Extending the Spring Security Login Process - spring

Currently I have a custom form login page in Spring Security 3 that sends its form data to the correct authentication url.
However now I need to extend the process to support security questions after logging in but before hitting the rest of the site.
I have a few options from reading the documentation, but I'm confused as to the correct option to choose.
Option 1: Keep the current login system and set a special role that only lets the user access the security questions page. If they pass through the security questions process successfully, add their correct roles into the security context.
Option 2: Subclass AbstractAuthenticationProcessingFilter and do security questions as a part of the login process. This seems more Spring-like, but I'm stuck on how to support the multiple pages for the questions without breaking the rest of the authentication framework.

What about this approach:
1. When a user submits her username/password, save them into her session.
2. Redirect her to your questions.
3. When she is finished answering your questions, see if you want to let her log in.
   3.1. If yes, POST her saved credentials so that they can be caught and processed by the Spring Security filter chain.
   3.2. If no, take her back to the login page. (Or whatever you want to do in this case.)

I ended up using Option 1. #craftsman's answer doesn't fit since the questions are specific per user. It's actually worked out really well.
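As an added illustration of Option 1 (this is not code from the question or either answer), the following Java-config sketch grants a freshly authenticated user only a provisional role that can reach the question pages, and swaps in the user's real authorities once the questions are answered. It assumes Spring Security 4.x/5.x Java config with a UserDetailsService that returns only ROLE_PRE_AUTH at password login; SecurityQuestionService, QuestionController and the URLs are hypothetical names.

```java
// Added example, not from the original Q&A. Assumes Spring Security 4.x/5.x Java config.
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Hypothetical application service: verifies an answer for the logged-in user and
// knows the authorities the user should have once the questions are passed.
interface SecurityQuestionService {
    boolean verify(String username, String questionId, String answer);
    boolean allQuestionsAnswered(String username);
    Collection<? extends GrantedAuthority> realAuthorities(String username);
}

@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The provisional role (granted by the UserDetailsService at password login)
                // can only reach the question pages.
                .antMatchers("/questions/**").hasAnyRole("PRE_AUTH", "USER")
                // Everything else needs a role that is only granted after the questions.
                .anyRequest().hasRole("USER")
                .and()
            .formLogin()
                // Always land on the questions right after the password check.
                .defaultSuccessUrl("/questions", true);
    }
}

@Controller
class QuestionController {
    private final SecurityQuestionService questions;

    QuestionController(SecurityQuestionService questions) {
        this.questions = questions;
    }

    // Each question page POSTs here; multiple pages just call this repeatedly with
    // a different questionId, and the upgrade happens only when all are answered.
    @PostMapping("/questions")
    String answer(@RequestParam String questionId, @RequestParam String answer,
                  HttpServletRequest request) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        String username = current.getName();

        if (!questions.verify(username, questionId, answer)) {
            // Wrong answer: drop the half-finished login entirely rather than leaving
            // a session with the provisional role lying around.
            request.getSession().invalidate();
            SecurityContextHolder.clearContext();
            return "redirect:/login?error";
        }
        if (!questions.allQuestionsAnswered(username)) {
            return "redirect:/questions";   // next page of questions
        }

        // Replace the provisional Authentication with one carrying the real roles.
        // The 3-argument constructor marks the token as authenticated.
        Authentication upgraded = new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), null, questions.realAuthorities(username));
        SecurityContextHolder.getContext().setAuthentication(upgraded);
        // In Spring Security 4.x/5.x the SecurityContextPersistenceFilter saves this to the
        // session at the end of the request; Spring Security 6 requires saving it explicitly
        // through a SecurityContextRepository.
        return "redirect:/";
    }
}
```

The point of the provisional role is that the authorization rules, not the controllers, decide what a half-authenticated user can see, so a forgotten check on some other page cannot accidentally bypass the questions.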

Related

Spring boot MVC - Block users from seeing endpoints by changing id in url

I'm writing a pretty simple ecommerce app with spring boot and thymeleaf and I found out that users can see any order by changing the id in URL.
For example:
A user placed an order with ID 5, so he can see his order at the URL /order/details/5.
But if the user changes the URL to e.g. /order/details/4, he can see details of an order that he shouldn't be able to see.
Is there a simple way to block it with Spring security?
First off, let's get some lingo out of the way:
Authentication - The act of proving someone's identity. E.g., you log in with a username, but you need a password to prove that it's you.
Authorization - The act of granting a user permission to perform an action.
Those terms are important when reading the Spring Security Documentation.
I assume that you already authenticate users and now you want to authorize them to view, e.g., their own orders, but not those of other users.
But I guess the orders are stored in a database. So you'll probably have to authenticate in your service layer. Meaning Spring Security takes care of authentication and you have the user available. When you fetch some order, you also need to make sure that the authenticated user is the owner.
Another thing to consider is using UUIDs as primary keys. That makes it much harder to guess an ID, but this is absolutely no replacement for authorization! Seriously. It is not. Security by obscurity is broken.
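An added example of the ownership check the answer describes (not code from the question or the answer): the service layer looks the order up by id and by the authenticated user's name together, so a different user's id simply does not resolve. Order, OrderRepository, OrderService and OrderController are hypothetical application classes; the Spring types are real, and the example assumes Spring MVC 5.x with Spring Security.

```java
// Added example, not from the original Q&A. Order/OrderRepository/OrderService are hypothetical.
import java.security.Principal;
import java.util.Optional;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.server.ResponseStatusException;

class Order {
    private final long id;
    private final String ownerUsername;

    Order(long id, String ownerUsername) {
        this.id = id;
        this.ownerUsername = ownerUsername;
    }

    long getId() { return id; }
    String getOwnerUsername() { return ownerUsername; }
}

// With Spring Data JPA this derived-query method name would generate
// "where id = ? and ownerUsername = ?" automatically; here it is a plain interface.
interface OrderRepository {
    Optional<Order> findByIdAndOwnerUsername(long id, String ownerUsername);
}

@Service
class OrderService {
    private final OrderRepository orders;

    OrderService(OrderRepository orders) {
        this.orders = orders;
    }

    // The id from the URL is never trusted on its own: the query is scoped to the
    // caller, so order 4 belonging to someone else behaves exactly like a
    // non-existent order. Responding 404 rather than 403 also avoids confirming
    // to a curious user that order 4 exists at all.
    Order getOrderForUser(long orderId, String username) {
        return orders.findByIdAndOwnerUsername(orderId, username)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "order not found"));
    }
}

@Controller
class OrderController {
    private final OrderService service;

    OrderController(OrderService service) {
        this.service = service;
    }

    // Spring MVC injects the authenticated user as Principal; with Spring Security
    // its getName() is the username the user logged in with.
    @GetMapping("/order/details/{id}")
    String details(@PathVariable long id, Principal principal, Model model) {
        model.addAttribute("order", service.getOrderForUser(id, principal.getName()));
        return "order-details";
    }
}
```

An equivalent declarative form is @PostAuthorize("returnObject.ownerUsername == authentication.name") on a plain findById service method (with method security enabled), but scoping the query itself means the check cannot be forgotten on a new call site and works the same for lists, updates and deletes.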

spring mvc only one user login per browser

I am developing a Spring MVC application. In my project I have a login page where I can successfully log in. The problem is that if I open a new tab and log in with a different username, it logs in, meaning that at the same time in the same browser I am able to log in multiple users, which I don't want. I want my application to allow a single user login per browser. How do I make it do that?
While rendering the login page, check authentication. If you are using Spring Security, you can check whether the principal's authentication is present or not. If it is present, render the home page, else render the login page. I think this can solve your issue neatly.
I suppose that Spring Security session management is what you're looking for:
Spring Security is able to prevent a principal from concurrently authenticating to the same application more than a specified number of times. Many ISVs take advantage of this to enforce licensing, whilst network administrators like this feature because it helps prevent people from sharing login names. You can, for example, stop user “Batman” from logging onto the web application from two different sessions. You can either expire their previous login or you can report an error when they try to log in again, preventing the second login.
For more information, read the following docs:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/session-mgmt.html
Control the Session with Spring Security
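Both answers above, as one added example (not code from the question or the answers): a login controller that sends an already-authenticated session straight to the home page, and Spring Security's concurrency control limiting each account to one session. It assumes Spring Security 4.x/5.x Java config; the view names and URLs are made up. Note what each part does: the redirect covers the second tab in the same browser (both tabs share one session cookie, so the second login would otherwise replace the first user's authentication), while maximumSessions is per principal and stops the same account being used from two browsers at once.

```java
// Added example, not from the original Q&A. Assumes Spring Security 4.x/5.x Java config.
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
class LoginController {
    // First answer: if this browser's session already holds a real (non-anonymous)
    // authentication, do not show the form again; send the user home instead.
    @GetMapping("/login")
    String login() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean loggedIn = auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
        return loggedIn ? "redirect:/" : "login";   // "login" is the form view name
    }
}

@EnableWebSecurity
class SessionLimitConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .and()
            // Second answer: concurrency control, one session per principal.
            .sessionManagement()
                .maximumSessions(1)
                // true: reject the second login with an error.
                // false (the default): expire the earlier session instead.
                .maxSessionsPreventsLogin(true)
                // Where an expired earlier session is sent on its next request.
                .expiredUrl("/login?expired");
    }

    // Required so the SessionRegistry is told when sessions are destroyed (logout,
    // timeout). Without it a user who simply closed the browser still counts as
    // logged in and is locked out by maxSessionsPreventsLogin until the session times out.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```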

Spring Security asks authenticated user to log in again and again

I am using Spring Security 3.0.2 on a web site where users can log into their account. The account landing page has a button that takes you to a second page. Various users report that they have trouble getting to that second page because they are asked to log in again and again when they press the button. I cannot reproduce the problem myself, and it seems to work for most people. However, enough people have complained about the issue that I take them seriously. What could be the cause for such a spurious malfunction?
I see some possible causes; maybe some of them would produce a 403 and not a redirect:
The second page is protected by an intercept-url with a list of roles and some users don't have the required role. Maybe your account has some "admin" role which allows you to access any page; that's why you cannot reproduce it.
The same problem but with a method annotated @Secured with a role that some users don't have.
Maybe these users aren't accepting cookies.
Maybe you have multiple domains: the cookie is created for the domain www.domain.com, then the user is redirected to another domain like www1.domain.com where the cookie doesn't apply.
Maybe you have some kind of misconfiguration in the load balancing: the session is created on the first server, then the second page is handled by the second server where the session doesn't exist.
Maybe somewhere in the code you call session.invalidate().
Hope it helps.

check for username against password in base controller mvc 3

I want to know how I can force a user to log in to the application again if the page is being opened in a new tab or new browser.
Edit:
My apologies, I misunderstood the requirement.
I am authenticating the user in my log-in page but not anywhere else. So what is happening because of that is that even if I log out of the application and type a URL, say bla.com/apple, I can access my application.
I figured that to prevent this from happening, I have to write a base controller that checks for the right user. Am I moving in the right direction?
Thanks
Addressing the edit -
Authentication can be handled per controller or on individual actions. Simply place the [Authorize] attribute appropriately. This assumes, however, that somewhere an authentication token is being set. [Authorize] checks against the HttpContext's current User (an IPrincipal).
You mentioned above that you're just validating against a local username and password, in one place, so I'm guessing that no token (session, cookie) is being set?
You have a few options here to get that token stored and persisted across requests:
ASP.Net integrated membership provider (Intro)
A custom MembershipProvider (Example)
Full-on custom flow. (Example)
Each has ups and downs and depends on how exactly you want to handle on-boarding your users. It's hard to answer more specifically because it can be a very large topic (and a very broad question).
Here are the official pages for MVC security.

How to add disclaimer in webapp

I am using Spring and Spring Security in our application, and authentication is done through LDAP. After authentication the role is checked against the database, and according to the role the user is able to access specific pages. I want to add a disclaimer message to the web app: after the user logs in to the application, the disclaimer message is displayed. If the user accepts the disclaimer, he will be able to access the application, else the login window is displayed. Is there some way to call a Spring handler, or maybe there is a better solution?
We handle this scenario with an extra custom Spring Security filter.
E.g. it checks if the disclaimer has already been accepted and if not redirects to a disclaimer page.