Spring security 3.2.0 > <security:form-login /> deprecated - spring

I have a problem with spring security 3.2.0 RC1
I'm using the tags to connect me
<security:http>
<security:intercept-url pattern="/paginas/**" access="ROLE_ADMIN"/>
<security:form-login login-page="/publico/login.xhtml" always-use-default-target="true"
default-target-url="/paginas/funcionario.xhtml" authentication-failure-url="/publico/login.xhtml?login_error=1"/>
<security:logout invalidate-session="true" logout-success-url="/publico/login.xhtml"/>
<security:remember-me/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSourceMySQL"
users-by-username-query="select usuario, senha, ativo from funcionario where usuario = ?"
authorities-by-username-query="select f.usuario, f.permissao from funcionario f where f.usuario = ?"/>
</security:authentication-provider>
</security:authentication-manager>
<security:form-login />
This says "Method 'setFilterProcessesUrl' is marked deprecated"
<security:logout />
This says "Method 'setFilterProcessesUrl' is marked deprecated"
Could someone tell me any alternative?
Thanks!

I'm not sure if this answer can help you.
However, the warning message generated by IDE is not a big problem because you did not use the deprecated method.
I'm using spring security too and I also can see the same warning message but the service is working perfectly.
I'm sorry if the answer is not you wanted.

Related

Spring security don't asks for login and password [duplicate]

My application can have below URLs:
/siteadmin/homepage/
/siteusers/customer/createCustomer
Below is my spring-security.xml:
<beans:beans>
<http auto-config="true">
<intercept-url pattern="/siteusers***" access="isAuthenticated()" />
<!-- <intercept-url pattern="siteusers/home/*" access="hasRole('USER') OR hasRole('ADMIN')" /> -->
<intercept-url pattern="/siteadmin***" access="hasRole('ROLE_ADMIN')" />`enter code here`
<form-login login-page="/siteusers/loginprocess/login" default-target-url="/siteusers/home/homepage"
login-processing-url="/siteusers/loginprocess/login"
authentication-failure-url="/siteusers/loginprocess/login?error" username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/siteusers/loginprocess/login?logout" logout-url="/siteusers/loginprocess/logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="b" password="123456" authorities="ROLE_ADMIN" />
<user name="a" password="a" authorities="ROLE_USER" /><!-- This user can not access /admin url -->
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
If I logged in with user 'a' and hit URL http://localhost:8080/siteadmin/homepage/ it is allowing user 'a' to view the page although his role is not admin. But when I try to hit http://localhost:8080/siteadmin then Spring Security is working fine ie. its showing access denied page.
I want to restrict /admin/* URLs for users who doesn't have Admin role.
See AntPathMatcher:
The mapping matches URLs using the following rules:
? matches one character
* matches zero or more characters
** matches zero or more directories in a path
Some examples:
com/t?st.jsp - matches com/test.jsp but also com/tast.jsp or com/txst.jsp
com/*.jsp - matches all .jsp files in the com directory
com/**/test.jsp - matches all test.jsp files underneath the com path
org/springframework/**/*.jsp - matches all .jsp files underneath the org/springframework path
org/**/servlet/bla.jsp - matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp
Your pattern /siteadmin***misses slashes. Use /siteadmin/**.

How to handle simultaneous logins?

In my webapp the login page is http://localhost:8080/vsingh/login
I am able to do below
Open tab1 and open the login page
Open tab2 and open the login page
In tab1 login with USER1. User is redirected to homepage. Now open tab2 and login with USER2. Now user is redirected to homepage of USER1.
How can I logout USER1 automatically in this case? Any pointers are appreciated.
PS: I do redirect automatically to homepage is user is already logged in and hits the login page, however in this case, the tab was already open before the user attempted login
#RequestMapping("/login")
public String login() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (!(auth instanceof AnonymousAuthenticationToken) && auth != null) {
return "redirect:userHome";
}
return "login";
}
Spring Security XML
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/*" access="permitAll" />
<access-denied-handler error-page="/login"/>
<form-login login-page="/login"
authentication-failure-handler-ref="customAuthFailureHandler"
username-parameter="username" password-parameter="password"
authentication-success-forward-url="/userHomeX" />
<csrf />
<logout logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<password-encoder ref="encoder" />
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT USERNAME, RTRIM(PASSWORD) AS PASSWORD, CASE WHEN ENABLED=1 AND ADMIN_LOCK = 0 THEN 1 ELSE 0 END AS ENABLED FROM JWBDATABASE.JWBSCHEMA.USERS WHERE USERNAME=?"
authorities-by-username-query="SELECT USERNAME,USER_ROLE AS ROLE FROM JWBDATABASE.JWBSCHEMA.USERS WHERE USERNAME=?" />
</authentication-provider>
</authentication-manager>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11" />
</beans:bean>
<beans:bean id="customAuthFailureHandler"
class="com.vj.authenticationManager.CustomAuthFailureHandler">
</beans:bean>
Why it is not duplicate?
Question is not about allowing multiple logins in different tabs but somehow force a single login for all tabs. If someone logins thru an already open login page with a different userid, either the old one should be forced logged out or throw an error on new login with some message

