I am using Filters in my login application. I want some pages only
accessed by admin. I have kept those pages in admin folder and
implemented filters in my project. But pages are still accessible
through URL by other users.
Where I am going wrong?
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class LoginFilter implements Filter {
#Override
public void init(FilterConfig config) throws ServletException {
// If you have any <init-param> in web.xml, then you could get them
// here by config.getInitParameter("name") and assign it as field.
}
#Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
if (session == null || session.getAttribute("user") == null) {
response.sendRedirect(request.getContextPath() + "/Login.xhtml"); // No logged-in user found, so redirect to login page.
} else {
chain.doFilter(req, res); // Logged-in user found, so just continue request.
}
}
#Override
public void destroy() {
// If you have assigned any expensive resources as field of
// this Filter class, then you could clean/close them here.
}
}
Theoretically there are 2 possible reasons for this:
The filter doesn't run at all
The filter doesn't protect the pages of the application.
I know it sounds trivially but could you specify whether the filter runs at all, and if yes, do you come to chain.doFilter(req,res) ?
Related
I am working on a basic spring boot api using mysql as database
I created an endpoint for signup user("/users") which is bcrypt the password
while login i created a authentication filter which is adding jwt token in the header of response
but while accesing endpoint ("/login") i am getting 403 error,
I have already configured the ant match for request named "/login"
**Web Security Configuration **
package com.mukul.app.mobileappws.security;
import com.mukul.app.mobileappws.security.FIlter.AuthenticationFilter;
import com.mukul.app.mobileappws.services.UserService;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
#Configuration
#EnableWebSecurity
public class ConfigurationSecurity extends WebSecurityConfigurerAdapter {
UserService userService;
BCryptPasswordEncoder bcrypt;
ConfigurationSecurity(UserService u, BCryptPasswordEncoder b) {
this.userService = u;
this.bcrypt = b;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
// http.authorizeRequests().antMatchers(HttpMethod.POST,
// "/users").permitAll().anyRequest()
// .authenticated();
//
AuthenticationFilter af = new AuthenticationFilter(authenticationManager());
http.csrf().disable();
http.authorizeRequests().antMatchers(HttpMethod.POST,
"/users").permitAll();
http.authorizeRequests().antMatchers("/login").permitAll();
http.authorizeRequests().anyRequest()
.authenticated();
http.addFilter(af);
}
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(bcrypt);
}
}
Authentication filter
package com.mukul.app.mobileappws.security.FIlter;
import java.io.IOException;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.mukul.app.mobileappws.security.SecurityConstants;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
public class AuthenticationFilter extends UsernamePasswordAuthenticationFilter {
private AuthenticationManager authManager;
public AuthenticationFilter(AuthenticationManager am) {
this.authManager = am;
}
#Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException {
final String email = request.getParameter("email");
final String password = request.getParameter("password");
return authManager.authenticate(new UsernamePasswordAuthenticationToken(email, password));
}
#Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
Authentication auth) throws IOException, ServletException {
// generate token
User u = (User) auth.getPrincipal();
String email = u.getUsername();
String token = Jwts.builder()
.setSubject(email)
.setExpiration(new Date(System.currentTimeMillis() + SecurityConstants.EXPIRE))
.signWith(SignatureAlgorithm.HS512, SecurityConstants.SECRET)
.compact();
response.addHeader(SecurityConstants.HEADER, SecurityConstants.PREFIX + token);
super.successfulAuthentication(request, response, chain, auth);
}
}
enter image description here
I think your configuration is okay.
http.addFilter(authFilter) will put filter at appropriate position by examining the filter type.
In your case, I suspect issue is not triggering login request properly. As per the content in given repo, I ran the project and used embedded H2 instead of full blown database.
This is how you need to trigger your request if you are reading from request.getParameter(parameterName). Please note that I have received 404 error because Spring is trying to redirect me to '/' post successful login which doesn't exist. :)
With Spring Security I always had problem with CSRF on login, because the page doesn't have the CSRF token and POST is not allowed without it, try to check with it.
