How can I overwrite default login logout pages of Spring Security. I will put my own login.html and logout.html files and don't use jsp files just works with static contents at that side.
Specify them in your security-context.xml (or whatever you've called yours) like this:
<form-login login-page="/login.htm" authentication-failure-url="/login.htm?login_error=1" default-target-url="/home/index.htm" />
But I think you'll find it difficult to write a login page that works with Spring Security and doesn't use JSP.
Here's an example JSP page you can start from: http://loianegroner.com/2010/01/spring-security-login-and-logout-form-jsp/
Related
We are creating a spring boot web application to send RSS data to a Ticker Sign (ticker).
The URLs that send RSS data to the ticker sign do not need to be secured with ldap or other credentials.
But we have one page we we update a custom message that we send to the Ticker sign. We want to secure this page with the corporate ldap.
Is it possible to configure spring boot to only require a login for one page and the rest of the pages can remain unsecured.
You can create a role with all permission to access and grant that access just in some methods using Spring security annotation http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
<http use-expressions="true">
<intercept-url pattern="/*"
access="hasRole('admin')"/>
</http>
Then in your free access method
#PreAuthorize("hasRole('admin')")
public void create(Contact contact);
To use this it is very important that you name your URLs wisely i.e. if you want to assign admin role then make a URL look something like /admin/v1/something-here. It will make things readable and simple for you.
My Spring Web project with Spring Security works successfully. I want to separate "view" of the project by creating a new static web project. It will have a login screen, access to pages by user's role etc.
my spring-security.xml file
<http auto-config="true">
<intercept-url pattern=“/restricted” access="ROLE_ADMIN" />
<form-login login-page="/login"
default-target-url="/welcome"
authentication-failure-url=“/fail” />
<logout logout-success-url="/login" />
</http>
In addition to this, i have REST controllers that return JSON data; but they are stricted if user's role is not ROLE_ADMIN (.../restricted/getlist)
What do i have to do in static web page (client) side?
Thank you.
You can use Spring security tags :
<sec:authorize access="hasRole('ROLE_ADMIN')">
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/taglibs.html
I am new in spring framework and little confused in managing the directory structure according to the role of user like admin (all jsp will be inside admin directory), how to make login according to the user role like admin will have access only to the admin directory and the session of the user it's time out etc.
I have used this website as reference for login management using hibernate :-
http://fruzenshtein.com/spring-mvc-security-mysql-hibernate/
what i want to do is to protect the user from seeing the pages, which they do not have permission in spring and my project is managing the directory as their role like admin - admin directory, user - user directory and other user - other directory and home pages, when admin will login he will have access to the pages inside admin.
Using hibernate security framework how can i do this.
You have to use SPRING security framework to achive that.
just add whatever filter you want to add in spring-security.xml.
For example: add
<intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
<intercept-url pattern="/user/*" access="ROLE_USER" />
It will create check that accessing controller mapping starting with /admin* will require admin login.
Go through spring security docs then configure security with help of below link:
Steps for configuring spring security
I was reading many tutorials and none of them is working for me...
I use Spring 3.1.x with Spring Security. I have a bunch of secured url and many unsecured. Now, when the user is logged in and tries to logout I want him to stay in the same page as he was before so I use this:
<beans:bean id="logoutSuccessHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<beans:property name="useReferer" value="true"/>
</beans:bean>
This works fine, however when the user logs out from the secured page it redirects him to the login page, and I would like to redirect to home page.. How can I achieve this?
Thanks in advance!
Since you have custom logic for redirecting, you need a custom LogoutSuccessHandler.
In this handler, you need to add this logic:
String refererUrl = request.getHeader("Referer");
String normalizedRefererUrl = ...; // "Normalize" (if needed) the URL so it is in the form that you need.
if (requiresAuthentication(normalizedRefererUrl, authentication)) {
response.sendRedirect(request.getContextPath()); // home page
} else {
response.sendRedirect(refererUrl); // or normalizedUrl
}
In your requiresAuthentication() method, you need to use some part of Spring Security that determined if the URL needs authentication.
You can use a WebInvocationPrivilegeEvaluator reference there. You get a hold of it through Spring through autowiring by class (since there will be a bean implementing WebInvocationPrivilegeEvaluator).
The evaluator has a method that you can use, isAllowed(uri, authentication).
<security:http auto-config="true">
<security:form-login login-page="/spring/login"
login-processing-url="/spring/loginProcess"
default-target-url="/spring/main"
authentication-failure-url="/spring/login?login_error=1" />
<security:logout logout-url="/spring/logout" logout-success-url="/spring/logout-success" />
</security:http>
logout-success-url from the docs or for a custom succeshandler
as per documentation for spring security if you don't specify logout-success-url then it should be redirecting /. check this configuration and may be you can use SimpleRedirectInvalidSessionStrategy
We are using Spring Security for managing authentication. The issue we are seeing is that when a user's session is timed out between bringing up a GET form and hitting the save button that does a POST, they are sent to the login page but spring is saving the original post information in the session.
Our app does not bring them back to the original URL after login, but instead sends them back to a common starting page. This works fine, but when the user happens to return to the page they had originally tried to POST to (the form GET and POST are the same URLs) Spring tries to resubmit the POST automatically which is not what we want.
Is there a way to completely disable the SavedRequest storing logic in Spring?
I guess this jira issue of spring security describes your problem and how to handle this.
Based on Nathan's comment on Raghuram's answer, with namespaced XML it's something like this:
<security:http>
<security:request-cache ref="nullRequestCache" />
<!-- ... -->
</security:http>
<bean id="nullRequestCache" class="org.springframework.security.web.savedrequest.NullRequestCache" />
There are two scenarios:
1) If you want that after relogin, user should always get forwarded to the default target URL instead of the orginal requested URL then put always-use-default-target="true" in your security.xml like
<http auto-config="true">
.....
<form-login login-page="/login" always-use-default-target="true" default-target-url="/xyz"
authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
</http>
1) If you want that on session timeout after relogin, user should forward to the orginal requested URL but you do not want to resubmit the form then put session-fixation-protection="newSession" in your security.xml like
<http auto-config="true">
<session-management session-fixation-protection="newSession"/>
.....
</http>
Please put session-management tag as first line in http configuration.
It looks like the session-fixation-protection="newSession" attribute on (2.0) or (3.0) will also resolve the issue
With Spring 4.2.5 I ran into this too.
My case was almost identical: display GET form, wait for session timeout, then POST the form. In my app after re-authentication a start page is displayed. However, if the user then navigates to this GET form, and POSTs it, then the previous POST parameters are remembered and concatenated to the current request, resulting in comma separated values in the #RequestParam variables.
I dumped the session in my authentication controller and indeed I saw a "SPRING_SECURITY_SAVED_REQUEST" named key.
The spring documentation says that by default a "SavedRequestAwareAuthenticationSuccessHandler" is used for retrieving the saved request data from the session and apply it to the request.
I tried to use a do-nothing successHandler but couldn't make it work.
I also tried applying
http.sessionManagement().sessionFixation().newSession();
to the security config but that didn't help.
However
http.requestCache().requestCache(new NullRequestCache());
solved the issue.