localhost:8080/t2debt_site/login redirects the page to http://localhost:8080/login. What can be happening? Please help!
/**
 * Paths served without authentication; they are also excluded from the security filter
 * chain entirely via {@code WebSecurity.ignoring()}, "/" included.
 */
private static final String[] UNSECURED_RESOURCE_LIST = {
    "/", "/resources/**", "/static/**", "/css/**", "/webjars/**",
    "/img/**", "/js/**"
};
/**
 * Form login (username field named "email"), remember-me, and a logout that also clears
 * the remember-me cookie.
 *
 * NOTE(review): loginPage, defaultSuccessUrl and logoutSuccessUrl are context-relative and
 * Spring Security prefixes the servlet context path when redirecting to them, so a redirect
 * landing on http://localhost:8080/login is not explained by this block alone — check for a
 * reverse proxy or a custom handler building absolute URLs.
 *
 * NOTE(review): rememberMe() is used without key(); Spring then generates a random key at
 * startup, so remember-me cookies stop validating after a restart — confirm that is intended.
 */
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(UNSECURED_RESOURCE_LIST).permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
// Landing page when there is no saved request to return the user to.
.defaultSuccessUrl("/index")
.failureUrl("/login?error")
// The login form posts the username in a field named "email".
.usernameParameter("email")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.deleteCookies("remember-me")
.logoutSuccessUrl("/login")
.permitAll()
.and()
.rememberMe();
}
/**
 * Static resources and "/" bypass Spring Security entirely: none of the {@code HttpSecurity}
 * rules, nor the security response headers Spring normally adds, apply to them.
 */
@Override
public void configure(WebSecurity security) {
    security.ignoring().antMatchers(UNSECURED_RESOURCE_LIST);
}

Spring security: Redirect unauthorised url

/**
 * Shows the edit form for one event. The {@code hasPermission} check runs before the body,
 * so the lookup only happens for callers with write permission on that id.
 *
 * <p>NOTE(review): {@code @PreAuthorize} is only enforced when method security is enabled
 * (e.g. {@code @EnableGlobalMethodSecurity(prePostEnabled = true)}) — confirm that is set.
 */
@PreAuthorize("hasPermission(#id,'Integer','write')")
@RequestMapping(value = "events/{id}/edit", method = RequestMethod.GET)
public String edit(Model model, @PathVariable("id") int id) {
    Object event = eventService.getEvent(id);
    model.addAttribute("event", event);
    return "events/edit";
}
Security config
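/**
 * Form-login security for the site: public GET/POST endpoints are listed explicitly and
 * everything else requires an authenticated user.
 *
 * <p>Only one {@code loginPage} is set. The original called it twice; the second call
 * replaces the first, so unauthenticated users were sent to "/login?error" and saw an error
 * message before ever submitting the form. Failed logins are routed by the failure handler.
 *
 * <p>Authorization failures for an already authenticated user (for example a denied
 * {@code hasPermission}) are not handled here; {@code exceptionHandling().accessDeniedPage(...)}
 * is the hook for a custom page in that case.
 */
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/", "/index", "/register", "/regitrationConfirm", "/forgotPassword", "/accountRecovery", "/passwordReset", "/public/**").permitAll()
                .antMatchers(HttpMethod.POST, "/register", "/accountRecovery", "/passwordReset").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .failureHandler(authFailureHandler)
                .and()
            .rememberMe()
                .tokenValiditySeconds(3600)
                // NOTE(review): the key is part of the remember-me cookie signature; it is
                // hard-coded here and should come from external configuration instead.
                .key("rememberTracker")
                .and()
            .logout()
                .permitAll()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/login?expired");
    }
}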
I want to redirect the user to, or show, a custom page if authorization fails. Is there a way to do that?
updated with spring security code.
Thanks
I updated your SecurityConfig to add a failureUrl and a successHandler.
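/**
 * Form-login security with a redirect on failed login and a role-aware success handler.
 *
 * <p>Only one {@code loginPage} is set. The original called it twice; the second call
 * replaces the first, so unauthenticated users were sent to "/login?error" before they had
 * submitted anything.
 *
 * <p>Note that {@code failureUrl} only covers failed authentication. A custom page for
 * authorization failures (an authenticated user denied by {@code hasPermission}) is
 * configured with {@code exceptionHandling().accessDeniedPage(...)}, which is not set here.
 */
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/", "/index", "/register", "/regitrationConfirm", "/forgotPassword", "/accountRecovery", "/passwordReset", "/public/**").permitAll()
                .antMatchers(HttpMethod.POST, "/register", "/accountRecovery", "/passwordReset").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .failureUrl("/your-unsuccessful-authentication-url-here")
                // The success handler redirects the user to different places depending on role.
                // failureHandler(authFailureHandler) was dropped: failureUrl already gives a redirect.
                .successHandler(yourSuccesshandler)
                .and()
            .rememberMe()
                .tokenValiditySeconds(3600)
                // NOTE(review): the key is part of the remember-me cookie signature; it is
                // hard-coded here and should come from external configuration instead.
                .key("rememberTracker")
                .and()
            .logout()
                .permitAll()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/login?expired");
    }
}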
The success handler:
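/**
 * After a successful login, stores the username in the HTTP session and redirects the user
 * to a role-specific landing page.
 */
public class SuccessAuthenticationHandler implements AuthenticationSuccessHandler {

    public SuccessAuthenticationHandler() {
    }

    /**
     * Chooses the redirect target from the principal's authorities.
     *
     * <p>Uses the {@code auth} argument the framework passes in instead of re-reading
     * {@code SecurityContextHolder} (the original ignored the argument). The principal is
     * only treated as a {@link User} when it actually is one, so a non-User principal no
     * longer causes a ClassCastException; it simply falls through to the default target.
     *
     * @throws IOException if the redirect cannot be written
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication auth) throws IOException, ServletException {
        String redirect = "";
        Object principal = auth.getPrincipal();
        if (principal instanceof User) {
            User user = (User) principal;
            request.getSession().setAttribute("username", user.getUsername());
            if (hasRole(user, "ROLE_ADMIN") || hasRole(user, "ROLE_SUPER_ADMIN")) {
                redirect = "admin/";
            } else if (hasRole(user, "ROLE_YOUR_ROLE")) {
                redirect = "yourrole/";
            }
        }
        if (redirect.isEmpty()) {
            redirect = "signin";
        }
        // Targets are relative, so the redirect stays on the same host and context path.
        response.sendRedirect(redirect);
    }

    /**
     * True if the user holds the named authority. NOTE(review): this relies on
     * {@code SimpleGrantedAuthority.equals}, which only matches other SimpleGrantedAuthority
     * instances — confirm the user store does not use another GrantedAuthority implementation.
     */
    private static boolean hasRole(User user, String role) {
        return user.getAuthorities().contains(new SimpleGrantedAuthority(role));
    }
}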
