Develop Reference

How I can block all pages except loginpage?

I want to block all pages except the login and error page with Spring Security, but if I do pattern="/*" it will lock absolutely all pages and result in an endless redirect. How I can lock all pages except login and error page for authorization?
<http auto-config="true">
<intercept-url pattern="/" access="ROLE_USER"/>
<form-login
login-page="/login"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"/>
<logout logout-success-url="/login?logout"/>
<csrf/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="root" password="root" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>

you can intercept login and error page first with access ANONYMOUSLY then intercept all pages, interception ordered based on order you write it, like
<http>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
</http>
in spring security documentation here

Spring Security Basic Authentication in Weblogic by using Adapter

I have an application which needs 2 security http tags to be deployed in weblogic 10.3.6 server, Spring Framework 3.1.2 & spring-security-3.1.2 version:
1, Form-based-Login: for direct logging in by users using login page.
2. Basic Authentication: Rest WebService calls.
I have added FORM_BASED_LOGIN successfully.-THIS works fine
Appreciate any direction for BASIC Auth for REST WebServices.
For Basic Authentication : Weblogic pops-up an additional pop-up where I have to enter the credentials of weblogic console.
To fix this I have found 2 approaches:
1. Updating the server config.xml file with the below tag:
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
Reference: Spring Security HTTP Basic Authentication
Adding an adapter and applicationContext-acegi-security.xml
and WeblogicAuthenticationFilter
I like to do the 2nd approach as it does not involve any changes to server configuration.
It would be great if any one could point me in the right direction or an example to achieve this.
Reference: http://docs.tpu.ru/docs/oracle/en/fmw/11.1.1.6.0/web.1111/e14453/security.htm
Update : Adding my current spring-security configuration:
<http create-session="stateless" entry-point-ref="basicAuthEntryPoint" pattern="/api/**" use-expressions="true">
<intercept-url pattern="/api/listbyorderid" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/api/listbycustomerid" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER" />
</http>
<http auto-config="false" use-expressions="true" access-denied-page="/security/denied" entry-point-ref="authenticationEntryPoint">
<intercept-url pattern="/security/login" access="permitAll" />
<intercept-url pattern="/layouts/*" access="permitAll"/>
<intercept-url pattern="/tiles/*" access="permitAll"/>
<intercept-url pattern="/jquery/*" access="permitAll"/>
<intercept-url pattern="/css/*" access="permitAll"/>
<intercept-url pattern="/admin/css/*" access="permitAll"/>
<intercept-url pattern="/admin/images/*" access="permitAll"/>
<intercept-url pattern="/admin/ico/*" access="permitAll"/>
<intercept-url pattern="/admin/jquery/*" access="permitAll"/>
<logout invalidate-session="true" logout-url="/j_spring_security_logout" success-handler-ref="logoutSuccessHandler" delete-cookies="JSESSIONID"/>
<!-- Custom filter to deny unwanted users even though registered -->
<custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR" />
<!-- Custom filter for username, password and domain. The real customization is done in the customAuthenticationManager -->
<custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
</http>
Thanks in Advance.

Spring Security supports this out of the box. You can take a look at helloworld-jc for a Java Based Configuration or helloworld-xml for an xml based configuration. Given you are on servlet 2.5 with weblogic 10.3.6 you will want to use the XML sample.

question mark ? in spring intercept-url (for resource versioning, query strings, ...)

spring security file:
<intercept-url pattern="/login**" access="permitAll" />
<intercept-url pattern="/resources**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<access-denied-handler error-page="/login"/>
<form-login
login-page="/login"
default-target-url="/planning/view"
authentication-failure-url="/login?error"
login-processing-url="/login?process"
/>
<logout logout-success-url="/login" />
</http>
I want to deny access to all pages except:
- login and login processing pages
- resources folder and subfolders
I should have the correct rules after searching a bit but they don't seem to work. I am not able to see the login?error page and it's not willing to login my user.

spring security: http if user not authenticate

I'm using Spring 3.2 + primefaces 3.5 + hibernate 4.1.9
The security context is:
<http auto-config='false' use-expressions="true" >
<intercept-url pattern="/**/login" access="permitAll" requires-channel="https"/>
<intercept-url pattern="/**/registration" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/pages/adm/**" access="hasRole('ADMIN')" requires-channel="https" />
<intercept-url pattern="/*/account**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/**" requires-channel="any" />
<form-login login-page="/loginRedirect"
authentication-failure-handler-ref="pennyUrlAuthenticationFailureHandler"
authentication-success-handler-ref="pennyAuthSuccessHandler"
default-target-url="/pages/account/orders.xhtml" />
<logout logout-success-url="/" invalidate-session="true"/>
</http>
If I go to a page that requires HTTPS, for the rest of session, it will use the HTTPS protocol, even if the user is not authenticated.
If I go to https ://mystite/en/cart, HTTPS will be used for all browsing session.
I do not want to switch HTTPS to HTTP forever, but only if the user is not authenticated.
Can I force the HTTP for non-authenticated users?

If I go to a page that requires HTTPS, for the rest of session, it
will use the HTTPS protocol, even if the user is not authenticated.
That's correct because of
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
Also, because of
<intercept-url pattern="/**" requires-channel="any" />
it will stick with HTTPS once the user requested a resource that requires HTTPS. Why would it have to switch back if you say any (HTTPS is as good as any)?
Can I force the HTTP for non-authenticated users?
No, not that I know of. Personally, I don't think this would make much sense either.

Unexpected redirect to login page after successful login

I'm using Spring to handle security in my JSF application. I have a login page at /login and I've configured Spring like this:
<http authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/admin" access="ROLE_ADMIN" />
<intercept-url pattern="/javax.faces.resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
I want the admin page at /admin to be available only for users with the ROLE_ADMIN role. Users with ROLE_ADMIN or ROLE_USER may access pages starting from the application root.
When I login with a user having either role I see the page you should see after login. However, whatever my next action may be I get redirected to /login like I'm not logged in. Can someone please explain this as I'm trying to get this thing to work for a day now. I've been reading the Spring 3.1.x documentation but it doesn't give me a clue about how to solve the problem. I'm running Spring 3.1.1.Release by the way.
Extra bonus info: the page you should see after login has an element that should only render if the user had ROLE_ADIN. I can see that element after login. The problems began when I implemented PrettyFaces. I've searched the web for common problems and only came up with that the PrettyFaces filter should appear after the Spring security filter. This is the case so it should work right?
UPDATE: I've updated my config to use expressions. However the problem still exists.
<http authentication-manager-ref="authenticationManager" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/javax.faces.resource/**" access="permitAll" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
Output in Firebug's console just after login (the page tries an AJAX call):

First, always debug Spring Security when having problems (add log4j.logger.org.springframework.security=DEBUG).
Second, I think that you wanted hasAnyRole:
<intercept-url pattern="/**" access="hasAnyRole(ROLE_ADMIN,ROLE_USER)" />
plus add use-expressions="true" to http:
<http authentication-manager-ref="authenticationManager" use-expressions="true">
to allow ROLE_ADMIN xor ROLE_USER users to access page. In your current config user must have both roles to access /**.