Capture successful login with AspectJ and Spring Security - spring

I'm using Spring Security and AspectJ to log the application's behavior. I need to capture a successful login and log it. My Spring Security configuration:
<security:http auto-config="true" authentication-manager-ref="authenticationManager" use-expressions="true">
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/loginFailed" access="permitAll"/>
<security:intercept-url pattern="/viewUserAccounts" access="hasRole('ROLE_ANTANI')" />
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<security:custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
<security:form-login
login-page="/login"
authentication-failure-url="/loginFailed"
login-processing-url="/loginAttempt"
password-parameter="password"
username-parameter="username"
/>
</security:http>
How can I define the right pointcut?

Here's a solution to grab the result from the AuthenticationManager.
The context part (a simplified version of what you have):
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="test" password="test" authorities="ROLE_USER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<aop:aspectj-autoproxy proxy-target-class="true"/>
<bean class="de.incompleteco.spring.aspect.AuthenticationManagerAspect"/>
</beans>
and the aspect with the pointcut:
package de.incompleteco.spring.aspect;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.security.core.Authentication;
@Aspect
public class AuthenticationManagerAspect {
// Fires only when authenticate(..) returns normally, i.e. on a successful login.
// A failed login throws an AuthenticationException and never reaches this advice.
@AfterReturning(pointcut="execution(* org.springframework.security.authentication.AuthenticationManager.authenticate(..))"
,returning="result")
public void after(JoinPoint joinPoint, Object result) {
// Log the principal name only: result.getCredentials() may still hold the raw password.
System.out.println(">>> user: " + ((Authentication) result).getName());
}
}
This gives you access to the Authentication object after it has come back from the AuthenticationManager.
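An added example, not part of the answer above: the `@AfterReturning` advice only runs when `authenticate()` returns, so a failed login (which throws an `AuthenticationException`) is never logged by it. The aspect below audits both outcomes and deliberately logs nothing that could carry the password. The class name `AuditedAuthenticationAspect` and the logger name are my own choices; it assumes the same `<aop:aspectj-autoproxy proxy-target-class="true"/>` setup and is registered as a bean exactly like the aspect in the answer.

```java
package de.incompleteco.spring.aspect;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.AfterThrowing;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Audit aspect around AuthenticationManager.authenticate(..).
 * Added example, not the answer's own code: assumes the answer's
 * aspectj-autoproxy configuration and is registered as a plain bean.
 */
@Aspect
public class AuditedAuthenticationAspect {

    private static final Logger log = LoggerFactory.getLogger("AUTH_AUDIT");

    // One named pointcut shared by both advices.
    @Pointcut("execution(* org.springframework.security.authentication.AuthenticationManager.authenticate(..))")
    void authenticate() {}

    // Runs only when authenticate() returns normally, i.e. the login succeeded.
    @AfterReturning(pointcut = "authenticate()", returning = "result")
    public void loginSucceeded(JoinPoint jp, Authentication result) {
        // Log the principal name and granted authorities only. Never log
        // result.getCredentials() or the token passed in as argument:
        // both carry the raw password until the manager erases it.
        log.info("login succeeded user={} authorities={}",
                result.getName(), result.getAuthorities());
    }

    // Runs when authenticate() throws, i.e. the login failed (bad credentials,
    // locked account, ...). The failure type is safe to log; the password is not.
    @AfterThrowing(pointcut = "authenticate()", throwing = "ex")
    public void loginFailed(JoinPoint jp, AuthenticationException ex) {
        String user = "<unknown>";
        Object[] args = jp.getArgs();
        if (args.length > 0 && args[0] instanceof Authentication) {
            user = ((Authentication) args[0]).getName();
        }
        log.warn("login failed user={} reason={}", user, ex.getClass().getSimpleName());
    }
}
```

If proxying the manager is not an option, the same audit can be done without AOP: `ProviderManager` publishes `AuthenticationSuccessEvent` and `AbstractAuthenticationFailureEvent` (package `org.springframework.security.authentication.event`) when it has an `AuthenticationEventPublisher`, which the namespace `<authentication-manager>` configures for you, so an `ApplicationListener` for those events receives the same information.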

Related

Request Matcher not resolved while migrating spring security from 3 to 4

I am migrating my Spring Security from 3.1.4 to 4.1.5. I am using RequestMatcher in my security config to filter out URLs. I updated RequestMatcher to the correct package as suggested in the migration document, org.springframework.security.web.util.matcher.RequestMatcher.
I am pointing request-matcher-ref at a custom class which implements RequestMatcher. But I am getting the following error in IntelliJ: Cannot resolve required base class 'org.springframework.security.web.util.RequestMatcher'.
How do I resolve this issue?
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
<security:debug/>
<bean id="preflightRequestMatcher" class="com.genesyslab.rcs.security.RequestMethodMatcher">
<constructor-arg index="0" value="OPTIONS"/>
<constructor-arg index="1" value="true"/>
</bean>
<bean id="regularRequestMatcher" class="com.genesyslab.rcs.security.RequestMethodMatcher">
<constructor-arg index="0" value="OPTIONS"/>
<constructor-arg index="1" value="false"/>
</bean>
<security:http auto-config="false" create-session="never" request-matcher-ref="preflightRequestMatcher" >
<security:intercept-url pattern="/**" access="ROLE_ANONYMOUS, IS_AUTHENTICATED_FULLY"/>
<security:http-basic />
</security:http>
<security:http pattern="/contact-centers/*/user-recordings/*/play/**" security="none" auto-config="false" create-session="always"/>
<security:http pattern="/contact-centers/*/user-screen-recordings/*/play/**" security="none" auto-config="false" create-session="always"/>
<security:http auto-config="false" create-session="always" request-matcher-ref="regularRequestMatcher">
<security:intercept-url pattern="/loginsession" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/logoutsession" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/keepalivesession" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/recordings/**" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/contact-centers/*/recordings/**" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/screen-recordings/**" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/certificates" access="ROLE_RECORD_KEY_READ,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/certificatepems" access="ROLE_RECORD_KEY_READ,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/checkcertificate" access="ROLE_RECORD_KEY_UPLOAD,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/checkkey" access="ROLE_RECORD_KEY_UPLOAD,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/addcertificateandkey" access="ROLE_RECORD_KEY_UPLOAD,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/removecertificateandkey" access="ROLE_RECORD_KEY_UPLOAD,ROLE_DEFAULT_USER" />
<security:intercept-url pattern="/version" access="ROLE_ANONYMOUS, IS_AUTHENTICATED_FULLY" />
<!-- All URLs should be covered above, it's error if we match this one -->
<security:intercept-url pattern="/**" access="ROLE_NOMATCH" />
<security:session-management>
<security:concurrency-control max-sessions="999999" error-if-maximum-exceeded="false"/>
</security:session-management>
<security:http-basic />
</security:http>
<security:authentication-manager>
<security:authentication-provider ref='rcsAuthenticationProvider'/>
</security:authentication-manager>
RequestMethodMatcher.java
import lombok.AllArgsConstructor;
import org.springframework.security.web.util.matcher.RequestMatcher;
import javax.servlet.http.HttpServletRequest;
@AllArgsConstructor
public class RequestMethodMatcher implements RequestMatcher
{
private final String method;
private final boolean matchIfEqual;
@Override
public boolean matches(HttpServletRequest request) {
return method.equalsIgnoreCase(request.getMethod()) == matchIfEqual;
}
}

Spring Security Concurrency Control not working in Spring 4.0.4

I am trying to implement concurrency-control in Spring Security 4.0.4. I use form-login for auth. Here is my security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd ">
<security:http auto-config="true" >
<security:custom-filter ref="myFilter" before="FORM_LOGIN_FILTER"/>
<security:intercept-url pattern="/Welcome**" access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/admin**" access="hasRole('ADMINISTRATOR')"/>
<security:intercept-url pattern="/Welcome**" access="isAuthenticated()"/>
<security:intercept-url pattern="/hello" access="isAuthenticated()"/>
<security:intercept-url pattern="/logout" access="isAnonymous()"/>
<security:intercept-url pattern="/student" access="hasRole('STUDENT')"/>
<security:intercept-url pattern="/failurl" access="hasRole('STUDENT1')"/>
<security:session-management invalid-session-url="/access" session-fixation-protection="newSession" >
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/access"/>
</security:session-management>
<security:logout logout-success-url="/access" delete-cookies="JSESSIONID" />
<security:form-login login-processing-url="/j_spring_security_check"
login-page="/access"
default-target-url="/hello"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/fail"
/>
<security:logout logout-url="/j_spring_security_logout" logout-success-url="/logout"/>
<security:csrf />
</security:http>
<bean id="myFilter" class="com.www.sec.MyFilter">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<!-- <security:password-encoder hash="sha-256"/> -->
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select username,password,enabled from user_details where username=?"
authorities-by-username-query=
"select username,user_role from user_role where username =?" />
</security:authentication-provider>
</security:authentication-manager>
</beans>
Listener:
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
When we run it in different browsers and log in in both, I have 2 sessions active. It seems that concurrency control doesn't work.
How do I implement concurrency control when using form-login?
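An added example, not from the question: it drives the two strategy objects that `<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>` installs, outside a servlet container, to show where the limit is actually enforced. The class name `ConcurrencyControlDemo` and the user `alice` are my own; it needs spring-security-web 3.2 or later and spring-test (for the mock request) on the classpath.

```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;

/**
 * Added example (not the question's code): the strategies behind
 * <concurrency-control/>, wired by hand so the enforcement point is visible.
 * In a real deployment the registry is kept in sync with session expiry by the
 * HttpSessionEventPublisher listener the question already registers.
 */
public class ConcurrencyControlDemo {

    private final SessionRegistry registry = new SessionRegistryImpl();
    private final ConcurrentSessionControlAuthenticationStrategy control;
    private final RegisterSessionAuthenticationStrategy register;

    public ConcurrencyControlDemo(int maxSessions) {
        control = new ConcurrentSessionControlAuthenticationStrategy(registry);
        control.setMaximumSessions(maxSessions);       // max-sessions="1"
        control.setExceptionIfMaximumExceeded(true);   // error-if-maximum-exceeded="true"
        register = new RegisterSessionAuthenticationStrategy(registry);
    }

    /**
     * What Spring Security's form-login filter does after a successful
     * authentication: run the control check first (it throws when the user
     * already holds maxSessions other live sessions), then record the new
     * session in the registry. Returns false if concurrency control rejected it.
     * The principal is a plain String here; with a UserDetails principal the
     * registry relies on its equals()/hashCode(), which User implements.
     */
    public boolean loginInNewSession(String user) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                user, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        MockHttpServletRequest request =
                new MockHttpServletRequest("POST", "/j_spring_security_check");
        request.getSession(true);   // a fresh HttpSession, like a second browser
        HttpServletResponse response = new MockHttpServletResponse();
        try {
            control.onAuthentication(auth, request, response);
            register.onAuthentication(auth, request, response);
            return true;
        } catch (SessionAuthenticationException rejected) {
            return false;
        }
    }

    /** Live (non-expired) sessions the registry currently holds for the user. */
    public int activeSessions(String user) {
        return registry.getAllSessions(user, false).size();
    }

    public static void main(String[] args) {
        ConcurrencyControlDemo demo = new ConcurrencyControlDemo(1);
        System.out.println("first login accepted:  " + demo.loginInNewSession("alice"));
        System.out.println("second login accepted: " + demo.loginInNewSession("alice"));
        System.out.println("live sessions:         " + demo.activeSessions("alice"));
    }
}
```

The second `loginInNewSession("alice")` is rejected and the registry keeps one session, which is the behaviour the question's configuration asks for. The check only happens because the authenticating code calls the `SessionAuthenticationStrategy`; the namespace injects it into the form-login filter, but `AbstractAuthenticationProcessingFilter` defaults to `NullAuthenticatedSessionStrategy`, so a custom filter that authenticates users itself ahead of `FORM_LOGIN_FILTER` must be given the same strategy (the namespace exposes it through `session-authentication-strategy-ref` on `<session-management>`), or the limit is never evaluated for logins it handles.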

Keycloak and Spring Security

Can anyone please show me how to migrate Keycloak and Spring Security? I already followed the steps in http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#spring-security-adapter, but it didn't work. Do I need to write my own provider?
my original spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd"
>
<http use-expressions="true">
<intercept-url pattern="/index" access="isAuthenticated()" />
<intercept-url pattern="/tasks" access="isAuthenticated()" />
<intercept-url pattern="/dashboard" access="isAuthenticated()" />
<intercept-url pattern="/resetPassword" access="isAuthenticated()" />
<intercept-url pattern="/settings/**" access="isAuthenticated()" />
<intercept-url pattern="/" access="isAuthenticated()" />
<intercept-url pattern="/sam/**" access="hasRole('mym_security_permission-002')" />
<intercept-url pattern="/admin/**" access="hasRole('mym_security_permission-005')" />
<intercept-url pattern="/committee/**" access="isAuthenticated()" />
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/attachment/download/**" access="isAuthenticated()" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
login-processing-url="/perform_login"
authentication-failure-url="/login?error"
authentication-success-handler-ref="customAuthenticationSuccessHandler"
username-parameter="username"
password-parameter="password"
always-use-default-target="true"
/>
<!--success-handler-ref="customLogoutSuccessHandler" -->
<logout
logout-url="/perform_logout"
delete-cookies="true"
invalidate-session="true"
/>
<!-- enable csrf protection -->
<csrf/>
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
</http>
<authentication-manager alias="authenticationManager" erase-credentials="false">
<authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>
</beans:beans>
I changed this XML to the XML provided by the Keycloak user guide, and I put keycloak.json in WEB-INF.
After I made the configuration in Keycloak, I tried to access my page and the error page below appeared:
We're sorry ...
Invalid parameter: redirect_uri
return url:http://localhost:8080/auth/realms/Meeting/protocol/openid-connect/auth?response_type=code&client_id=mym-apps&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FApp%2Fsso%2Flogin&state=0%2Fd21c7ae9-b041-43e5-8135-8150e9895ee5&login=true
I already resolved this problem. I just fixed my "Valid Redirect URIs" to http://localhost:8080/app/* and /app/*
Please add Web Origins in the Keycloak client.

The matching wildcard is strict, but no declaration can be found for element 'security:filter-invocation-definition-source'

I have a Spring 3.2.4 application that allows public users (without login) to search in a form. I want to add CSRF protection to this form, so I added this declaration in my applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-2.5.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<security:http auto-config='true'>
<security:intercept-url pattern="/**" access="permitAll" />
<security:csrf/>
</security:http>
<bean id="anonymousProcessingFilter"
class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
<bean id="anonymousAuthenticationProvider"
class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>
<bean id="filterInvocationInterceptor"
class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="objectDefinitionSource">
<security:filter-invocation-definition-source>
<security:intercept-url pattern="/**" access='ROLE_ANONYMOUS,ROLE_USER'/>
</security:filter-invocation-definition-source>
</property>
</bean>
But I get this error when building the project. Of course I don't need any kind of authenticationManager, since there are no authenticated users in the application:
org.xml.sax.SAXParseException; lineNumber: 43; columnNumber: 52; cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'security:filter-invocation-definition-source'.:org.xml.sax.SAXParseException:cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'security:filter-invocation-definition-source'.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-2.5.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<security:global-method-security secured-annotations="enabled" />
<security:http auto-config="true">
<!-- Restrict URLs based on role -->
<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/css/main.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
<!-- Override default login and logout pages -->
<security:form-login login-page="/login.html"
login-processing-url="/loginProcess"
default-target-url="/index.jsp"
authentication-failure-url="/login.html?login_error=1" />
<security:logout logout-url="/logout" logout-success-url="/logoutSuccess.html" />
</security:http>
<security:authentication-manager>
<security:authentication-provider >
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>

Why do I need a "bean:" prefix here?

I'm trying to cope with Spring Security and I think I got it to work so far, but can somebody explain a few things to me? In particular I would like to know why I need to use this beans: prefix in this configuration file:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<beans:import resource="applicationContext-jooq.xml"/>
<global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />
<http auto-config="true" >
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
</http>
<authentication-manager >
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<!-- BEGIN Services -->
<beans:bean id="loginService" class="com.mz.server.web.service.LoginService">
<beans:constructor-arg>
<beans:ref bean="dsl" />
</beans:constructor-arg>
</beans:bean>
<!-- END Services -->
</beans:beans>
Another thing I'd like to understand is the difference between
<intercept-url pattern="/" .. />
<intercept-url pattern="/*" .. />
<intercept-url pattern="/**" .. />
You mixed up your XML header, so that spring-security is your root namespace now.
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd"
........> </beans>
Second Question:
The difference between * and ** is that * only describes the same folder, while ** is recursive. I am not sure about a / without regex, but I think it won't protect.
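An added example, not part of the answer above: a small harness that asks the matcher the namespace builds for `pattern="..."` which of `/`, `/*` and `/**` selects which request path, so the root-path case the answer is unsure about can be checked rather than guessed. The class name `InterceptUrlPatternCheck` and the sample paths are my own; it assumes spring-security-web 3.2 or later (where `AntPathRequestMatcher` lives in `org.springframework.security.web.util.matcher`; in 3.1 it was in `org.springframework.security.web.util`) and spring-test for the mock request.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/**
 * Added example (not the answer's code): evaluates <intercept-url> patterns
 * against request paths with the same matcher the namespace uses.
 */
public class InterceptUrlPatternCheck {

    private static final String[] PATTERNS = { "/", "/*", "/**" };
    // Constructed sample paths: the root, a top-level page, and two nested ones.
    private static final String[] PATHS = { "/", "/index", "/admin/users", "/admin/users/42" };

    /** True if the intercept-url pattern would select a request for the given path. */
    public static boolean matches(String pattern, String path) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        // AntPathRequestMatcher matches servletPath + pathInfo, not the raw request URI,
        // so the mock needs its servlet path set explicitly.
        request.setServletPath(path);
        return new AntPathRequestMatcher(pattern).matches(request);
    }

    public static void main(String[] args) {
        System.out.printf("%-18s", "path");
        for (String pattern : PATTERNS) {
            System.out.printf("%8s", pattern);
        }
        System.out.println();
        for (String path : PATHS) {
            System.out.printf("%-18s", path);
            for (String pattern : PATTERNS) {
                System.out.printf("%8s", matches(pattern, path) ? "yes" : "no");
            }
            System.out.println();
        }
    }
}
```

The table it prints shows `/**` selecting every path, `/*` selecting `/index` but not `/admin/users` (a single `*` never crosses a `/`), and `/` selecting only the root itself. Because `intercept-url` entries are tried in declaration order and the first match wins, a `/**` catch-all only protects what the earlier, more specific entries have not already allowed, so it belongs last in the list.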
