is it mandatory to configure both in my application? - spring

I am using spring security for authentication. i have applicationContext-security.xml and custom login page(login.jsp). i have to implement remember me functionality. i have configured below two things. is it mandatory to configure both or one is enough? Please help me.
login.jsp:
<input type="checkbox" name="_spring_security_remember_me" />Remember Me
security.xml:
<remember-me key="_spring_security_remember_me"/>
are both above lines mandatory? also is _spring_security_remember_me convention is mandatory? Thanks!

The checkbox in the JSP is used to let the user choose if a remember-me cookie should be set or not, allowing for transparent authentication later. Spring excepts such a request parameter to decide if the cookie must be set or not.
The key in the security.xml is used to generate a more difficult to guess hash to store in the cookie. You should put something only known by you. It's a secret key. See http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#remember-me

Related

Creating custom Authentication entry point for form login

I have a form login entry point currently defined like so:
<form-login login-page="/spring/login"
login-processing-url="/spring/login"
authentication-failure-url="/spring/loginfail"
default-target-url="/spring/loginsuccess"
always-use-default-target="true" />
This works just fine but I want to convert it into a custom authentication entry point. I have a class that extends LoginUrlAuthenticationEntryPoint which gets called when authentication is needed.
My question is: How do I support POSTing the username/password using this pattern?
When I remove the form-login block I get a POST not supported error. I guess since I can no longer define the login-processing-url, where do I post the credentials so that Spring Security can perform the authentication?
I think I figured this out. I misunderstood how this works. The form-login AuthenticationEntryPoint should be a singular entry point in the application. The AuthenticationEntryPoints mapped to other patterns should simply re-direct to the URL which is mapped to the entry point containing the form-login entry point IF form-login is required, otherwise we could handle this differently.

How to implement view-based spring security for links?

I have a new project and I want to implement spring-security along with other components of spring framekwork.
I plan to implement spring security into 2 levels, Request URL-level and view-level
For Request URL-Level, I'd use the <intercept-url> tag to restrict URL access only for authorized users.
For View-Level security, I'll use it into two parts of the application;
For the web app menu to restrict menus for users who authorized to.
And inside the pages to restrict some parts of the page for users who authorized to.
The confusion I had is regarding implement spring security for menu links.
Hence I need to use spring taglibs <authorize> tag's url attribute (to reuse<intercept-url> patterns/access combination) , then I'll need to write menu links by hand like this:
<security:authorize url="/admin/superadmin/**" >
Super admin page
</security:authorize>
Where I've the following intercept url rule:
<intercept-url pattern="/admin/superadmin/**" access="hasRole('ROLE_SUPER_ADMIN')" />
The point is, I have all the rules in the Database table, and I want to draw links dynamically based on the roles/links saved in the table.
So, the question is how to draw menu links dynamically, and at the same time still use the <authorize> taglib?
The <authorize> tag can do what you need automatically. I assume your menu JSP looks like (without the security part) :
<c:foreach items="${menus}" var="menu">
<a href=${menu.url}>${menu.label}</a>
</c:foreach>
You can simply add security that way :
<c:foreach items="${menus}" var="menu">
<security:authorize url=${menu.url}>
<a href=${menu.url}>${menu.label}</a>
</security:authorize>
</c:foreach>
The Spring security reference manual says that as you use the namespace the authorize tags creates a dummy web request for the supplied URL and invokes the security interceptor to see whether the request would succeed or fail. This allows you to delegate to the access-control setup you defined using intercept-url declarations within the namespace configuration and saves having to duplicate the information (such as the required roles) within your JSPs

How to Check whether a valid session is still existing at IDP?

