Set security on Spring Security on Spring Roo - spring

In my application I want to set free access to list and require authentication for the rest of the views of the reservas directory. This is my code:
<intercept-url pattern="/reservas/list.jspx" access="permitAll" />
<intercept-url pattern="/reservas/**" access="isAuthenticated()" />
and I've tried this
<intercept-url pattern="/reservas/**" access="isAuthenticated()" />
<intercept-url pattern="/reservas/list.jspx" access="permitAll" />
with the same result: the application requires authentication for all the views. What am I doing wrong with the URLs?

It might be that <intercept-url> syntax is slightly different from using the security annotations. Try this:
<intercept-url pattern="/reservas/**" access="IS_AUTHENTICATED_FULLY" />
or, if you use "remember me" tokens, you would want:
<intercept-url pattern="/reservas/**" access="IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED" />

The /reservas/list.jspx is not the URL for your "reservas" list view. Try to use reservas. The final URL is generated by the @RequestMapping annotation instead of by the jspx view route:
<intercept-url pattern="/reservas" access="permitAll" />
<intercept-url pattern="/reservas/**" access="isAuthenticated()" />
Also, you must check that all web resources used in your view don't require authentication (by default the resources/**).

Related

Spring redirect view is not working

I am using Spring Controllers to show my jsp views and Spring security.
In the security context, all users can access /login (login.jsp) but only authenticated users can access /home (home.jsp).
When I remove the session id from the browser cookies, the next request in the app should redirect to the login page.
My method to show the login page in the controller is:
@RequestMapping(value = {"/login","/login.do"})
public ModelAndView showLoginForm() {
    String username = getUsername();
    if(!username.equals("anonymousUser")){
        return new ModelAndView("redirect:/home");
    }
    return new ModelAndView("login");
}
My URL is on /home but when I try to redirect to login using this function, return new ModelAndView("login"), the browser stays with the same URL.
My Spring Security config:
<http entry-point-ref="loginEntryPoint"
      use-expressions="true" create-session="always">
  <session-management
      session-authentication-strategy-ref="sas" />
  <intercept-url pattern="/" access="permitAll" />
  <intercept-url pattern="/login.do" access="permitAll" />
  <intercept-url pattern="/login" access="permitAll" />
  <intercept-url pattern="/accessDenied.do" access="permitAll" />
  <intercept-url pattern="/app/**" access="permitAll" />
  <intercept-url pattern="/signup/createuser" access="permitAll" />
  <intercept-url pattern="/changepassword/changefirstpassword" access="permitAll" />
  <intercept-url pattern="/recoverpassword/recoverPasswordRequest" access="permitAll" />
  <intercept-url pattern="/resources/**" access="permitAll"/>
  <intercept-url pattern="/**" access="authenticated" />
  <access-denied-handler error-page="/accessDenied.do" />
  <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
  <custom-filter position="FORM_LOGIN_FILTER" ref="domainFormLoginFilter" />
  <logout success-handler-ref="myLogoutSuccessHandler" />
</http>
Why doesn't my browser redirect to the login page? Thanks
First remove your controller and add the following to your security configuration.
<sec:intercept-url pattern="/home" access="isAuthenticated()" />
<sec:intercept-url pattern="/login" access="permitAll()" />
Work with the framework not against or around it...

Anonymous access of method from Jersey webservice which is secured with spring security and oAuth2

I have one Jersey Rest web service which handles person account CRUD.
I have Spring Security + OAuth2 to secure this API. What I am not able to configure is: I wanted to make the Account create method anonymous. I tried to configure intercept-url but it does not work at method level. So do I need to write a separate class for this purpose, or can I achieve it without one?
Sample class code:
public class AccountResource{
    createAccount() --- I want this method to be accessible to anonymous users so they can create an account without generating tokens.
    updateAccount() --
    findAccount() --
    deleteAccount() --
}
Config code which secures all calls starting with '/services/rest/**':
<http pattern="/services/rest/**" create-session="never"
      entry-point-ref="oauthAuthenticationEntryPoint"
      xmlns="http://www.springframework.org/schema/security">
  <anonymous enabled="false" />
  <intercept-url pattern="/services/rest/**" method="GET" access="ROLE_USER" />
  <intercept-url pattern="/services/rest/**" method="POST" access="ROLE_USER" />
  <intercept-url pattern="/services/rest/**" method="PUT" access="ROLE_USER" />
  <intercept-url pattern="/services/rest/**" method="DELETE" access="ROLE_USER" />
  <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
  <http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
  <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
How about changing the configuration for POST requests in your security config to:
<intercept-url pattern="/services/rest/**" access="permitAll" method="POST" />

Spring security not working as expected

I'm using Spring Security with the configuration below. Every time I try to access the root URL, i.e. '/', it takes me to '/verify'. Can someone please tell me what I'm missing?
<http auto-config='true' use-expressions='true'>
  <intercept-url pattern="/" access="permitAll" />
  <intercept-url pattern="/verify" access="permitAll" />
  <intercept-url pattern="/logout" access="permitAll" />
  <intercept-url pattern="/signup" access="permitAll" />
  <intercept-url pattern="/admin/**" access="hasAnyRole('SUPER','ADMIN')" />
  <intercept-url pattern="/**" access="isAuthenticated()"/>
  <form-login login-page="/verify" default-target-url="/home"
      username-parameter="user_email" password-parameter="user_password"
      always-use-default-target="true" authentication-failure-url="/verify"
      authentication-success-handler-ref="authSuccessHandler" />
  <logout logout-success-url="/logout" logout-url="/logoutuser" />
  <headers>
    <cache-control />
    <hsts />
  </headers>
</http>
My controller:
@Controller
public class VerifyController {
    @RequestMapping(value = "/verify")
    public String userVerification() {
        return "index";
    }
}
It seems that for the URL pattern "/**" you instruct SS to run isAuthenticated().
Could that trigger the redirect to /verify?
I cannot be sure of it, but a common pitfall is to forget to allow access to resource files, images, css, or js that are used by public HTML or JSP pages (eventually through controllers).
If it is your problem, my advice is to put them either under a resources folder, or rather under images, css, and js folders and add the corresponding lines in the Spring Security config:
<http auto-config='true' use-expressions='true'>
  <intercept-url pattern="/" access="permitAll" />
  <intercept-url pattern="/images/**" access="permitAll" />
  <intercept-url pattern="/css/**" access="permitAll" />
  ...
</http>

Spring security url-interceptor

I have the following code:
<intercept-url pattern="/authenticated/**/" access="isAuthenticated()" />
<intercept-url pattern="/authenticated/files/**" access="none" />
I want Spring Security to secure all the links derived from /authenticated except authenticated/files. Is this type of securing possible?
Move more specific condition higher:
<http use-expressions="true">
  <intercept-url pattern="/authenticated/files/**" access="permitAll" />
  <intercept-url pattern="/authenticated/**" access="isAuthenticated()" />
  ...
</http>

Spring Security Authenticated User only

I just started reading on Spring Security 3.1 and I would like to know how I can force users to authenticate through my login page before accessing any pages on my system. In a tutorial I see the following code:
<http use-expressions="true">
  <intercept-url pattern="/index.jsp" access="permitAll" />
  <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')" />
  <intercept-url pattern="/secure/**" access="isAuthenticated()" />
  <intercept-url pattern="/listAccounts.html" access="isAuthenticated()" />
  <intercept-url pattern="/post.html" access="hasAnyRole('supervisor','teller')" />
  <intercept-url pattern="/**" access="denyAll" />
  <form-login />
</http>
From the above configuration I can see that I have to maintain the list of URL patterns. Is there a way to simplify this so that every user has to log in through "/login" before they can access any other page?
EDIT:
I have edited my configuration as below and it's working as I expected:
<http auto-config="true" use-expressions="true">
  <intercept-url pattern="/login" access="permitAll" />
  <intercept-url pattern="/loginfailed" access="permitAll" />
  <intercept-url pattern="/logout" access="permitAll" />
  <form-login login-page="/login" default-target-url="/welcome"
      authentication-failure-url="/loginfailed" />
  <logout logout-success-url="/login" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
The url rules are inspected in order, top to bottom. The first one that matches is the one that is used.
In this example, the last line
<intercept-url pattern="/**" access="denyAll" />
Is the "catch all" rule. It applies to all requests ("/**") that didn't match any of the rules above it.
In its current form, it denies access to everyone, regardless. If you change it to
<intercept-url pattern="/**" access="isAuthenticated()" />
instead, it will require authentication for all pages unless otherwise specified, which will cause Spring Security to redirect unauthenticated users to the login process.
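The threads above (the Roo list view whose real URL is /reservas, the /authenticated/files exception, and the "/**" catch-all) all come down to the same two facts: intercept-url rules are tried top to bottom and the first match wins, and the pattern must match the request URL, not the view file. The following is an added illustration, not code from any of the posts or from Spring itself: a constructed, simplified model of ordered Ant-style matching plus a small lint that flags a later rule which an earlier, broader rule makes unreachable. It assumes only '/**' and '*' wildcards, no case folding and no query strings; the real AntPathMatcher has more rules.

```python
import re

# Constructed model of ordered <intercept-url> evaluation (first match wins),
# not Spring's own AntPathMatcher. Simplified Ant semantics: '/**' = zero or
# more further path segments, '*' = any text inside one segment. '?' is not modelled.
def ant_to_regex(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")      # '/reservas/**' also matches '/reservas' itself
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def first_match(rules, path):
    """Access expression of the first rule matching the request path, or None.
    Later rules are never consulted, so broad patterns must come after specific ones."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None

def shadowed_rules(rules):
    """Heuristic lint: (later, earlier) pairs where a representative path for the
    later pattern already hits an earlier rule, i.e. the later rule can never fire."""
    found = []
    for idx, (pattern, _) in enumerate(rules):
        sample = pattern.replace("/**", "/s/s").replace("*", "x")  # concrete stand-in path
        for earlier, _ in rules[:idx]:
            if ant_to_regex(earlier).match(sample):
                found.append((pattern, earlier))
                break
    return found

# Rule sets taken from the threads above (Roo list view, files sub-tree, catch-all)
ROO_WRONG = [("/reservas/**", "isAuthenticated()"), ("/reservas/list.jspx", "permitAll")]
ROO_FIXED = [("/reservas", "permitAll"), ("/reservas/**", "isAuthenticated()")]
FILES = [("/authenticated/files/**", "permitAll"),
         ("/authenticated/**", "isAuthenticated()"), ("/**", "denyAll")]

if __name__ == "__main__":
    for rules, path in [(ROO_WRONG, "/reservas"), (ROO_FIXED, "/reservas"),
                        (ROO_FIXED, "/reservas/42"), (FILES, "/authenticated/files/a.pdf"),
                        (FILES, "/elsewhere")]:
        print(path, "->", first_match(rules, path))
    print("shadowed:", shadowed_rules(ROO_WRONG))   # the list.jspx rule can never fire
```

Running shadowed_rules over a config before deployment is a cheap way to catch a permitAll rule that an earlier catch-all has silently overridden, or a broad rule placed above the exception it was meant to have.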
