I'm trying to use https only during login.
The problem is that when the application tries to switch from https to http I end up being redirected to the login form (as if the session is getting destroyed).
Here is the configuration I'm using:
<s:http auto-config="true" access-denied-page="/erro-403"
create-session="never">
<s:port-mappings>
<s:port-mapping http="8080" https="8443" />
</s:port-mappings>
<s:intercept-url pattern="/preferencias" access="IS_AUTHENTICATED_REMEMBERED"
requires-channel="http" />
<s:intercept-url pattern="/admin/**" access="ROLE_SIPAS_ADMIN"
requires-channel="http" />
<s:intercept-url pattern="/area-prestador/**"
access="ROLE_SIPAS_PRESTADOR, ROLE_SIPAS_ATENDENTE, ROLE_SIPAS_ADMIN"
requires-channel="http" />
<s:intercept-url pattern="/**"
access="IS_AUTHENTICATED_ANONYMOUSLY,IS_AUTHENTICATED_REMEMBERED"
requires-channel="https" />
<s:form-login login-page="/login" default-target-url="/"
authentication-failure-url="/login-error" always-use-default-target="false" />
<s:logout logout-url="/logout" logout-success-url="/" />
<s:remember-me />
</s:http>
<s:authentication-manager>
<s:authentication-provider user-service-ref="authenticationMBean">
<s:password-encoder hash="md5" base64="true" />
</s:authentication-provider>
</s:authentication-manager>
The only workaround that I've found is to check the remember-me option.
Any ideas of what am I doing wrong?
Although it's been a long time this question was posted and I am sure the author must have found a solution already, I am posting this answer for future reference.
This issue is discussed in Spring Security FAQs. A quick solution is to add this element to your s:http element:
<s:session-management session-fixation-protection="none"/>
Related
My application can have below URLs:
/siteadmin/homepage/
/siteusers/customer/createCustomer
Below is my spring-security.xml:
<beans:beans>
<http auto-config="true">
<intercept-url pattern="/siteusers***" access="isAuthenticated()" />
<!-- <intercept-url pattern="siteusers/home/*" access="hasRole('USER') OR hasRole('ADMIN')" /> -->
<intercept-url pattern="/siteadmin***" access="hasRole('ROLE_ADMIN')" />`enter code here`
<form-login login-page="/siteusers/loginprocess/login" default-target-url="/siteusers/home/homepage"
login-processing-url="/siteusers/loginprocess/login"
authentication-failure-url="/siteusers/loginprocess/login?error" username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/siteusers/loginprocess/login?logout" logout-url="/siteusers/loginprocess/logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="b" password="123456" authorities="ROLE_ADMIN" />
<user name="a" password="a" authorities="ROLE_USER" /><!-- This user can not access /admin url -->
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
If I logged in with user 'a' and hit URL http://localhost:8080/siteadmin/homepage/ it is allowing user 'a' to view the page although his role is not admin. But when I try to hit http://localhost:8080/siteadmin then Spring Security is working fine ie. its showing access denied page.
I want to restrict /admin/* URLs for users who doesn't have Admin role.
See AntPathMatcher:
The mapping matches URLs using the following rules:
? matches one character
* matches zero or more characters
** matches zero or more directories in a path
Some examples:
com/t?st.jsp - matches com/test.jsp but also com/tast.jsp or com/txst.jsp
com/*.jsp - matches all .jsp files in the com directory
com/**/test.jsp - matches all test.jsp files underneath the com path
org/springframework/**/*.jsp - matches all .jsp files underneath the org/springframework path
org/**/servlet/bla.jsp - matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp
Your pattern /siteadmin***misses slashes. Use /siteadmin/**.
I have a Spring rest service, and I'm trying to add security to it. I followed this tutorial, but when I try to access the service directly I get the following error:
There was an unexpected error (type=Internal Server Error,
status=500). Failed to evaluate expression 'ROLE_USER'
Here's my security configuration:
webSecurityConfig.xml
<http entry-point-ref="restAuthenticationEntryPoint">
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login
authentication-success-handler-ref="mySuccessHandler"
authentication-failure-handler-ref="myFailureHandler"
/>
<logout />
</http>
<beans:bean id="mySuccessHandler"
class="com.eficid.cloud.security.rest.AuthenticationSuccessHandler"/>
<beans:bean id="myFailureHandler" class=
"org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="temp" password="temp" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
SpringSecurityConfig:
public class SpringSecurityConfig {
public SpringSecurityConfig() {
super();
}
}
I'm also getting this error when trying to use curl to log in:
{
"timestamp":1460399841286,
"status":403,"error":"Forbidden",
"message":"Could not verify the provided CSRF token because your session was not found.",
"path":"/spring-security-rest/login"
}
Do I need to add the csrf token manually to the command? The service has a self-signed certificate, if that makes any difference.
If you don't need CRF to be enabled, then you can disable it in webSecurityConfig.xml file like below:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.html" access="hasRole('ANONYMOUS')" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<!-- This form is a default form that used to login
<http-basic/>
-->
<form-login login-page="/login.html"/>
<csrf disabled="true"/>
</http>
If CSRF is enabled, you have to include a _csrf.token in the page you want to login or logout.The below code needs to be added to the form:
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
You need hasRole('ROLE_USER') in the intercept-url element.
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
See the docs for the other expressions, that you can use.
Spring security blocks POST requests.