I have added filter as answered for question in below link
Spring Boot Data Rest + CORS not being enabled properly for OPTIONS/DELETE
My modified code is :
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.thymeleaf.util.StringUtils;
public class CorsFilterUtil implements Filter {
final Logger LOGGER = Logger.getLogger(CorsFilterUtil.class);
private static final Pattern PATTERN = Pattern.compile("^[a-zA-Z0-9 ,-_]*$");
#Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest request = (HttpServletRequest) req;
String origin;
String credentialFlag;
if (request.getHeader("Origin") == null) {
origin = "*";
credentialFlag = "false";
} else {
origin = request.getHeader("Origin");
credentialFlag = "true";
}
// need to do origin.toString() to avoid findbugs error about response splitting
response.addHeader("Access-Control-Allow-Origin", origin.toString());
response.setHeader("Access-Control-Allow-Credentials", credentialFlag);
System.out.println("##########################################"+request.getMethod()+"##########################################");
if ("OPTIONS".equals(request.getMethod())) {
LOGGER.info("Received OPTIONS request from origin:" + request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Methods", "GET,POST,HEAD,OPTIONS,PUT,DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
String headers = StringUtils.trim(request.getHeader("Access-Control-Request-Headers"));
if (!PATTERN.matcher(headers).matches()) {
throw new ServletException("Invalid value provided for 'Access-Control-Request-Headers' header");
}
response.setHeader("Access-Control-Allow-Headers", headers); // allow any headers
}
chain.doFilter(request, response);
}
#Override
public void init(FilterConfig filterConfig) {
// Do nothing
}
#Override
public void destroy() {
// Do nothing
}
}
I have tried doFilter with below 2 scenarios.
chain.doFilter(req, res);
chain.doFilter(request, response);
But I am getting same 403 for OPTIONS.
Please let me know what should I add to work this.
You can create a class to configure CORS options. Below is sample configuration to add all mappings to the Cors registry. You would fine tune with your requirements.
You can check out an example with explanations on https://spring.io/guides/gs/rest-service-cors/ web page.
#Configuration
#EnableWebMvc
public class WebConfig implements WebMvcConfigurer {
#Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedMethods("GET", "POST", "PUT", "DELETE", "HEAD")
.allowedOrigins("*")
.allowedHeaders("*");
}
}
Newbie question... I'm building my first Spring Boot restful service. My restful service design requires some data to be returned in the response header.
How do I set response header values inside my controller class method?
From the Spring Documentation:
#RequestMapping("/handle")
public ResponseEntity<String> handle() {
URI location = ...;
HttpHeaders responseHeaders = new HttpHeaders();
responseHeaders.setLocation(location);
responseHeaders.set("MyResponseHeader", "MyValue");
return new ResponseEntity<String>("Hello World", responseHeaders, HttpStatus.CREATED);
}
Source: https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/http/ResponseEntity.html
Unlike the other answer, don't use HttpServletResponse. You don't wanna be working with low-level Servlet APIs if you can avoid it. Return a ResponseEntity or HttpEntity.
HttpHeaders headers = new HttpHeaders();
headers.add("1", "uno");
return new ResponseEntity<>(headers, HttpStatus.OK);
I was looking for an answer, and I don't like to have to create a response entity. I found the solution on the spring-forums, so credits to the writer.
In short, you can request the response in the method-declaration, so this can be populated.
A simple example:
#RequestMapping(value="/car/{carId}", method = RequestMethod.Get)
#ResponseBody
public Car getCarById(#PathVariable("carId") String Id, HttpServletResponse response) {
response.setHeader("X-Special-Header", myCar.getEcoLabel());
//get the car
return myCar;
}
Hope this helps others as well.
http://forum.spring.io/forum/spring-projects/web-services/102652-setting-header-values-with-spring-rest-controller
To set Response Header there are multiple ways:
As mentioned by #Matias Elorriaga, you can use this to add header to single response.
Or, To add header to all responses you can also add java Filters.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
#javax.servlet.annotation.WebFilter(urlPatterns = {"/*"})
#Component
public class ResponseHeaderFilter implements javax.servlet.Filter {
#Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse) response;
res.setHeader("My-Custom-Header", "Header-Value-Here");
chain.doFilter(request, response);
}
#Override
public void init(FilterConfig filterConfig) throws ServletException {
}
#Override
public void destroy() {
}
}
Or, In Spring 5, you can also have WebFilter to add headers to all responses.
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
#Component
public class ResponseHeaderWebFilter implements WebFilter {
#Override
public Mono filter(ServerWebExchange exchange, WebFilterChain chain) {
exchange.getResponse().getHeaders().add("My-Custom-Header", "My-Value-Here");
return chain.filter(exchange);
}
}
Please how do I keep the home session alive when a user refreshes the browser ?
Because after login, the home page session is alive. But when I refresh the browser, it takes me back to login page.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
*
* #author Maxwell
*/
#WebFilter(filterName = "sessionFilter", urlPatterns = {"/*"})
public class sessionFilter implements Filter {
#Override
public void init(FilterConfig filterConfig) throws ServletException {
}
#Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req1 =(HttpServletRequest)request;
HttpServletResponse res1 =(HttpServletResponse)response;
String session = (String)req1.getSession().getAttribute("pnumber");
String currentPath = req1.getRequestURL().toString();
if(session != null)
{
if(currentPath.contains("login.xhtml"))
{
res1.sendRedirect(req1.getContextPath()+"/home.xhtml");
System.out.println("it is nt empty");
}
else
{
chain.doFilter(request, response);
}
//System.out.println("it is nt empty");
}
else
{
if(currentPath.contains("home"))
{
res1.sendRedirect(req1.getContextPath()+"/login.xhtml");
System.out.println("somefin is wrong");
}
else
{
chain.doFilter(request, response);
}
//System.out.println("somefin is wrong");
}
}
#Override
public void destroy() {
}
}
Please how do I keep the home session alive when a user refreshes the browser?
