I'm using for first time spring security (3.2.0.RELEASE) and spring webflow (2.4.0.RC1).
I have a webflow where there is a view-stat which needs a user authenticated:
<view-state id="finish" model="order">
<secured attributes="ROLE_USER" />
<on-render>
<render fragments="body" />
</on-render>
</view-state>
If user is not already authenticated is redirected to a login page. I'm wondering if would be possible: user insert his credentials into login page and if he has success, redirect him to "finish" view-state again with all information of flow.
It's posible?
Yes it is possible. In spring-security.xml specify the flow URL in "default-target-url" attribute.
If the URL to your flow is something like screen/finish, then the configuration would be like below
<http auto-config="true" >
<form-login login-page="/login.jsp"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login.jsp?error=t"
default-target-url="screen/finish"
always-use-default-target="true" />
<!--other configurations -->
</http>
Related
I have configured one spring security context for my project by using intecept-url i am able to authenticate all URLS but when i pass some ID over URL authentication is not happening.
<intercept-url pattern="/**" access="isAuthenticated()"/>
Working URLS
http://localhost:8080/WEB/add-employee
http://localhost:8080/WEB/view-employee
Not working URLS
http://localhost:8080/WEB/edit-employee/1
http://localhost:8080/WEB/edit-employee/2
1 and 2 are the ID iam passing over URL the above URL patterns are not working (that means when i passing ID over URL)
And i have tried many combinations in intercept-url but i am not getting the correct result.
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()"/> <!-- this means all URL in this app will be checked if user is authenticated -->
<!-- We will just use the built-in form login page in Spring -->
<form-login login-page="/" login-processing-url="/j_spring_security_check" default-target-url="/home" authentication-failure-url="/"/>
<logout logout-url="/logout" logout-success-url="/"/> <!-- the logout url we will use in JSP -->
</http>
Delete the line <intercept-url pattern="/edit-employee/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> to disallow anonymous access to that URL.
I have a spring security application. Its working well. When I enter wrong credentials it redirect to spring_security_login?login_error where it show spring default login page. What I want is if user enter wrong credentials its should response with some custom message rather than redirecting to some link.
Here is my config
<http auto-config="true">
<form-login
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you just want to redirect the user to a custom URL use the authentication-failure-url attribute of <form-login>:
<http auto-config="true">
<form-login
authentication-failure-url="/myCustomLoginFailureURL"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you want full control over what happens on login failures, use the authentication-failure-handler-ref attribute:
<beans:bean id="authenticationFailureHandler" class="my.company.AuthenticationFailureHandler" />
<http auto-config="true">
<form-login
authentication-failure-handler-ref="authenticationFailureHandler"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
Note that my.company.AuthenticationFailureHandler needs to implement org.springframework.security.web.authentication.AuthenticationFailureHandler.
Dose anyone knows how I can change spring security default login url: spring-security-login?
I know that there is an attribute with form-login tag, named login-processing-url, but I don't want to have custom login page. Just I want to change the login url to something like "login.htm".
It seems that the login-processing-url attribute just works when you have specified a custom login form.
I have tried this:
<http use-expressions="true">
<access-denied-handler error-page="/accessDenied.htm" />
<intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/redirect.jsp" access="permitAll" />
<form-login login-processing-url="/login.htm" />
<logout/>
</http>
but it doesn't work. Still it shows "spring-security-login" as login url.
Thanks
What you want is login-page:
<form-login login-page="/login.htm" />
Let me explain my problem.
I have implemented a site in AngularJS that is accessed like this:
http://localhost:8080/example/resources/#/
Here we can call different pages, for example a Login page:
http://localhost:8080/example/resources/#/login
admin page:
http://localhost:8080/example/resources/#/admin
user page:
http://localhost:8080/example/resources/#/user
Now, I have implemented spring security in the example in order to catch every call and check if it has ROLE_USER privileges. So far so good, I have done it like this configuration in Spring security context file:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
This configuration checks for every url called, if the user has the proper ROLES, and it works fine, throws 401 Unauthorized page.
The problem I`m having is that when I put the login page to be accessed by everybody I'll do it this way:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/login**" access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
But I dont know why spring security is not catching this URL. Maybe Angular manages the URL differently.
Finally i have tried deleting the <security:intercept-url pattern="/**" access="ROLE_USER" /> and giving /login** access to ROLE_USER only, but this page was not found. Does anybody know what could be happening here?
Thanks in advance!!!
I wrote a little sample application that illustrates how to integrate AngularJS with Spring Security by exposing the session id as an HTTP header (x-auth-token). The sample also provides some (simple) authorization (returning the roles from the server) so that the client AngularJS application can react to that. This is of course primarily for user-experience (UX) purposes. Always make sure your REST endpoints have property security.
My blog post on this is here.
I am using Webflow 2.3.0.RELEASE and Spring 3.1.2.RELEASE with Spring security and Freemarker.
It all works well except that when I logout the session is not destroyed.
e.g. when I click the logout link on the screen, I can see the logout screen successfully with url like this:
http://localhost/mart/adminflow.html;jsessionid=855454DFGDFG54501DSF548036?execution=e1s1
If I copy this url and paste into a new window, it just works with me still logged in.
I am not too sure what code to share, but I can share.
Any advice/
Thanks
UPDATE 1:
The logout link :
<a class="link_a" href="../j_spring_security_logout">
Security config:
<security:global-method-security secured-annotations="enabled" />
<bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<security:http use-expressions="true" auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
<security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
<security:logout logout-success-url="logout.htm?_eventId=logout" />
<security:session-management invalid-session-url="logout.htm?_eventId=logout" />
</security:http>