AngularJS and Spring Security. How to handle AngularJS Urls with Spring Security - spring

Let me explain my problem.
I have implemented a site in AngularJS that is accessed like this:
http://localhost:8080/example/resources/#/
Here we can call different pages, for example a Login page:
http://localhost:8080/example/resources/#/login
admin page:
http://localhost:8080/example/resources/#/admin
user page:
http://localhost:8080/example/resources/#/user
Now, I have implemented Spring Security in the example in order to catch every call and check if it has ROLE_USER privileges. So far so good; I have done it with this configuration in the Spring Security context file:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
        authentication-manager-ref="authenticationManager">
    <security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
This configuration checks for every url called, if the user has the proper ROLES, and it works fine, throws 401 Unauthorized page.
The problem I'm having is that when I put the login page to be accessed by everybody I'll do it this way:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
        authentication-manager-ref="authenticationManager">
    <security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
    <security:intercept-url pattern="/login**" access="ROLE_ANONYMOUS" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
But I don't know why Spring Security is not catching this URL. Maybe Angular manages the URL differently.
Finally, I have tried deleting the <security:intercept-url pattern="/**" access="ROLE_USER" /> and giving /login** access to ROLE_USER only, but this page was not found. Does anybody know what could be happening here?
Thanks in advance!!!

I wrote a little sample application that illustrates how to integrate AngularJS with Spring Security by exposing the session id as an HTTP header (x-auth-token). The sample also provides some (simple) authorization (returning the roles from the server) so that the client AngularJS application can react to that. This is of course primarily for user-experience (UX) purposes. Always make sure your REST endpoints have proper security.
My blog post on this is here.
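
An added illustration (not part of the original question or answer, and not Spring's code) of what the server sees for the question's URLs: the browser never sends the part after `#`, so every AngularJS route arrives as the same path and `/login**` is never the rule that applies. The `/example` context path and the simplified Ant-style matcher are assumptions.

```javascript
// Added example: constructed data, simplified Ant-style matching (not Spring's code).

// Ordered rules from the question's second <security:http> block.
const RULES = [
  { pattern: "/login**", access: "ROLE_ANONYMOUS" },
  { pattern: "/**", access: "ROLE_USER" },
];

// Assumption: "/example" is the servlet context path, so patterns are
// matched against the path inside the application.
const CONTEXT_PATH = "/example";

// Simplified Ant-style pattern: a whole "**" segment spans directories,
// "*" and "?" stay inside one path segment.
function antToRegExp(pattern) {
  const segs = pattern.split("/").map((seg) =>
    seg === "**"
      ? ".*"
      : seg
          .replace(/[.+^${}()|[\]\\]/g, "\\$&")
          .replace(/\*/g, "[^/]*")
          .replace(/\?/g, "[^/]")
  );
  return new RegExp("^" + segs.join("/") + "$");
}

// The browser keeps the "#..." fragment to itself; only the path reaches
// the servlet container and therefore the Spring Security filter chain.
function serverSidePath(browserUrl) {
  const u = new URL(browserUrl);
  const path = u.pathname.startsWith(CONTEXT_PATH)
    ? u.pathname.slice(CONTEXT_PATH.length)
    : u.pathname;
  return { path, fragment: u.hash };
}

// intercept-url elements are tried in order; the first match decides.
function requiredAccess(browserUrl) {
  const { path } = serverSidePath(browserUrl);
  const rule = RULES.find((r) => antToRegExp(r.pattern).test(path));
  return rule ? rule.access : null;
}

for (const route of ["", "login", "admin", "user"]) {
  const url = "http://localhost:8080/example/resources/#/" + route;
  console.log(url, "->", serverSidePath(url).path, requiredAccess(url));
}
```

All four routes from the question resolve to the path `/resources/` and the `/**` rule, so the login view and the REST calls behind it have to be permitted by server-side paths rather than by the client-side route.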

Related

Spring security: Why use http-basic and form-login together?

When using Spring Security, how does this code work? Specifically, why is basic authentication used together with form login; aren't they mutually exclusive? In what situation does it make sense to use both of them, like in the sample code below:
<http>
    <intercept-url pattern='/login.jsp' access='permitAll' />
    <intercept-url pattern='/**' access='ROLE_USER' />
    <http-basic />
    <form-login login-page='/login.jsp' always-use-default-target='true' />
</http>
I suppose that you can use them separately. But using them together allows us to secure REST services using Basic Auth and web pages using form login.

Spring Security this kind of http://localhost:8080/WEB/edit-employee/{ID} url not authenticating

I have configured one Spring Security context for my project. By using intercept-url I am able to authenticate all URLs, but when I pass some ID over the URL, authentication is not happening.
<intercept-url pattern="/**" access="isAuthenticated()"/>
Working URLS
http://localhost:8080/WEB/add-employee
http://localhost:8080/WEB/view-employee
Not working URLS
http://localhost:8080/WEB/edit-employee/1
http://localhost:8080/WEB/edit-employee/2
1 and 2 are the IDs I am passing over the URL. The above URL patterns are not working (that is, when I am passing an ID over the URL).
And I have tried many combinations in intercept-url, but I am not getting the correct result.
<http use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()"/> <!-- this means all URLs in this app will be checked if the user is authenticated -->
    <!-- We will just use the built-in form login page in Spring -->
    <form-login login-page="/" login-processing-url="/j_spring_security_check" default-target-url="/home" authentication-failure-url="/"/>
    <logout logout-url="/logout" logout-success-url="/"/> <!-- the logout url we will use in JSP -->
</http>
Delete the line <intercept-url pattern="/edit-employee/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> to disallow anonymous access to that URL.

SpringSecurity do not forward to https

Dear All,
We have added Spring Security for our web application. Login url seems like this
https://www.xyz.com/app/login.do
After login it should redirect to other URLs with the same https protocol. Right now Spring Security redirects us to other URLs, but with http, not https.
Please tell us if any specific settings are needed.
Thanks,
Op
Within your spring security definitions, inside your intercept-url tag you need to add requires-channel="https"
For example:
<sec:intercept-url pattern="/login.jsp*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/j_spring_security_check*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY"/>

POST to login-processing-url yields HTTP/404

Env:
Spring 3.1.3
Spring security: 3.1.3
Spring ldap: 1.3.1
JDK1.6
Problem:
I get a 404 on my login-processing-url.
Details:
I have three http intercept blocks: a public one, the second one used to intercept and
secure URLs for admins (uses authentication manager 1) and the third one for regular users
(uses authentication manager 2).
When the login form in http intercept block 1 posts the credentials to the login-processing-url of the form login, it yields 404. I do not get this - since the form login
announces the login-processing-url, shouldn't that filter chain recognize that URL?
Also, should I explicitly do "permitAll" on the login-processing-url of a form or is that
automagically done under the covers?
Lastly, is it problematic to have distinct http interceptor blocks to have distinct
login-processing-urls? (I cannot see why - but I ask anyways).
Configs:
Spring security configuration:
//...
<debug />
<global-method-security secured-annotations="enabled" />
<http pattern="/public/**" security="none"/>
<http use-expressions="true" pattern="/protected/x/support/**" authentication-manager-ref="lAdminAuthManager">
    <intercept-url pattern="/protected/x/support/**" access="hasRole('ROLE_ADMIN')"/>
    <form-login login-page="/public/login.jsp"
        login-processing-url="/protected/x/support/j_spring_security_check"
        username-parameter="username"
        password-parameter="password"
        authentication-failure-url="/login/form?error"
        default-target-url="/protected/x/support/index.html"/>
</http>
<http use-expressions="true" entry-point-ref="lUserLoginEntryPoint">
    <intercept-url pattern="/protected/x/foo1/**" access="permitAll"/>
    <intercept-url pattern="/protected/x/foo2/**" access="permitAll"/>
    <intercept-url pattern="/j_spring_security_check" access="permitAll"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <custom-filter ref="lUserLoginFilter" position="FORM_LOGIN_FILTER"/>
    <custom-filter ref="lPreauthAuthenticationFilter" position="PRE_AUTH_FILTER" />
</http>
//...
Any hints greatly appreciated!
Thanx,
Uma
Anyway, check the links below. They may help you.
Visit http://krams915.blogspot.com/2010/12/spring-security-mvc-integration_18.html
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html
Even a small URL conflict in the config files will cause a 404 error.

HTTPSessions and Spring

I'm developing a web application using spring.
Here's the problem, say I have these three urls,
www.sample.com/login.do
www.sample.com/homePage.do
www.sample.com/about.jsp
What I want is that the about.jsp page should be accessible whether the user is logged in or not. And if the user is not logged in and tries to access homePage.do, he should be redirected to the login.do page, and vice versa.
I think for this to work I need HTTPSessions, but I don't know how to manage HTTPSessions in Spring.
Can I accomplish this using some filters? If so can you please guide me through it?
I'm hoping to use Spring MVC and/or Spring Annotations.
Use Spring Security!
Your Spring config file will look a bit like this:
<security:http auto-config="true" use-expressions="true">
    <!-- Patterns and URLs start with "/" so they match the request path -->
    <security:intercept-url pattern="/login.do" access="permitAll"/>
    <security:intercept-url pattern="/about.jsp" access="permitAll"/>
    <security:intercept-url pattern="/homePage.do" access="isAuthenticated()"/>
    <security:form-login
        login-page="/login.jsp"
        authentication-failure-url="/login?error=true"
        default-target-url="/homePage.do"/>
</security:http>
<security:authentication-manager>
    ...
</security:authentication-manager>

Resources