After successfull login, it doesn't redirects to "index.php". It redirects same page which is "login.php". Is there something wrong with my spring-security.xml page?
By the way when I run the application it redirects me to "login.php" which is good. But It doesn't shows primefaces components but html components. After I succesfully login, It redirects the same page but this time It shows Primefaces components instead of html components.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/pages/login.xhtml*" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('admin')" />
<form-login login-page='/pages/login.xhtml' default-target-url="/pages/index.xhtml"
authentication-failure-url="/pages/login.xhtml"/>
<logout logout-success-url="/pages/logout.xhtml" />
</http>
<!--Authentication Manager Details -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="customUserDetailsService">
<!-- <password-encoder hash="md5"/>-->
</authentication-provider>
</authentication-manager>
my web.xml
<welcome-file-list>
<welcome-file>pages/index.xhtml</welcome-file>
</welcome-file-list>
my login page
<p:outputPanel id="loginOutputPanelId" style="border: navy">
<p:panelGrid id="loginInformationPanel" columns="2">
<h:outputText value="Username: "/>
<p:inputText value="#{loginController.userName}"/>
<h:outputText value="Password: "/>
<p:inputText value="#{loginController.password}"/>
</p:panelGrid>
<p:commandButton value="Login" actionListener="#{loginController.login()}"/>
</p:outputPanel>
my loginController.login() method returns "index" string and my faces.config;
<navigation-rule>
<from-view-id>/pages/login.xhtml</from-view-id>
<navigation-case>
<from-outcome>index</from-outcome>
<to-view-id>/pages/index.xhtml</to-view-id>
<redirect />
</navigation-case>
</navigation-rule>
EDIT:
without component it runs without any problem. When i add form-login it says "The webpage at http://localhost:8080/myApplication/pages/login.xhtml has resulted in too many redirects".
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/**" access="hasRole('admin')" />
<logout logout-success-url="/pages/logout.xhtml" />
<form-login login-page="/pages/login.xhtml"
login-processing-url="/j_spring_security_check"
default-target-url="/pages/index.xhtml"
authentication-failure-url="/pages/login.xhtml"/>
</http>
My login page
<p:outputPanel id="loginOutputPanelId" style="border: navy">
<p:panelGrid id="loginInformationPanel" columns="2">
<h:outputText value="Kullanıcı Adı: "/>
<p:inputText id="j_username" required="true" value="#{loginController.userName}"/>
<h:outputText value="Şifre: "/>
<p:inputText id="j_password" required="true" value="#{loginController.password}"/>
</p:panelGrid>
<p:commandButton id="login" type="submit" ajax="false" value="Login" actionListener="#{loginController.login()}"/>
</p:outputPanel>
My new loginController.login() method;
ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
RequestDispatcher dispatcher = ((ServletRequest) context.getRequest())
.getRequestDispatcher("/j_spring_security_check");
dispatcher.forward((ServletRequest) context.getRequest(),
(ServletResponse) context.getResponse());
FacesContext.getCurrentInstance().responseComplete();
To force spring-security to go to /pages/index.xhtml, you can use property always-use-default-target as this :
<form-login login-page='/pages/login.xhtml'
default-target-url="/pages/index.xhtml"
always-use-default-target="true"
authentication-failure-url="/pages/login.xhtml"/>
Otherwise, the login page should be shown automatically by spring security when the user calls a secured resource, and once login done, continue to the secured resource it was originally asked for.
In your case, some confusion seems to come from the fact that you want spring security to handle the login, and you try to handle it yourself with a jsf actionListener and navigation rules.
putting "<form-login [...]" in the configuration essentially tells spring to activate a filter (UsernamePasswordAuthenticationFilter) that will listen to requests made to /j_spring_security_check . If you want spring to handle login, by default your form login must request this url, passing two parameters : j_username and j_password .
This way, spring's UsernamePasswordAuthenticationFilter will kick in and try to authenticate the provided credentials using the UserDetailsService you configured in your AuthenticationProvider.
I think you have to remove your jsf controller for login and use spring-security to handle authentication.
