Spring Security: How to get the initial target url - spring

I am using the spring security to restricted urls. I am trying to provide signup and login page, on the same page.
On login spring security transfers to the restricted page. However i am trying to pass the target url to the signup process, so that after signup we can redirect to the restricted page.
How to get the actual URL that user was redirected from.
Any Ideas?

This is how i got the URL from the Spring Security.
SavedRequest savedRequest = (SavedRequest)session.getAttribute(
AbstractProcessingFilter.SPRING_SECURITY_SAVED_REQUEST_KEY);
String requestUrl = savedRequest.getFullRequestUrl();

They moved things around a bit in spring security 3.0, so the above code snippet doesn't work anymore. This does the trick, though:
protected String getRedirectUrl(HttpServletRequest request) {
HttpSession session = request.getSession(false);
if(session != null) {
SavedRequest savedRequest = (SavedRequest) session.getAttribute(WebAttributes.SAVED_REQUEST);
if(savedRequest != null) {
return savedRequest.getRedirectUrl();
}
}
/* return a sane default in case data isn't there */
return request.getContextPath() + "/";
}

with spring security 4.1.4:
#Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws IOException, ServletException {
SavedRequest savedRequest = new HttpSessionRequestCache().getRequest(request, response);
if (savedRequest != null) {
response.sendRedirect(savedRequest.getRedirectUrl());
}
else{
response.sendRedirect("some/path");
}
}

DefaultSavedRequest savedRequest = (DefaultSavedRequest)session.getAttribute("SPRING_SECURITY_SAVED_REQUEST");
String requestURL = savedRequest.getRequestURL(); // URL <br>
String requestURI = savedRequest.getRequestURI(); // URI

Related

HttpServletRequest getting new session

I have an application that does authentication via oauth.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpReq = (HttpServletRequest) request;
HttpServletResponse httpResp = (HttpServletResponse) response;
// Check if already logged in
if (getUser(httpReq) != null) {
chain.doFilter(request, response);
return;
}
// Try to parse auth response
if (procAuthResponse(httpReq)) {
chain.doFilter(request, response);
return;
}
// Go to auth server
sendAuthRequest(httpReq, httpResp);
}
This works fine.
In the method procAuthResponse I am paring the response from the server and to this.
HttpSession session = request.getSession();
session.setAttribute(USER_PRINCIPLE_ATR, userInfo);
It works also well, but there is a session scoped class with the method getCurrent user, that is used by servlets.
public UserInfo getCurrentUser() {
HttpSession session = getHttpSession();
if (session == null) {
LOG.warn("Method getCurrentUser: unable to find a session");
return null;
}
Object user = session.getAttribute(OAuthLoginFilter.USER_PRINCIPLE_ATR);
if (!(user instanceof UserInfo)) {
LOG.warn(String.format("Method getCurrentUser, wrong type for attribute %s", OAuthLoginFilter.USER_PRINCIPLE_ATR));
return null;
}
currentUser = (UserInfo) user;
return currentUser;
}
This method gets called multiple times and it turnes out that on the first call everything works as expected and after that the getHttpSession() returns a different session that does not contain any information that is set in the filter class. It is not a new session every time, the session without the needed information is always the same.
Code of getHttpSession()
private HttpSession getHttpSession() {
Object request = FacesContext.getCurrentInstance().getExternalContext().getRequest();
if (!(request instanceof HttpServletRequest)) {
LOG.warn("not a valid http request");
return null;
}
HttpServletRequest hreq = (HttpServletRequest) request;
return hreq.getSession(false);
}
Do you have any idea why this happens?
Thx for your help
There was still an old filter class, not configured in the web.xml, but annotated with #WebFilter("/*").
I deleted this file and now everything works as expected.

authenticated and anonymous for the same endpoind (spring security)

What i want is, for
localhost:8080/home -> should be open to only authenticated - home page after login
localhost:8080/home?msg=asdsada -> should be open to anonymous - for login errors like wrong password
This is endpoind:
#GetMapping(value = { "/home"})
public ModelAndView getLoginPage(
#RequestParam(value = "msg", required = false) String message) throws IOException
I tried to add this to security config of spring
.regexMatchers("/home").authenticated()
.regexMatchers("/home?msg=.*").permitAll()
So config became like this:
http
.authorizeRequests().antMatchers(anonymousEndpoints).anonymous()
.antMatchers(permittedEndpoints).permitAll()
.regexMatchers("/home").authenticated()
.regexMatchers("/home?msg=.*").anonymous()
.and()
.authorizeRequests().anyRequest().fullyAuthenticated()
But for wrong password, it does not go to endpoind
localhost:8080/home?msg=asdsada
For logged user, it can go to
localhost:8080/home
also it can go to
localhost:8080/home?msg=asdsada
What am I doing wrong? I can also use endpoind to check if logged in or not. Like:
But i want spring scurity to do this. Give 403 forbidden for example.
#GetMapping(value = { "/home"})
public ModelAndView getLoginPage(
#RequestParam(value = "msg", required = false) String message) throws IOException{
Authentication authentication = SecurityUtil.getAuthentication(false);
if (authentication != null) {
logger.info("User: {} already logged in, redirecting to dashboard", authentication.getName());
web.response.sendRedirect("/dashboard");
return null;
}
else{//not logged in
if (msg != null)//and msg is not null so like wrong password
//do smth
}
return null;
}
Don't configure the specific path in Spring Security Config, just analyze it in the controller method. In config set permitAll for this path, but add an authentication or principal parameter in the method signature:
#GetMapping(value = { "/home"})
public ModelAndView getLoginPage(#RequestParam(value = "msg", required = false) String message, Authentication authentication) throws IOException {
if (msg != null) {
...
} else if (!authentication.isAuthenticated()) {
...
}
...
}
P.S. Method arguments: https://docs.spring.io/spring/docs/5.2.x/spring-framework-reference/web.html#mvc-ann-arguments