Because after login, the home page session is alive. But when I refresh the browser, it takes me back to login page.
is there any warning or error in the console when refreshing the page? Well, for session management in JSF, I'd do the following:
1) I'd use a ManagedBean #SessionScoped, where I'll keep the user info into a SessionMap once s/he has logged in:
public void login(){
//your code
if(validations){
FacesContext fc = FacesContext.getCurrentInstance();
fc.getExternalContext().getSessionMap().put("loggedUser", User);
//User is the entity which contains the current user info.
//You can use any data to keep in the SessionMap ;-)
}
}
2) When the user clicks on logout, you have invalidate the session:
FacesContext fc = FacesContext.getCurrentInstance();
fc.getExternalContext().invalidateSession();
3) Now if you want to validate the session when the user types the URL directly without logging in from the login page:
public void validateSession(){
FacesContext fc = FacesContext.getCurrentInstance();
User currentUser = (User) fc.getExternalContext().getSessionMap().get("loggedUser");
if(currentUser==null){
//shows a message 'Session has caducated'
fc.getExternalContext().redirect("./login.xhtml");
}
}
Then you just call the method before rendering the view:
<f:event type="preRenderView" listener="#{loginBean.validateSession()}" />
4) If you'd like to get the current user data from any managedBean, you have to get it from the SessionMap:
FacesContext fc = FacesContext.getCurrentInstance();
User user = (User) fc.getExternalContext().getSessionMap().get("loggedUser");
Hope this helps ;-)
On login failure I want to redirect the user to an error page and display a meaningful error message. Is it possible to add Flash Attributes that will be passed to the subsequent request?
The code presented below doesn't work. RequestContextUtils.getOutputFlashMap() returns null.
public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler
{
#Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException
{
FlashMap outputFlashMap = RequestContextUtils.getOutputFlashMap(request);
if (outputFlashMap != null)
{
outputFlashMap.put("error", "Error message");
}
response.sendRedirect(request.getContextPath() + "/error");
}
}
I encountered this same problem with Spring 4.3.17 and finally found a solution by stepping through the spring-webmvc code and making educated guesses about how to integrate Flash Attributes outside the normal framework. SessionFlashMapManager is the key to getting this to work. I believe this method should work for Spring 3.1.1+.
package org.myorg.spring.security;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.FlashMap;
import org.springframework.web.servlet.FlashMapManager;
import org.springframework.web.servlet.support.SessionFlashMapManager;
#Component
public final class FlashAuthenticationFailureHandler implements AuthenticationFailureHandler
{
/**
* Flash attribute name to save on redirect.
*/
public static final String AUTHENTICATION_MESSAGE = "FLASH_AUTHENTICATION_MESSAGE";
public FlashAuthenticationFailureHandler()
{
return;
}
#Override
public void onAuthenticationFailure(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException exception) throws IOException, ServletException
{
if (exception != null)
{
final FlashMap flashMap = new FlashMap();
// Don't send the AuthenticationException object itself because it has no default constructor and cannot be re-instantiated.
flashMap.put(AUTHENTICATION_MESSAGE, exception.getMessage());
final FlashMapManager flashMapManager = new SessionFlashMapManager();
flashMapManager.saveOutputFlashMap(flashMap, request, response);
}
response.sendRedirect(request.getHeader("referer"));
return;
}
}
Then in the controller(s) that requires the flash attribute, simply add a ModelAttribute with the same name:
#RequestMapping(value = {"/someview"}, method = RequestMethod.GET)
public String getSomePage(final Authentication authentication, #ModelAttribute(FlashAuthenticationFailureHandler.AUTHENTICATION_MESSAGE) final String authenticationMessage, final Model model) throws Exception
{
if (authenticationMessage != null)
{
model.addAttribute("loginMessage", authenticationMessage);
}
return "myviewname";
}
Then the page attribute containing the message can be accessed in your JSP as follows:
<c:if test="${not empty loginMessage}">
<div class="alert alert-danger"><c:out value="${loginMessage}" /></div>
</c:if>
I'd guess it's null because you are calling the function from the filter chain, whereas the flash map is maintained by Spring's DispatcherServlet which the request hasn't passed through at this point.
Why not just use a parameter? i.e
response.sendRedirect(request.getContextPath()+"/error?error=" + "Error Message");