Develop Reference

CSRF needs to be disabled for /login spring security

All of my REST interfaces work fine with csrf protection enabled but I need to disable csrf for /login otherwise I get an 403 Forbidden. I use spring security, the login path is available through spring security.
http.csrf().disable()
How to disable csrf protection for particular pages in my website?
Or if it is not a problem to disable CSRF on the login page the problem would also be fixed
EDIT:
.csrf().ignoringAntMatchers("/login")
The login route always needs an login body so there should be no CSRF attack potential, isn't?

if you don't use spring mvc form tags , you can't use spring security csrf support automatically, probably you use plain html form tags that's why you get http 403, you need to manually include csrf token in your form submission.
Either you need to use spring mvc form tags like this
<%# taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
…
<form:form action="" method="POST">
…
</form:form>
or adding csrf token in your plain html form submission manually.
<form action="" method="POST">
<input type="hidden" name="${_csrf.parameterName}" value = "${_csrf.token}" />
…
</form>

Try this out:
Change in Spring-Security.xml:
<security:http use-expressions="true" authentication-manager-ref="authenticationManager">
<security:intercept-url pattern="/auth/**" access="hasAnyRole('ROLE_USER')" />
<security:form-login login-page="/login" authentication-success-handler-ref="loginSuccessHandler" authentication-failure-url="/login" login-processing-url="/j_spring_security_check" />
<security:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
<security:csrf request-matcher-ref="csrfSecurityRequestMatcher" />
</security:http>
CsrfSecurityRequestMatcher
public class CsrfSecurityRequestMatcher implements RequestMatcher {
private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
private RegexRequestMatcher unprotectedMatcher = new RegexRequestMatcher("/ext/**", null);
#Override
public boolean matches(HttpServletRequest request) {
if(allowedMethods.matcher(request.getMethod()).matches()){
return false;
}
return !unprotectedMatcher.matches(request);
}
}

j_spring_security_check returning 404 on Tomcat but works on Jetty

I have a basic Spring security setup with Form based login. When submitting my login action to j_spring_security_check it works on Jetty but fails with 404 code on Tomcat (7 & 8). I am using Spring 3.2.
So submitting to server:port/app/j_spring_security_check returns 404 response.
My security http setup looks like the following:
<security:http >
<security:form-login login-page="/login.jsp"
username-parameter="j_username"
password-parameter="j_password" />
<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="springAccessManagerAuthenticationFilter"/>
<security:intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:session-management></security:session-management>
<security:headers>
<security:cache-control/>
<security:xss-protection/>
<security:hsts/>
<security:frame-options/>
<security:content-type-options/>
</security:headers>
</security:http>
The login page looks like the following:
<%# include file="/WEB-INF/jsp/tags.jsp"%>
<%#page session="false" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Login</title>
</head>
<body id="login">
<form method="POST" action="<c:url value='j_spring_security_check' />"
id="loginForm" autocomplete="off">
Username : <input id="username" type="text" size="15" maxlength="60" name="j_username"><br><br>
Password : <input id="password" type="password" size="15" maxlength="60" name="j_password"><br><br>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
<input value="Login" type="submit" id="submit" name="_eventId_nextpage">
</form>
</body>
</html>
My web.xml has the SpringSecurityFilterChain:
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

I finally figured this out as being a typo in web.xml on the default filter.
I had:
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/logout</url-pattern>
<url-pattern>/j_security_check</url-pattern>
</servlet-mapping>
j_security_check should have been j_spring_security_check

Using Spring Security, how to stay on the login page after a successful login?

Using Spring Security, how can I stay on the login page after a successful login?
This part of my Spring config file:
<http auto-config="true" use-expressions="true">
<form-login authentication-failure-url="/index.jsp?failed=true" default-target-url="/index.jsp" />
<logout logout-success-url="/index.jsp" />
</http>
And I have a jsp fragment file /WEB-INF/jsp/subhead.jspf:
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%# taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<c:url var="postLoginUrl" value="j_spring_security_check" />
<c:url var="logoutUrl" value="j_spring_security_logout"/>
<c:if test="${param.failed == true}">Login Failed...</c:if>
<security:authorize access="isAnonymous()">
<form action="${postLoginUrl}" method="post">
Username: <input type="text" name="j_username"/>
Password: <input type="password" name="j_password" />
<input type="submit" value="Log in"/>
</form>
</security:authorize>
<security:authorize access="isAuthenticated()">
Hi, <security:authentication property="principal.username"/> Log out
</security:authorize>
I have a page say test.jsp:
<html>
<body>
<%# include file="/WEB-INF/jsp/subhead.jspf" %>
</body>
</html>
How can I make
login success
login failed
logout
all redirect back to the login page (test.jsp)?
For now, they will all redirect to /index.jsp.

