I'm trying to show a login box in my page only if the user is not authenticated yet.
I'm using Spring Security 3.0.
Do I have to check inside the view (JSP page) through some value I set on the model while processing the request in the Controller or is there another way to achieve this?
Checking inside the JSP seems the most straightforward here. The Spring Security taglib lets you do just that.
See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/taglibs.html
Related
It seems like a simple task but I did not yet find a straight answer how to do it. I'm using Mustache in a small Spring Boot application. In my header partial I'd like to render logout link only when user is authenticated. How can I achieve this?
If you have a mapped object on your view for your logged user like "userObject" you can do it like this:
{{^userObject}}<a href='/login'>Login</a>{{/userObject}}{{#userObject}}<a href='/logout'>logout</a>{{/userObject}}
I'm migrating a Play! 1.2 web application and moving to Spring Boot + Spring MVC. Some views contain URLs to other endpoints. For example, I display the book title on the page and next to it I want to add the URL to go the book's details page (e.g. localhost/books/{id}).
In Play! 1.2 the controllers are static, and there is also a Router which can create the full URL for a method belonging to another controller (Router.getFullUrl("BookController.bookDetails", args)), but how do I achieve this with Spring MVC?
Best regards,
Cristian.
If you are trying to get the app/deployed name automatically in .jsp files to make the urls, then please make use of context path. An example below :
<c:set var="context" value="${pageContext.request.contextPath}" />
<script src="${context}/themes/js/jquery.js"></script>
From your requirement "admin.myapp.com","admin-test.myapp.com" are server names right? Something like http://admin.myapp.com/book/{bookId},http://admin-test.myapp.com/book/{bookId}. In Spring app, relative path in jsp can be accessed using pageContext.request.contextPath
I also found the UriComponentsBuilder and ServletUriComponentsBuilder. They are similar to the Play! Framework router and provide methods for building URI's, handling parameters and the query etc. We chose to annotate the controllers' methods using constants and then use the same constants with the UriComponentsBuilder to build back the path and create the request query for GET requests.
I'm migrating a JSF application from Spring Security 3.2 to 4.0.1. This version changes many default urls, for example the default login url to /login.
The application has its own login page (using JSF AJAX) and it is still displayed when calling /login, but all POST-Requests to this URL (and so all AJAX-Requests from the Login-Page) are captured by the UsernamePasswordAuthenticationFilter and that is trying to process the authentication, causing the request to get redirected to the loginform again.
After looking at the code this url seems to be hard-coded:
public UsernamePasswordAuthenticationFilter() {
super(new AntPathRequestMatcher("/login", "POST"));
}
So I have to disable this filter completely, or better, avoid it's creation. Can anybody point me how I can do it.
Changing my login page to another url is working, but is not the nice solution.
EDIT: I have created a Bugticket in Spring Security for this: https://jira.spring.io/browse/SEC-2992
EDIT 2: I've found another workaround: If I set the login-processing-url for the form-login to something unused it is working, but seems to be very hacky. There should be a way to disable it completely. Also it should be stated in the migration guide, I lost hours until I found this.
I am going to assume that you are trying to upgrade to Spring Security 4.0.0 (the latest available version is 4.0.1).
Spring Security 3.x used spring_security_login as the default login URL (source: official documentation). This could be set to a custom value as <security:form-login login-page="/login"> and mapped to a controller to render a custom page.
Spring Security 4.x has abandoned spring_security_login and switched to login as the default login URL (source: official Spring Security 4.x migration guide). Therefore, the URL login now goes to the default Spring Security infrastructure, that displays the default, auto-generated login page.
There was a bug in 4.0.0 due to which the default infrastructure was still getting used in cases where the URL /login was manually mapped to a custom controller method. This bug has been fixed in 4.0.1. Do try upgrading to Spring Security 4.0.1 to see if you can use /login as the login URL.
It looks like you could call setFilterProcessesUrl(String) (or, equivalently, setRequiresAuthenticationRequestMatcher(RequestMatcher)) to override the default of /login.
I have a new project and I want to implement spring-security along with other components of spring framekwork.
I plan to implement spring security into 2 levels, Request URL-level and view-level
For Request URL-Level, I'd use the <intercept-url> tag to restrict URL access only for authorized users.
For View-Level security, I'll use it into two parts of the application;
For the web app menu to restrict menus for users who authorized to.
And inside the pages to restrict some parts of the page for users who authorized to.
The confusion I had is regarding implement spring security for menu links.
Hence I need to use spring taglibs <authorize> tag's url attribute (to reuse<intercept-url> patterns/access combination) , then I'll need to write menu links by hand like this:
<security:authorize url="/admin/superadmin/**" >
Super admin page
</security:authorize>
Where I've the following intercept url rule:
<intercept-url pattern="/admin/superadmin/**" access="hasRole('ROLE_SUPER_ADMIN')" />
The point is, I have all the rules in the Database table, and I want to draw links dynamically based on the roles/links saved in the table.
So, the question is how to draw menu links dynamically, and at the same time still use the <authorize> taglib?
The <authorize> tag can do what you need automatically. I assume your menu JSP looks like (without the security part) :
<c:foreach items="${menus}" var="menu">
<a href=${menu.url}>${menu.label}</a>
</c:foreach>
You can simply add security that way :
<c:foreach items="${menus}" var="menu">
<security:authorize url=${menu.url}>
<a href=${menu.url}>${menu.label}</a>
</security:authorize>
</c:foreach>
The Spring security reference manual says that as you use the namespace the authorize tags creates a dummy web request for the supplied URL and invokes the security interceptor to see whether the request would succeed or fail. This allows you to delegate to the access-control setup you defined using intercept-url declarations within the namespace configuration and saves having to duplicate the information (such as the required roles) within your JSPs
In my web application I am using Spring login form (with Spring-security). By default the login form has the fields j_username and j_password. I need to add one more element(checkbox for Terms&Conditions). The current code doesn't have LoginForm as well as LoginController since Spring is internally handling it.
Can anyone please tell how to handle/override this?
I have seen this link Spring security custom login page
But I need to add the new element in LoginForm (which is not existing currently) - where I need to add this new element(in Form - .java file)
Also should I write a new controller (LoginController) or can I use any existing filter as given here? http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#filter-stack
Does the user just have to check the box in order to procede, or does it bind to a backing model object.
If it's the former, I'd just handle it through javascript. If the latter, the easiest way would probably be implementing an Authentication Filter, this area of the documentation might help:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-web-filters.html#form-login-filter