Hope this helps.
PS : make sure your web.xml defines the DelegatingFilterProxy before all other servlet filters :
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Please check your Faces Servlet URL pattern in web.xml.
If it contains .jsf like:
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
then you must update your code in spring-security.xml like:
<form-login login-page="/pages/login.jsf"
login-processing-url="/j_spring_security_check"
default-target-url="/pages/index.jsf"
authentication-failure-url="/pages/login.jsf"/>
Related
I want to add a field to my jsp which will be shown only to admin. For this purpose I use tag sec:authorize access="hasRole('Admin')". But when I add it, application throws exception: http://pastebin.com/TcN0k0K0
I use spring 4.1.7.RELEASE, spring-security version 4.0.3.RELEASE. In pom.xml I've added spring-security-taglibs v.4.0.3
here is my jsp code:
<%# taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html>
<body>
<sec:authorize access="hasRole('Admin')">
<p>Must have ROLE_Admin to see this</p>
</sec:authorize>
<form name='registerForm' method='POST' action="/admin/createuser">
...
in database role stored as ROLE_Admin, ROLE_User
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<http use-expressions="true" >
<csrf disabled="true"/>
<intercept-url pattern="/admin" access="hasAnyRole('Admin', 'User')" />
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<access-denied-handler error-page="/403" />
<form-login login-page='/login' login-processing-url="/login" authentication-failure-url="/403"
default-target-url="/admin"
username-parameter="login" password-parameter="password" />
<logout logout-url="/logout" logout-success-url="/logoutSuccessful" delete-cookies="JSESSIONID" invalidate-session="true" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="myDataSource"
users-by-username-query= "select login, password, 'true' from employee where login=?"
authorities-by-username-query= "select login, role from employee where login =? " />
</authentication-provider>
</authentication-manager>
<beans:import resource="data-source-cfg.xml"/>
</beans:beans>
How to fix this problem?
take a look at this post, the problem you are getting is about the spring version. You have two options:
1 - To keep using spring security 4.0.3 you must upgrade Spring version for 4.2.x.
2 - To keep using your current spring version you must downgrade to the Spring security 4.0.2
Best Regards
I'm trying to implement two security realms using spring security. I am using Spring security 3.1.4 RELEASE and Spring 3.2.0 RELEASE. In my web application there are two users and they should be authenticate separately. Therefore I tried to use multiple http elements to filter url pattern and redirect to corresponding login page.
Here is my Spring-security.xml.
<beans:beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd" xmlns:beans="http://www.springframework.org/schema/beans">
<security:http pattern="/admin/**" auto-config="true" use-expressions="true">
<security:form-login login-page="/admin/login" default-target-url="/admin/dashboard"
authentication-failure-url="/admin/loginfailed"/>
<security:logout logout-success-url="/admin/logout"/>
<security:intercept-url pattern="/admin/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/admin/login" access="permitAll"/>
<security:intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
</security:http>
<security:http pattern="/customer/**" auto-config="true" use-expressions="true">
<security:form-login login-page="/customer/login" default-target-url="/customer/reports"
authentication-failure-url="/customer/loginfailed"/>
<security:logout logout-success-url="/customer/logout"/>
<security:intercept-url pattern="/customer/j_spring_security_check" access="permitAll"/>
<security:intercept-url pattern="/customer/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/customer/login" access="permitAll"/>
<security:intercept-url pattern="/customer/*" access="hasRole('ROLE_ADMIN')"/>
</security:http>
<beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
<beans:property name="jndiName">
<beans:value>java:/myDS</beans:value>
</beans:property>
</beans:bean>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT login_name AS username, password, 1 AS enabled
FROM tbl_user WHERE login_name=?"
authorities-by-username-query="SELECT login_name , CASE role_id WHEN 2 THEN 'ROLE_USER' WHEN 1 THEN 'ROLE_ADMIN'ELSE '' END AS authority
FROM tbl_user WHERE login_name=?"
