Spring security authorization - spring

In my project I use Spring Security and GWT with URL-based internationalization (http://....html?locale=en). The login and logout functions work very well, but here is another hitch: when a user logs in he gets a localized URL (for example http://localhost:8000/Admin/app/Admin.html?locale=en), but after he closes the window (without logging out) and comes back to the URL http://localhost:8000/Admin/ he is authorized by Spring Security via the session and logged in to the system without the "?locale=" param, so he gets the default language.
The main question is: how can I intercept between the two steps (after Spring says "OK, it's a good user, come in!" and before it sends the user the link to come in) so that I can add the locale to his URL?
Thanks.

You can implement a custom AuthenticationSuccessHandler to add parameters to the request on authentication success. See this question.
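Example of such a handler, added here as an illustration and not code from the original answer. It extends SavedRequestAwareAuthenticationSuccessHandler so the redirect target stays what Spring Security would have chosen anyway (the originally requested page, else the default target URL), and only appends a locale parameter to it. It assumes the login form submits the locale as a request parameter named "locale" (an assumption; with GWT this would typically be a hidden field filled from the current ?locale= value). Note that a success handler runs only on an explicit login: a user who returns with a still-valid session never passes through it, so the chosen locale also has to be persisted server-side (session attribute or cookie) for that case.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Carries the "locale" parameter of the login request over to the post-login
 * redirect. Illustrative code, not from the original post; the parameter name
 * "locale" is an assumption about the login form.
 */
public class LocaleAwareSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    // Accept only values shaped like "en" or "en_US". Anything else is ignored, so a
    // crafted value cannot smuggle extra query parameters or markup into the redirect.
    private static final String LOCALE_PATTERN = "[a-z]{2}(_[A-Z]{2})?";

    private final RequestCache requestCache = new HttpSessionRequestCache();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws ServletException, IOException {
        String locale = request.getParameter("locale");
        if (locale == null || !locale.matches(LOCALE_PATTERN)) {
            // No usable locale: fall back to the stock redirect behaviour.
            super.onAuthenticationSuccess(request, response, authentication);
            return;
        }

        // Same target the parent class would pick: the page the user originally
        // asked for (saved by ExceptionTranslationFilter), else the default target.
        SavedRequest saved = requestCache.getRequest(request, response);
        String target = (saved != null) ? saved.getRedirectUrl() : getDefaultTargetUrl();
        requestCache.removeRequest(request, response);
        clearAuthenticationAttributes(request);

        getRedirectStrategy().sendRedirect(request, response, withLocale(target, locale));
    }

    /** Adds or replaces the locale query parameter on an already-chosen redirect URL. */
    static String withLocale(String url, String locale) {
        return UriComponentsBuilder.fromUriString(url)
                .replaceQueryParam("locale", locale)
                .build()
                .toUriString();
    }
}
```

Wire it in with authentication-success-handler-ref on the form-login element of the XML namespace configuration, or with formLogin().successHandler(new LocaleAwareSuccessHandler()) in Java configuration. The redirect target itself is never taken from the request, only the locale value is, which keeps this from turning into an open redirect.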

Related

Log-in to Spring/Angular project from a struts Application

I have an existing Struts application to which an Angular/Spring application will be combined. Both will exist on different URL patterns, but both will have the same login page, which is a JSP. Also, Spring Security is used in the Angular/Spring application.
Based on the logged-in user, from the login the user will be redirected to either the Angular/Spring or the Struts application and the authentication will be done by the respective application. So I need to send the username and password to Angular and then do the login from there.
But I am not able to send the data to the Angular side, and even if I somehow can, I'm not sure how to retrieve the data. How can I achieve this?
Any help is much appreciated. Thanks.
Write a REST API so you can GET or POST data from the Angular app.
Hope this post will help you: https://dzone.com/articles/java-8-springboot-angularjs-bootstrap-springdata-j

Spring library with Service provider login page

I have a requirement to have the login page at the service provider, and I use a Java web app. Is there any way to use the Spring SAML libraries to achieve this behaviour? If so, what would the steps be? (It seems the default behaviour of the Spring library is to redirect to the IdP login page, and I am not sure whether it can be configured to host the login page on the service provider and relay that request to the IdP.)
I think what you're looking for is having two different ways to authenticate, one locally and one through SAML. I believe that for having a login form you would want separate configurations with different AuthenticationEntryPoints, i.e. go to /login for local login, or /saml/login/alias/" + spAlias + "?idp=" + spEntityID for direct login through SAML.
It sounds like right now you have SAML protecting every URL, which by default redirects you to the IdP since that's what's configured. The first step I would take is getting username and password authentication working with logins independently of SAML, then add SAML back in. Be sure to list whatever URL the login form uses as permitAll so SAML doesn't kick in.
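The two-configuration layout described in this answer, written out as an added example (not code from the answer or from the Spring SAML extension). It assumes the extension's beans samlEntryPoint, samlFilter (the FilterChainProxy that holds the SAML processing filters) and samlAuthenticationProvider are defined elsewhere, as in the extension's sample configuration, that a local UserDetailsService bean exists, and that the SP-hosted page at /login renders a password form plus a link to /saml/login/alias/{spAlias}?idp={idpEntityId}. All of those names are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

/**
 * Two filter chains with different AuthenticationEntryPoints: SAML only for
 * /saml/**, a local form login for everything else. Illustrative code, not from
 * the original post; the SAML beans and the local UserDetailsService are
 * assumed to be defined elsewhere.
 */
@Configuration
@EnableWebSecurity
public class SpHostedLoginConfig {

    /** Chain 1: SAML endpoints only. */
    @Configuration
    @Order(1)
    public static class SamlChain extends WebSecurityConfigurerAdapter {

        @Autowired private SAMLEntryPoint samlEntryPoint;
        @Autowired private FilterChainProxy samlFilter;
        @Autowired private SAMLAuthenticationProvider samlAuthenticationProvider;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(samlAuthenticationProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/saml/**")                              // this chain sees SAML URLs only
                .csrf().disable()                                    // the IdP POSTs the response without our CSRF token
                .exceptionHandling().authenticationEntryPoint(samlEntryPoint)
                .and()
                // samlFilter also maps SAMLEntryPoint at /saml/login/**, which is what the
                // "login with SSO" link on the local /login page points at.
                .addFilterAfter(samlFilter, BasicAuthenticationFilter.class)
                .authorizeRequests().anyRequest().permitAll();       // the SAML filters do the real work
        }
    }

    /** Chain 2: everything else; entry point redirects to the SP-hosted /login form. */
    @Configuration
    @Order(2)
    public static class LocalFormChain extends WebSecurityConfigurerAdapter {

        @Autowired private UserDetailsService localUsers;            // assumed bean for local accounts

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(localUsers);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/login", "/css/**").permitAll()   // the form must be reachable anonymously
                    .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().logoutUrl("/logout").permitAll();
        }
    }
}
```

A user who authenticates through chain 1 lands in chain 2 already authenticated, because both chains store the SecurityContext in the same HTTP session; the SAML success handler then redirects to the page chain 2 saved before sending the user to /login. Keep /saml/** out of chain 2 entirely (the antMatcher on chain 1 does that), otherwise the form-login entry point intercepts the IdP's response.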

Spring and CAS using Spring Security :: Ticket left in URL killing bookmarks

I have set up an application that uses Spring and the built-in Spring Security CAS implementation. Everything seems to be working fine; users can log in OK and all is well. That is, until you attempt to bookmark a page.
It seems that our system is retaining the ticket query parameter after the CasAuthenticationFilter fires in the security filter chain.
We end up with users having URLs that contain the ticket query parameter. If they bookmark a page and then return to it, they get a "ticket doesn't exist" error.
Is this expected behaviour? I remember looking in the Jasig client implementation and they seem to scrub it there, but not in the Spring Security implementation?
Any thoughts?
Thanks!
Most of the Java-based CAS validation filters support RedirectAfterValidation. This will refresh the page and remove the ticket parameter.
See https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security
Do a redirect (to a URL without the ticket parameter) after the user is redirected back to your app for ticket validation.
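The post-validation redirect from the second answer, done inside Spring Security as an added example (not code from either answer). It is a success handler for CasAuthenticationFilter that sends the browser back to the same page minus the ticket parameter, and it assumes the filter is processing the protected page's own URL, which is the setup that leaves the ticket in the address bar. The name TicketStrippingSuccessHandler is an assumption.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * After the CAS ticket has been validated, redirect to the same page without
 * the "ticket" parameter so the one-time ticket never ends up in a bookmark,
 * a Referer header or an access log. Illustrative code, not from the original
 * post.
 */
public class TicketStrippingSuccessHandler implements AuthenticationSuccessHandler {

    private static final String TICKET_PARAM = "ticket";
    private final RedirectStrategy redirectStrategy;

    public TicketStrippingSuccessHandler() {
        DefaultRedirectStrategy strategy = new DefaultRedirectStrategy();
        // We pass a server-relative path that already contains the context path,
        // so stop the strategy from prepending the context path a second time.
        strategy.setContextRelative(true);
        this.redirectStrategy = strategy;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        // Use the request URI (path only), not getRequestURL(): the latter embeds the
        // client-supplied Host header, which would let an attacker steer the redirect.
        String current = request.getRequestURI();
        if (request.getQueryString() != null) {
            current += "?" + request.getQueryString();
        }
        redirectStrategy.sendRedirect(request, response, stripParameter(current, TICKET_PARAM));
    }

    /** Removes one query parameter and keeps the rest of the query string intact. */
    static String stripParameter(String url, String name) {
        return UriComponentsBuilder.fromUriString(url)
                .replaceQueryParam(name)     // no values given: the parameter is dropped
                .build(true)                 // the query string is already percent-encoded
                .toUriString();
    }
}
```

Register it with setAuthenticationSuccessHandler on the CasAuthenticationFilter bean. Because the redirect goes through the normal filter chain again, the user arrives with the session-backed SecurityContext and no ticket, which is exactly the URL that is safe to bookmark.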

Spring security, AJAX and SiteMinder

I am implementing a Spring Security login and I am trying to understand something. Here is the scenario I want to implement:
For the initial login, show the login page and let the user in.
If after some inactivity the session expires and the user performs some action, show him a popup window to authenticate (a JS-based popup in the browser), then continue with the action as if there had been no login form.
Implementing the form is easy, but how do I make the popup work? Let's say I make a request to some protected URL after the session expired; how do I make sure it's not forwarded to the login page but to my login handler that shows the popup window?
Another issue: I need to integrate with SiteMinder, so I would need to read the login/password combination and, after it's read, forward to SiteMinder for authentication; after that's done I want to return without forwarding.
Answer to the SiteMinder issue:
SiteMinder is generally installed on a web server behind your servlet container.
Also, SiteMinder manages the authentication and an application does not have access to a user password at all.
To integrate with SiteMinder use this filter:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295.
Answer to the login with the popup issue: since you need to integrate with SiteMinder, I would not recommend implementing the login via the popup.
The sample given on the above SpringSource website is quite primitive and can break in several use cases. Using the SM_USER header alone has several caveats; see my answer here: How to validate SM_USER header in Spring Security preauthentication for siteminder
CA SSO, aka SiteMinder, as well as other traditional HTML-form request-response SSO systems, have a hard time dealing with single-page applications and protecting the web services that you invoke via AJAX without breaking the flow of your application.
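For reference, the pre-authentication filter the first answer links to, written out in Java configuration as an added example (not code from either answer or from the linked reference section). It assumes the SiteMinder web agent sets the SM_USER header and that the servlet container is reachable only through the agent-fronted web server: that deployment constraint is the main caveat the second answer alludes to, because any client that can reach the container directly can send its own SM_USER header and become anyone. The class name and the role mapping are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

/**
 * Pre-authentication against the SM_USER header set by the SiteMinder agent.
 * Illustrative code, not from the original post. Only sound when the container
 * cannot be reached without passing the agent; otherwise the header is
 * attacker-controlled.
 */
@Configuration
@EnableWebSecurity
public class SiteMinderPreAuthConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // Turn the header value into UserDetails. Here every SM_USER gets ROLE_USER;
        // a real deployment would look the account up in LDAP or a database instead.
        AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> lookup =
                token -> new User(token.getName(), "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
        provider.setPreAuthenticatedUserDetailsService(lookup);
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter smFilter = new RequestHeaderAuthenticationFilter();
        smFilter.setPrincipalRequestHeader("SM_USER");
        // A missing header means "not pre-authenticated"; let the access rules below
        // answer 403 rather than throwing from inside the filter.
        smFilter.setExceptionIfHeaderMissing(false);
        smFilter.setAuthenticationManager(authenticationManager());

        http
            .addFilter(smFilter)
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // No local login page exists: SiteMinder, not the application, authenticates.
            // An unauthenticated request that somehow reaches us is simply refused.
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
    }
}
```

Note that this also illustrates why the popup-login idea does not fit: the application never sees a password, so there is nothing for a JavaScript login handler to submit; an expired SiteMinder session is renegotiated by the agent with its own redirect, outside the application's control.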

how to implement when user is not login, the server should redirect to the login page in Spring

I'm new to Spring 3 MVC and I'm working on a web project using it. I have implemented login and logout: I put the user info in the session when the user logs in and remove it when he logs out.
Now I want to implement this:
if the user is logged in he can do whatever he wants, but if he logs out and accesses a page on the server, we should redirect to the login page.
I think it's possible using a filter and some configuration in web.xml so I needn't write much code. I think it's very easy using configuration, but I don't know how to implement it.
So how and what should I configure? It's a bit like this question: Looking for a Simple Spring security example
Thanks for your help.
Use: return "redirect:LoginPage";
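The filter-based approach the question asks about, as an added example (not code from the answer). It assumes the login controller stores the user object under the session attribute "user" and that the login page is served at /login; both names are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet filter that sends requests without a logged-in session to the login
 * page. Illustrative code, not from the original post; the attribute name
 * "user" and the path /login are assumptions.
 */
public class LoginRequiredFilter implements Filter {

    static final String USER_ATTR = "user";
    static final String LOGIN_PATH = "/login";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isLoggedIn(request) || isPublic(request)) {
            chain.doFilter(req, res);
            return;
        }
        // A 302 to the login page. Redirect rather than forward, so the address bar
        // shows the login page and a refresh cannot replay the protected request.
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // never create a session just to inspect it
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    /** The login page and static assets must stay reachable, or the redirect loops. */
    static boolean isPublic(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return path.equals(LOGIN_PATH) || path.startsWith("/css/") || path.startsWith("/js/");
    }
}
```

Map it in web.xml with a filter element naming this class and a filter-mapping whose url-pattern is /*. Two details matter for the login and logout code that sets and clears the attribute: on logout call session.invalidate() instead of only removing the attribute, and on a successful login invalidate the old session and create a new one before storing the user, so a session ID handed to the victim before login (session fixation) does not become authenticated. Spring Security's http element with form-login does all of this for you, which is what the linked question shows.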
