Thread: how to bypass <intercept-url pattern="/trusted/**" - spring

I have a Spring configuration, and I want to access <intercept-url pattern="/trusted/**" filters = "none" /> without a filter.
Is there any way to access it?
I get this error when I use filters = "none":
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The use of "filters='none'" is no longer supported. Please define a separate element for the pattern you want to exclude and use the attribute "security='none'".|Offending resource: ServletContext resource [/WEB-INF/spring-servlet.xml]
<http access-denied-page="/login.jsp" access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/photos" access="ROLE_USER,SCOPE_READ" />
<intercept-url pattern="/photos/**" access="ROLE_USER,SCOPE_READ" />
<!-- <intercept-url pattern="/trusted/**" access="ROLE_USER,SCOPE_TRUST" />-->
<intercept-url pattern="/trusted/**" filters = "none" />
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/oauth/**" access="ROLE_USER" />
<intercept-url pattern="/request_token_authorized.jsp" access="ROLE_USER,DENY_OAUTH" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY,DENY_OAUTH" />
<form-login authentication-failure-url="/login.jsp" default-target-url="/index.jsp" login-page="/login.jsp"
login-processing-url="/login.do" />
<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
<anonymous />
<custom-filter ref="oauth2ProviderFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</http>

You need to add an extra http element (the attribute is security="none", as the error message says, not secure):
<http pattern="/trusted/**" security="none">
</http>

Related

Spring MVC Security permitAll to / but denyAll to /** not working

I have a Spring 4 MVC application that is deployed on WildFly 10 and is configured using XML.
I have the following controllers defined:
<mvc:view-controller path="/" view-name="/index" />
<mvc:view-controller path="/index" view-name="/index" />
And in Spring Security I define access:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/**" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>
If I remove the denyAll for /** intercept-url, the application works as intended; however, adding it causes security to redirect root calls to the login page and not the index page!
Is there a way I can have permitAll access to the root (Redirects to /index) of my application and still denyAll to /** thus covering anything else that is not defined?
Changing the pattern to <intercept-url pattern="/.+" access="denyAll" />, as commented by Vasan, got it working. Below is an example of the change:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
...
<intercept-url pattern="/.+" access="denyAll" />
<form-login login-page="/login" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/loginfailed"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/index" />
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>

I am uploading a CSV file on a JSP page with Spring Security, but on uploading it shows "Unauthorised access page error 403 page"

My spring security configuration is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<debug/>
<http auto-config="true" use-expressions="true" disable-url-rewriting="true" >
<!-- RESOURCES -->
<intercept-url pattern="/pages/login/login.jsp" access="permitAll" />
<intercept-url pattern="/login*" access="isAuthenticated()" />
<intercept-url pattern="/pages/login*" access="permitAll" />
<intercept-url pattern="/pages/user*" access="hasAnyRole('ADMIN')" />
<intercept-url pattern="/user**" access="hasAnyRole('ADMIN')" />
<intercept-url pattern="/new.version**" access="hasAnyRole('ADMIN')" />
<intercept-url pattern="/pages/version**" access="hasAnyRole('ADMIN','OPERATIONS')" />
<intercept-url pattern="/ver.htm?method=**" access="hasAnyRole('ADMIN','OPERATIONS')" />
<intercept-url pattern="/rep.htm?method=**" access="hasAnyRole('ADMIN','OPERATIONS')" />
<intercept-url pattern="/upload.htm?method=**" access="hasAnyRole('ADMIN','OPERATIONS')" />
<intercept-url pattern="/pages/rep**" access="hasAnyRole('ADMIN','OPERATIONS')" />
<intercept-url pattern="/pages/upload**" access="hasAnyRole('ADMIN','OPERATIONS')" />
<intercept-url pattern="/css/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/image/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/include/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<!-- <intercept-url pattern="/images/**" access="permitAll" /> -->
<custom-filter ref="requestParamEncodingFilter" after="FILTER_SECURITY_INTERCEPTOR"/>
<form-login
login-page="/pages/login/login.jsp"
default-target-url="/login.htm?method=login"
username-parameter="j_username"
password-parameter="j_password"
authentication-failure-url="/pages/login/login.jsp?login_error=1"
/>
<logout logout-success-url="/pages/login/login.jsp" invalidate-session="true" delete-cookies="JSESSIONID" />
<session-management session-fixation-protection="newSession" invalid-session-url="/pages/login/login.jsp" />
<csrf/> <!-- csrf is enabled here -->
<headers>
<cache-control/>
<xss-protection/>
<frame-options policy="SAMEORIGIN"/>
</headers>
</http>
<authentication-manager>
<authentication-provider ref="customAuthProvider"/>
</authentication-manager>
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<beans:bean class="com.test.component.security.MyInterceptor"/>
</mvc:interceptor>
</mvc:interceptors>
<beans:bean class="com.test.component.security.RequestParamEncodingFilter" id="requestParamEncodingFilter"/>
</beans:beans>
I am uploading a CSV file on a JSP page and I have used Spring Security, but on uploading it shows the "Unauthorised access page error 403 page" when the csrf tag is enabled in the Spring Security configuration. If I disable it, my file is uploaded successfully.
No need to put the csrf tag, since it is enabled by default if you are using Spring 4.
As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration.
Check the link.
For Spring 3, check the link.

Why Doesn't Intercept Url Work?

This is my Spring Security configuration:
<http auto-config="true" use-expressions="true">
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login"
authentication-failure-url="/login?login_error=t" />
<logout logout-url="/resources/j_spring_security_logout"/>
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" />
.......
I added this: <intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" /> to prevent entering that section, but I can still enter monitoring after logging in as a "normal" user...
Why??
The order of <intercept-url .../> does matter. As the new intercept-url pattern="/monitoring" comes after pattern="/**", it is ignored, because all URLs for monitoring have already been processed by <intercept-url pattern="/**" access="isAuthenticated()" />.
You should write:
<intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/**" access="isAuthenticated()" />
As a general rule, intercept-url pattern="/**" must always be last.
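The first-match behaviour described in the answer above (and the same ordering point in the /authenticated/files answer further down) can be checked mechanically before deploying a config. This is an added example, not code from any of the posts: it assumes a simplified Ant-style matcher and a constructed copy of the misordered <http> block, and reports rules that an earlier, broader pattern shadows.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real project's config): the misordering from the post above.
SAMPLE_HTTP = """<http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/resources/**" access="permitAll" />
  <intercept-url pattern="/login" access="permitAll" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
  <intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" />
</http>"""
NS = "{http://www.springframework.org/schema/security}"

def ant_to_regex(pattern):
    """Simplified Ant-style matching: ** spans segments, * and ? stay inside one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.endswith("/**") and i == len(pattern) - 3:
            out, i = out + "(/.*)?", i + 3      # trailing /** also matches zero segments
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def load_rules(xml_text):
    """<intercept-url> rules in document order, which is the order Spring evaluates them."""
    root = ET.fromstring(xml_text)
    return [(e.get("pattern"), e.get("access")) for e in root.iter(NS + "intercept-url")]

def first_match(rules, path):
    """Spring applies the FIRST rule whose pattern matches; later rules are never consulted."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None

def shadowed_rules(rules, sample_paths):
    """Rules that match some sample path but never win: dead config, usually a misordering."""
    winners = {m[0] for m in (first_match(rules, p) for p in sample_paths) if m}
    return [pat for pat, _ in rules
            if pat not in winners and any(ant_to_regex(pat).match(p) for p in sample_paths)]

if __name__ == "__main__":
    rules = load_rules(SAMPLE_HTTP)
    print(first_match(rules, "/monitoring"))   # the /** rule wins, not hasRole('ROLE_ADMIN')
    print(shadowed_rules(rules, ["/monitoring", "/login", "/resources/app.css", "/dashboard"]))
```

Feed it the real request paths your application serves; any pattern listed by shadowed_rules will never take effect in that position.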

Spring security url-interceptor

I have the following code:
<intercept-url pattern="/authenticated/**/" access="isAuthenticated()" />
<intercept-url pattern="/authenticated/files/**" access="none" />
I want Spring Security to secure all the links derived from /authenticated except /authenticated/files. Is this type of securing possible?
Move the more specific condition higher:
<http use-expressions="true">
<intercept-url pattern="/authenticated/files/**" access="permitAll" />
<intercept-url pattern="/authenticated/**" access="isAuthenticated()" />
...
</http>

Spring Security Login and Checking Issue

I am using Spring 4 + Spring Security 3.2 + GWT. After deploying the application on JBoss and calling it (http://localhost:8080/login/login.htm) I get this error: JBWEB000124: The requested resource is not available.
With Spring 3.1 + Spring Security 3.1 it was working fine.
<http auto-config="true">
<intercept-url pattern="/gwt/**" access="ROLE_USER" />
<intercept-url pattern="/**/*.html" access="ROLE_USER" />
<intercept-url pattern="/" access="ROLE_USER" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/ws/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-page="/login/login.htm" authentication-failure-url="/login/login.htm?error=true" />
<logout invalidate-session="true" delete-cookies="userid,JSESSIONID" />
<logout invalidate-session="true" logout-success-url="/" logout-url="/j_spring_security_logout" />
<session-management invalid-session-url="/login/login.htm?invalid=true" session-fixation-protection="newSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
</session-management>
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</http>
Any help?
Thanks