/>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
Here is my web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Here is my login.jsp
enter code here
<c:url value="/j_spring_security_check" var="url" />
<form c role="form" action="${url}" method='POST'>
<div>
<label>Email</label>
<div >
<input type="email" name="j_username" id="inputEmail3"
placeholder="Email">
</div>
</div>
<div >
<labe>Password</label>
<div>
<input type="password" name="j_password" id="inputPassword3"
placeholder="Password">
</div>
</div>
<div class="form-group">
<div>
<button type="submit">Sign in</button>
</div>
</div>
</form>
When I remove the url patterns in the http elements, it's perfectly works. Actually I can't remove both url patterns. I tried by removing "/customer/**" and it works for customer login. But when url pattern is present, j_spring_security_check 404 not fount error occurred.
According to the spring security documentation, we can add multiple http elements with different url patterns.
Please help me to find a solution for this.
You can add as many http elements as you want, BUT you will also have to change the login-url accordingly. Currently you haven't changed anything leaving the default /j_spring_security_check in place. Whereas you want a /admin/j_spring_security_check and /customer/j_spring_security_check.
To enable this you will need to configure the login-processing-url on the <form-login /> element, just like you specified the login-page attributes. Do this for each http element.
<security:form-login login-page="/admin/login" login-processing-url="/admin/j_spring_security_check" default-target-url="/admin/dashboard" authentication-failure-url="/admin/loginfailed" />
I'm using spring security 3.1.4 and i would like to limit the number of session per user to 1 but if someone tries to log in it will close the old session and open a new one (instead of not allowing to log in) how can i do this?
EDIT:
this is what i added to the xmls:
web.xml
<listener>
<listener-class>
com.net.filter.session.SessionListener
</listener-class>
</listener>
SessionListener extends HttpSessionEventPublisher
security.xml
<security:intercept-url pattern="/**"
access="isAuthenticated()" />
<security:session-management>
<security:concurrency-control
max-sessions="1"/>
</security:session-management>
<security:form-login
authentication-success-handler-ref="playerAuthenticationSuccessHandler" />
<security:logout logout-url="/player/logout"
success-handler-ref="playerLogoutSuccessHandler" delete-cookies="JSESSIONID" />
</security:http>
<bean id="bCryptPasswordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<security:authentication-manager>
<security:authentication-provider
ref="authenticationProvider">
</security:authentication-provider>
</security:authentication-manager>
were playerAuthenticationSuccessHandler, authenticationProvider and playerLogoutSuccessHandler extends the spring defaults.
Instead of restricting one session per user,it is restricting one session for
whole application.
So if one user is logged in noone can login .
Here is my configuration
<session-management invalid-session-url="/login">
<concurrency-control error-if-maximum-exceeded="true" max-sessions="1" />
</session-management>
And i even added listener in web.xml.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- HTTP security configurations -->
<http auto-config="true" use-expressions="true">
<form-login login-processing-url="/resources/j_spring_security_check"
login-page="/login" default-target-url="/index"
authentication-success-handler-ref="myAuthenticationSuccessHandler"
authentication-failure-url="/login?login_error=t" />
<logout invalidate-session="true"
logout-url="/resources/j_spring_security_logout" success-handler-ref="myLogoutSuccessHandler"/>
<!-- Configure these elements to secure URIs in your application -->
<intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/**" access="permitAll" />
<session-management invalid-session-url="/login">
<concurrency-control error-if-maximum-exceeded="true"
max-sessions="1" />
</session-management>
</http>
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customDaoAuthenticationProvider">
</authentication-provider>
</authentication-manager>
<beans:bean id="myAuthenticationSuccessHandler" class="com.test.connect.web.login.MyAuthenticationSuccessHandler"/>
<beans:bean id="myLogoutSuccessHandler" class="com.test.connect.web.login.MyLogoutSuccessHandler"/>
</beans:beans>
Based upon the configuration you provided, which includes a custom AuthenticationProvider, and the problem you are having I would guess that you are returning a custom UserDetails implementation that does not properly implement the equals and hashCode methods.
