I have a decent login system working with Spring 3 security.
If a user tries to access a secure page prior to login, he is bounced to the login page, and then upon successful login, he is redirected back to the page that he tried to access previously. This is almost exactly what I want.
What I ALSO want is a special error message to appear on the login page explaining to the user that he has been redirected there because he has tried to access a secure area. How can I do this (without showing that error message on the login page for people who haven't previously tried to access a secure page)?
Thanks!
P.S. I have read http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity-single.html#getting-started and many posts on this site and others but have not found the solution.
Are you using jsp? Then something like this might be useful.
Would you like to customize your error message from Spring Security? Take a look here.
On your login jsp page you can retrieve HTTP header referer (e.g. with jstl - ${header['referer']}) which would tell you what page user tried to access before being redirected to this login page.
Displaying a error message in the login page it is something done authomaticaly by Spring. You can see how it is discussed here. I think that this is more about displaying login error as "Bad credentials" but take it in mind anyway.
For your case, displaying a error message related with access denied can be done just defining the access denied page in the spring security configuration.
Usually, you can see something like this:
<http auto-config="true" access-denied-page="/403.jsp">
....
</http>
but also you can do this and control in the login jsp if myError variable comes in the request:
<http auto-config="true" access-denied-page="/login.jsp?myError=access-denied">
....
</http>
I don't think any of the answers here provide a clean generic solution to the original problem. I do not understand OP's solution and it may be specific to his situation.
When a user clicks on a secure URL, spring redirects the user to the login page. The original request is stored in the session. And spring doesn't pass any of the parameters in the original request to the login page.
You can add something like the following to the login.jsp:
<%
if((SavedRequest)session.getAttribute("SPRING_SECURITY_SAVED_REQUEST") != null && ((SavedRequest)session.getAttribute("SPRING_SECURITY_SAVED_REQUEST")).getParameterMap().get("LOGINMSG") != null){
out.println('<%= ((SavedRequest)session.getAttribute("SPRING_SECURITY_SAVED_REQUEST")).getParameterMap().get("LOGINMSG")[0]%>');
}
%>
Where LOGINMSG is the custom end user login message that you appended to the original secure URL.
I hope the spring security team would chime in and validate ( or invalidate ) this approach.
Related
Need some idea on the process to land in a page after I login to my web portal. My requirement is I will enter Url of a particular page in to the browser, then system will check is the user is login to the system, if yes it will land on the page I have entered but if not then system will take me to the login page and after successful login I will be landed in to the page I have entered in the browser.
So, please tell me how to do it in plain servlet/Jsp model, Spring and Struts 1 and Struts 2.
Any post will be helpful
I know about basic jsp/servlet model.
Write a Servlet filter which will intercept every request from the brwoser, there check is the user is logged in or not. If logged in your normal flow will continue but if not then redirect to the login page. When you are redirecting to the login page, make sure you send the url hit by browser in the response. Now in client side hold the url send in response and after eneter credentials in login page when user will submit the record send the url (Hold in the client side from response) in the request and after successful login use Servelet Request dispatcher to land in the url.
I am not sure but spring-security has this feature and struts 2. But implementation process can be share by others who are familiar on this technologies. But in struts 1 it's not available and you have to do it manually.
it will very easy with spring security you just need to secure some path pattern. you doesn't need to add some code in your jsp or controller, example
for url /admin/* need administrator role
for url /user/* need user role
for url /public/* no need login (anynomous)
it just need configure at your spring-security.xml
you can start here
I have used LDAP authentication using spring and it is working.
Now I want to show the details of authenticated user on jsp page without using scriplets. User details should be picked from http session. But I am not getting the right way to proceed further.
If anyone knows the solution then please share with me.
Thanks
Use the Spring taglib
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/taglibs.html
You can then access the user principal (containing DN, groups, etc) with
<sec:authentication property="principal.<whatever>" />
I am using Spring Security 3.1.x and trying to achieve the following scenario:
a page is secured with isFullyAuthenticated()
the current user is only authenticated with Remember Me, so not fully authenticated
the user navigates to this fully authenticated page - this should not be permitted (and it's not)
however, the user should not get the 403 page - instead, the user should be prompted to login via the Login form
after logging in, the user should be allowed to proceed to the page he previously requested, since now he's a fully authenticated user
My Spring Security config is:
<http use-expressions="true">
<intercept-url pattern="/admin/full_auth_only.html" access="isFullyAuthenticated()" />
<form-login login-page="/login.html" default-target-url="/authenticated.html" />
<logout />
<remember-me key="someAppKey" />
</http>
And I tried to add:
<access-denied-handler error-page="/login.html" />
However, the problem is now that, when visiting the page, I am indeed prompted by the Login form, only the URL doesn't correspond to login; instead it's the URL of the fully authenticated page:
http://localhost:8080/spring-security/admin/full_auth_only.html
Which then breaks the authentication process, which fails when trying to access the (invalid) URL:
http://localhost:8080/spring-security/admin/j_spring_security_check
This should have been:
http://localhost:8080/spring-security/j_spring_security_check
Any help on this is appreciated - I think the usecase is very common and so I would prefer using the namespace support instead of going in a custom direction.
Thanks.
Eugen.
I couldn't reproduce your issue with version 3.1.3.RELEASE of Spring Security. Which version do you use?
Authentication requests are intercepted by the AbstractAuthenticationProcessingFilter that checks if the URL of the request ends with a pre-configured value (that defaults to /j_spring_security_check). Any URL with that ending will trigger an authentication attempt. You can see the related code here.
This means that the URL you said is invalid should in fact be processed without problems.
The code linked above hasn't been changed since very early versions (2.x), so there should be some other issues in your case.
If you could share your configuration and some debug level logs, that would help to reveal what's the real problem.
1.Remove any welcome-file-list if you have in web.xml.
2.Make sure always-use-default-target is not set to false in form-login tag or remove it all together.
3.And make sure you have permitted every one to access your login page. something like this <intercept-url pattern="/login.htm" access="permitAll()"/>
That should work.
it sounds like the cookie was not set, and the following requests sent were all treated as the first requests without a session ID, so spring security asked for login every time even though you had logged in.
If you were using google chrome, and tested the application in your local machine using the localhost address, the cookie might not be set. And it is a known issue with Google chrome.
You can try 127.0.0.1 instead to test. Or try another web browser like Internet Explorer.
I have a asp.net site that uses federated security for authenticating the user. Therefore a user navigates to the url which is redirected to a login page and if successful gets routed back to the main application. What I need to do is somehow have the main application allow some code to be ran before being redirected to the login page. This is because the intial request may have some query string parameters that I need to store in the users session as the request back to the main application is dropping them.
Is this possible... any thoughts or examples would be greatly appreciated!
I am not sure whether this may help:
You can turn off the WIF’s built-in redirection of unauthenticated sessions by modifying web.config file:
<microsoft.identityModel>
<service>
......
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="false"
......
and once your reconstruct your query string, you can update audienceUri and realm.
I'm new to Spring3 MVC and I'm working on a web project using it, I has implemented login and logout. I put the user info in session when user login and remove it when he logout.
Now I want to implement that:
if user login, thus he can do whatever, but if he logout and access the page which is in the server, we should redirect to the login page.
I think it's possibly using filter and some configuration in web.xml so I needn't writte much code. I think it's very easy using configuration but I don't know how to implement it.
SO How and What should I config? It's like this question a bit:Looking for a Simple Spring security example
Thanks for your help.
use - return "redirect:LoginPage";