Session Tracking Login in spring mvc

I'm new using spring mvc in general. I'm generating login page and my problem is that it always redirects me to the notLoggedIn prompt after I've tried to log in.
The controller:
#RequestMapping(value="/login", method= RequestMethod.POST) //login
public String logIn(HttpServletRequest request, HttpServletResponse response, ModelMap map) {
HttpSession session= request.getSession();
request.getSession().setAttribute("isLoggedIn", "true");
String uname=request.getParameter("userid");
String pword=request.getParameter("password");
boolean exists=logInService.checkLogIn(uname, pword);
if(exists){
session.setAttribute("userid", uname);
return "Users"; //return to next success login jsp
} else {
return "Interface2"; //return to Invalid username and password jsp
}
}
The interceptor:
#Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
HttpSession session= request.getSession();
if(session.getAttribute("userid")!=null && session.getAttribute("isLoggedIn")!=null ){
System.out.println("Logged In");
}
else{
response.sendRedirect(request.getContextPath()+"/modulename/notLoggedIn");
System.out.println("Not logged in");
return false;
}
return true;
}
Your interceptor blocks every http request and does some check but it should actually allow and not check for login http request. Following changes are just to get the use case work. Refer note at the bottom for suggestions.
#Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
HttpSession session= request.getSession();
if(session.getAttribute("userid")!=null && session.getAttribute("isLoggedIn")!=null ){
//user has already logged in . so therefore can access any resource
System.out.println("Logged In");
return true;
}
//if code reaches here means that user is not logged in
//allow login http request. modify checks accordingly. like you can put strict equals.
if (request.getRequestURI().endsWith("/login")){
//user is not logged in but is trying to login. so allow only login requests
return true;
}
else{
//user is not logged in and is trying to access a resource. so redirect him to login page
response.sendRedirect(request.getContextPath()+"/modulename/notLoggedIn");
System.out.println("Not logged in");
return false;
}
}
Note: You can reorder your login http request check to avoid login request for already logged in user.

Why OAuth2AccessTokenSupport always send POST request ??

I'm working with a Spring Boot + Spring Security OAuth2 to consume the Restful Oauth2 service.
Our Oauth2 service is always expects HTTP GET But OAuth2AccessTokenSupport always sending HTTP POST.
Result:
resulted in 405 (Method Not Allowed); invoking error handler
protected OAuth2AccessToken retrieveToken(AccessTokenRequest request, OAuth2ProtectedResourceDetails resource,
MultiValueMap<String, String> form, HttpHeaders headers) throws OAuth2AccessDeniedException {
try {
this.authenticationHandler.authenticateTokenRequest(resource, form, headers);
this.tokenRequestEnhancer.enhance(request, resource, form, headers);
AccessTokenRequest copy = request;
ResponseExtractor delegate = getResponseExtractor();
ResponseExtractor extractor = new ResponseExtractor(copy, delegate) {
public OAuth2AccessToken extractData(ClientHttpResponse response) throws IOException {
if (response.getHeaders().containsKey("Set-Cookie")) {
this.val$copy.setCookie(response.getHeaders().getFirst("Set-Cookie"));
}
return ((OAuth2AccessToken) this.val$delegate.extractData(response));
}
};
return ((OAuth2AccessToken) getRestTemplate().execute(getAccessTokenUri(resource, form), getHttpMethod(),
getRequestCallback(resource, form, headers), extractor, form.toSingleValueMap()));
} catch (OAuth2Exception oe) {
throw new OAuth2AccessDeniedException("Access token denied.", resource, oe);
} catch (RestClientException rce) {
throw new OAuth2AccessDeniedException("Error requesting access token.", resource, rce);
}
}
<b>protected HttpMethod getHttpMethod() {
return HttpMethod.POST;
}</b>
protected String getAccessTokenUri(OAuth2ProtectedResourceDetails resource, MultiValueMap<String, String> form) {
String accessTokenUri = resource.getAccessTokenUri();
if (this.logger.isDebugEnabled()) {
this.logger.debug(new StringBuilder().append("Retrieving token from ").append(accessTokenUri).toString());
}
StringBuilder builder = new StringBuilder(accessTokenUri);
String separator;
if (getHttpMethod() == HttpMethod.GET) {
separator = "?";
if (accessTokenUri.contains("?")) {
separator = "&";
}
for (String key : form.keySet()) {
builder.append(separator);
builder.append(new StringBuilder().append(key).append("={").append(key).append("}").toString());
separator = "&";
}
}
return builder.toString();
}
Can Anyone explain me why OAuth2AccessTokenSupport always returns POST and
How to send HTTP GET request
To enable GET requests for the token endpoint, you need to add the following in your AuthorizationServerConfigurerAdapter:
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
}
As for why only POST by default: I think that is due to GET requests potentially sending username and password information as request params (this is certainly the case for password grant). These may well be visible in web server logs, while POST body data is not.
Indeed the RFC for OAuth2 declares that the client must use HTTP POST when requesting an access token (https://www.rfc-editor.org/rfc/rfc6749#section-3.2)

