Multiple redirect in the login (Spring MVC) - spring

I am trying to achieve:
After a session timeout the user is redirected to the login page, and when he logs in again he should be redirected to the original URL that the user entered.
The problem is:
Multiple redirects are happening on the login page. So, if I type http://localhost:8080/app-web/login in the browser then Fiddler shows me the following:
200 /app-web/login
302 /app-web/0
302 /app-web/0/
200 /app-web/login
As a result, after login it is redirecting me to /app-web/0/
I am using apache tiles. Any help will be appreciated and let me know if you need more info about the configuration.
EDIT
Here are a few config snippets:
<http auto-config="true"
use-expressions="true"
disable-url-rewriting="true"
entry-point-ref="ajaxAwareAuthenticationEntryPoint">
<form-login login-processing-url="/resources/j_spring_security_check"
authentication-success-handler-ref="postSuccessAuthHandler"
authentication-failure-handler-ref="postFailureAuthHandler"
login-page="/login"
authentication-failure-url="/login?login_error=t"
default-target-url="/pin"/>
<logout logout-url="/resources/j_spring_security_logout" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/auth/resetForgotPassword" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
The login view:
<mvc:view-controller path="/login"/>
Tiles:
<definition name="login" extends="NoNav.Template" >
<put-attribute name="NoNavMainBodyContainer" value="LoginMainBodyContainer.Template" cascade="true" />
</definition>

Related

Spring MVC Security permitAll to / but denyAll to /** not working

I have a Spring 4 MVC application that is deployed on WildFly 10 and is configured using XML.
I have the following controller defined:
<mvc:view-controller path="/" view-name="/index" />
<mvc:view-controller path="/index" view-name="/index" />
And in Spring Security I define access:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/**" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>
If I remove the denyAll to /** intercept-url the application works as intended; however, adding it causes security to redirect root calls to the login page and not the index page!
Is there a way I can have permitAll access to the root (Redirects to /index) of my application and still denyAll to /** thus covering anything else that is not defined?
Changing the pattern to <intercept-url pattern="/.+" access="denyAll" />, as commented by Vasan, got it working. Below is an example of the change:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/.+" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>

Spring logout access denied

I'm using Spring Security, trying to set up basic login/logout functionality. Login works ok, I store users in a MySQL DB, and I'm able to log in, but I have a problem with logging out. On the home page I made a logout link, looking like this, but when I click it I get 403 Access denied, and the user doesn't get logged out:
<a href="<c:url value="j_spring_security_logout" />" > Logout</a>
And here is my security-context.xml:
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<security:intercept-url pattern="/static/**" access="permitAll" />
<security:intercept-url pattern="/loggedout" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
<security:intercept-url pattern="/docreate" access="isAuthenticated()" />
<security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
<security:intercept-url pattern="/newaccount" access="permitAll" />
<security:intercept-url pattern="/createaccount" access="permitAll" />
<security:intercept-url pattern="/accountcreated" access="permitAll" />
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/offers" access="permitAll" />
<security:intercept-url pattern="/**" access="denyAll" />
<security:logout logout-success-url="/loggedout"/>
<security:form-login login-page="/login"
authentication-failure-url="/login?error=true" />
</security:http>
And /loggedout is mapped to a basic .jsp page, just saying "You have logged out."
Also, when I click the logout link when I'm not logged in, it takes me to the login page.
What am I doing wrong?
Add this as the first rule in the <security:http use-expressions="true"> section:
<security:intercept-url pattern="/j_spring_security_logout" access="permitAll" />
I just added the
logout-url="/j_spring_security_logout"
to the
security:logout
and it is working as it should now. But I thought it would work even without this parameter if I use /j_spring_security_logout as the logout link.
Add this under the <security:http use-expressions="true"> section:
<security:csrf disabled="true"/>
Worked for me.

spring session redirect after timeout

I have configured spring security for login form. Everything works fine except session timeout.
When the session times out I want to redirect to the login page. Instead I am redirected to the homepage. Below is part of my security XML. Can anyone suggest anything via XML configuration?
<http auto-config="true" use-expressions="true">
<!-- This setting is for IE. By default it is migrateSession.
When IE tries to migrate the session, the auth cookie does not migrate, resulting
in a nice login screen again after you've logged in. This setting ensures
that the session will not be invalidated, and thus IE will still work as
expected. -->
<session-management session-fixation-protection="none" />
<intercept-url pattern="/login.jsp" access="permitAll" />
<intercept-url pattern="/css/*" access="permitAll" />
<intercept-url pattern="/img/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/lib/**" access="permitAll" />
<intercept-url pattern="/fonts/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login login-page="/login.jsp" login-processing-url="/j_spring_security_check"
default-target-url="/index.html" always-use-default-target="true"
authentication-failure-url="/login?error=true" username-parameter="username"
password-parameter="password" authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/login.jsp" logout-url="/j_spring_security_logout" invalidate-session="true" />
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
<session-management invalid-session-url="/login.jsp" />
<!-- disable csrf protection -->
<csrf disabled="true" />
</http>
I have added the timeout in web.xml as:
<session-config>
<session-timeout>1</session-timeout>
</session-config>

Spring redirect view is not working

I am using Spring controllers to show my JSP views, and Spring Security.
In the security context, all users can access /login (login.jsp) but only authenticated users can access /home (home.jsp).
When I remove the session id from the browser cookies, the next request in the app should redirect to the login page.
My method to show the login page in the controller is:
@RequestMapping(value = {"/login", "/login.do"})
public ModelAndView showLoginForm() {
    String username = getUsername();
    // AnonymousAuthenticationFilter names an unauthenticated principal "anonymousUser"
    if (!username.equals("anonymousUser")) {
        return new ModelAndView("redirect:/home");
    }
    return new ModelAndView("login");
}

// helper not shown in the original post; assumed to read the current principal's name
private String getUsername() {
    return SecurityContextHolder.getContext().getAuthentication().getName();
}
My URL is /home, but when I try to redirect to login using return new ModelAndView("login") the browser stays at the same URL.
My spring security config
<http entry-point-ref="loginEntryPoint"
use-expressions="true" create-session="always">
<session-management
session-authentication-strategy-ref="sas" />
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/accessDenied.do" access="permitAll" />
<intercept-url pattern="/app/**" access="permitAll" />
<intercept-url pattern="/signup/createuser" access="permitAll" />
<intercept-url pattern="/changepassword/changefirstpassword" access="permitAll" />
<intercept-url pattern="/recoverpassword/recoverPasswordRequest" access="permitAll" />
<intercept-url pattern="/resources/**" access="permitAll"/>
<intercept-url pattern="/**" access="authenticated" />
<access-denied-handler error-page="/accessDenied.do" />
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<custom-filter position="FORM_LOGIN_FILTER" ref="domainFormLoginFilter" />
<logout success-handler-ref="myLogoutSuccessHandler" />
</http>
Why doesn't my browser redirect to the login page? Thanks.
First remove your controller and add the following to your security configuration.
<sec:intercept-url pattern="/home" access="isAuthenticated()" />
<sec:intercept-url pattern="/login" access="permitAll()" />
Work with the framework not against or around it...

Spring Security Authenticated User only

I just started to read up on Spring Security 3.1 and I would like to know how I can force the user to authenticate through my login page before accessing any pages on my system. In a tutorial I see the following code:
<http use-expressions="true">
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')" />
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<intercept-url pattern="/listAccounts.html" access="isAuthenticated()" />
<intercept-url pattern="/post.html" access="hasAnyRole('supervisor','teller')" />
<intercept-url pattern="/**" access="denyAll" />
<form-login />
</http>
From the above configuration I can see that I have to maintain the list of URL patterns. Is there a way to simplify this so that every user has to log in through "/login" before they can access any other page?
EDIT:
I have edited my configuration as below and it's working as I expected:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/loginfailed" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/login" />
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
The URL rules are inspected in order, top to bottom. The first one that matches is the one that is used.
In this example, the last line
<intercept-url pattern="/**" access="denyAll" />
is the "catch all" rule. It applies to all requests ("/**") that didn't match any of the rules above it.
In its current form, it denies access to everyone, regardless. If you change it to
<intercept-url pattern="/**" access="isAuthenticated()" />
instead, it will require authentication for all pages unless otherwise specified, which will cause Spring Security to redirect unauthenticated users to the login process.
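To make the first-match rule concrete, here is an added simulation (not Spring's code and not from any poster) of how the intercept-url lists on this page are evaluated; it also reproduces the behaviour from the logout question above, where a denyAll catch-all gives a logged-in user a 403 but sends an anonymous user to the login page. The names ant_to_regex, decide, TUTORIAL, EDITED and SHADOWED are mine, and roles are plain names as the tutorial's hasRole('supervisor') uses.

```python
import re
from typing import List, Optional, Set, Tuple
# Added example, not Spring's own code: simulates how <intercept-url> rules are evaluated
# (first match wins, top to bottom). Supports only the expressions used on this page.

def ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern (literals, '*', '/**') into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")        # zero or more whole path segments
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")           # anything inside a single segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"

def _granted(access: str, roles: Optional[Set[str]]) -> bool:
    """roles is None for an anonymous request, else the user's role names."""
    if access == "permitAll":
        return True
    if access == "denyAll":
        return False
    if access in ("isAuthenticated()", "authenticated"):
        return roles is not None
    m = re.fullmatch(r"has(?:Any)?Role\((.*)\)", access)
    if not m:
        raise ValueError("unsupported expression: " + access)
    wanted = {r.strip().strip("'") for r in m.group(1).split(",")}
    return roles is not None and bool(wanted & roles)

def decide(rules: List[Tuple[str, str]], path: str,
           roles: Optional[Set[str]] = None) -> str:
    """'allow', 'login' (anonymous user sent to the entry point) or '403' (access denied)."""
    for pattern, access in rules:
        if re.match(ant_to_regex(pattern), path):
            return "allow" if _granted(access, roles) else ("login" if roles is None else "403")
    return "allow"  # nothing matched: the interceptor leaves the URL unsecured

TUTORIAL = [("/index.jsp", "permitAll"), ("/secure/extreme/**", "hasRole('supervisor')"),
            ("/secure/**", "isAuthenticated()"), ("/listAccounts.html", "isAuthenticated()"),
            ("/post.html", "hasAnyRole('supervisor','teller')"), ("/**", "denyAll")]  # tutorial config
EDITED = [("/login", "permitAll"), ("/loginfailed", "permitAll"),
          ("/logout", "permitAll"), ("/**", "isAuthenticated()")]  # asker's edited config
SHADOWED = [EDITED[-1]] + EDITED[:-1]  # catch-all moved to the top: /login is now shadowed
```

Running decide over the three lists shows why order matters: the same four rules permit /login when the catch-all is last and demand a login for it when the catch-all comes first.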
