I am using Spring Security for Web application development. I do not want to allow users to do registration while they are already loggedIn in the System.
So suppose, there is url for registration is /registration and for home page is /home.
Now I want to redirect at /home if user tries to hit /registration while session is live. Is it possible using spring-security ? I can check session in controller method and redirect manually...that I know. but is there any config with spring-security? Thanks.
Yes, you can do it with Spring Security only. Add a new security:http element before your existing one as follows:
<security:http pattern="/registration" access-denied-page="/home" entry-point-ref="forbiddenEntryPoint">
<security:intercept-url pattern="/registration" access="ROLE_ANONYMOUS"/>
</security:http>
<bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
The entry point implementation doesn't really matter, because it won't be invoked. It's just mandatory to define it.
System will now monitor URL /registration and when it's hit by a user without ROLE_ANONYMOUS (= an authenticated user) it will serve content from /home instead.
Related
I have a system running on Tomcat, with HTML/JSP in front-end, and java/Spring/Struts in backend.
I made a login-feature where the user enters his username and password.
In backend, I validate the username and password to the stored user in DB.
If match, I store the username in HTTPsession:
session.setAttribute( "username", name );
Then, on every class-action in backend, I add the following code:
HttpSession session = request.getSession();
if(session.getAttribute("username") == null) {
return mapping.findForward("invalidUser");
}
the invalidUSer-mapping redirects the user back to the login-page.
How secure is this?
Is there a way to check the httpsession without adding my validation-code to every class?
Do you guys have tips (or examples/tutorials) on how to do this differently? The system is already created and in production, so I do not want to do too many architecural changes.
As you are already using Spring in your project, you may want to look into Spring Security to replace your bespoke security mechanisms. You can configure it to protect certain resources within your application, authenticate against bespoke database back-ends, LDAP directories, etc. This will allow you to remove all manual checking of the session to see if the user is authenticated, and will redirect anonymous users to the specified login page when they attempt to access protected resources.
Along with the spring security filter definition in web.xml, the configuration can be specified in a single spring-security.xml file (imported into your root app config) using the security:http namespace to define the login page, protected resources, logout page, security headers etc. You could use a org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl instance configured as a bean to define the user service which can be referenced by the authentication-provider - see the docs, its very flexible.
Hope that's useful.
I am using spring security. I want to allow login only if the browser supports cookies.
If the browser does not support cookies then I do not want allow the user to login.
Please help me to solve this issue?
Try using <http disable-url-rewriting="true">. This will prevent session id being append to the URL.
I'm using for first time spring security (3.2.0.RELEASE) and spring webflow (2.4.0.RC1).
I have some pages where user can login (through a modal window). This logins should not redirect user, instead modal window should be closed and actual page is refreshed in order to show the name of logged user.
In addition, in my web there is a webflow, in this webflow is where an order is created. As a last view-state the user must be logged in order to save the order. So if user is not logged at this point, I redirect him to a login page. If user logs in successfully, his order should keep "alive" and user should be redirected to finish view-state.
How can I configure (I'm using java config) the security of my site ?
I used another approach. I always redirect to same page when a user is authenticated and I've added a special view-state to control registration if user is not logged.
I am using Spring Security 3.1.x and trying to achieve the following scenario:
a page is secured with isFullyAuthenticated()
the current user is only authenticated with Remember Me, so not fully authenticated
the user navigates to this fully authenticated page - this should not be permitted (and it's not)
however, the user should not get the 403 page - instead, the user should be prompted to login via the Login form
after logging in, the user should be allowed to proceed to the page he previously requested, since now he's a fully authenticated user
My Spring Security config is:
<http use-expressions="true">
<intercept-url pattern="/admin/full_auth_only.html" access="isFullyAuthenticated()" />
<form-login login-page="/login.html" default-target-url="/authenticated.html" />
<logout />
<remember-me key="someAppKey" />
</http>
And I tried to add:
<access-denied-handler error-page="/login.html" />
However, the problem is now that, when visiting the page, I am indeed prompted by the Login form, only the URL doesn't correspond to login; instead it's the URL of the fully authenticated page:
http://localhost:8080/spring-security/admin/full_auth_only.html
Which then breaks the authentication process, which fails when trying to access the (invalid) URL:
http://localhost:8080/spring-security/admin/j_spring_security_check
This should have been:
http://localhost:8080/spring-security/j_spring_security_check
Any help on this is appreciated - I think the usecase is very common and so I would prefer using the namespace support instead of going in a custom direction.
Thanks.
Eugen.
I couldn't reproduce your issue with version 3.1.3.RELEASE of Spring Security. Which version do you use?
Authentication requests are intercepted by the AbstractAuthenticationProcessingFilter that checks if the URL of the request ends with a pre-configured value (that defaults to /j_spring_security_check). Any URL with that ending will trigger an authentication attempt. You can see the related code here.
This means that the URL you said is invalid should in fact be processed without problems.
The code linked above hasn't been changed since very early versions (2.x), so there should be some other issues in your case.
If you could share your configuration and some debug level logs, that would help to reveal what's the real problem.
1.Remove any welcome-file-list if you have in web.xml.
2.Make sure always-use-default-target is not set to false in form-login tag or remove it all together.
3.And make sure you have permitted every one to access your login page. something like this <intercept-url pattern="/login.htm" access="permitAll()"/>
That should work.
it sounds like the cookie was not set, and the following requests sent were all treated as the first requests without a session ID, so spring security asked for login every time even though you had logged in.
If you were using google chrome, and tested the application in your local machine using the localhost address, the cookie might not be set. And it is a known issue with Google chrome.
You can try 127.0.0.1 instead to test. Or try another web browser like Internet Explorer.
I'm new to Spring3 MVC and I'm working on a web project using it, I has implemented login and logout. I put the user info in session when user login and remove it when he logout.
Now I want to implement that:
if user login, thus he can do whatever, but if he logout and access the page which is in the server, we should redirect to the login page.
I think it's possibly using filter and some configuration in web.xml so I needn't writte much code. I think it's very easy using configuration but I don't know how to implement it.
SO How and What should I config? It's like this question a bit:Looking for a Simple Spring security example
Thanks for your help.
use - return "redirect:LoginPage";