I have two applications, each located on it's own server. Both of them use Spring security with the standart settings.
The problem that I need to access first application through the second one. I need to send password and login to the first application when logging in the second.
Can somebody help with samples or tips please? Thank you.
My spring-security.xml in both applications:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/favicon.ico" security="none" />
<http auto-config="true">
<intercept-url pattern="/**" access="ROLE_ADMIN"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="hey" password="there" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
you should use CAS for this instead of trying to access or pass user/pass across application.
please refer this link to get understanding how to use CAS in this kind of scenario.
Related
I'm working in a spring based web application (version 4.1.6.RELEASE, spring security 4.0.0.RELEASE) and I'm getting the error InvalidCsrfTokenException: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'. after submitting a form (POST method). According to the spring's documentation "Spring Security automatically inserts a CSRF form field for any <form:form> tags you use", so why I'm getting this exception?
Thanks in advance.
This is my spring security configuration:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http use-expressions="true" disable-url-rewriting="true">
<headers>
<frame-options/>
<xss-protection/>
<hsts/>
</headers>
<csrf/>
<intercept-url pattern="/welcome" access="isAuthenticated()" />
<!-- some others urls to intercept -->
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
<session-management>
<concurrency-control max-sessions="1" expired-url="/login" />
</session-management>
</http>
And this is the definition of my form (excluding the fields it contains):
<form:form action="myaction" method="post" enctype="multipart/form-data" id="formId" modelAttribute="myBean">
</form:form>
Any help will be appreciated
The issue is arising because you are using a multi-part form. Please see the accepted answer here:
Spring CSRF token does not work, when the request to be sent is a multipart request
I am trying to ignore security checking (it gets its own encryption setting) on one of the URLs within current Spring application, by using
<sec:intercept-url pattern="/notimportant/url**" security="none" />
but I get
nested exception is org.xml.sax.SAXParseException: cvc
-complex-type.3.2.2: Attribute 'security' is not allowed to appear in element
'sec:intercept-url'.
Here is the namespace setting:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
So how can I avoid authentication for that url exactly
Try it with filters="none" instead of security="none".
<sec:intercept-url pattern="/notimportant/url**" filters="none" />
This is deprecated in Spring 3.1, though, so you can try this
<sec:http pattern="/notimportant/url**" security="none"/>
Check out the documentation for more details.
That's because security is not a valid attribute for element intercept-url. Try with access="IS_AUTHENTICATED_ANONYMOUSLY", like this:
<sec:intercept-url pattern="/notimportant/url**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
HI I am trying to implement Spring Security: Concurrent Session Control to limit one session at a time. I see that I only need
<http>
...
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
</http>
I get this from the reference http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-config . The problem that I am facing is that i get this error saying, "Configuration problem: No AuthenticationEntryPoint could be established. Please make sure you have a login mechanism configured through the namespace (such as form-login) or specify a custom AuthenticationEntryPoint with the 'entry-point-ref' attribute" I do not need to use a login page in the configuration here. I saw other posts, but I cannot find a solution to this problem. Please help me with a solution here. I will post my code below.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring- mvc.xsd">
<security:http>
<security:session-management>
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>
I'm new to Java EE / Spring and I've been fighting with security for the past two days. I finally have to the point where I can authenticate with Java EE and authorize with Spring. Unfortunately, I can't access the Java EE authentication from Spring to do the authorization.
The general idea for the application is this:
If you're not logged in, Spring security redirects you to the login page
The login page is the only page that is locked by Java EE. It outputs a form for authentication
After successfully logging in, the user is redirected to the home page, which should have the authentication object associated with it.
Note the emphasis on should since it isn't. For whatever reason, the user is coming back as authenticated but anonymous. If I could simply get the username, I could construct the user details.
Here's the relevant snippets from my web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</filter>
<security-constraint>
<web-resource-collection>
<web-resource-name>Home Page Only</web-resource-name>
<description>Rely on Spring for Authorization</description>
<url-pattern>/login</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/loginfailed</form-error-page>
</form-login-config>
</login-config>
And my security-content.xml for spring:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:lang="http://www.springframework.org/schema/lang"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/about" access="permitAll"/>
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/loginfailed" access="permitAll"/>
<intercept-url pattern="/css/*" access="permitAll"/>
<intercept-url pattern="/resources/*" access="permitAll"/>
<intercept-url pattern="/images/*" access="permitAll"/>
<intercept-url pattern="/js/*" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login default-target-url='/index.jsp'
always-use-default-target='true' login-page="/login"
authentication-failure-url="/loginfailed"
/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="securityRef"/>
</authentication-manager>
<beans:bean id="securityRef"
class="my.custom.authprovider.AuthenticationProviderImpl"/>
</beans:beans>
Any ideas?
If you want to use Java EE authentication you should configure
PreAuthenticatedProcessingFilter (more precisely J2eePreAuthenticatedProcessingFilter).
Also, you need to configure J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource to populate a user granted authorities:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#j2ee-preauth-details
BTW, What advantages do you see to use Java EE Form authentication?
Added after the comment.
If required to use Java EE authentication your approach should be corrected: you should protect the whole application by Java EE authentication.
In this case each request that come to Spring Security will be authenticated by Java EE container and Spring Security can authenticate the request by J2eePreAuthenticatedProcessingFilter.
So the corrected flow
If a user is not logged in, Java EE container redirects the user to the login page
After a successfully authentication, the user is redirected to a page protected by Spring Security. Spring Security can authenticate the request by J2eePreAuthenticatedProcessingFilter.
I'm trying configure Request-Header Authentication using spring 2.0 security, and I'm a complete newbie at it so please bear with me. From the doc, they give an example config file using siteminder.
In my scenario, there will be a username and usergroup in the request header, using keys of CC_USER and CC_USER_GROUP respectively. So I adjusted the file to be as follows (see below).
I know that in the external system the user will already have been authenticated using some type of single sign on, and when control reaches my app, we just need to check the request headers for the CC_USER and CC_USER_GROUP.
Question1: The example below uses a "userDetailsService". Is this something I need to implement? Is this where I will check the request headers for CC_USER and CC_USER_GROUP?
Question2: Is there a complete example I can download somewhere that uses request header authentication? I did a lot of googling, but didn't really find a lot of help.
Question3: I would like to just harcode some dummy users in for testing, like they do in the docs. How would I incorporate the following into my request header configuration?
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
My modified sample config file (based on siteminder file from docs):
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/context/spring-context-2.5.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<bean id="ssoFilter"
class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
<security:custom-filter position="PRE_AUTH_FILTER" />
<property name="principalRequestHeader" value="CC_USER" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider"
class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
<security:custom-authentication-provider />
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
</property>
</bean>
<security:authentication-manager
alias="authenticationManager" />
</beans>
UserDetailsService is just an Interface, you need to implement. It has only one method to load user from DB by username and returns UserDetails object with user info(here you can also keep the user group information). This service have nothing with request headers. I think, the best place to check the request headers - is RequestHeaderPreAuthenticatedProcessingFilter
Are you talking about RequestHeaderAuthenticationFilter? The documentation is very clearly, I think.
Hardcoded users in xml will not work if you implement own user-service