HTTPSessions and Spring - spring

I'm developing a web application using spring.
Here's the problem, say I have these three urls,
www.sample.com/login.do
www.sample.com/homePage.do
www.sample.com/about.jsp
What I want is for the about.jsp page to be accessible whether or not the user is logged in. If the user is not logged in and tries to access homePage.do, he should be redirected to the login.do page, and vice versa.
I think for this to work I need HTTPSessions, but I don't know how to manage HTTPSessions in Spring.
Can I accomplish this using some filters? If so can you please guide me through it?
I'm hoping to use Spring MVC and/or Spring Annotations.

Use Spring Security!
Your Spring config file will look a bit like
<security:http auto-config="true" use-expressions="true">
    <!-- patterns are matched against the request path, so they start with "/" -->
    <security:intercept-url pattern="/login.do" access="permitAll"/>
    <security:intercept-url pattern="/about.jsp" access="permitAll"/>
    <!-- with use-expressions="true" the access value is an expression: isAuthenticated() -->
    <security:intercept-url pattern="/homePage.do" access="isAuthenticated()"/>
    <security:form-login
        login-page="/login.jsp"
        authentication-failure-url="/login?error=true"
        default-target-url="/homePage.do"/>
</security:http>
<security:authentication-manager>
...
</security:authentication-manager>

Related

How to enable HTTPS only on Spring

I found this:
<security:http auto-config="true">
<security:form-login .../>
<security:logout .../>
<security:intercept-url pattern="/reports" access="ROLE_ADMIN" requires-channel="https"/>
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<security:intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
</security:http>
From my understanding we have to place this in web.xml, but we aren't using web.xml, we are using the java configuration. How can I achieve this? Is there anything I can perhaps add in application.properties?
What you are showing is a spring security file. Spring security can be configured either using an XML file (like the one you're showing) or through Java configuration (see here: http://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html).
However your question is: can I enable HTTPS only.
You can also do that through other ways.
In Tomcat for example you can do that by configuring server.xml (http://www.itworld.com/article/2769041/development/how-to-configure-tomcat-to-always-require-https.html and https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html).
There are similar ways for other JavaEE servers.
You can also use a SecurityConstraint in your web.xml (or Java based Web config) so that it defines CONFIDENTIAL or INTEGRAL like in (XML fragment but you can do it via Java based config):
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
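The question asks for the Java-configuration form of the XML it quotes. The following is an added example, not code from the original posts: it shows the Spring Security rules from the question next to the container-level CONFIDENTIAL constraint the answer mentions. It assumes the Spring Security 4.x/5.x API (WebSecurityConfigurerAdapter) and javax.servlet 3.x; the class names are hypothetical, and the form-login and logout settings that the question elides with "..." are left at their defaults.

```java
import javax.servlet.HttpConstraintElement;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// Added example; class names are hypothetical.
// Option 1: Spring Security channel enforcement, the Java form of requires-channel="https".
@Configuration
@EnableWebSecurity
class HttpsOnlySecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request that arrives over plain HTTP is redirected to HTTPS.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            // Same order as the XML: rules are tried top to bottom, first match decides.
            .authorizeRequests()
                .antMatchers("/reports").hasRole("ADMIN")  // ROLE_ADMIN
                .antMatchers("/login").permitAll()         // stands in for IS_AUTHENTICATED_ANONYMOUSLY
                .anyRequest().hasRole("USER")              // ROLE_USER
            .and()
            .formLogin()
            .and()
            .logout();
    }
}

// Registers the springSecurityFilterChain filter without a web.xml.
class SecurityInitializer extends AbstractSecurityWebApplicationInitializer { }

// Option 2: container-level constraint, the Java form of <transport-guarantee>CONFIDENTIAL.
class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    @Override protected Class<?>[] getRootConfigClasses() { return new Class<?>[] { HttpsOnlySecurityConfig.class }; }
    @Override protected Class<?>[] getServletConfigClasses() { return null; }
    @Override protected String[] getServletMappings() { return new String[] { "/" }; }

    @Override
    protected void customizeRegistration(ServletRegistration.Dynamic registration) {
        registration.setServletSecurity(
            new ServletSecurityElement(new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL)));
    }
}
```

Both options rely on the container reporting the request as secure, so when TLS is terminated at a proxy or load balancer the container must be told about the original scheme, otherwise the redirect to HTTPS repeats.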

Spring Security this kind of http://localhost:8080/WEB/edit-employee/{ID} url not authenticating

I have configured a Spring Security context for my project. By using intercept-url I am able to authenticate all URLs, but when I pass an ID in the URL, authentication does not happen.
<intercept-url pattern="/**" access="isAuthenticated()"/>
Working URLS
http://localhost:8080/WEB/add-employee
http://localhost:8080/WEB/view-employee
Not working URLS
http://localhost:8080/WEB/edit-employee/1
http://localhost:8080/WEB/edit-employee/2
1 and 2 are the IDs I am passing in the URL. The above URL patterns are not working (that is, when I pass an ID in the URL).
I have tried many combinations in intercept-url, but I am not getting the correct result.
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()"/> <!-- this means all URL in this app will be checked if user is authenticated -->
<!-- We will just use the built-in form login page in Spring -->
<form-login login-page="/" login-processing-url="/j_spring_security_check" default-target-url="/home" authentication-failure-url="/"/>
<logout logout-url="/logout" logout-success-url="/"/> <!-- the logout url we will use in JSP -->
</http>
Delete the line <intercept-url pattern="/edit-employee/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> to disallow anonymous access to that URL.

SpringSecurity do not forward to https

Dear All,
We have added Spring Security to our web application. The login URL looks like this:
https://www.xyz.com/app/login.do
After login it should redirect to other URLs with the same https protocol. Right now Spring Security redirects us to other URLs, but with http, not https.
Please tell us if any specific settings are needed.
Thanks,
Op
Within your spring security definitions, inside your intercept-url tag you need to add requires-channel="https"
For example:
<sec:intercept-url pattern="/login.jsp*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/j_spring_security_check*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY"/>

spring security URL interception: Different behavior in Tomcat 7 and Jboss Wildfly 8

please take a look at a part of my security-config.xml:
<http use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/home" access="permitAll" />
[other stuff here]
<intercept-url pattern="/**" access="denyAll" />
</http>
Let's suppose that the context name of my application is koko.
This works fine in Tomcat: When I visit http://tomcat-url:8080/koko/ or http://tomcat-url:8080/koko/home I see a home page asking me to log in. After I log in I am redirected to http://tomcat-url:8080/koko/ and I can see links to the other stuff.
When I try to do the same in JBoss, I visit http://jboss-url:8080/koko/ and I immediately get a login page! If I visit http://jboss-url:8080/koko/home I see the homepage asking me to log in. Now, after I log in I am redirected to http://jboss-url:8080/koko/ again and I get an Access Denied!! If I manually go to http://jboss-url:8080/koko/home after I've logged in, I see the other stuff and I am able to navigate normally.
So the problem seems to be that JBoss does not understand the line
<intercept-url pattern="/" access="permitAll" />
or it is overridden by the /** line that follows. However, Tomcat works fine with it. This shouldn't be dependent on the application server since it is completely Spring related and the same Spring is used for both applications.
Update - solution: Based on @M.Deinum's answer I added a new URL request mapping named /index.html to my homepage and a permitAll line for that URL, and it worked fine!
Tomcat and JBoss have their own implementations (customizations) to the Servlet API.
I would guess that JBoss does some preprocessing on the URL and instead of / tries to resolve /index.html. This is probably by default (in JBoss) and based on the welcome-file list defined in the web.xml (or on some default).
It's been a while since I worked with JBoss, but maybe you can configure this processing somewhere. Historically JBoss used Tomcat as their provider and customized some of the Valves Tomcat uses (to extend/modify behavior).
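The behaviour discussed in this thread, reproduced as an added example (not code from the original posts): intercept-url rules are tried in declaration order and the first matching pattern decides, so if the container resolves / to /index.html, as the answer suggests, the request no longer matches the "/" rule and falls through to the /** denyAll rule. Spring's AntPathMatcher is used here as a stand-in for Spring Security's own request matcher; the class and method names are hypothetical and the paths are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added example: simulates first-match-wins evaluation of intercept-url rules.
public class InterceptUrlOrderDemo {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Returns the access attribute of the first rule whose pattern matches the path. */
    static String resolve(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (MATCHER.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "no rule matched";
    }

    /** The rules from the question, in declaration order (LinkedHashMap keeps that order). */
    static Map<String, String> rulesFromQuestion() {
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("/", "permitAll");
        rules.put("/login", "permitAll");
        rules.put("/home", "permitAll");
        rules.put("/**", "denyAll");
        return rules;
    }

    public static void main(String[] args) {
        // Constructed paths, relative to the context root (/koko in the question).
        String[] paths = { "/", "/home", "/index.html" };

        Map<String, String> original = rulesFromQuestion();
        for (String path : paths) {
            System.out.println("original  " + path + " -> " + resolve(original, path));
        }

        // The asker's fix: an explicit permitAll rule for /index.html, placed before /**.
        Map<String, String> patched = new LinkedHashMap<>();
        patched.put("/index.html", "permitAll");
        patched.putAll(original);
        for (String path : paths) {
            System.out.println("patched   " + path + " -> " + resolve(patched, path));
        }
    }
}
```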

AngularJS and Spring Security. How to handle AngularJS Urls with Spring Security

Let me explain my problem.
I have implemented a site in AngularJS that is accessed like this:
http://localhost:8080/example/resources/#/
Here we can call different pages, for example a Login page:
http://localhost:8080/example/resources/#/login
admin page:
http://localhost:8080/example/resources/#/admin
user page:
http://localhost:8080/example/resources/#/user
Now, I have implemented Spring Security in the example in order to catch every call and check if it has ROLE_USER privileges. So far so good, I have done it with this configuration in the Spring Security context file:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
This configuration checks for every url called, if the user has the proper ROLES, and it works fine, throws 401 Unauthorized page.
The problem I'm having is that when I make the login page accessible to everybody, I do it this way:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/login**" access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
But I don't know why Spring Security is not catching this URL. Maybe Angular manages the URL differently.
Finally I have tried deleting the <security:intercept-url pattern="/**" access="ROLE_USER" /> and giving /login** access to ROLE_USER only, but this page was not found. Does anybody know what could be happening here?
Thanks in advance!!!
I wrote a little sample application that illustrates how to integrate AngularJS with Spring Security by exposing the session id as an HTTP header (x-auth-token). The sample also provides some (simple) authorization (returning the roles from the server) so that the client AngularJS application can react to that. This is of course primarily for user-experience (UX) purposes. Always make sure your REST endpoints have proper security.
My blog post on this is here.
