How to use mvc:resources tag - spring

I am using Spring Security 3. I have files under the /js, /css and /img folders and import them in my HTML files. I want to serve them with mvc:resources because I can add an Expires header easily and I think it gives a URL-rewriting ability. However, I am so new to Spring Security that I don't know its purpose or how I can use it.
An example usage in my HTML web pages:
<link rel="stylesheet" href="/css/main.css"/>

The mvc:resources tag has nothing to do with Spring Security - it tells Spring MVC not to pass those resources through the RequestDispatcher servlet, but to serve them up directly. Instead, you want to exclude those same directories from Spring Security's resource controls, as follows:
<intercept-url pattern="/css/**" filters="none"/>
<intercept-url pattern="/js/**" filters="none"/>
<intercept-url pattern="/img/**" filters="none"/>
See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html#ns-minimal for full details.
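An added example, not part of the answer above: the same wiring in Spring MVC 3.1+/Spring Security 3.2+ Java config, with the cache period the asker wanted on the resource handler and the three folders excluded from the security filter chain. Note that Spring Security 3.1 dropped `filters="none"` on `intercept-url` in favour of a separate `<http pattern="/css/**" security="none"/>` element; `web.ignoring()` below is the Java-config equivalent. Folder names and the one-year cache period are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableWebMvc
public class StaticResourceMvcConfig extends WebMvcConfigurerAdapter {

    // One year in seconds: the max-age/Expires value sent with each static file.
    static final int ONE_YEAR = 60 * 60 * 24 * 365;

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Java-config form of <mvc:resources mapping="/css/**" location="/css/" cache-period="31536000"/>
        // for each folder: Spring's ResourceHttpRequestHandler serves the files and
        // adds Cache-Control: max-age and Expires headers itself.
        registry.addResourceHandler("/css/**").addResourceLocations("/css/").setCachePeriod(ONE_YEAR);
        registry.addResourceHandler("/js/**").addResourceLocations("/js/").setCachePeriod(ONE_YEAR);
        registry.addResourceHandler("/img/**").addResourceLocations("/img/").setCachePeriod(ONE_YEAR);
    }
}

@Configuration
@EnableWebSecurity
class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // Same effect as <intercept-url pattern="/css/**" filters="none"/>:
        // these requests never enter the Spring Security filter chain, so they get
        // no authentication check and also none of Spring Security's response headers.
        web.ignoring().antMatchers("/css/**", "/js/**", "/img/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Everything else still requires a login.
        http.authorizeRequests().anyRequest().authenticated().and().formLogin();
    }
}
```

Because ignored paths bypass the whole chain, keep only genuinely public, non-sensitive files under those folders.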

Related

Can Spring help to prevent caching of html pages on the browser?

I have a Java/Spring 3.x webapp that uses ExtJS and I use the Sencha Architect to create the front end which results in an automatically generated app.html file that loads in the JS and CSS resources that looks like this:
<!DOCTYPE html>
<!-- Auto Generated with Sencha Architect -->
<!-- Modifications to this file will be overwritten. -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>ui</title>
<script src="ext/ext-all.js"></script>
<script src="ext/ext-theme-neptune.js"></script>
<link rel="stylesheet" href="ext/resources/ext-theme-neptune/ext-theme-neptune-all.css">
<link rel="stylesheet" href="css/custom.css">
<script type="text/javascript" src="app.js"></script>
</head>
<body></body>
</html>
I want to protect this html file with Spring security and this seems to work except that it is often cached in the browser so that it appears to reload even when the user is not logged in. Here is my Spring XML that configures security for my webapp:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/ui/app.html" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/ui/**" access="permitAll" />
        <form-login
            login-page="/login"
            default-target-url="/ui/app.html"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/login?logout" />
        <csrf/> <!-- enable csrf protection -->
    </http>
    <authentication-manager>
        <authentication-provider >
            <user-service>
                <user name="test" password="test" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
As you can see I have configured it to protect the ui/app.html resource as well as redirect to that page after login. This works fine until the browser caches the page and causes confusion when the user is logged out and tries to access the same URL.
I was wondering if Spring MVC could be used to load the page via a controller, perhaps modifying the HTTP headers to force the page to expire, but as this is a page that is normally delivered directly by the servlet container and not MVC I'm not sure how I would configure that.
I'd also like to be able to leave my app.html file in situ as it uses resources that are relative to it, and it's also easier to leave it there when working with Sencha Architect.
This will prevent browser caching:
<http>
    <!-- ... -->
    <headers>
        <cache-control />
    </headers>
</http>
It adds Cache-Control, Pragma and Expires headers to every response. More information can be found in the reference documentation, section Security HTTP Response Headers.
Update: This answer was written for version 3.2 of Spring Security. As of version 4, these headers are included by default.
You can choose one of the options below, depending on how your application is going to serve the resource requests.
Using Spring Security
http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html#headers-cache-control
Using Extjs
http://www.sencha.com/forum/showthread.php?257086-Is-there-a-simple-way-to-disable-caching-for-an-entire-ExtJS-4-application
Using HTML
http://www.htmlgoodies.com/beyond/reference/article.php/3472881

SpringSecurity does not forward to https

Dear All,
We have added Spring Security to our web application. The login URL looks like this:
https://www.xyz.com/app/login.do
After login it should redirect to other URLs with the same https protocol. Right now Spring Security redirects us to other URLs, but with http, not https.
Please tell us if any specific settings are needed.
Thanks,
Op
Within your Spring Security definitions, inside your intercept-url tag you need to add requires-channel="https".
For example:
<sec:intercept-url pattern="/login.jsp*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/j_spring_security_check*" requires-channel="https" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY"/>

spring security URL interception: Different behavior in Tomcat 7 and Jboss Wildfly 8

Please take a look at a part of my security-config.xml:
<http use-expressions="true">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/home" access="permitAll" />
    [other stuff here]
    <intercept-url pattern="/**" access="denyAll" />
</http>
Let's suppose that the context name of my application is koko.
This works fine in Tomcat: when I visit http://tomcat-url:8080/koko/ or http://tomcat-url:8080/koko/home I see a home page asking me to login; after I login I am redirected to http://tomcat-url:8080/koko/ and I can see links to the other stuff.
When I try to do the same in JBoss, I visit http://jboss-url:8080/koko/ and I immediately get a login page! If I visit http://jboss-url:8080/koko/home I see the homepage asking me to login. Now, after I login I am redirected to http://jboss-url:8080/koko/ again and I get an Access Denied! If I manually go to http://jboss-url:8080/koko/home after I've logged in I see the other stuff and I am able to navigate normally.
So the problem seems to be that JBoss does not understand the line
<intercept-url pattern="/" access="permitAll" />
or it is overridden by the /** line that follows. However, Tomcat works fine with it. This shouldn't be dependent on the application server since it is completely Spring related and the same Spring is used for both applications.
Update - solution: Based on M. Deinum's answer I added a new URL request mapping named /index.html to my homepage and a permitAll line for that URL, and it worked fine!
Tomcat and JBoss have their own implementations (customizations) of the Servlet API.
I would guess that JBoss does some pre-processing on the URL and instead of / tries to resolve /index.html. This is probably the default (in JBoss) and based on the welcome-file list defined in the web.xml (or some default).
It's been a while since I worked with JBoss, but maybe you can configure this processing somewhere. Historically JBoss used Tomcat as their provider and customized some of the Valves Tomcat uses (to extend/modify behavior).

AngularJS and Spring Security. How to handle AngularJS Urls with Spring Security

Let me explain my problem.
I have implemented a site in AngularJS that is accessed like this:
http://localhost:8080/example/resources/#/
Here we can call different pages, for example a Login page:
http://localhost:8080/example/resources/#/login
admin page:
http://localhost:8080/example/resources/#/admin
user page:
http://localhost:8080/example/resources/#/user
Now, I have implemented Spring Security in the example in order to catch every call and check if it has ROLE_USER privileges. So far so good; I have done it with this configuration in the Spring Security context file:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
    authentication-manager-ref="authenticationManager">
    <security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
This configuration checks for every URL called whether the user has the proper roles, and it works fine; it throws a 401 Unauthorized page.
The problem I'm having is that when I make the login page accessible to everybody, I do it this way:
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint"
    authentication-manager-ref="authenticationManager">
    <security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
    <security:intercept-url pattern="/login**" access="ROLE_ANONYMOUS" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
But I don't know why Spring Security is not catching this URL. Maybe Angular manages the URL differently.
Finally I have tried deleting the <security:intercept-url pattern="/**" access="ROLE_USER" /> and giving /login** access to ROLE_USER only, but this page was not found. Does anybody know what could be happening here?
Thanks in advance!
I wrote a little sample application that illustrates how to integrate AngularJS with Spring Security by exposing the session id as an HTTP header (x-auth-token). The sample also provides some (simple) authorization (returning the roles from the server) so that the client AngularJS application can react to that. This is of course primarily for user-experience (UX) purposes. Always make sure your REST endpoints have proper security.
My blog post on this is here.

Authorization Before Accessing Static Resources In Spring Web App

I have mapped the static resources in my application in Spring's configuration XML like this
<mvc:resources mapping="/resources/**" location="/WEB-INF/resources/" />
Now I want that only users who are authenticated and authorized can access images in that folder. As far as authentication is concerned, I've achieved that through Spring Security like this
<sec:intercept-url pattern="/resources/**" access="isAuthenticated()" />
but I don't want an authenticated user to access all of the images in that folder; he can access only a subset of the images stored in that folder based on certain restrictions. So what I want is that for every request to an image made by the user, I perform a security check whether he is permitted to view that particular image. How do I do that?
The simplest solution is to move all non-secured images into a separate folder and to make the folder not secured:
<!-- This line BEFORE resources/** pattern -->
<sec:intercept-url pattern="/resources/nonsecuredimages/**" access="permitAll"/>
<sec:intercept-url pattern="/resources/**" access="isAuthenticated()" />
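For the per-image check the question actually asks for, here is an added example (not part of the answer above, and not Spring's own code): a Spring MVC controller that serves images from a folder outside the mvc:resources mapping, so every request passes through an authorization check before any file is read. The folder name, the URL prefix and the "name starts with the username" ownership rule are assumptions; in practice the rule would be a lookup against your own data model.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.ServletContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.*;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.util.FileCopyUtils;
import org.springframework.web.bind.annotation.*;

@Controller
public class SecuredImageController {

    // Assumed folder under WEB-INF: not reachable through the static resource
    // handler, so this controller is the only way to fetch these files.
    private static final String IMAGE_DIR = "/WEB-INF/secured-images/";

    @Autowired
    private ServletContext servletContext;

    // Assumed ownership rule for illustration: a user may only fetch images
    // whose name starts with "<username>_". Replace with your own lookup.
    static boolean isPermitted(String username, String imageName) {
        return imageName.startsWith(username + "_");
    }

    // The regex on {name} admits only a plain file name with an image suffix,
    // so "../" or nested paths are rejected before the file lookup below.
    @RequestMapping(value = "/secured-images/{name:[A-Za-z0-9_-]+\\.(png|jpg|gif)}",
                    method = RequestMethod.GET)
    public ResponseEntity<byte[]> image(@PathVariable("name") String name) throws IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // An anonymous token reports isAuthenticated() == true, so test its type instead.
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return new ResponseEntity<byte[]>(HttpStatus.UNAUTHORIZED);
        }
        if (!isPermitted(auth.getName(), name)) {
            return new ResponseEntity<byte[]>(HttpStatus.FORBIDDEN);
        }
        InputStream in = servletContext.getResourceAsStream(IMAGE_DIR + name);
        if (in == null) return new ResponseEntity<byte[]>(HttpStatus.NOT_FOUND);
        HttpHeaders headers = new HttpHeaders();
        String mime = servletContext.getMimeType(name);
        headers.setContentType(MediaType.parseMediaType(mime != null ? mime : "application/octet-stream"));
        // Keep shared caches from handing one user's image to another user.
        headers.setCacheControl("private, no-store");
        return new ResponseEntity<byte[]>(FileCopyUtils.copyToByteArray(in), headers, HttpStatus.OK);
    }
}
```

Keep an intercept-url for /secured-images/** with access="isAuthenticated()" as well; the checks in the controller are the per-image layer on top of it, not a replacement.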
