Here is the Spring Security intercept-url configuration:
<intercept-url pattern="/**.html"
access="ROLE_USER" requires-channel="https" />
I want to make requires-channel="any" for local environment.
Is it possible to add absolute URL in the pattern?
You can use Spring bean definition profiles to achieve that.
<beans profile="local">
</beans>
It's a new feature. Take a look at the entry in Spring Source blog: http://blog.springsource.com/2011/02/11/spring-framework-3-1-m1-released/
Related
I found this:
<security:http auto-config="true">
<security:form-login .../>
<security:logout .../>
<security:intercept-url pattern="/reports" access="ROLE_ADMIN" requires-channel="https"/>
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<security:intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
</security:http>
From my understanding we have to place this in web.xml, but we aren't using web.xml, we are using the java configuration. How can I achieve this? Is there anything I can perhaps add in application.properties?
What you are showing is a spring security file. Spring security can be configured either using an XML file (like the one you're showing) or through Java configuration (see here: http://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html).
However your question is: can I enable HTTPS only.
You can also do that through other ways.
In Tomcat for example you can do that by configuring server.xml (http://www.itworld.com/article/2769041/development/how-to-configure-tomcat-to-always-require-https.html and https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html).
There are similar ways for other JavaEE servers.
You can also use a SecurityConstraint in your web.xml (or Java based Web config) so that it defines CONFIDENTIAL or INTEGRAL like in (XML fragment but you can do it via Java based config):
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
I am using GWT and url for my incharge page as
http://www.example.com/backend.html?locale=en&gwt.codesvr=127.0.0.1%3A9997#incharge
I would like to check this url with Spring Role Authorization. I used in my spring-security.xml as below
<sec:http auto-config="false" entry-point-ref="authenticateFilterEntryPoint" access-denied-page="/unSecure.html">
<sec:intercept-url pattern="#incharge" access="ROLE_ADMIN"/>
<sec:logout logout-url="/logout.html" logout-success-url="/login.html" invalidate-session="true"/>
<sec:form-login login-page="/login.html"
login-processing-url="/login_check"
authentication-failure-url="/login.html?error=1"/>
<sec:session-management invalid-session-url="/login.html">
<sec:concurrency-control max-sessions="50" error-if-maximum-exceeded="true"/>
</sec:session-management>
<sec:remember-me key="TBdqj219ab910lsAc12" token-validity-seconds="604800"/>
</sec:http>
But always pass and spring security filter was not bind. Please help me how to check user's role when given url contain #incharge ?
It was long time since I do not use Spring, but seeing this link, the pattern attr looks like powerful.
I am just guessing but probably if you do something like:
pattern="^.*#incharge$", should work.
From my point of view the pattern is the key here. I am not sure if Spring internally respects the hash, but it is worth to try.
:)
I am using spring security and have an auth-ref-handler. Inside of it I need to get a property yet that property is not getting set. If I do the same code in my spring MVC controller REST handler method, it works?
spring-security.xml
<context:property-placeholder location="file:/TcatServer6/myapp/properties/myapp/myapp.properties" />
<beans:bean id="adsh" class="com.mycompany.security.ADAuthenticationSuccessHandler"/>
<http auto-config="true">
<intercept-url pattern="/agent/**" access="ROLE_AGENT" />
<intercept-url pattern="/supervisor/**" access="ROLE_SUPERVISOR" />
<form-login
login-page="/r/views/login.html"
authentication-failure-url="/r/views/loginfailed.html"
authentication-success-handler-ref="adsh"
/>
<logout logout-success-url="/logout" />
</http>
In ADAuthenticationSuccessHandler:
#Autowired
#Value("${acr_url}")
private String acrURL;
I have the EXACT same code in one of my spring MVC controllers and it works! In my AuthenticationSuccessHandler it always gets null?
Spring is turning out to be a configuration nightmare with all these things working inconsistently.
Update: Based on the feedback and my test, I think this may be a bug in Spring. Try it for yourself. Just try to get a property out of a property file using the #Autowire or #Value annotations within a Spring AuthenticationSuccessHandler in your spring-security.xml...can someone else try it and see if they get similar results?
In our application we are using Spring Security and we observed that if the role names are not prefixed with ROLE , it does not work.
Our roles are configured in DB and there is no restriction on the name given to a role.
Is there any work around to avoid the ROLE prefix to roles?
You can find a solution here: Spring Security – adding a custom Role Prefix, according to which you just need to configure the RoleVoter:
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="" />
</beans:bean>
See also Spring Security Role Prefix and Custom User Details Service.
As for me, I haven't noticed this behavior.
In my project I'm using Spring Security 3.1.4.RELEASE with Spring 3.2.3.RELEASE. And my securityContext.xml contains the following lines:
<security:http auto-config="false" use-expressions="true" access-denied-page="/denied.do"
entry-point-ref="authenticationEntryPoint">
<security:intercept-url pattern="/index.do" access="hasAnyRole('PROJECT_REVIEW', 'PROJECT_ADMINISTRATOR')"/>
<!-- Skipped -->
<security:intercept-url pattern="/**" access="hasAnyRole('PROJECT_REVIEW', 'PROJECT_ADMINISTRATOR')"/>
<!-- Skipped -->
</security:http>
So, I'm using my custom roles PROJECT_REVIEW, PROJECT_ADMINISTRATOR. And it works fine.
Could you please tell what error do you get?
I want to integrate LDAP in my spring application.
Requirement:- On request it should divert to my login page then ask for user/password. Then on submit it should authentication from LDAP.
Thanks
There is a special project in Spring called Spring Security for this purpose. The core functionality is built as a set of servlet API filters. There are multiple connectors for user's database (LDAP, DB, Active Directory, etc.) Here you can see how to add a basic conf. Your conf may looks like this:
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
<logout />
</http>
Note that I prefer SpEL expressions for security rules. And here you can see how to add LDAP.
Hope it helps.
Along with that you also need other LDAP configuration like this
<ldap-server url="ldap://localhost:10389/dc=example,dc=com" />
<authentication-manager alias="authenticationManager"
erase-credentials="true">
<ldap-authentication-provider
user-dn-pattern="uid={0},ou=people" group-search-base="ou=groups"
group-search-filter="(members={0})">
</ldap-authentication-provider>
</authentication-manager>