My web application is using Spring Security and everything seems fine except for one thing. Once I authenticate a user in one browser they are always authenticated. If I close all instances of a certain broswer (for example Chrom) and open a new instance, I'm not prompted for authentication and proceed directly to the secured resouce. If I bounce my local dev server then I'm prompted as expected. I need a sticky session but not that sticky. Any ideas why Spring doesn't prompt me again after closing all browser instances? I'm using spring-security*3.1.0.M1 and spring-core-3.0.5.RELEASE. Thanks for the assistance!
security context file(removed the xml and schema definitions):
<global-method-security secured-annotations="enabled">
</global-method-security>
<http security="none" pattern="/services/rest-api/1.0/**" />
<http security="none" pattern="/preregistered/**" />
<http access-denied-page="/auth/denied.html">
<intercept-url
pattern="/**/*.xhtml"
access="ROLE_NONE_GETS_ACCESS" />
<intercept-url
pattern="/auth/**"
access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url
pattern="/auth/*"
access="ROLE_ANONYMOUS" />
<intercept-url
pattern="/**"
access="ROLE_USER" />
<form-login
login-processing-url="/j_spring_security_check.html"
login-page="/auth/login.html"
default-target-url="/registered/home.html"
authentication-failure-url="/auth/login.html?_dc=45" />
<logout logout-url="/auth/logout.html"
logout-success-url="/" />
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
<remember-me user-service-ref="userManager" key="valid key here"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager>
<authentication-provider user-service-ref="userManager">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
Related
I am implementing the web logout process using spring security.
When I ran a web project with IDE (e.g., eclipse) in the development environment, I ran the webapp through the ROOT path, so it was processed normally.
However, when I distributed it to the actual environment, I registered the path to my service because I had to register several services in one Tomcat.
For example... http://localhost:8080/ -> http://localhost:8080/operator
As a result of distributing the webapp as above, two problems appeared.
When logging out, move to invalid-session-url.
Duplicate session detection, expired-url ignored and moved to invalid-session-url.
The example below is part of my spring security setting xml file.
When distributing to Tomcat, when adding path to the webapp, is there any part that needs to be set up in session-management?
It works normally in the local environment, so I think that's definitely the problem.
<security:http auto-config="true" use-expressions="true">
<security:csrf disabled="true"/>
<security:intercept-url pattern="/resources/**" access="permitAll" />
<security:intercept-url pattern="/favicon.io" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/callApiService" access="permitAll" />
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<security:csrf disabled="true"/>
<security:form-login
login-page="/login"
login-processing-url="/loginprocess"
authentication-failure-url="/login?auth=fail"
authentication-success-handler-ref="customLoginSuccessHandler"
default-target-url="/"
/>
<security:logout
delete-cookies="JSESSIONID"
logout-url="/logout"
logout-success-url="/login"
/>
<security:session-management invalid-session-url="/login?auth=invalid">
<security:concurrency-control
max-sessions="1"
error-if-maximum-exceeded="false"
expired-url="/login?auth=expired"
/>
</security:session-management>
</security:http>
I have successfully enabled the '/oauth/check_token' endpoint using spring-security 3.2.* and javaconfig but currently I'm restricted to spring-security 3.1.4 and then i'm stucked to XML config. '/oauth/token' endpoint is working as i wish but I can't get the check_token endpoint to be enabled and I can't find any (non javaconfig) documentation explaining what to do.
Vanila Authorization server config:
<oauth:authorization-server
client-details-service-ref="client-service"
token-services-ref="tokenServices" >
<oauth:refresh-token disabled="false" />
<oauth:client-credentials disabled="false" />
<oauth:password authentication-manager-ref="userAuthenticationManager" />
</oauth:authorization-server>
http security config:
<sec:http
auto-config="true"
pattern="/oauth/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<sec:anonymous enabled="false"/>
<sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
</sec:http>
I've tried to add following http config without success.