Spring security repeated redirects

I am using spring security in my application. I want the user to be logged in first before accessing any pages on the server, hence i am taking the redirect approach. But the redirect seems to be in an infinite loop cause it redirects me to the login page no matter how many times i submit the page. I tried debugging and the request always hits the GET instead of the POST method as i expected. I am using LDAP authentication using the details entered by the user on the form. Here is the code in the security context xml . Can someone point me in the right direction.
<http pattern="/resources/**" security="none" />
<http auto-config="true">
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/dashboard"
authentication-failure-url="/loginfailed" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
When i remove the
<form-login login-page="/login" default-target-url="/dashboard"
authentication-failure-url="/loginfailed" />
it defaults to spring login page and it works but i have to use the user credentials from the configuration xml as opposed to LDAP credentials.
Edit**
<%# page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%#taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<c:set var="contextPath" value="${pageContext.request.contextPath}" />
<link rel="stylesheet" href="${contextPath}/resources/css/styles.css" type="text/css">
<h2 style="text-align:center">Login to continue to Application</h2>
<div align="center" class="div">
<form:form method="POST" modelAttribute="login" action="authenticate">
<table>
<tr>
<td><form:label path="username" class="label">Username:</form:label></td>
<td><form:input path="username" class="input"/></td>
<td><form:errors path="username" class="error" /></td>
</tr>
<tr>
<td><form:label path="password" class="label">Password:</form:label></td>
<td><form:password path="password" class="input"/></td>
<td><form:errors path="password" class="error"/></td>
</tr>
<tr>
<td colspan="2" align="right"><input type="submit"
value="Login" class="button"/></td>
</tr>
</table>
</form:form>
</div>
thanks
Sree

#sri
as mentioned in your code i can see that you have intercepted the URL "/login*"
now any url with login at the end will be intercepted by spring security and after that you have to put the correct credentials....
now After giving credentials your are redirected to page /login
now its clear that again our url is ending with login hence it is intercepted again by spring security ...
thats why the loop continues....
Possible Solution
this may work for you,
just put the following code below <http pattern="/resources/**" security="none" /> tag as shown:
code:
<http pattern="/resources/**" security="none" />
<http pattern="/Login.html" security="none" />

Ok. Finally i got to a working state. Here are the changes i made to the security context xml
<intercept-url pattern="/login/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
the url regex change. And also the action in my login.jsp is now
action="/login/authenticate"
and finally the controller request mapping path is updated.
Hope this helps anyone who has a similar issue. I am yet to discover if this is the right approach to achieve it but works for now.
-Sree

Call to j_spring_security_logout not working

I'm trying to setup the logut of my application with j_spring_security_logout but for some reason it's not working, I keep getting a 404 error.
I'm calling the function like this:
<img border="0" id="logout" src="./img/logout.png" />
I have in WebContent/jsp/ my application main page, and the login and logout pages are in WebContent/login/.
I've also checked this other post Problem with Spring security's logout but the solution given there is not working for me.
Here you can see my web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
And here my spring-security.xml
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER" />
<form-login login-page="/login/login.jsp"
authentication-failure-url="/login/errorLogin.jsp"/>
<logout logout-success-url="/" logout-url="/login/logout.jsp" />
</http>
<beans:bean id="myAuthenticationProvider"
class="myapp.web.authentication.WSAuthenticationProvider">
</beans:bean>
<authentication-manager>
<authentication-provider ref="myAuthenticationProvider"/>
</authentication-manager>
Thanks in advance.

the logout-url refers to a virtual URL, you need not have any resource by that name. You can do either this:
<logout logout-success-url="/" logout-url="/j_spring_security_logout" />
and the link on your page like this
<c:url value="/j_spring_security_logout" var="logoutUrl" />
Log Out
OR this:
<logout logout-success-url="/" logout-url="/logout" />
and the link as follows:
<c:url value="/logout" var="logoutUrl" />
Log Out
You were mixing both thats why you were getting 404 error.

check whether csrf is enabled. If csrf enabled, need to use post method to logout, add csrf token as hidden field. then use JavaScript to post the form to logout

With spring security 4 Logout has to be done through form button. CSRF token has to be submitted along. j_spring_security_logout does not work any longer. After spending one day i got following to be working.
Step 1: In your JSP page
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
<input type="submit" value="Logout"/>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
Step 2
<security:http use-expressions="true">
<security:form-login login-page="/login" authentication-failure-url="/login?error=true" />
<security:logout logout-success-url="/login" invalidate-session="true" logout-url="/logout" />
</security:http>
Step 3 In your login controller
//Logout mapping
#RequestMapping("/logout")
public String showLoggedout(){
return "logout";
}
Step 4 You must have one logout.jsp
Important to see that it will land onto login page after logout.
<security:form-login login-page="/login" authentication-failure-url="/login?error=true" />
So this login page must be there with corresponding mappping to login.jsp or whatever to map in your controller.

also heres what your controller should look like
#RequestMapping("/logout")
public String logoutUrl(){
return "logout";
}

first set security-context.xml the following code...
<security:logout logout-success-url="/"
invalidate-session="true" />
then add this code to your jsp file..
<script>
function formSubmit() {
document.getElementById("logoutForm").submit();
}
</script>
<c:url var="logoutUrl" value="/logout" />
Logout
</li>
<form action="${logoutUrl}" method="post" id="logoutForm">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form>

In JAVA-BASED Spring MVC config, you have to configure it in your security config class:
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.servletApi().rolePrefix("");
http
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
}
This answer is doubled from, and is working on my case:
Spring Security Java Config not generating logout url