All sites redirected to login page - spring

Dear fellow Spring'lers,
I stumbled upon a problem with the login of intercept-urls in Spring.
I just want to REDIRECT ALL PAGES to my login page IF NOT logged in.
This is the security context I use. However, this code is not allowing me to access any page:
<security:http auto-config="true">
<security:form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<security:logout logout-success-url="/logout" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/**" access="hasRole(ROLE_USER)" />
</security:http>
Thanks for your help.
Lomu
Changed my configuration according to jonnieM's post:
it's now
<security:http auto-config="true">
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
<security:form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<security:logout logout-success-url="/logout" />
</security:http>
So I think "IS_AUTHENTICATED_ANONYMOUSLY" did the trick :)
Cheers Lomu

You should apply the <http use-expressions="true"> setting, otherwise the values in <intercept-url>'s access attribute won't be interpreted as Spring EL expressions.
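As an added example (not from the thread), here is the working configuration from the follow-up rewritten in expression form, which is what the original `hasRole(...)` attempt was reaching for. Two things differ from the first, non-working version: `use-expressions="true"` is set on `<security:http>`, and the role is quoted, `hasRole('ROLE_USER')`, because without quotes SpEL treats `ROLE_USER` as a property reference rather than a string. The `/loginfailed` and `/logout` rules are assumptions: any URL the login flow redirects to must itself be reachable before authentication, or the catch-all rule sends the browser straight back to the login page.

```xml
<security:http auto-config="true" use-expressions="true">
    <!-- Rules are evaluated top to bottom and the first match wins, so every
         URL the login flow needs must be listed before the catch-all. -->
    <security:intercept-url pattern="/login" access="permitAll" />
    <!-- assumed: the failure page and the logout success page must also be anonymous -->
    <security:intercept-url pattern="/loginfailed" access="permitAll" />
    <security:intercept-url pattern="/logout" access="permitAll" />
    <!-- SpEL string literal: hasRole('ROLE_USER'), not hasRole(ROLE_USER) -->
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <security:form-login login-page="/login" default-target-url="/welcome"
        authentication-failure-url="/loginfailed" />
    <security:logout logout-success-url="/logout" />
</security:http>
```

Without `use-expressions="true"` the access attribute is handed to the role voter, which is why the plain `ROLE_USER` / `IS_AUTHENTICATED_ANONYMOUSLY` form in the follow-up works and the expression form does not; the two syntaxes cannot be mixed inside one `<security:http>` element.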

Related

Spring MVC Security permitAll to / but denyAll to /** not working

I have a Spring 4 MVC application that is deployed on WildFly 10 and is configured using XML.
I have the following controller defined:
<mvc:view-controller path="/" view-name="/index" />
<mvc:view-controller path="/index" view-name="/index" />
And in Spring Security I define access:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/**" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>
If I remove the denyAll /** intercept-url, the application works as intended; however, adding it causes security to redirect root calls to the login page and not the index page!
Is there a way I can have permitAll access to the root (which redirects to /index) of my application and still denyAll to /**, thus covering anything else that is not defined?
By changing the pattern to <intercept-url pattern="/.+" access="denyAll" /> as commented by Vasan, I got it working. Below is an example of the change:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/.+" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>
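A caveat on the accepted change, plus an added example that is not from the thread. With the default ant-style matcher the only wildcards are `?`, `*` and `**`; `.` and `+` are literal characters, so `/.+` matches only a request whose path is exactly `/.+`. It stops the redirect because it no longer denies anything, which also means the application has no catch-all any more. To keep a real catch-all while exempting `/` and `/index`, switch the `<http>` element to the regex matcher, where `.+` means what the pattern intended. Regex rules are matched against the whole servlet path plus path info and, when present, the query string, so each rule below allows an optional `?...` suffix. The `/login`, `/loginfailed` and `/dashboard` rules are assumptions; the example keeps `authentication-failure-url` rather than the handler reference, since the namespace documents the two as alternatives.

```xml
<http auto-config="true" use-expressions="true" request-matcher="regex">
    <!-- Regex rules, evaluated top to bottom, first match wins.
         "(\?.*)?" tolerates a query string, which the regex matcher includes. -->
    <intercept-url pattern="^/(\?.*)?$" access="permitAll" />
    <intercept-url pattern="^/index(\?.*)?$" access="permitAll" />
    <!-- assumed: the login flow's own pages must be reachable anonymously -->
    <intercept-url pattern="^/login(\?.*)?$" access="permitAll" />
    <intercept-url pattern="^/loginfailed(\?.*)?$" access="permitAll" />
    <!-- assumed: the post-login landing page -->
    <intercept-url pattern="^/dashboard(\?.*)?$" access="isAuthenticated()" />
    <!-- ... further application rules go here, before the catch-all ... -->
    <!-- A genuine catch-all: every path not listed above is denied. -->
    <intercept-url pattern="^/.+$" access="denyAll" />
    <form-login login-page="/login" default-target-url="/dashboard"
        always-use-default-target="true" authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/index" />
    <access-denied-handler ref="customAccessDeniedHandler"/>
</http>
```

Whichever matcher is used, the quickest check that a catch-all is really in force is to request a path that has no rule, such as a random `/does-not-exist`, both anonymously and as a logged-in user: with `denyAll` the first gets the login page and the second gets the access-denied handler.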

Two login pages but wrong redirects in spring app

I'm trying to create another login page in my application.
The second one is working properly, but the first one I just added doesn't catch the URL correctly and doesn't redirect to the right page.
The second HTTP configuration is always used.
<security:http pattern="/vcrequest/**" use-expressions="true" realm="NETMG Spring Security" authentication-manager-ref="authenticationManager">
<security:logout logout-url="/resources/j_spring_security_logout" />
<security:form-login
login-processing-url="/resources/j_spring_security_check"
login-page="/vcrequest/view/loginVCR"
default-target-url="/vcrequest/controller/vcrequest/my-request"
authentication-failure-url="/vcrequest/view/loginVCR?login_error=t" />
<security:intercept-url pattern="/vcrequest/view/loginVCR" access="permitAll" />
<security:intercept-url pattern="/vcrequest/**" access="isAuthenticated()" />
<security:http-basic/>
</security:http>
<security:http use-expressions="true" realm="NETMG Spring Security" authentication-manager-ref="authenticationManager">
<security:session-management session-fixation-protection="newSession"/>
<security:logout logout-url="/resources/j_spring_security_logout" />
<security:form-login
login-processing-url="/resources/j_spring_security_check"
login-page="/view/login"
default-target-url="/view/home#agregateShowMode=site"
authentication-failure-url="/view/login?login_error=t" />
<security:intercept-url pattern="/controller/users/**" access="hasRole('ROLE_ADD_USERS')" />
<security:intercept-url pattern="/controller/export/**" access="hasRole('ROLE_EXPORT')" />
<security:intercept-url pattern="/controller/stocks/**" access="hasRole('ROLE_STOCKS')" />
<security:intercept-url pattern="/controller/home/site/edit/**" access="hasAnyRole('ROLE_EDIT_SITE')" />
<security:intercept-url pattern="/controller/home/site/create*" access="hasRole('ROLE_ADD_SITE')" />
<security:intercept-url pattern="/controller/home/site/save*" access="hasAnyRole('ROLE_EDIT_SITE')" />
<security:intercept-url pattern="/controller/home/site/change*" access="hasRole('ROLE_CLOSE_SITE')" />
<security:intercept-url pattern="/controller/home/service/add/**" access="hasRole('ROLE_ADD_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/add*" access="hasRole('ROLE_ADD_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/link/**" access="hasRole('ROLE_LINK_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/edit/**" access="hasAnyRole('ROLE_EDIT_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/save/**" access="hasAnyRole('ROLE_EDIT_SERVICE')" />
<security:intercept-url pattern="/controller/home/service/close/**" access="hasRole('ROLE_CLOSE_SERVICE')" />
<security:intercept-url pattern="/controller/home/link/add/**" access="hasAnyRole('ROLE_ADD_LINK', 'ROLE_ADD_LINK_FOR_REQUEST')" />
<security:intercept-url pattern="/controller/home/link/link*" access="hasRole('ROLE_ADD_LINK')" />
<security:intercept-url pattern="/controller/home/link/edit/**" access="hasAnyRole('ROLE_EDIT_LINK')" />
<security:intercept-url pattern="/controller/home/link/save/**" access="hasAnyRole('ROLE_EDIT_LINK')" />
<security:intercept-url pattern="/controller/home/link/close/**" access="hasRole('ROLE_CLOSE_LINK')" />
<security:intercept-url pattern="/controller/home/device/add/**" access="hasAnyRole('ROLE_ADD_DEVICE', 'ROLE_ADD_DEVICE_FOR_REQUEST')" />
<security:intercept-url pattern="/controller/home/device/link/**" access="hasRole('ROLE_LINK_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/link*" access="hasRole('ROLE_LINK_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/edit/**" access="hasAnyRole('ROLE_EDIT_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/save/**" access="hasAnyRole('ROLE_EDIT_DEVICE')" />
<security:intercept-url pattern="/controller/home/device/close/**" access="hasRole('ROLE_CLOSE_DEVICE')" />
<security:intercept-url pattern="/pages/private/**" access="isAuthenticated()" />
<!-- URLs not secured -->
<security:intercept-url pattern="/resources/**" access="permitAll" />
<security:intercept-url pattern="/css/**" access="permitAll" />
<security:intercept-url pattern="/img/**" access="permitAll" />
<security:intercept-url pattern="/js/**" access="permitAll" />
<security:intercept-url pattern="/view/login" access="permitAll" />
<security:intercept-url pattern="/view/loginVCR" access="permitAll" />
<security:intercept-url pattern="/jamon/**" access="permitAll" />
<security:intercept-url pattern="/view/js-dynamic/**" access="permitAll" />
<!-- All others URLs need at least that the user is authenticated -->
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
I used the following post but without success:
Two realms in same application with Spring Security?
Does anyone know how to solve the issue?
Maybe having the same login-processing-url on both realms is causing the trouble. Have you tried changing the first realm's login-processing-url to another mapping, for example:
<security:form-login
login-processing-url="/anotherresource/j_spring_security_check"
Note: if you set this parameter to a path matching the first realm's pattern, such as
/vcrequest/j_spring_security_check
remember to bypass it in the security realm with
<security:intercept-url pattern="/vcrequest/j_spring_security_check" access="permitAll" />
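As an added example (not from the thread), the two chains with the first one's login endpoints moved under its own prefix. A `<security:http pattern="/vcrequest/**">` element only sees requests that match that pattern, so a `login-processing-url` of `/resources/j_spring_security_check` can never be handled by it: that POST falls through to the pattern-less second chain, whose form-login filter authenticates it and redirects to its own default target, which is why the second configuration always appears to win. Chains are tried in declaration order, so the pattern-less one stays last. The logout URL under `/vcrequest/` is an assumption; the role-specific `/controller/**` rules from the question are elided with a comment.

```xml
<!-- First chain: only requests under /vcrequest/** reach it, so every URL its
     filters must handle (login processing, logout) has to live under that prefix. -->
<security:http pattern="/vcrequest/**" use-expressions="true" realm="NETMG Spring Security"
               authentication-manager-ref="authenticationManager">
    <security:intercept-url pattern="/vcrequest/view/loginVCR" access="permitAll" />
    <!-- permitAll here is harmless: the processing filter runs before the interceptor -->
    <security:intercept-url pattern="/vcrequest/j_spring_security_check" access="permitAll" />
    <security:intercept-url pattern="/vcrequest/**" access="isAuthenticated()" />
    <security:form-login
        login-processing-url="/vcrequest/j_spring_security_check"
        login-page="/vcrequest/view/loginVCR"
        default-target-url="/vcrequest/controller/vcrequest/my-request"
        authentication-failure-url="/vcrequest/view/loginVCR?login_error=t" />
    <!-- assumed: a logout URL the first chain can actually see -->
    <security:logout logout-url="/vcrequest/j_spring_security_logout"
        logout-success-url="/vcrequest/view/loginVCR" />
    <security:http-basic/>
</security:http>

<!-- Second chain: no pattern, so it takes every request the first one did not claim,
     including the shared /resources/... endpoints. It must be declared last. -->
<security:http use-expressions="true" realm="NETMG Spring Security"
               authentication-manager-ref="authenticationManager">
    <security:session-management session-fixation-protection="newSession"/>
    <security:intercept-url pattern="/view/login" access="permitAll" />
    <security:intercept-url pattern="/resources/**" access="permitAll" />
    <!-- ... the role-specific /controller/** rules from the question go here ... -->
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:form-login
        login-processing-url="/resources/j_spring_security_check"
        login-page="/view/login"
        default-target-url="/view/home#agregateShowMode=site"
        authentication-failure-url="/view/login?login_error=t" />
    <security:logout logout-url="/resources/j_spring_security_logout" />
</security:http>
```

A quick way to confirm which chain handled a request is to enable DEBUG logging for `org.springframework.security.web.FilterChainProxy`: it logs the matched chain and the filter list for every request.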

Spring logout access denied

I'm using Spring Security, trying to set up basic login/logout functionality. Login works ok, I store users in a MySQL DB, and I'm able to log in, but I have a problem with logging out. On the home page I made a logout link, looking like this, but when I click it I get 403 Access denied, and the user doesn't get logged out:
<a href="<c:url value="j_spring_security_logout" />" > Logout</a>
And here is my security-context.xml:
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<security:intercept-url pattern="/static/**" access="permitAll" />
<security:intercept-url pattern="/loggedout" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
<security:intercept-url pattern="/docreate" access="isAuthenticated()" />
<security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
<security:intercept-url pattern="/newaccount" access="permitAll" />
<security:intercept-url pattern="/createaccount" access="permitAll" />
<security:intercept-url pattern="/accountcreated" access="permitAll" />
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/offers" access="permitAll" />
<security:intercept-url pattern="/**" access="denyAll" />
<security:logout logout-success-url="/loggedout"/>
<security:form-login login-page="/login"
authentication-failure-url="/login?error=true" />
</security:http>
And /loggedout is mapped to a basic .jsp page, just saying "You have logged out."
Also, when I click the logout link while I'm not logged in, it takes me to the login page.
What am I doing wrong?
Add this as the first rule in the <security:http use-expressions="true"> section:
<security:intercept-url pattern="/j_spring_security_logout" access="permitAll" />
I just added the logout-url="/j_spring_security_logout" to the security:logout element and it is working as it should now. But I thought it would work even without this parameter if I used /j_spring_security_logout as the logout link.
Add this under the <security:http use-expressions="true"> section:
<security:csrf disabled="true"/>
Worked for me.
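The three answers point in different directions, so here is the context and an added example that is not from the thread. In Spring Security 4, CSRF protection is on by default, the default logout URL is `/logout` (the `/j_spring_security_logout` URL is the 3.x default), and with CSRF enabled the logout filter only accepts a POST. A GET link therefore never reaches the logout filter and falls through to the `<intercept-url>` rules, where the `/**` `denyAll` catch-all produces the 403 for a logged-in user and the login page for an anonymous one. Disabling CSRF makes the link work but also removes the protection from every other state-changing request in the application. The alternative is to keep CSRF on and submit the logout as a POST carrying the token; the `delete-cookies` attribute is an assumption.

```xml
<security:http use-expressions="true">
    <!-- CSRF stays enabled (the Spring Security 4 default): no <security:csrf disabled="true"/> -->
    <security:intercept-url pattern="/static/**" access="permitAll" />
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/loggedout" access="permitAll" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/offers" access="permitAll" />
    <security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
    <!-- ... the remaining application rules from the question ... -->
    <security:intercept-url pattern="/**" access="denyAll" />
    <!-- With CSRF on, logout is accepted only as POST /logout. No intercept-url rule is
         needed for it: LogoutFilter runs before FilterSecurityInterceptor. -->
    <security:logout logout-url="/logout" logout-success-url="/loggedout"
        invalidate-session="true" delete-cookies="JSESSIONID" />
    <security:form-login login-page="/login"
        authentication-failure-url="/login?error=true" />
</security:http>
```

On the JSP side the anchor becomes a form: `<form action="${pageContext.request.contextPath}/logout" method="post">` containing `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>` and a submit button (the Spring Security tag library's `<sec:csrfInput/>` emits the same hidden field). The `_csrf` request attribute is populated by the CSRF filter, so this works as soon as protection is enabled. Note also that `<c:url value="j_spring_security_logout"/>` without a leading slash is a relative URL, resolved against the page that contains it rather than against the context root.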

spring session redirect after timeout

I have configured spring security for login form. Everything works fine except session timeout.
When the session times out I want to redirect to the login page. Instead I am redirected to the homepage. Below is part of my security XML. Can anyone suggest anything via XML configuration?
<http auto-config="true" use-expressions="true">
<!-- This setting is for IE. By default this setting is migrateSession.
When IE tries to migrate the session, the auth cookie does not migrate, resulting
in a nice login screen again after you've logged in. This setting ensures
that the session will not be invalidated, and thus IE will still work as
expected. -->
<session-management session-fixation-protection="none" />
<intercept-url pattern="/login.jsp" access="permitAll" />
<intercept-url pattern="/css/*" access="permitAll" />
<intercept-url pattern="/img/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/lib/**" access="permitAll" />
<intercept-url pattern="/fonts/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login login-page="/login.jsp" login-processing-url="/j_spring_security_check"
default-target-url="/index.html" always-use-default-target="true"
authentication-failure-url="/login?error=true" username-parameter="username"
password-parameter="password" authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/login.jsp" logout-url="/j_spring_security_logout" invalidate-session="true" />
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
<session-management invalid-session-url="/login.jsp" />
<!-- disable csrf protection -->
<csrf disabled="true" />
</http>
I have added timeout in web.xml as
<session-config>
<session-timeout>1</session-timeout>
</session-config>
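An added example, not from the thread: the same `<http>` with a single `<session-management>` element. The namespace parser reads only the first `<session-management>` child of `<http>`, so in the configuration above the `invalid-session-url` on the third element is never applied; merging the three declarations into one is what makes the timeout redirect take effect. `invalid-session-url` fires when a request presents a session id the container no longer recognises, which is exactly the first request after the timeout. Two further changes are assumptions: the failure URL is `/login.jsp?error=true` so that it is covered by the `permitAll` rule for the login page (the original `/login?error=true` is not, and is itself redirected to the login page), and session fixation protection is set to `changeSessionId` (Spring Security 3.2+ on a Servlet 3.1 container) rather than `none`, since `none` keeps the pre-login session id and with it the session fixation attack the setting exists to prevent. The `authentication-failure-handler-ref` is dropped because the namespace documents it as an alternative to `authentication-failure-url`, and the `<csrf>` element is omitted so protection keeps its default.

```xml
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.jsp" access="permitAll" />
    <!-- "/css/*" matches a single path segment; "/css/**" also covers sub-directories -->
    <intercept-url pattern="/css/**" access="permitAll" />
    <intercept-url pattern="/img/**" access="permitAll" />
    <intercept-url pattern="/js/**" access="permitAll" />
    <intercept-url pattern="/lib/**" access="permitAll" />
    <intercept-url pattern="/fonts/**" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login login-page="/login.jsp" login-processing-url="/j_spring_security_check"
        default-target-url="/index.html" always-use-default-target="true"
        authentication-failure-url="/login.jsp?error=true"
        username-parameter="username" password-parameter="password" />
    <logout logout-url="/j_spring_security_logout" logout-success-url="/login.jsp"
        invalidate-session="true" />
    <!-- One element carries all three settings; only the first <session-management>
         child of <http> is read. invalid-session-url is the post-timeout redirect. -->
    <session-management invalid-session-url="/login.jsp?expired=true"
                        session-fixation-protection="changeSessionId">
        <concurrency-control max-sessions="1" expired-url="/login.jsp?expired=true" />
    </session-management>
</http>
```

With a one-minute `<session-timeout>` this is easy to verify: log in, wait past the minute, request any protected page, and the response should be a redirect to `/login.jsp?expired=true` rather than to the default target.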

Spring Security Authenticated User only

I just started reading about Spring Security 3.1 and I would like to know how I can force users to authenticate through my login page before accessing any pages on my system. In a tutorial I see the following code:
<http use-expressions="true">
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')" />
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<intercept-url pattern="/listAccounts.html" access="isAuthenticated()" />
<intercept-url pattern="/post.html" access="hasAnyRole('supervisor','teller')" />
<intercept-url pattern="/**" access="denyAll" />
<form-login />
</http>
From the above configuration I can see that I have to maintain the list of URL patterns. Is there a way to simplify this so that every user has to log in through "/login" before they can access any other page?
EDIT:
I have edited my configuration as below and it's working as I expected:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/loginfailed" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/login" />
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
The url rules are inspected in order, top to bottom. The first one that matches is the one that is used.
In this example, the last line
<intercept-url pattern="/**" access="denyAll" />
Is the "catch all" rule. It applies to all requests ("/**") that didn't match any of the rules above it.
In its current form, it denies access to everyone, regardless. If you change it to
<intercept-url pattern="/**" access="isAuthenticated()" />
instead, it will require authentication for all pages unless otherwise specified, which will cause Spring Security to redirect unauthenticated users to the login process.
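To make the ordering rule concrete, an added example (not from the answer) shows the two orders side by side using the URLs from the edited configuration. In the first fragment the catch-all sits above `/login`, so the login page itself requires authentication: the entry point redirects an anonymous user to `/login`, that request is denied again, and the browser reports a redirect loop. The second fragment is the order that works.

```xml
<!-- Broken order: "/**" is matched first, so "/login" is never reached
     and the login page itself demands authentication (redirect loop). -->
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <intercept-url pattern="/login" access="permitAll" />
    <form-login login-page="/login" default-target-url="/welcome"
        authentication-failure-url="/loginfailed" />
</http>

<!-- Working order: specific rules first, catch-all last. Everything the login
     flow redirects to is listed before "/**"; the login-processing URL needs
     no rule because the authentication filter runs before the interceptor. -->
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/loginfailed" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login login-page="/login" default-target-url="/welcome"
        authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/login" />
</http>
```

The same first-match rule is why a broad `permitAll` pattern placed early (for example `/**` meant for static resources) silently opens everything beneath it; when in doubt, put the narrowest patterns first and the catch-all last.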
