Spring Security: allow login only if browser supports cookies - session

I am using Spring Security. I want to allow login only if the browser supports cookies.
If the browser does not support cookies then I do not want to allow the user to log in.
Please help me solve this issue.

Try using <http disable-url-rewriting="true">. This will prevent the session id being appended to the URL.
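As an added example (not code from the question or the answer above), the same restriction in Spring Security 6 Java configuration: the disable-url-rewriting setting alongside a filter that refuses the login POST when the browser did not send the session cookie. The class and filter names and the /login?cookies redirect target are assumptions, and it assumes the GET of the login page already created a session (which form login with session-backed CSRF tokens does).

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class CookieOnlySecurityConfig {

    // Refuses the form-login POST unless the session id arrived in a cookie.
    // A browser that accepts cookies returns the JSESSIONID it was given when the
    // login page (and its CSRF token) was rendered; one that rejects cookies sends nothing.
    static class CookieRequiredLoginFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            boolean loginPost = "POST".equalsIgnoreCase(request.getMethod())
                    && request.getRequestURI().equals(request.getContextPath() + "/login");
            if (loginPost && !request.isRequestedSessionIdFromCookie()) {
                // Assumed error destination; the login page can show a "cookies required" hint.
                response.sendRedirect(request.getContextPath() + "/login?cookies");
                return;
            }
            chain.doFilter(request, response);
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // Java-config equivalent of disable-url-rewriting="true": never emit ;jsessionid=... in
            // URLs, so the session id can only travel in the cookie.
            .sessionManagement(session -> session.enableSessionUrlRewriting(false))
            .addFilterBefore(new CookieRequiredLoginFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

At the container level, <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml (Servlet 3.0+) gives the same guarantee below Spring, since Tomcat then ignores a session id carried in the URL.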

Related

Remember me for WebFlux Security application with SESSION and X-CSRF token

I have a NextJS app that communicates with a Spring backend. I'm getting the SESSION and X-CSRF cookies correctly, but they only last for the browser session; when the browser window is closed and then reopened I want my users to still be in the session and not have to log in again every time.
I know that Spring Security has "Remember me", but unfortunately I'm using WebFlux Security and ServerHttpSecurity doesn't have the remember-me functionality. I saw this issue https://github.com/spring-projects/spring-security/issues/5504 but couldn't understand well what they mean with the solution.
I'm using Spring Session and since we can't have remember me, I don't know exactly what the best steps to take are. Would I have to set the Max Age of both cookies and use them for the days that I want my users to be logged in? Is this the best course of action?
I don't want to migrate to regular Spring Servlet Security unless it was the only way to solve this.
Since RememberMe isn't available in WebFlux Security applications, the only solution I can think of is with the cookies.
You could modify the session cookie in the WebFlux application by using this guide from Spring Session; for the CSRF token, you could set the max age on CookieServerCsrfTokenRepository, like it was implemented here, and that change is coming in the next Security versions.
By setting the max age, you can still use the same session when you reopen the browser window, unless the server session times out.
I don't know if that's the best solution, but if someone wants to add something else that would be great.

Is it possible to redirect at home page if session is live using Spring-Security?

I am using Spring Security for web application development. I do not want to allow users to register while they are already logged in to the system.
So suppose the URL for registration is /registration and for the home page is /home.
Now I want to redirect to /home if a user tries to hit /registration while the session is live. Is it possible using Spring Security? I can check the session in the controller method and redirect manually, that I know, but is there any config with Spring Security? Thanks.
Yes, you can do it with Spring Security only. Add a new security:http element before your existing one as follows:
<security:http pattern="/registration" access-denied-page="/home" entry-point-ref="forbiddenEntryPoint">
    <security:intercept-url pattern="/registration" access="ROLE_ANONYMOUS"/>
</security:http>

<bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
The entry point implementation doesn't really matter, because it won't be invoked. It's just mandatory to define it.
The system will now monitor the URL /registration, and when it's hit by a user without ROLE_ANONYMOUS (= an authenticated user) it will serve content from /home instead.

how to implement when user is not login, the server should redirect to the login page in Spring

I'm new to Spring 3 MVC and I'm working on a web project using it. I have implemented login and logout: I put the user info in the session when the user logs in and remove it when he logs out.
Now I want to implement this:
if the user is logged in, he can do whatever, but if he logs out and accesses a page on the server, we should redirect to the login page.
I think it's possible using a filter and some configuration in web.xml so I needn't write much code. I think it's very easy using configuration but I don't know how to implement it.
So how and what should I configure? It's a bit like this question: Looking for a Simple Spring security example
Thanks for your help.
Use: return "redirect:LoginPage";

How does Spring Security sessions work?

How do Spring sessions work when you login to a form on Spring security as described in this tutorial? http://static.springsource.org/spring-security/site/tutorial.html
Is it cookie based? I'm not sure what exactly is going on that allows the user to log in and have it remembered, keeping you logged in for the remainder of the browsing session.
It is cookie based, similar to how the servlet maintains sessions. If cookies are disabled, you would have to resort to URL rewriting. According to the FAQ here:
"All it sees are HTTP requests and it ties those to a particular session according to the value of the JSESSIONID cookie that they contain. When a user authenticates during a session, Spring Security's concurrent session control checks the number of other authenticated sessions that they have. If they are already authenticated with the same session, then re-authenticating will have no effect."
also
"If clients have cookies disabled, and you are not rewriting URLs to include the jsessionid, then the session will be lost. Note that the use of cookies is preferred for security reasons, as it does not expose the session information in the URL."
See here for the single sign-on feature.

Disable session cookie on Tomcat just for some URLs

Is it possible to disable session cookies on Tomcat just for some web-application URL patterns?
All the examples I've seen so far disable session cookies for the entire web application, via configuration in context.xml.
Just for context, in my scenario I have a BlazeDS polling channel that I'd like to have cookies ignored for.
TKS.
The easiest way I know of would be to create a page filter to remove the session cookie for those URL patterns as the request comes in.