To enable it you can either:
Add after all you forms requests :
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" class="form-control" />
(For example:
<form id="computerForm" action="addComputer" method="POST">
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" class="form-control" />
)
Or if you use anotation, you can allow POST directly in your code by adding the csrf().disable on your WebSecurityConfigurerAdapter (I havent found the xml equivalent yet) :
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.and().formLogin()
.csrf().disable()
;}
I have a web application using spring 3.2.The login process is done through spring security.When a user gives a url to view the profile of a particular user he will redirect to login page if he is not logged in.I need to go back to the user's profile if he is not successfully logged in.Since I am using angular js my urls are in the form
http://mydomain.com/#/view-profile/71 to view the profile of the user.If I am not logged in it will redirect to login page.In the browser url becomes http://mydomain.com/login#/view-profile/71 but after successful login it is not redirecting to the specified url.How can I make that with angularjs.
In app.js I have given like this
$routeProvider.when('/view-profile/:id',
{
templateUrl: '/partials/editor/view-profile.htm',
action: 'kc.view-profile',
resolve: {
loadData: ViewCtrl.loadUserProfile
}
}
);
And for authentication in security.xml it is written like
<http use-expressions="true">
<!-- Authentication policy -->
<form-login login-page="/login" login-processing-url="/j_security_check" authentication-failure-url="/login?error=true"/>
<logout logout-url="/signout" delete-cookies="JSESSIONID" />
<intercept-url pattern="/assets/**" access="permitAll" />
<intercept-url pattern="/application/signin/**" access="permitAll" />
<intercept-url pattern="/application/signup/**" access="permitAll" />
<intercept-url pattern="/application/manage/**" access="ROLE_EDITOR" />
<interce
pt-url pattern="/application/**" access="isAuthenticated()" />
<!--<intercept-url pattern="/application/connect/**" access="permitAll" />-->
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDao">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
Spring Security doesn't support Ajax login out-of-the-box, that's why your application isn't working correctly.
You can have a look at this sample application that handles Ajax login/logout with AngularJS + Spring Security:
https://github.com/jhipster/jhipster-sample-app
I had to implement some specific Ajax handlers, as you can see here:
https://github.com/jhipster/jhipster-sample-app/tree/master/src/main/java/com/mycompany/myapp/security
I have a problem with spring security 3.2.0 RC1
I'm using the tags to connect me
<security:http>
<security:intercept-url pattern="/paginas/**" access="ROLE_ADMIN"/>
<security:form-login login-page="/publico/login.xhtml" always-use-default-target="true"
default-target-url="/paginas/funcionario.xhtml" authentication-failure-url="/publico/login.xhtml?login_error=1"/>
<security:logout invalidate-session="true" logout-success-url="/publico/login.xhtml"/>
<security:remember-me/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSourceMySQL"
users-by-username-query="select usuario, senha, ativo from funcionario where usuario = ?"
authorities-by-username-query="select f.usuario, f.permissao from funcionario f where f.usuario = ?"/>
</security:authentication-provider>
</security:authentication-manager>
<security:form-login />
This says "Method 'setFilterProcessesUrl' is marked deprecated"
<security:logout />
This says "Method 'setFilterProcessesUrl' is marked deprecated"
Could someone tell me any alternative?
Thanks!
I'm not sure if this answer can help you.
However, the warning message generated by IDE is not a big problem because you did not use the deprecated method.
I'm using spring security too and I also can see the same warning message but the service is working perfectly.
I'm sorry if the answer is not you wanted.
I have this problem:
in a java web-app (with spring and spring-security 3.1.4) there's a sso authentication; this means the user authenticates as soon as he log in on his pc.
The configuration is this:
<sec:http>
<sec:logout />
<sec:form-login login-page="/login.jsp" default-target-url="/" />
<sec:anonymous username="guest" granted-authority="ROLE_GUEST" />
<sec:custom-filter ref="headersFilter" after="SECURITY_CONTEXT_FILTER" />
<sec:custom-filter ref="jaasFilter" after="SERVLET_API_SUPPORT_FILTER" />
</sec:http>
and this works (actually login.jsp doesn't exist because the user is already logged in as I said above).
Now the problem is that I want to have a "backdoor";this means there should be a login page for me and my team to test and mantain the app.
It should work like this:
-I call localhost/wepapp/myloginpage and I should see the myloginpage.jsp (this works now);
-I click on "login" button and I enter in the second " element" and if the login is ok then I should get redirected to "/" (this doesn't work and I'm simply redirected on "login");
-with the configuration below it seems that I can see "/" without authentication, too, if I call it (localhost/wepapp)
I tried this configuration but it doesn't work, I mean I can see "/" without authentication and I get redirected to login (I also tried other small variations but same result, more or less):
<sec:http pattern="/myloginpage">
<sec:logout />
<sec:form-login login-page="/myloginpage" default-target-url="/" />
</sec:http>
<sec:http pattern="/login">
<sec:logout />
<sec:form-login login-page="/login" default-target-url="/" />
<sec:anonymous username="guest" granted-authority="ROLE_GUEST" />
<sec:custom-filter ref="headersFilter" after="SECURITY_CONTEXT_FILTER" />
<sec:custom-filter ref="jaasFilter" after="SERVLET_API_SUPPORT_FILTER" />
</sec:http>
My myloginpage.jsp:
<form action="login" method="POST">
<table>
<tr>
<td>
Name
</td>
<td>
<input type="text" name="name">
</td>
</tr>
.........
</form>
I also have the controller for myloginpage:
#Controller
public class Myloginpage {
publicMyloginpage() {
}
#RequestMapping("/myloginpage")
public String home() {
return "myloginpage";
}
}
Thankx,
Adrian
It seems you are missing the <intercept-url> tags to configure access to certain paths.
<sec:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="/secure/**" access="ROLE_USER" />