Spring security intercept-url root and login - spring

I want to secure everything except the root. My security config looks like this:
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/"/>
        <intercept-url access="isAuthenticated()" pattern="/**"/>
        <form-login authentication-failure-url="/" login-page="/" default-target-url="/dashboard"/>
        <logout invalidate-session="true" logout-success-url="/"/>
    </http>
My login page is included in the root.
I'm getting a "The page isn't redirecting properly" error.
Please can anybody help with this problem?
Thanks

Add a bypass of the security check for the login page.
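A configuration that does what the asker wants, added here as an example (it is not the asker's or the answerer's config). The login form lives at "/", so that one path has to be reachable anonymously, and it has to be listed before the catch-all rule: Spring Security uses the first intercept-url whose pattern matches, and "/**" also matches "/". Without that entry the entry point redirects an unauthenticated request to "/", that request is denied again, and the browser reports the redirect loop.

```xml
<!-- Added example config (Spring Security 3.x namespace), not the asker's own. -->
<http auto-config="true" use-expressions="true">
    <!-- The login form is served from "/": anyone may load it. This entry must
         precede "/**", otherwise the catch-all rule wins and "/" is protected,
         which sends the browser back to "/" in a loop. -->
    <intercept-url pattern="/" access="permitAll"/>

    <!-- Everything else requires an authenticated user. The form's processing
         URL (/j_spring_security_check by default) is consumed by the form-login
         filter before authorization runs, so it needs no rule of its own. -->
    <intercept-url pattern="/**" access="isAuthenticated()"/>

    <form-login login-page="/"
                authentication-failure-url="/"
                default-target-url="/dashboard"/>
    <logout invalidate-session="true" logout-success-url="/"/>
</http>
```

`permitAll` is preferable to taking "/" out of the filter chain entirely (`<http pattern="/" security="none"/>`), because the login page then still has a SecurityContext, so an already logged-in user can be recognised and redirected instead of being shown the form again.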

redirect to requested page after login using spring

This is my spring-security.xml:
    <http auto-config="true" path-type="ant">
        <intercept-url pattern="/myaccount.html*" access="ROLE_CUSTOMER"/>
        <intercept-url pattern="/viewpage.html*" access="ROLE_CUSTOMER"/>
        <form-login login-page="/login.html"
                    authentication-success-handler-ref="ssoAuthenticationSuccessHandler"
                    login-processing-url="/j_security_check" default-target-url="/login.html"
                    authentication-failure-handler-ref="authenticationFailureHandler"/>
        <logout invalidate-session="true" success-handler-ref="ssoLogoutHandler" delete-cookies="JSESSIONID,loggedIn,_bt,slc_f,slc_t,_px_i,attempt_auto_login"/>
        <session-management session-fixation-protection="none"/>
    </http>
If a user accesses some URL, I want to intercept him and send him to the login. After that he needs to be redirected to the page he originally requested.
The above XML helps me intercept when a user accesses viewpage.html, but after a successful login it does not take me to viewpage.html. Instead it always takes me to myaccount.html.
SavedRequestAwareAuthenticationSuccessHandler is used as the default implementation class for AuthenticationSuccessHandler.
This should work as you expect.
I'm not sure what authentication-success-handler-ref="ssoAuthenticationSuccessHandler" is supposed to do, but try looking into SavedRequestAwareAuthenticationSuccessHandler and see if you can get any clue.
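The configuration below is an added example (not the asker's or the answerer's) of wiring the handler the answer points to. When an anonymous request hits a protected URL, ExceptionTranslationFilter stores that request in the session before redirecting to the login page; SavedRequestAwareAuthenticationSuccessHandler replays it after a successful login and only falls back to defaultTargetUrl when nothing was saved. This is exactly what form-login does when no success handler ref is given, so the example simply declares that handler explicitly with a default of /myaccount.html. The security namespace is assumed to be the default namespace, as in the question's snippet, hence the beans: prefix.

```xml
<!-- Added example, not the asker's config. Assumes the security namespace is
     the default namespace and the beans namespace is bound to "beans:". -->
<beans:bean id="savedRequestSuccessHandler"
            class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <!-- Used only when no request was saved (user went straight to the login page). -->
    <beans:property name="defaultTargetUrl" value="/myaccount.html"/>
    <!-- Must stay false; true discards the saved request and always uses the default. -->
    <beans:property name="alwaysUseDefaultTargetUrl" value="false"/>
</beans:bean>

<http auto-config="true">
    <intercept-url pattern="/myaccount.html*" access="ROLE_CUSTOMER"/>
    <intercept-url pattern="/viewpage.html*" access="ROLE_CUSTOMER"/>
    <!-- default-target-url is deliberately absent here: the namespace parser rejects
         it when authentication-success-handler-ref is set, and the target is
         configured on the handler bean instead. -->
    <form-login login-page="/login.html"
                login-processing-url="/j_security_check"
                authentication-success-handler-ref="savedRequestSuccessHandler"/>
    <logout invalidate-session="true" delete-cookies="JSESSIONID"/>
    <!-- session-fixation-protection is left at its default (migrateSession),
         so the session id is renewed on login. -->
</http>
```

If a custom SSO handler is really needed, have it extend SavedRequestAwareAuthenticationSuccessHandler and call super.onAuthenticationSuccess at the end, so the saved-request redirect is preserved. Separately from the redirect problem, the question's session-fixation-protection="none" switches off a default protection: with it, the session id issued before login is kept after login, which is the precondition for session fixation.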

Change spring security default login url: spring-security-login

Does anyone know how I can change the Spring Security default login URL, spring-security-login?
I know that there is an attribute on the form-login tag named login-processing-url, but I don't want to have a custom login page. I just want to change the login URL to something like "login.htm".
It seems that the login-processing-url attribute only works when you have specified a custom login form.
I have tried this:
    <http use-expressions="true">
        <access-denied-handler error-page="/accessDenied.htm" />
        <intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/redirect.jsp" access="permitAll" />
        <form-login login-processing-url="/login.htm" />
        <logout/>
    </http>
but it doesn't work. It still shows "spring-security-login" as the login URL.
Thanks
What you want is login-page:
<form-login login-page="/login.htm" />

Spring security session management is not working

After I successfully log in, when I try to log in with another browser it redirects me to authentication-failure-url. Why doesn't it redirect to expired-url?
    <http auto-config='false' use-expressions="true">
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/j_spring_security_check" access="permitAll"/>
        <logout logout-success-url="/login.xhtml" invalidate-session="true" delete-cookies="JSESSIONID"/>
        <form-login login-page="/login.xhtml"
                    login-processing-url="/j_spring_security_check"
                    default-target-url="/pages/index.xhtml"
                    always-use-default-target="true"
                    authentication-failure-url="/login.xhtml?error=true"/>
        <custom-filter before="FORM_LOGIN_FILTER" ref="customAjaxControlFilter" />
        <session-management invalid-session-url="/login.xhtml?error=sessionExpired" session-authentication-error-url="/login.xhtml?error=alreadyLogin">
            <concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login.xhtml?error=expired"/>
        </session-management>
    </http>
EDIT: By the way, after I successfully log out it redirects me to invalid-session-url. I don't understand what is going on.
This is the expected behaviour. From the manual:
The second login will then be rejected. By "rejected", we mean that the user will be sent to the authentication-failure-url if form-based login is being used.
This is what happens if you set error-if-maximum-exceeded="true".
The expired-url parameter is used if you haven't set error-if-maximum-exceeded="true". In that case, the new login will be allowed, the original session will be marked as expired, and if you try to use it you will be redirected to this URL.
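The two settings the answer describes, side by side, as an added example (not the asker's or the answerer's config). Variant A is what the question configures: the second browser is refused and lands on authentication-failure-url. Variant B lets the second browser in and instead expires the first session, so the redirect to expired-url is seen by the older browser on its next request. Either variant needs the session event listener registered in web.xml; without it, sessions that are invalidated or time out are never removed from the session registry and a user can lock themselves out until the stale entry is gone.

```xml
<!-- Added example, not the asker's config. -->

<!-- Variant A: refuse the second login. The new attempt fails authentication,
     so form-login sends it to authentication-failure-url. expired-url is
     never used with this setting. -->
<session-management session-authentication-error-url="/login.xhtml?error=alreadyLogin">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
</session-management>

<!-- Variant B: allow the second login and expire the FIRST session. The next
     request carrying the older session is redirected to expired-url. -->
<session-management invalid-session-url="/login.xhtml?error=sessionExpired">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"
                         expired-url="/login.xhtml?error=expired"/>
</session-management>

<!-- Required in web.xml for either variant: keeps the session registry in step
     with session destruction (logout, timeout), otherwise max-sessions counts
     sessions that no longer exist. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

Which variant is the right control depends on the threat being addressed: A protects the account holder from a concurrent login they did not make (the first session stays valid and the intruder is refused), B favours the most recent login and is what most "log out other devices" behaviours are built on.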

POST to login-processing-url yields HTTP/404

Env:
Spring 3.1.3
Spring security: 3.1.3
Spring ldap: 1.3.1
JDK1.6
Problem:
I get a 404 on my login-processing-url.
Details:
I have three http intercept blocks: a public one, a second one used to intercept and secure URLs for admins (uses authentication manager 1), and a third one for regular users (uses authentication manager 2).
When the login form in http intercept block 1 posts the credentials to the login-processing-url of the form login, it yields a 404. I do not get this: since the form login announces the login-processing-url, shouldn't that filter chain recognize that URL?
Also, should I explicitly do "permitAll" on the login-processing-url of a form, or is that automagically done under the covers?
Lastly, is it problematic for distinct http interceptor blocks to have distinct login-processing-urls? (I cannot see why, but I ask anyway.)
Configs:
Spring security configuration:
    <!-- ... -->
    <debug />
    <global-method-security secured-annotations="enabled" />
    <http pattern="/public/**" security="none"/>
    <http use-expressions="true" pattern="/protected/x/support/**" authentication-manager-ref="lAdminAuthManager">
        <intercept-url pattern="/protected/x/support/**" access="hasRole('ROLE_ADMIN')"/>
        <form-login login-page="/public/login.jsp"
                    login-processing-url="/protected/x/support/j_spring_security_check"
                    username-parameter="username"
                    password-parameter="password"
                    authentication-failure-url="/login/form?error"
                    default-target-url="/protected/x/support/index.html"/>
    </http>
    <http use-expressions="true" entry-point-ref="lUserLoginEntryPoint">
        <intercept-url pattern="/protected/x/foo1/**" access="permitAll"/>
        <intercept-url pattern="/protected/x/foo2/**" access="permitAll"/>
        <intercept-url pattern="/j_spring_security_check" access="permitAll"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <custom-filter ref="lUserLoginFilter" position="FORM_LOGIN_FILTER"/>
        <custom-filter ref="lPreauthAuthenticationFilter" position="PRE_AUTH_FILTER" />
    </http>
    <!-- ... -->
Any hints greatly appreciated!
Thanks,
Uma
Anyway, check the links below. They may help you:
Visit http://krams915.blogspot.com/2010/12/spring-security-mvc-integration_18.html
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html
Even a small URL conflict in config files will cause a 404 error.
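The "URL conflict" the answer alludes to is about how requests are routed between several http elements, so here is an added example (not Uma's config or the answerer's) of the layout that avoids it. Spring Security tries the http elements in declaration order and hands the request to the first one whose pattern matches; an element without a pattern matches everything and therefore has to come last. For each chain, its form-login filter only sees requests that reached that chain, so the login-processing-url has to lie inside the chain's own pattern. Because that filter runs before authorization and does not pass a matching POST further down the chain, no intercept-url rule for the processing URL is needed, which answers the "permitAll" question; distinct processing URLs per chain are fine as long as each sits under its chain's pattern. The authentication manager bean names are assumptions.

```xml
<!-- Added example, not the asker's config. Bean ids adminAuthManager and
     userAuthManager are assumed to be defined elsewhere. -->

<!-- Chain 1: static and public content, including the login page; no filters. -->
<http pattern="/public/**" security="none"/>

<!-- Chain 2: admin area. Matched only for /protected/x/support/**, so its
     processing URL is placed under that prefix; a POST anywhere else would be
     routed to chain 3 instead and never reach this form-login filter. -->
<http pattern="/protected/x/support/**" use-expressions="true"
      authentication-manager-ref="adminAuthManager">
    <intercept-url pattern="/protected/x/support/**" access="hasRole('ROLE_ADMIN')"/>
    <form-login login-page="/public/login.jsp"
                login-processing-url="/protected/x/support/j_spring_security_check"
                authentication-failure-url="/public/login.jsp?error"
                default-target-url="/protected/x/support/index.html"/>
</http>

<!-- Chain 3: no pattern, so it matches every remaining request and must be
     declared last. Its own processing URL is distinct from chain 2's. -->
<http use-expressions="true" authentication-manager-ref="userAuthManager">
    <intercept-url pattern="/protected/x/foo1/**" access="permitAll"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <form-login login-page="/public/login.jsp"
                login-processing-url="/j_spring_security_check"
                authentication-failure-url="/public/login.jsp?error"
                default-target-url="/"/>
</http>
```

With `<debug />` enabled, as in the question, the log prints which filter chain each request was matched to; comparing that against the URL the form posts to is the quickest way to see whether a POST is landing in the chain whose form-login declares it.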

Unexpected redirect to login page after successful login

I'm using Spring to handle security in my JSF application. I have a login page at /login and I've configured Spring like this:
    <http authentication-manager-ref="authenticationManager">
        <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/admin" access="ROLE_ADMIN" />
        <intercept-url pattern="/javax.faces.resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
        <form-login login-page="/login" authentication-failure-url="/login" />
        <logout logout-url="/logout" />
    </http>
I want the admin page at /admin to be available only to users with the ROLE_ADMIN role. Users with ROLE_ADMIN or ROLE_USER may access pages starting from the application root.
When I log in with a user having either role I see the page you should see after login. However, whatever my next action may be, I get redirected to /login as if I'm not logged in. Can someone please explain this, as I've been trying to get this thing to work for a day now. I've been reading the Spring 3.1.x documentation but it doesn't give me a clue about how to solve the problem. I'm running Spring 3.1.1.RELEASE by the way.
Extra bonus info: the page you should see after login has an element that should only render if the user has ROLE_ADMIN. I can see that element after login. The problems began when I implemented PrettyFaces. I've searched the web for common problems and only came up with the advice that the PrettyFaces filter should appear after the Spring Security filter. This is the case, so it should work, right?
UPDATE: I've updated my config to use expressions. However, the problem still exists.
    <http authentication-manager-ref="authenticationManager" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/javax.faces.resource/**" access="permitAll" />
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
        <form-login login-page="/login" authentication-failure-url="/login" />
        <logout logout-url="/logout" />
    </http>
Output in Firebug's console just after login (the page tries an AJAX call):
First, always debug Spring Security when having problems (add log4j.logger.org.springframework.security=DEBUG).
Second, I think that you wanted hasAnyRole:
    <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
plus add use-expressions="true" to http:
    <http authentication-manager-ref="authenticationManager" use-expressions="true">
to allow ROLE_ADMIN xor ROLE_USER users to access the page. In your current config the user must have both roles to access /**.
