What does the attribute below (IS_AUTHENTICATED_ANONYMOUSLY) mean? - spring

I am using Spring Security, and I am new to it. What does the line below indicate? Please help me.
<security:intercept-url pattern="/MyPath/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
Thanks!

Spring Security anonymous authentication is a nice way to handle unauthenticated users with the same concepts as authenticated ones.
Note that there is no real conceptual difference between a user who is "anonymously authenticated" and an unauthenticated user.
See Spring Security Reference: Chapter 12, Anonymous Authentication
At least it means that every URL that matches /MyPath/** can be accessed without restrictions.

Related

Spring Boot: how to secure some pages but not all the pages

We are creating a Spring Boot web application to send RSS data to a ticker sign (ticker).
The URLs that send RSS data to the ticker sign do not need to be secured with LDAP or other credentials.
But we have one page where we update a custom message that we send to the ticker sign. We want to secure this page with the corporate LDAP.
Is it possible to configure Spring Boot to only require a login for one page while the rest of the pages remain unsecured?
You can create a role with all permissions to access and grant that access only in some methods using Spring Security annotations: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
<http use-expressions="true">
<intercept-url pattern="/*"
access="hasRole('admin')"/>
</http>
Then in your free access method
@PreAuthorize("hasRole('admin')")
public void create(Contact contact);
To use this it is very important that you name your URLs wisely i.e. if you want to assign admin role then make a URL look something like /admin/v1/something-here. It will make things readable and simple for you.
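As an added example (not the answerer's code), this is a Spring Security XML namespace configuration for the scenario in the question: public feed URLs, one LDAP-protected page, and a fail-closed catch-all. The security namespace is assumed to be the default namespace; the /rss/** and /admin/message paths, the LDAP host, base DN and group name are all assumptions.

```xml
<http use-expressions="true">
    <!-- Feed endpoints read by the ticker sign: open to everyone. permitAll
         grants the same access that IS_AUTHENTICATED_ANONYMOUSLY does. -->
    <intercept-url pattern="/rss/**" access="permitAll"/>

    <!-- The single page that edits the custom message: an LDAP login and
         membership in the ticker-admin group are required. -->
    <intercept-url pattern="/admin/message" access="hasRole('ROLE_TICKER_ADMIN')"/>

    <!-- Fail closed: a URL nobody listed above is refused instead of being
         left open by accident when a new endpoint is added later. -->
    <intercept-url pattern="/**" access="denyAll"/>

    <form-login/>
    <logout/>
</http>

<!-- Corporate directory (hypothetical host and base DN). -->
<ldap-server url="ldap://ldap.example.com:389/dc=example,dc=com"/>

<!-- Users bind with their own LDAP password. Each group the user belongs to
     becomes ROLE_ plus the group's cn in upper case, so a group with
     cn=ticker_admin yields ROLE_TICKER_ADMIN. -->
<authentication-manager>
    <ldap-authentication-provider
        user-search-base="ou=people"
        user-search-filter="(uid={0})"
        group-search-base="ou=groups"
        group-role-attribute="cn"/>
</authentication-manager>
```

With this layout an anonymous request to an unlisted URL is sent to the login form rather than refused outright; the question on unmatched intercept-url patterns further down this page covers how to change that.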

Custom AccessDecisionManager in spring security

We are integrating our JSF2 application with Spring Security. We have done the basic setup and it is working fine. However, we need to implement a custom access decision manager to filter the requests.
For example, if a user with user privileges tries to access a page dedicated to admins, we need to first check whether the user is logged in or not and, if logged in, get his authorities. I have written an access decision manager and I am still in the process of enhancing it. But when I deploy I get the error below.
java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: class org.springframework.security.web.FilterInvocation
Any idea what the reason for this is?
Below is a sample from my security-config.xml:
disable-url-rewriting="true" access-decision-manager-ref="accessDecisionManager">

How to handle requests if no matching spring security <intercept-url>?

I'm using spring 3.1.1 and spring security 3.1.0. I'd like to enforce a policy that all http requests that are not explicitly configured with an <intercept-url pattern="..." access="..."/> entry are handled in a particular way. For requests that match a configured <intercept-url/> I want to use typical role based access decisions. However, for non-matching requests, I want to either respond with a 404 (not found) (or maybe 403/forbidden). I want to do this so that I and other team members are forced to explicitly configure spring security and associated roles for any new endpoints.
I originally thought that I could use <intercept-url pattern="/**" access="denyAll"/> as the last intercept-url and that spring would do what I wanted. This technique works if the user is already authenticated but is a little strange for unauthenticated/anonymous users. For anonymous users, spring detects (in ExceptionTranslationFilter) that the user is anonymous and starts the authentication process when requests like /missingResource are processed. Typically this means that the user is redirected to a login form and, after logging in, is redirected back to /missingResource. So the user has to login in order to see a 404 (not found) page.
I ended up removing the <intercept-url pattern="/**" access="denyAll"/> and writing a custom filter that runs after="FILTER_SECURITY_INTERCEPTOR" and responds with 404 for requests that are not matched by the FilterSecurityInterceptor, but it seemed a little complicated. Is there a better or simpler way?
You can define a separate http element for the intercept-url /** with access="denyAll" and add a custom entry-point-ref to stop Spring from redirecting the user to the login form. You can use the existing entry point Http403ForbiddenEntryPoint to return a 403 error response, or implement your own by implementing AuthenticationEntryPoint.
Hope it helps.
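Added example (not the answerer's code) of the two-chain layout described above, in the Spring Security 3.1 XML namespace with the security namespace as default and beans: for the bean element. The /app/** prefix, the role names and the login URLs are assumptions.

```xml
<!-- Chain 1: the explicitly secured part of the application. Chains are
     tried in declaration order, so this one must come before the catch-all.
     The login URLs live under /app/ so this chain handles them too; the
     application must serve its own login page at /app/login. -->
<http pattern="/app/**" use-expressions="true">
    <intercept-url pattern="/app/login*"   access="permitAll"/>
    <intercept-url pattern="/app/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/app/**"       access="hasRole('ROLE_USER')"/>
    <form-login login-page="/app/login"
                login-processing-url="/app/login_check"/>
</http>

<!-- Chain 2: every URL nobody listed above. denyAll refuses it for
     authenticated users (AccessDeniedException, 403), and the entry point
     refuses it for anonymous users with 403 instead of starting the login
     flow, so nobody has to log in just to learn that a URL is not exposed. -->
<http use-expressions="true" entry-point-ref="forbiddenEntryPoint">
    <intercept-url pattern="/**" access="denyAll"/>
</http>

<beans:bean id="forbiddenEntryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
```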

Spring security with multiple custom filters and roles

I am using Spring security with two filters:
- One filter for X.509 authentication with client certificates. All this filter does is extract the username from the certificate into the principal.
- One filter to do header-based authentication. The header should have the username and roles. In this filter I check to make sure that there is a principal already present in the security context. If present, I make sure that it matches what's in the headers. Then I extract the roles from the header and set the granted authorities.
I have a url pattern that I want to be made accessible to roles - 'ROLE_USER'
Now here is the problem. The request only hits the first filter (X.509); the role is obviously missing in this header and access is denied by Spring Security.
I cannot switch the order of the filters because if I do, the X.509 filter provided by Spring simply sees that a principal is already present and does nothing, making it useless.
Is there any way for the role check to be deferred until all filters are processed? Or any other way to achieve what I am trying to do.
Here is my spring security config:
<security:http auto-config="true" entry-point-ref="customEntryPoint">
<security:intercept-url pattern="/user/**" access="ROLE_USER"/>
<security:custom-filter after="EXCEPTION_TRANSLATION_FILTER" ref="x509Filter" />
<security:custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="headerFilter"/>
</security:http>
where the x509Filter is the standard Spring Security filter configured as:
<beans:bean id="x509PrincipalExtractor" class="org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor">
<beans:property name="subjectDnRegex" value="CN=(.*?),"/>
</beans:bean>
I can provide a scrubbed customHeaderFilter if needed, but at this point control never reaches the filter, so it is inconsequential what happens in it.
Any help/guidance would be greatly appreciated.
Thanks to the pointer from @Maksym, the problem was resolved by changing 'after' to 'before' in the customHeaderFilter as follows:
<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="headerFilter"/>
FilterSecurityInterceptor is responsible for handling the security of HTTP resources, including applying role checks. In my case the X509Filter would fire and set the principal but would not set any authorities. This would cause the interceptor to deny access to the resource, and the headerFilter would not even come into the picture.
Setting the position of the headerFilter to before the interceptor allowed the principal and the authentication object in the security context to be set up correctly with the given authorities, leading to the expected behavior.

Does Spring Security provide a basic registration solution?

I'm new to Spring Security, I used it only for the authorization. I know, that Spring Security provides authentication and authorization solutions. Of course, in some cases registration is nothing more than checking a validity of email, confirmed password and so on, putting user's data in the database. Is there any Spring Security's code that should be used for the registration? I didn't find any registration tutorials (but there are a lot of login tutorials). Thanks in advance.
As of now there is no standardized registration process. You need to write a service implementing UserDetailsService and pass it to your authentication-manager (here a DAO is used):
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDao" />
</authentication-manager>
Check the Spring Security Docs: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/
