After I successfully login when I try to login with another browser It redirects me to authentication-failure-url. Why it doesn't redirect to expired-url?
<http auto-config='false' use-expressions="true">
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<logout logout-success-url="/login.xhtml" invalidate-session="true" delete-cookies="JSESSIONID"/>
<form-login login-page="/login.xhtml"
login-processing-url="/j_spring_security_check"
default-target-url="/pages/index.xhtml"
always-use-default-target="true"
authentication-failure-url="/login.xhtml?error=true"/>
<custom-filter before="FORM_LOGIN_FILTER" ref="customAjaxControlFilter" />
<session-management invalid-session-url="/login.xhtml?error=sessionExpired" session-authentication-error-url="/login.xhtml?error=alreadyLogin">
<concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login.xhtml?error=expired"/>
</session-management>
EDIT: By the way, After I successfully logout it redirects me to invalid-session-url. I don't understand what is going on.
This is the expected behaviour. From the manual:
The second login will then be rejected. By “rejected”, we mean that the user will be sent to the authentication-failure-url if form-based login is being used.
This is what happens if you set error-if-maximum-exceeded="true".
The expired-url parameter is used if you haven't set error-if-maximum-exceeded="true". In that case, the new login will be allowed, the original session will be marked as expired and if you try to use it, you will be redirected to this URL.
Related
I have a spring security application. Its working well. When I enter wrong credentials it redirect to spring_security_login?login_error where it show spring default login page. What I want is if user enter wrong credentials its should response with some custom message rather than redirecting to some link.
Here is my config
<http auto-config="true">
<form-login
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you just want to redirect the user to a custom URL use the authentication-failure-url attribute of <form-login>:
<http auto-config="true">
<form-login
authentication-failure-url="/myCustomLoginFailureURL"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you want full control over what happens on login failures, use the authentication-failure-handler-ref attribute:
<beans:bean id="authenticationFailureHandler" class="my.company.AuthenticationFailureHandler" />
<http auto-config="true">
<form-login
authentication-failure-handler-ref="authenticationFailureHandler"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
Note that my.company.AuthenticationFailureHandler needs to implement org.springframework.security.web.authentication.AuthenticationFailureHandler.
I have setup Spring Security on my webapp project.
My application setting for session expiration time is 15 min.
The spring security config is pretty basic and I have
<http use-expressions="true" disable-url-rewriting="true">
<csrf />
<intercept-url pattern="/login/auth" access="permitAll" />
<intercept-url pattern="/login*" access="permitAll" />
<intercept-url pattern="/about" access="permitAll"/>
<intercept-url pattern="/contact-us" access="permitAll"/>
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" requires-channel="any"/>
<session-management invalid-session-url="/?invalidSession=1"
session-authentication-error-url="/login?session=fail"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"
expired-url="/login?invalidSession=1"/>
</session-management>
Now the problem I'm having is that for example given the user sends an invalid session id spring always redirects to the homepage with '/?invalidSession=1'.
I'm saying it is a problem due to the fact that if the user, after a certain period of time, tries for example to go to the /contact-us page (which us an unprotected resource) he gets redirected to the homepage.
I think one solution would be that spring creates a new session and then redirects to the previously requested resource instead of always the invalid-session-url.
How do you deal with these situations?
My web applications is secured with Spring-security and now I'm trying to setup two different login pages. Here is my configuration:
<http use-expressions="true" pattern="/mobile/**">
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ONE','ROLE_TWO')" requires-channel="http"/>
<form-login login-page="/loginm" login-processing-url="/loginm_check" default-target-url="/mobile/menu" authentication-failure-url="/loginmfailed" />
<logout logout-url="/logoutm" logout-success-url="/loginm" />
</http>
<http use-expressions="true">
<intercept-url pattern="/main.html" access="isAuthenticated()" requires-channel="http" />
<form-login login-page="/login" login-processing-url="/login_check" default-target-url="/main.html" authentication-failure-url="/loginfailed"/>
<logout logout-url="/logout" logout-success-url="/login" />
</http>
The second form works well. But the first form doesn't seem to work at all. The server returns 404 for the login-processing-url="/loginm_check".
I'm using the latest Spring-Security 3.1.4.RELEASE.
Can anyone help with this?
Thanks
I'm using Spring to handle security in my JSF application. I have a login page at /login and I've configured Spring like this:
<http authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/admin" access="ROLE_ADMIN" />
<intercept-url pattern="/javax.faces.resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
I want the admin page at /admin to be available only for users with the ROLE_ADMIN role. Users with ROLE_ADMIN or ROLE_USER may access pages starting from the application root.
When I login with a user having either role I see the page you should see after login. However, whatever my next action may be I get redirected to /login like I'm not logged in. Can someone please explain this as I'm trying to get this thing to work for a day now. I've been reading the Spring 3.1.x documentation but it doesn't give me a clue about how to solve the problem. I'm running Spring 3.1.1.Release by the way.
Extra bonus info: the page you should see after login has an element that should only render if the user had ROLE_ADIN. I can see that element after login. The problems began when I implemented PrettyFaces. I've searched the web for common problems and only came up with that the PrettyFaces filter should appear after the Spring security filter. This is the case so it should work right?
UPDATE: I've updated my config to use expressions. However the problem still exists.
<http authentication-manager-ref="authenticationManager" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/javax.faces.resource/**" access="permitAll" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
Output in Firebug's console just after login (the page tries an AJAX call):
First, always debug Spring Security when having problems (add log4j.logger.org.springframework.security=DEBUG).
Second, I think that you wanted hasAnyRole:
<intercept-url pattern="/**" access="hasAnyRole(ROLE_ADMIN,ROLE_USER)" />
plus add use-expressions="true" to http:
<http authentication-manager-ref="authenticationManager" use-expressions="true">
to allow ROLE_ADMIN xor ROLE_USER users to access page. In your current config user must have both roles to access /**.
Imagine the user A have multiple logins (are logged in) in diferent machines. When he logs out in one machine, the other sessions should automatically redirect to login page.
how i can implement this in spring security?
For now, i have tis http configuration on security.xml
<http auto-config="true" use-expressions="true">
<anonymous />
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login.do" />
<logout logout-url="/j_spring_security_logout"
success-handler-ref="myLogoutSuccessHandler" />
<remember-me data-source-ref="dataSource" />
</http>
I would recomment you to have a look at SessionRegistry .You can check this here . There has been a discussion on this at Is it possible to invalidate a spring security session? . Check this out too
Spring sessions are stored as JsessionID cookies. Check here for a discussion on cookie removal.