How to set, get and validate sessions in JSF like PHP $_SESSION[''] [duplicate]

I would like to block the access of some page even if the user knows the url of some pages.
For example, /localhost:8080/user/home.xhtml (need to do the login first) if not logged then redirect to /index.xhtml.
How do that in JSF ? I read in the Google that's needed a filter, but I don't know how to do that.
You need to implement the javax.servlet.Filter class, do the desired job in doFilter() method and map it on an URL pattern covering the restricted pages, /user/* maybe? Inside the doFilter() you should check the presence of the logged-in user in the session somehow. Further you also need to take JSF ajax and resource requests into account. JSF ajax requests require a special XML response to let JavaScript perform a redirect. JSF resource requests need to be skipped otherwise your login page won't have any CSS/JS/images anymore.
Assuming that you've a /login.xhtml page which stores the logged-in user in a JSF managed bean via externalContext.getSessionMap().put("user", user), then you could get it via session.getAttribute("user") the usual way like below:
#WebFilter("/user/*")
public class AuthorizationFilter implements Filter {
private static final String AJAX_REDIRECT_XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ "<partial-response><redirect url=\"%s\"></redirect></partial-response>";
#Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
String loginURL = request.getContextPath() + "/login.xhtml";
boolean loggedIn = (session != null) && (session.getAttribute("user") != null);
boolean loginRequest = request.getRequestURI().equals(loginURL);
boolean resourceRequest = request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER + "/");
boolean ajaxRequest = "partial/ajax".equals(request.getHeader("Faces-Request"));
if (loggedIn || loginRequest || resourceRequest) {
if (!resourceRequest) { // Prevent browser from caching restricted resources. See also https://stackoverflow.com/q/4194207/157882
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.
}
chain.doFilter(request, response); // So, just continue request.
}
else if (ajaxRequest) {
response.setContentType("text/xml");
response.setCharacterEncoding("UTF-8");
response.getWriter().printf(AJAX_REDIRECT_XML, loginURL); // So, return special XML response instructing JSF ajax to send a redirect.
}
else {
response.sendRedirect(loginURL); // So, just perform standard synchronous redirect.
}
}
// You need to override init() and destroy() as well, but they can be kept empty.
}
Additionally, the filter also disabled browser cache on secured page, so the browser back button won't show up them anymore.
In case you happen to use JSF utility library OmniFaces, above code could be reduced as below:
#WebFilter("/user/*")
public class AuthorizationFilter extends HttpFilter {
#Override
public void doFilter(HttpServletRequest request, HttpServletResponse response, HttpSession session, FilterChain chain) throws ServletException, IOException {
String loginURL = request.getContextPath() + "/login.xhtml";
boolean loggedIn = (session != null) && (session.getAttribute("user") != null);
boolean loginRequest = request.getRequestURI().equals(loginURL);
boolean resourceRequest = Servlets.isFacesResourceRequest(request);
if (loggedIn || loginRequest || resourceRequest) {
if (!resourceRequest) { // Prevent browser from caching restricted resources. See also https://stackoverflow.com/q/4194207/157882
Servlets.setNoCacheHeaders(response);
}
chain.doFilter(request, response); // So, just continue request.
}
else {
Servlets.facesRedirect(request, response, loginURL);
}
}
}
See also:
Our Servlet Filters wiki page
How to handle authentication/authorization with users in a database?
Using JSF 2.0 / Facelets, is there a way to attach a global listener to all AJAX calls?
Avoid back button on JSF web application
JSF: How control access and rights in JSF?
While it's of course legitimate to use a simple Servlet filter, there are alternatives like
Spring Security
Java EE Security
Apache Shiro

Resources