Spring security logout - add a message only when logout triggered from a logged in user

Lets say my logout URL is: app/logout.
I need to show a message - "You are succesfully logged out" in logout page only when logout was triggred by clikcing the logout button.
The message should not be displayed if the user enters this URL directly. Any idea how to implement this?
Controller:
#RequestMapping(value ="/logout", method = RequestMethod.GET)
public ModelAndView logout(HttpServletRequest request, HttpServletResponse response) {
ModelAndView model = new ModelAndView();
//some code here to distingish
model.addObject("msg", "You are succesfully logged out!");
model.setViewName("login");
return model;
}
Spring-Security.xml:
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http auto-config="true" create-session="ifRequired" use-expressions="true">
<intercept-url pattern="/logout" access="IS_AUTHENTICATED_REMEMBERED"/>
<form-login
login-page="/login"
default-target-url="/home"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID"/>
<!-- enable csrf protection -->
<csrf/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="mkyong" password="123456" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
As it is for Spring Security, I think that the simplest way is to use spring security to restrict /logout to authenticated users.
Using the namespace it would be :
<intercept-url pattern="/logout" access="IS_AUTHENTICATED_REMEMBERED"/>
Using Java configuration, it would be :
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/logout").authenticated()
...
}
Add #RequestParam(value = "foo", required = false) Boolean foo
Add this additional parameter to logout button, if foo exist and is true do your logic

spring security and angularjs redirecting back to given url after login

I have a web application using spring 3.2.The login process is done through spring security.When a user gives a url to view the profile of a particular user he will redirect to login page if he is not logged in.I need to go back to the user's profile if he is not successfully logged in.Since I am using angular js my urls are in the form
http://mydomain.com/#/view-profile/71 to view the profile of the user.If I am not logged in it will redirect to login page.In the browser url becomes http://mydomain.com/login#/view-profile/71 but after successful login it is not redirecting to the specified url.How can I make that with angularjs.
In app.js I have given like this
$routeProvider.when('/view-profile/:id',
{
templateUrl: '/partials/editor/view-profile.htm',
action: 'kc.view-profile',
resolve: {
loadData: ViewCtrl.loadUserProfile
}
}
);
And for authentication in security.xml it is written like
<http use-expressions="true">
<!-- Authentication policy -->
<form-login login-page="/login" login-processing-url="/j_security_check" authentication-failure-url="/login?error=true"/>
<logout logout-url="/signout" delete-cookies="JSESSIONID" />
<intercept-url pattern="/assets/**" access="permitAll" />
<intercept-url pattern="/application/signin/**" access="permitAll" />
<intercept-url pattern="/application/signup/**" access="permitAll" />
<intercept-url pattern="/application/manage/**" access="ROLE_EDITOR" />
<interce
pt-url pattern="/application/**" access="isAuthenticated()" />
<!--<intercept-url pattern="/application/connect/**" access="permitAll" />-->
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDao">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
Spring Security doesn't support Ajax login out-of-the-box, that's why your application isn't working correctly.
You can have a look at this sample application that handles Ajax login/logout with AngularJS + Spring Security:
https://github.com/jhipster/jhipster-sample-app
I had to implement some specific Ajax handlers, as you can see here:
https://github.com/jhipster/jhipster-sample-app/tree/master/src/main/java/com/mycompany/myapp/security

SSL only during login with spring security

I'm trying to use https only during login.
The problem is that when the application tries to switch from https to http I end up being redirected to the login form (as if the session is getting destroyed).
Here is the configuration I'm using:
<s:http auto-config="true" access-denied-page="/erro-403"
create-session="never">
<s:port-mappings>
<s:port-mapping http="8080" https="8443" />
</s:port-mappings>
<s:intercept-url pattern="/preferencias" access="IS_AUTHENTICATED_REMEMBERED"
requires-channel="http" />
<s:intercept-url pattern="/admin/**" access="ROLE_SIPAS_ADMIN"
requires-channel="http" />
<s:intercept-url pattern="/area-prestador/**"
access="ROLE_SIPAS_PRESTADOR, ROLE_SIPAS_ATENDENTE, ROLE_SIPAS_ADMIN"
requires-channel="http" />
<s:intercept-url pattern="/**"
access="IS_AUTHENTICATED_ANONYMOUSLY,IS_AUTHENTICATED_REMEMBERED"
requires-channel="https" />
<s:form-login login-page="/login" default-target-url="/"
authentication-failure-url="/login-error" always-use-default-target="false" />
<s:logout logout-url="/logout" logout-success-url="/" />
<s:remember-me />
</s:http>
<s:authentication-manager>
<s:authentication-provider user-service-ref="authenticationMBean">
<s:password-encoder hash="md5" base64="true" />
</s:authentication-provider>
</s:authentication-manager>
The only workaround that I've found is to check the remember-me option.
Any ideas of what am I doing wrong?
Although it's been a long time this question was posted and I am sure the author must have found a solution already, I am posting this answer for future reference.
This issue is discussed in Spring Security FAQs. A quick solution is to add this element to your s:http element:
<s:session-management session-fixation-protection="none"/>

Resources