I have used LDAP authentication using spring and it is working.
Now I want to show the details of authenticated user on jsp page without using scriplets. User details should be picked from http session. But I am not getting the right way to proceed further.
If anyone knows the solution then please share with me.
Thanks
Use the Spring taglib
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/taglibs.html
You can then access the user principal (containing DN, groups, etc) with
<sec:authentication property="principal.<whatever>" />
Related
I have an existing struts application to which an angular/spring application will be combined. Both will exist on different url patterns. But both will be having a same login page which is a jsp. Also, spring security is used in the angular/spring application.
Based on the logged in user, from the login, the user will be redirected to either angular-spring/struts application and the authentication will be done by the respective applications. So I need to send the username and password to angular and then do the login from there.
But I am not able to send the data to angular side and even if I can somehow, Im not sure how to retrieve the data. How can I achieve this ?
Any help is much appreciated. Thanks.
Write rest API so you can get or post data from angular app
Hope this post will help you https://dzone.com/articles/java-8-springboot-angularjs-bootstrap-springdata-j
I have a requirement that needs to have login page at the service provider and I use java web app. Is there any way to use the spring SAML libraries to achieve this behaviour ? If so, what could be the steps? (it seems the default behavior of spring library is to redirect to IDP login page and I am not sure if we can configure to host login page on the service provider and relay that request to IDP)
I think what you're looking for is having two different ways to authenticate, one locally and one through SAML. I believe for having a login form, you would want to separate configurations with different AuthenticationEntryPoints, i.e. go to /login for local or /saml/login/alias/" + spAlias+ "?idp=" + spEntityID for direct login to SAML.
It sounds like right now you have SAML protecting any URL, which by default redirects you to the IDP since it's configured. The first step that I would take is getting user name and password authentication working with logins independently of SAML, then add SAML back in. Be sure to list whatever URL the login form uses as permit all so SAML doesn't kick in.
I'm new to Spring3 MVC and I'm working on a web project using it, I has implemented login and logout. I put the user info in session when user login and remove it when he logout.
Now I want to implement that:
if user login, thus he can do whatever, but if he logout and access the page which is in the server, we should redirect to the login page.
I think it's possibly using filter and some configuration in web.xml so I needn't writte much code. I think it's very easy using configuration but I don't know how to implement it.
SO How and What should I config? It's like this question a bit:Looking for a Simple Spring security example
Thanks for your help.
use - return "redirect:LoginPage";
At my project I use Spring Security and GWT with url-like internationalization (http://....html?locale=en). Login and logout functions work very well, but here is another hitch: when user login he got localization-like URL (for example http://localhost:8000/Admin/app/Admin.html?locale=en) but after he close window (without logout) and coming back at URL http://localhost:8000/Admin/ he take authorization by Spring Security with session and login at system without "?locale=" param, so he got default language.
The main question is - how can I interrupt between two process (after Spring say - "Ok! it a good user - comin!" and before he throw user a link to coming) so that I can add locale to his URL ?
Thanks.
You can implement a custom AuthenticationSuccessHandler to add parameters to the request on authentication success. See this question.
I have a decent login system working with Spring 3 security.
If a user tries to access a secure page prior to login, he is bounced to the login page, and then upon successful login, he is redirected back to the page that he tried to access previously. This is almost exactly what I want.
What I ALSO want is a special error message to appear on the login page explaining to the user that he has been redirected there because he has tried to access a secure area. How can I do this (without showing that error message on the login page for people who haven't previously tried to access a secure page)?
Thanks!
P.S. I have read http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity-single.html#getting-started and many posts on this site and others but have not found the solution.
Are you using jsp? Then something like this might be useful.
Would you like to customize your error message from Spring Security? Take a look here.
On your login jsp page you can retrieve HTTP header referer (e.g. with jstl - ${header['referer']}) which would tell you what page user tried to access before being redirected to this login page.
Displaying a error message in the login page it is something done authomaticaly by Spring. You can see how it is discussed here. I think that this is more about displaying login error as "Bad credentials" but take it in mind anyway.
For your case, displaying a error message related with access denied can be done just defining the access denied page in the spring security configuration.
Usually, you can see something like this:
<http auto-config="true" access-denied-page="/403.jsp">
....
</http>
but also you can do this and control in the login jsp if myError variable comes in the request:
<http auto-config="true" access-denied-page="/login.jsp?myError=access-denied">
....
</http>
I don't think any of the answers here provide a clean generic solution to the original problem. I do not understand OP's solution and it may be specific to his situation.
When a user clicks on a secure URL, spring redirects the user to the login page. The original request is stored in the session. And spring doesn't pass any of the parameters in the original request to the login page.
You can add something like the following to the login.jsp:
<%
if((SavedRequest)session.getAttribute("SPRING_SECURITY_SAVED_REQUEST") != null && ((SavedRequest)session.getAttribute("SPRING_SECURITY_SAVED_REQUEST")).getParameterMap().get("LOGINMSG") != null){
out.println('<%= ((SavedRequest)session.getAttribute("SPRING_SECURITY_SAVED_REQUEST")).getParameterMap().get("LOGINMSG")[0]%>');
}
%>
Where LOGINMSG is the custom end user login message that you appended to the original secure URL.
I hope the spring security team would chime in and validate ( or invalidate ) this approach.