I've implemented SSO using Spring Security SAML. Here is what currently working for me:
When I try to access any resource at SP, I'm redirected to my IdP(idp.ssocircle.com in my case) if I'm not logged in already. After successful authentication at IDP, I'm redirected back to SP and authorize the incoming SAML response and create a session for the respective user. Everything is cool till here!
But when I log out from my IDP(by clicking logout from idp.ssocircle.com externally), I shouldn't be able to access my SP which is not happening in my case.
Now what I'm thinking to do is may be write a new filter which checks for a valid session at IDP before processing any request on SP. I've searched a lot but couldn't find any solution to my problem.
Please give inputs on how can I implement this filter or is there any other way of doing this? Any suggestions are appreciated.
Does your IDP support and correctly initialize Single Logout? If so it could be related to this issue, just update to latest Spring SAML version or change property invalidateHttpSession in your logout handler to true:
<bean id="logoutSessionHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="true"/>
</bean>

Disable SpringSecurity's SavedRequest storing logic

We are using Spring Security for managing authentication. The issue we are seeing is that when a user's session is timed out between bringing up a GET form and hitting the save button that does a POST, they are sent to the login page but spring is saving the original post information in the session.
Our app does not bring them back to the original URL after login, but instead sends them back to a common starting page. This works fine, but when the user happens to return to the page they had originally tried to POST to (the form GET and POST are the same URLs) Spring tries to resubmit the POST automatically which is not what we want.
Is there a way to completely disable the SavedRequest storing logic in Spring?
I guess this jira issue of spring security describes your problem and how to handle this.
Based on Nathan's comment on Raghuram's answer, with namespaced XML it's something like this:
<security:http>
<security:request-cache ref="nullRequestCache" />
<!-- ... -->
</security:http>
<bean id="nullRequestCache" class="org.springframework.security.web.savedrequest.NullRequestCache" />
There are two scenarios:
1) If you want that after relogin, user should always get forwarded to the default target URL instead of the orginal requested URL then put always-use-default-target="true" in your security.xml like
<http auto-config="true">
.....
<form-login login-page="/login" always-use-default-target="true" default-target-url="/xyz"
authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
</http>
1) If you want that on session timeout after relogin, user should forward to the orginal requested URL but you do not want to resubmit the form then put session-fixation-protection="newSession" in your security.xml like
<http auto-config="true">
<session-management session-fixation-protection="newSession"/>
.....
</http>
Please put session-management tag as first line in http configuration.
It looks like the session-fixation-protection="newSession" attribute on (2.0) or (3.0) will also resolve the issue
With Spring 4.2.5 I ran into this too.
My case was almost identical: display GET form, wait for session timeout, then POST the form. In my app after re-authentication a start page is displayed. However, if the user then navigates to this GET form, and POSTs it, then the previous POST parameters are remembered and concatenated to the current request, resulting in comma separated values in the #RequestParam variables.
I dumped the session in my authentication controller and indeed I saw a "SPRING_SECURITY_SAVED_REQUEST" named key.
The spring documentation says that by default a "SavedRequestAwareAuthenticationSuccessHandler" is used for retrieving the saved request data from the session and apply it to the request.
I tried to use a do-nothing successHandler but couldn't make it work.
I also tried applying
http.sessionManagement().sessionFixation().newSession();
to the security config but that didn't help.
However
http.requestCache().requestCache(new NullRequestCache());
solved the issue.

custom spring security form

I would like to add captcha to spring security form, how can I implement this?
I have declared my custom form login like: <form-login login-page="/login" /> now I need to override authentication filter to verify captcha, how to do it?
#misha, take a look at this article: Spring Security 3: Integrating reCAPTCHA Service.
This uses two filters to make reCAPTCHA integration as seamless and unobstrusive as possible. That means your existing Spring Security implementation will not break. No need to touch existing classes.
There's no need to override your existing implementation. You can add CAPTCHA to your existing implementation.
I guess you can override attemptAuthentication method as following (pseudo code):
1. get captcha response
2. verify captcha response
3. if invalid response, throw some kind of AuthenticationException (may be named as CaptchaFailedException) that you can check in your custom AuthenticationFailureHandler
4. if valid response, call super.attemptAuthentication(request,response)

Resources