Spring Security 3.1 intercept urls - spring

I have my configuration of intercept url like
<security:http use-expressions="true" disable-url-rewriting="true">
<security:intercept-url pattern="/secure/admission/*" access="hasRole('ROLE_ADMISSIONER')" />
<security:intercept-url pattern="/secure/subdean/*" access="hasRole('ROLE_SUBDEAN')" />
<security:intercept-url pattern="/secure/referent/*" access="hasRole('ROLE_REFERENT')" />
<security:intercept-url pattern="/secure/index.xhtml" access="hasRole('ROLE_REFERENT, ROLE_SUBDEAN')" />
<security:intercept-url pattern="/secure/*" access="hasRole('ROLE_OMNI_ADMIN')" />
<security:intercept-url pattern="/**" access="isAuthenticated()" />
But now I have a problem that it is possible to acces url of my application, for example MY_APPLICATION/PririzMaven/secure/admin/updateRole.xhtml with role ROLE_ADMISSIONER, url ..../secure/subdean/* with this same role and so on... but it should by banned to this user.
Do you know where could be a problemme?

Assuming PririzMaven is the context path of your application, /secure/admin/updateRole.xhtml will be matched by the path /** and hence will be accessible to all authenticated users. You have no rule for /secure/admin. Note also that a single '*' does not match subpaths. For example, you should use /secure/admin/** to match everything under this path.
You should also enable debug logging and check how the rules are being applied - you should see the matchers being called against the incoming request URL and will see what is being compared and what is being matched against.
Finally, it's worth adding <security:debug /> at the top of your application context file, which will add other useful debugging information on request handling in a more human-readable format.

Related

Spring Security this kind of http://localhost:8080/WEB/edit-employee/{ID} url not authenticating

I have configured one spring security context for my project by using intecept-url i am able to authenticate all URLS but when i pass some ID over URL authentication is not happening.
<intercept-url pattern="/**" access="isAuthenticated()"/>
Working URLS
http://localhost:8080/WEB/add-employee
http://localhost:8080/WEB/view-employee
Not working URLS
http://localhost:8080/WEB/edit-employee/1
http://localhost:8080/WEB/edit-employee/2
1 and 2 are the ID iam passing over URL the above URL patterns are not working (that means when i passing ID over URL)
And i have tried many combinations in intercept-url but i am not getting the correct result.
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()"/> <!-- this means all URL in this app will be checked if user is authenticated -->
<!-- We will just use the built-in form login page in Spring -->
<form-login login-page="/" login-processing-url="/j_spring_security_check" default-target-url="/home" authentication-failure-url="/"/>
<logout logout-url="/logout" logout-success-url="/"/> <!-- the logout url we will use in JSP -->
</http>
Delete the line <intercept-url pattern="/edit-employee/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> to disallow anonymous access to that URL.

Force SSL based on url pattern in Spring security 3.2?

I am trying to configure my SS3.2 to do something quite simple: reject any HTTP request that's not directed at my login service; and allow access to the login service without authorization.
I have the following in my security.xml:
<http pattern="/login/**" security="none" />
<!--
<intercept-url pattern="/login/**" access="permitAll" requires-channel="https"/>
-->
<http auto-config="true" use-expressions="true">
<custom-filter ref="myCustomFilter" before="BASIC_AUTH_FILTER" />
</http>
Now since the login service will transport authentication information, it obviously needs to be secured by SSL/TLS. But I can't figure out how to force it to use SSL/TLS, while still letting it skip the custom filter.
Any suggestions?

SpringSecurity do not forward to https

Dear All,
We have added Spring Security for our web application. Login url seems like this
https://www.xyz.com/app/login.do
after login it should redirect to other urls with same https protocol. Right now SpringSecurity redirect us to other urls but with http not https.
Please tell us any specific settings are needed.
Thanks,
Op
Within your spring security definitions, inside your intercept-url tag you need to add requires-channel="https"
For example:
<sec:intercept-url pattern="/login.jsp*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/j_spring_security_check*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY"/>

security intercept url to exclude from universal match pattern

I have intercept url /test/** and now I am trying to create new intercept url as /test/test1 to different access role.
I tried below but not working
<security:http>
<security:intercept-url pattern="/test/**" access="ROLE_TEST" requires-channel="https"/>
<security:http-basic />
</security:http>
<security:http>
<security:intercept-url pattern="/test/test1" access="ROLE_TEST1" requires-channel="https"/>
<security:http-basic />
</security:http>
Don't create a <http> element for every url you want protected that is going to clutter your configuration, next to the fact that it won't work. Simply add it to the first block. Make sure that the /test/test1 mapping comes before /test/**.
<security:http>
<security:intercept-url pattern="/test/test1" access="ROLE_TEST1" requires-channel="https"/>
<security:intercept-url pattern="/test/**" access="ROLE_TEST" requires-channel="https"/>
<security:http-basic />
</security:http>
See the Spring Security reference especially the note.

AngularJS and Spring Security. How to handle AngularJS Urls with Spring Security

Let me explain my problem.
I have implemented a site in AngularJS that is accessed like this:
http://localhost:8080/example/resources/#/
Here we can call different pages, for example a Login page:
http://localhost:8080/example/resources/#/login
admin page:
http://localhost:8080/example/resources/#/admin
user page:
http://localhost:8080/example/resources/#/user
Now, I have implemented spring security in the example in order to catch every call and check if it has ROLE_USER privileges. So far so good, I have done it like this configuration in Spring security context file:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
This configuration checks for every url called, if the user has the proper ROLES, and it works fine, throws 401 Unauthorized page.
The problem I`m having is that when I put the login page to be accessed by everybody I'll do it this way:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/login**" access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
But I dont know why spring security is not catching this URL. Maybe Angular manages the URL differently.
Finally i have tried deleting the <security:intercept-url pattern="/**" access="ROLE_USER" /> and giving /login** access to ROLE_USER only, but this page was not found. Does anybody know what could be happening here?
Thanks in advance!!!
I wrote a little sample application that illustrates how to integrate AngularJS with Spring Security by exposing the session id as an HTTP header (x-auth-token). The sample also provides some (simple) authorization (returning the roles from the server) so that the client AngularJS application can react to that. This is of course primarily for user-experience (UX) purposes. Always make sure your REST endpoints have property security.
My blog post on this is here.

Resources