Please ensure that you have properly implemented equals and hashCode on any custom UserDetails implementation as these methods are used to look up if a user contains active sessions.
Just want to highlight here, make sure the equals and hashCode methods return is true. if the methods is not returning true it will not kill or terminate the existing session.
i want to use spring security from spring in m web application so here's the configuration:
This is the spring-security.xml :
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true" use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/authentication" login-processing-url="/static
/j_spring_security_check" authentication-failure
url="/login?login_error=t" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service id="userService"
data-source-ref="DataSource"
users-by-username-query="select name, password, true from person where name=?"
authorities-by-username-query="select name,'ROLE_USER' from person where
name=?" />
</authentication-provider>
</authentication-manager>
Web.xml :
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns
/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>OTV_JSF_PrimeFaces_Spring_Hibernate</display-name>
<!-- Spring Context Configuration' s Path definition -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- The Bootstrap listener to start up and shut down Spring's root
WebApplicationContext. It is registered to Servlet Container -->
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener
</listener-class>
</listener>
<!-- Project Stage Level -->
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<!-- Welcome Page -->
<welcome-file-list>
<welcome-file>/home.xhtml</welcome-file>
</welcome-file-list>
<!-- JSF Servlet is defined to container -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Mapping with servlet and url for the http requests. -->
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class> org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
here's the application :
When i run the application , this URL is opened
http://localhost:8089/MVNOONPProject/authentication and i get this error :
`The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in
a way that will never complete.`
I'm sure it's a problem with the web.xml . But i didn't find how to solve it .
Thank you in advance
It usually makes sense to protect only proper web pages which would be JSF rendered ones here. For sure you should not intercept all urls or else login won't be possible. This assumes you have a working login page under /authentication.
<http auto-config="true" use-expressions="false">
<intercept-url pattern="/**/*.faces" access="ROLE_USER" />
<intercept-url pattern="/**/*.jsf" access="ROLE_USER" />
<intercept-url pattern="/**/*.xhtml" access="ROLE_USER" />
<form-login login-page="/authentication" login-processing-url="/static
/j_spring_security_check" authentication-failure
url="/login?login_error=t" />
</http>
Try 2 things
Add
< intercept-url pattern="/authentication" access="IS_AUTHENTICATED_ANONYMOUSLY" />
Add default-target-url in your form-login tag
default-target-url='/home.xhtml'
One more thing you are using a custom login page and your http auto-config="true" change it to false if you are using custom login page
So your security config should be like this (login-processing-url is also not needed)
<http auto-config="false" use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
< intercept-url pattern="/authentication" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-page="/authentication" authentication-failure
url="/login?login_error=t" default-target-url='/home.xhtml'/>
Thats because , you spring security configuration redirects cyclically.
try this ,
<http auto-config="true" use-expressions="false">
<intercept-url pattern="/login.jsp*" filters="none"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/authentication" login-processing-url="/static
/j_spring_security_check" authentication-failure
url="/login?login_error=t" />
</http>
Edit
<http auto-config="true" use-expressions="false">
<intercept-url pattern="/authentication" filters="none"/>
<intercept-url pattern="/login.jsp*" filters="none"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/authentication" login-processing-url="/static
/j_spring_security_check" authentication-failure
url="/login?login_error=t" />
</http>
Since the pattern="/**" intercepts all URL requests including login page itself, any user has to be logged in even to access the login page.. so after hours of trying, following did the trick for me..
<intercept-url pattern="/login**" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login
login-page="/login"
default-target-url="/home"
authentication-failure-url="/login?error=true" />
Notice,
the order of intercept-url tags
pattern="/**" basically intercepts all url request, even resources like css and image file. that's why the second line is needed.
Other answers were quite close but weren't working with Spring MVC 3.2.3.RELEASE version
I think this might cause other problems in the future, so the better approach might be,
<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
<intercept-url pattern="/user*" access="ROLE_USER, ROLE_ADMIN" />
<form-login
login-page="/login"
default-target-url="/home"
authentication-failure-url="/login?error=true" />