I am using spring security and have an auth-ref-handler. Inside of it I need to get a property yet that property is not getting set. If I do the same code in my spring MVC controller REST handler method, it works?
spring-security.xml
<context:property-placeholder location="file:/TcatServer6/myapp/properties/myapp/myapp.properties" />
<beans:bean id="adsh" class="com.mycompany.security.ADAuthenticationSuccessHandler"/>
<http auto-config="true">
<intercept-url pattern="/agent/**" access="ROLE_AGENT" />
<intercept-url pattern="/supervisor/**" access="ROLE_SUPERVISOR" />
<form-login
login-page="/r/views/login.html"
authentication-failure-url="/r/views/loginfailed.html"
authentication-success-handler-ref="adsh"
/>
<logout logout-success-url="/logout" />
</http>
In ADAuthenticationSuccessHandler:
#Autowired
#Value("${acr_url}")
private String acrURL;
I have the EXACT same code in one of my spring MVC controllers and it works! In my AuthenticationSuccessHandler it always gets null?
Spring is turning out to be a configuration nightmare with all these things working inconsistently.
Update: Based on the feedback and my test, I think this may be a bug in Spring. Try it for yourself. Just try to get a property out of a property file using the #Autowire or #Value annotations within a Spring AuthenticationSuccessHandler in your spring-security.xml...can someone else try it and see if they get similar results?
Related
I am using GWT and url for my incharge page as
http://www.example.com/backend.html?locale=en&gwt.codesvr=127.0.0.1%3A9997#incharge
I would like to check this url with Spring Role Authorization. I used in my spring-security.xml as below
<sec:http auto-config="false" entry-point-ref="authenticateFilterEntryPoint" access-denied-page="/unSecure.html">
<sec:intercept-url pattern="#incharge" access="ROLE_ADMIN"/>
<sec:logout logout-url="/logout.html" logout-success-url="/login.html" invalidate-session="true"/>
<sec:form-login login-page="/login.html"
login-processing-url="/login_check"
authentication-failure-url="/login.html?error=1"/>
<sec:session-management invalid-session-url="/login.html">
<sec:concurrency-control max-sessions="50" error-if-maximum-exceeded="true"/>
</sec:session-management>
<sec:remember-me key="TBdqj219ab910lsAc12" token-validity-seconds="604800"/>
</sec:http>
But always pass and spring security filter was not bind. Please help me how to check user's role when given url contain #incharge ?
It was long time since I do not use Spring, but seeing this link, the pattern attr looks like powerful.
I am just guessing but probably if you do something like:
pattern="^.*#incharge$", should work.
From my point of view the pattern is the key here. I am not sure if Spring internally respects the hash, but it is worth to try.
:)
I want to integrate LDAP in my spring application.
Requirement:- On request it should divert to my login page then ask for user/password. Then on submit it should authentication from LDAP.
Thanks
There is a special project in Spring called Spring Security for this purpose. The core functionality is built as a set of servlet API filters. There are multiple connectors for user's database (LDAP, DB, Active Directory, etc.) Here you can see how to add a basic conf. Your conf may looks like this:
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
<logout />
</http>
Note that I prefer SpEL expressions for security rules. And here you can see how to add LDAP.
Hope it helps.
Along with that you also need other LDAP configuration like this
<ldap-server url="ldap://localhost:10389/dc=example,dc=com" />
<authentication-manager alias="authenticationManager"
erase-credentials="true">
<ldap-authentication-provider
user-dn-pattern="uid={0},ou=people" group-search-base="ou=groups"
group-search-filter="(members={0})">
</ldap-authentication-provider>
</authentication-manager>
Let me explain my problem.
I have implemented a site in AngularJS that is accessed like this:
http://localhost:8080/example/resources/#/
Here we can call different pages, for example a Login page:
http://localhost:8080/example/resources/#/login
admin page:
http://localhost:8080/example/resources/#/admin
user page:
http://localhost:8080/example/resources/#/user
Now, I have implemented spring security in the example in order to catch every call and check if it has ROLE_USER privileges. So far so good, I have done it like this configuration in Spring security context file:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
This configuration checks for every url called, if the user has the proper ROLES, and it works fine, throws 401 Unauthorized page.
The problem I`m having is that when I put the login page to be accessed by everybody I'll do it this way:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/login**" access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
But I dont know why spring security is not catching this URL. Maybe Angular manages the URL differently.
Finally i have tried deleting the <security:intercept-url pattern="/**" access="ROLE_USER" /> and giving /login** access to ROLE_USER only, but this page was not found. Does anybody know what could be happening here?
Thanks in advance!!!
I wrote a little sample application that illustrates how to integrate AngularJS with Spring Security by exposing the session id as an HTTP header (x-auth-token). The sample also provides some (simple) authorization (returning the roles from the server) so that the client AngularJS application can react to that. This is of course primarily for user-experience (UX) purposes. Always make sure your REST endpoints have property security.
My blog post on this is here.
Here is the Spring Security intercept-url configuration:
<intercept-url pattern="/**.html"
access="ROLE_USER" requires-channel="https" />
I want to make requires-channel="any" for local environment.
Is it possible to add absolute URL in the pattern?
You can use Spring bean definition profiles to achieve that.
<beans profile="local">
</beans>
It's a new feature. Take a look at the entry in Spring Source blog: http://blog.springsource.com/2011/02/11/spring-framework-3-1-m1-released/
<http >
<intercept-url pattern="/a.jsp" access="hasRole('ROLE_X')"/>
</http>
in spring security3.0.7 or 3.1
it is Ok. only 'ROLE_X' can see a.jsp page.
but:
<global-method-security >
<protect-pointcut expression="execution(* test.Test.o1*(..))" access="hasRole('ROLE_X')"/>
</global-method-security>
it is not working,eneryone can use the method test.Test.o1~~
when pre-post-annotations="enabled"
#PreAuthorize("hasRole('ROLE_X')")
it is also not working,eneryone can use the method test.Test.o1~~
i'm so sad~~
any advise or used 'global-method-security' demo , ths.
You need to place this annotation in servlet config.
http://static.springsource.org/spring-security/site/faq/faq.html#faq-method-security-in-web-context
See also:
Can Spring Security use #PreAuthorize on Spring controllers methods?