<sec:http
auto-config="true"
pattern="/oauth/check_token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<sec:intercept-url pattern="/oauth/check_token" access="IS_AUTHENTICATED_FULLY" />
<sec:anonymous enabled="false"/>
<sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
</sec:http>
please, any suggestions. A working example would be great.
best
./Kristofer
You need to create a bean of type CheckTokenEndpoint (org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint).
Use the last version of spring oauth2:
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.0.10.RELEASE</version>
</dependency>
Ensure what the correct version of xsd is in use in spring security oauth file configuration:
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
Insert the option check-token-enabled="true" in the element authorization-server:
<oauth:authorization-server ... check-token-enabled="true">
...
</oauth:authorization-server>
I have a logout button created which is set up and works, but it's redirecting to my invalid-session-url for some reason. Relevant bit of the security.xml:
<http use-expressions="true">
<form-login login-page="/login"
login-processing-url="/j_spring_security_check"
default-target-url="/view"
always-use-default-target="true"
authentication-failure-url="/login?redirect=login_error" />
<logout logout-success-url="/login?redirect=logout" delete-cookies="JSESSIONID"/>
<session-management invalid-session-url="/login?redirect=session_timeout" />
<intercept-url pattern="/login" access="isAnonymous()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
Not sure why this is happening. I have my session-timeout in web.xml set to 5.
When you logout the first thing that Spring Security does is to invalidates the session, so the invalid-session-url is used. You can set invalidate-session="false" on the logout element or remove <session-management invalid-session-url="/login?redirect=session_timeout" />.
I have searched here, google and springsource for this and could not find a solution that worked for me. I have the below spring-security.xml and when I use the pattern
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
This gives me a 404 error when it redirects to the login page. But this does not happen if I use
<intercept-url pattern="/index*" access="hasRole('ROLE_USER')" />
But obviously this does not secure the rest of the app.
I'm sure this is something simple I am overlooking but the closest thing I could find was this stack overflow question, Which I have already incorperated in my xml file below but still have the same issue. I have tried this without use-expressions="true" and I have tried switching the intercept-url's around (I'm not 100% but I am fairly sure that the /** pattern should be the last one as I believe urls are matched in the same order as declared)
Any advice/help would be great
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" filters="none" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="username" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Update
Just in case it is a factor I'm using Spring and Spring security 3.0.4.RELEASE
Answer
Following Kris's advice I changed
<intercept-url pattern="/login" filters="none" access="permitAll" />
to:
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
This caused a 500 Error due to the exception
SpelEvaluationException: EL1008E:(pos 0): Field or property
'IS_AUTHENTICATED_ANONYMOUSLY' cannot be found on object of
type'org.springframework.security.web.access.expression.WebSecurityExpressionRoot
I solved this by changing the IS_AUTHENTICATED_ANONYMOUSLY to isAnonymous()
<intercept-url pattern="/login" access="isAnonymous()" />
For completeness, here's the real reason this requires a change to isAnonymous().
The <http> element has an attribute use-expressions which defaults to true. In the default situation, you are required then to use "security expressions" instead of role names. If you wish to use only role names in access= declarations, you need to turn off expressions with
<http use-expressions="false"> ... </http>
Adds an AnonymousAuthenticationFilter to the stack and an AnonymousAuthenticationProvider. Required if you are using the IS_AUTHENTICATED_ANONYMOUSLY attribute.
spring secuirty
or use isAnonymous() instead.
Change this <intercept-url pattern="/login" filters="none" access="permitAll" />
to
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
The config looks fine to me. Could it be that the /login page is actually not there? The second config (with /index*) might have only worked, because then the request you made wasn't intercepted, and consequently didn't get redericted to the non-existent /login page. If it was a problem with the config, Spring Security would respond with 403 not 404.
Double-check without any Spring Security configured if the /login url works.
Added the following parameter in context.xml
<Parameter name="channel" value="any"
override="false"/>
I want to read the value of channel in spring configuration xml
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="READ_VALUE_OF_CHANNEL_PARAMETER" />
READ_VALUE_OF_CHANNEL_PARAMETER needs to be replaced.
How to do it?
Found the answer
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="#{contextParameters.channel}" />