spring security file:
<intercept-url pattern="/login**" access="permitAll" />
<intercept-url pattern="/resources**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<access-denied-handler error-page="/login"/>
<form-login
login-page="/login"
default-target-url="/planning/view"
authentication-failure-url="/login?error"
login-processing-url="/login?process"
/>
<logout logout-success-url="/login" />
</http>
I want to deny access to all pages except:
- login and login processing pages
- resources folder and subfolders
I should have the correct rules after searching a bit but they don't seem to work. I am not able to see the login?error page and it's not willing to login my user.
Related
I want to block all pages except the login and error page with Spring Security, but if I do pattern="/*" it will lock absolutely all pages and result in an endless redirect. How I can lock all pages except login and error page for authorization?
<http auto-config="true">
<intercept-url pattern="/" access="ROLE_USER"/>
<form-login
login-page="/login"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"/>
<logout logout-success-url="/login?logout"/>
<csrf/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="root" password="root" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
you can intercept login and error page first with access ANONYMOUSLY then intercept all pages, interception ordered based on order you write it, like
<http>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
</http>
in spring security documentation here
I have setup Spring Security on my webapp project.
My application setting for session expiration time is 15 min.
The spring security config is pretty basic and I have
<http use-expressions="true" disable-url-rewriting="true">
<csrf />
<intercept-url pattern="/login/auth" access="permitAll" />
<intercept-url pattern="/login*" access="permitAll" />
<intercept-url pattern="/about" access="permitAll"/>
<intercept-url pattern="/contact-us" access="permitAll"/>
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" requires-channel="any"/>
<session-management invalid-session-url="/?invalidSession=1"
session-authentication-error-url="/login?session=fail"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"
expired-url="/login?invalidSession=1"/>
</session-management>
Now the problem I'm having is that for example given the user sends an invalid session id spring always redirects to the homepage with '/?invalidSession=1'.
I'm saying it is a problem due to the fact that if the user, after a certain period of time, tries for example to go to the /contact-us page (which us an unprotected resource) he gets redirected to the homepage.
I think one solution would be that spring creates a new session and then redirects to the previously requested resource instead of always the invalid-session-url.
How do you deal with these situations?
My web applications is secured with Spring-security and now I'm trying to setup two different login pages. Here is my configuration:
<http use-expressions="true" pattern="/mobile/**">
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ONE','ROLE_TWO')" requires-channel="http"/>
<form-login login-page="/loginm" login-processing-url="/loginm_check" default-target-url="/mobile/menu" authentication-failure-url="/loginmfailed" />
<logout logout-url="/logoutm" logout-success-url="/loginm" />
</http>
<http use-expressions="true">
<intercept-url pattern="/main.html" access="isAuthenticated()" requires-channel="http" />
<form-login login-page="/login" login-processing-url="/login_check" default-target-url="/main.html" authentication-failure-url="/loginfailed"/>
<logout logout-url="/logout" logout-success-url="/login" />
</http>
The second form works well. But the first form doesn't seem to work at all. The server returns 404 for the login-processing-url="/loginm_check".
I'm using the latest Spring-Security 3.1.4.RELEASE.
Can anyone help with this?
Thanks
I'm using Spring 3.2 + primefaces 3.5 + hibernate 4.1.9
The security context is:
<http auto-config='false' use-expressions="true" >
<intercept-url pattern="/**/login" access="permitAll" requires-channel="https"/>
<intercept-url pattern="/**/registration" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/pages/adm/**" access="hasRole('ADMIN')" requires-channel="https" />
<intercept-url pattern="/*/account**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/**" requires-channel="any" />
<form-login login-page="/loginRedirect"
authentication-failure-handler-ref="pennyUrlAuthenticationFailureHandler"
authentication-success-handler-ref="pennyAuthSuccessHandler"
default-target-url="/pages/account/orders.xhtml" />
<logout logout-success-url="/" invalidate-session="true"/>
</http>
If I go to a page that requires HTTPS, for the rest of session, it will use the HTTPS protocol, even if the user is not authenticated.
If I go to https ://mystite/en/cart, HTTPS will be used for all browsing session.
I do not want to switch HTTPS to HTTP forever, but only if the user is not authenticated.
Can I force the HTTP for non-authenticated users?
If I go to a page that requires HTTPS, for the rest of session, it
will use the HTTPS protocol, even if the user is not authenticated.
That's correct because of
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
Also, because of
<intercept-url pattern="/**" requires-channel="any" />
it will stick with HTTPS once the user requested a resource that requires HTTPS. Why would it have to switch back if you say any (HTTPS is as good as any)?
Can I force the HTTP for non-authenticated users?
No, not that I know of. Personally, I don't think this would make much sense either.
I'm using Spring to handle security in my JSF application. I have a login page at /login and I've configured Spring like this:
<http authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/admin" access="ROLE_ADMIN" />
<intercept-url pattern="/javax.faces.resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
I want the admin page at /admin to be available only for users with the ROLE_ADMIN role. Users with ROLE_ADMIN or ROLE_USER may access pages starting from the application root.
When I login with a user having either role I see the page you should see after login. However, whatever my next action may be I get redirected to /login like I'm not logged in. Can someone please explain this as I'm trying to get this thing to work for a day now. I've been reading the Spring 3.1.x documentation but it doesn't give me a clue about how to solve the problem. I'm running Spring 3.1.1.Release by the way.
Extra bonus info: the page you should see after login has an element that should only render if the user had ROLE_ADIN. I can see that element after login. The problems began when I implemented PrettyFaces. I've searched the web for common problems and only came up with that the PrettyFaces filter should appear after the Spring security filter. This is the case so it should work right?
UPDATE: I've updated my config to use expressions. However the problem still exists.
<http authentication-manager-ref="authenticationManager" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/javax.faces.resource/**" access="permitAll" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
Output in Firebug's console just after login (the page tries an AJAX call):
First, always debug Spring Security when having problems (add log4j.logger.org.springframework.security=DEBUG).
Second, I think that you wanted hasAnyRole:
<intercept-url pattern="/**" access="hasAnyRole(ROLE_ADMIN,ROLE_USER)" />
plus add use-expressions="true" to http:
<http authentication-manager-ref="authenticationManager" use-expressions="true">
to allow ROLE_ADMIN xor ROLE_USER users to access page. In your current config user must have both roles to access /**.