I'm using for first time spring security (3.2.0.RELEASE) and spring webflow (2.4.0.RC1).
I have some pages where user can login (through a modal window). This logins should not redirect user, instead modal window should be closed and actual page is refreshed in order to show the name of logged user.
In addition, in my web there is a webflow, in this webflow is where an order is created. As a last view-state the user must be logged in order to save the order. So if user is not logged at this point, I redirect him to a login page. If user logs in successfully, his order should keep "alive" and user should be redirected to finish view-state.
How can I configure (I'm using java config) the security of my site ?
I used another approach. I always redirect to same page when a user is authenticated and I've added a special view-state to control registration if user is not logged.
Related
I am trying to implement a custom authentication mechanism in Spring.
I have an authentication mechanism, that works like this:
User visits any subpage of my page http://mypage
User gets redirected to http://mypage/login, because my WebSecurityConfigurerAdapter is configured, that any Request (except to /login and /redirect, has to be authenticated)
On the Login page a custom login mechanism happens, where I authenticate the user on an external site, that redirects the user's browser to the external page and then back to another subpage of my page: /redirect with custom data in the response
On /redirect I set the Authentication of the user, depending on the custom data and add a GrantedAuthority ROLE_FIRST
After this step the user is redirected to subpage /home, which is only visible to authenticated users with GrantedAuthority ROLE_FIRST.
If the user clicks on a button on /home a GrantedAuthority ROLE_SECOND is added to the current Authentication of the user and the user is redirected to /secret
The user is then authenticated with two factors (external login, buttonclick) and can see the content of /secret, which requires an authentication with GrantedAuthority ROLE_SECOND
So far so good, but I now want to redirect the user to the initial URL he tried to access. So if the user visited http://mypage/random in the first step, the user should be redirected to /random instead of /secret in the last step.
The problem is, I am loosing the URL in the step with the external login, because there is happening a external redirect and I can't pass the URL to the external service.
How can I manage this?
Bonus Question: What if the URL /random would be the URL to an OAuth2 Token interface instead? Would that change anything?
I am working on a application having spring framework and implemented shiro filter for security.
Login url of my application login page is "localhost:8082/".
but I have changed the url manually "localhost:8082/socialProfile?by=Followers" at time of login.
What I was expecting, after login, instead of scheduling my application home page "http://localhost:8082/dashboard", It should schedule "socialProfile?by=Followers" page.
But it is scheduling "localhost:8082/dashboard" page.
Is there any way to get desired result ?
When user directly accessing some restricted url, for the first time, with out login, spring security redirects to login page. If the login is success, the user is redirected to the requested page.Between the user login success and page redirection to requested page, how to initialize user specific settings in http session. What events are available to set the session with logged in user details.
EDIT:
My intention is not save the user details in the session. Depends on the user, i have to change the displayed content before it goes to some other page after login.
You shouldn't do that - it's a waste of server memory and will affect scalability. Get out of the habit of storing lots of unnecessary data in the session.
The Authentication class that the plugin uses caches the id of the User/Person domain class instance that was used during login. So it's easy to reload the domain class instance - just call def user = springSecurityService.currentUser. This approach has the added benefit of avoiding lazy loading exceptions and other problems with detached Hibernate objects.
Need some idea on the process to land in a page after I login to my web portal. My requirement is I will enter Url of a particular page in to the browser, then system will check is the user is login to the system, if yes it will land on the page I have entered but if not then system will take me to the login page and after successful login I will be landed in to the page I have entered in the browser.
So, please tell me how to do it in plain servlet/Jsp model, Spring and Struts 1 and Struts 2.
Any post will be helpful
I know about basic jsp/servlet model.
Write a Servlet filter which will intercept every request from the brwoser, there check is the user is logged in or not. If logged in your normal flow will continue but if not then redirect to the login page. When you are redirecting to the login page, make sure you send the url hit by browser in the response. Now in client side hold the url send in response and after eneter credentials in login page when user will submit the record send the url (Hold in the client side from response) in the request and after successful login use Servelet Request dispatcher to land in the url.
I am not sure but spring-security has this feature and struts 2. But implementation process can be share by others who are familiar on this technologies. But in struts 1 it's not available and you have to do it manually.
it will very easy with spring security you just need to secure some path pattern. you doesn't need to add some code in your jsp or controller, example
for url /admin/* need administrator role
for url /user/* need user role
for url /public/* no need login (anynomous)
it just need configure at your spring-security.xml
you can start here
I'm using Spring MVC for a personal webpage with a local Tomcat 6 server. I'm using a default Tomcat configuration(what eclipse would setup by default).
In my controllers(using one controller for each page, and creating Session beans to pass information between them) I have two methods, one for capturing a POST and one for capturing a GET Request Method. The page logic will have the user click a submit button and will use a "redirect:abc.htm" return to send them to a new page or back to the GET method.
I'm not explicitly handling cookies, but do have all the information in Session Beans and am using Spring Security to handle security/user management.
I have a spring security configuration to redirect the user back to the login page if they are not authorized. I also have an ExceptionHandler catching HttpSessionRequiredException, though this is not what is triggering when I expire the user sessions(it's using the logic of my Spring Security configuration).
When the session is expired(I'm doing this through Tomcat manager) the user is redirected back to the login page. They are redirected after they try to do something(click a submit, or revisit any page except login.htm).
My issue is that once they get back to the initial page that their session expired at, if at the time of expiration they clicked a submit button, it is redirecting them past the initial page and handling the POST event from the submit.
Example:
User is logged in, and on the main page
User Session Expires
User, on the main page, click a submit button
User is redirected back to the login.htm page
User logs in and navigates back to the main page.
Instead of following the logic of the GET for the main page, they are treated to the POST of the main page, and I'm not sure where the POST variables are coming from.
Is there any way to trace where this error is coming from or what exactly is causing it?
This is done by spring-security. Spring security stores the request details in the session before redirecting the user to the login page. On successful login it will retrieve the request details from the session and redirect to that.
You can set the always-use-default-target attribute of the form-login configuration to override this behavior.