I'm using the latest release of Spring Blzeds integration which has some features making it easier to secure invocations on destination objects. However the basic setup I use which uses the ChannelSet login approach form the flex side looses the authentication information (sessions) on each page refresh. Here's the configuration I'm using:
<http entry-point-ref="preAuthenticatedEntryPoint" >
</http>
<beans:bean id="preAuthenticatedEntryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
<beans:bean id="userAccountManager" class="com.comp.service.managers.jpa.UserAccountJpaManager" />
<beans:bean id="userService" class="com.comp.auth.JpaUserDetailsService" />
<beans:bean id="defaultPasswordEncoder" class="com.comp.auth.DefaultPasswordEncoder" />
<authentication-provider user-service-ref="userService">
<password-encoder ref="defaultPasswordEncoder"/>
</authentication-provider>
<flex:message-broker>
<flex:secured />
</flex:message-broker>
<bean id="testService" class="com.comp.service.TestService">
<flex:remoting-destination channels="comp-amf" />
<security:intercept-methods>
<security:protect method="say*" access="ROLE_USER" />
</security:intercept-methods>
</bean>
Is there another way to configure/implement this so I could get persistent sessions (remember me). Is it possible to do the logins from flex over standard HTTP POST (like forms) and still get the same level of granularity for protecting remote object calls?
Try adding this to your config:
<http entry-point-ref="preAuthenticatedEntryPoint" create-session="always">
Related
When I make an implementation for
org.springframework.security.core.userdetails.UserDetailsService
and use the statement
sessionRegistry.registerNewSession(user.getUsername(), user);
within it after successful authentication, then the
sessionRegistry.getAllPrincipals();
list is not empty (but when I log out from application the session still remain within list) otherwise this list will be empty. how can I make the session registration (and also unregistration during user log out or session expiration) within sessionRegistry automatically? my spring config is as below:
<sec:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsf">
<sec:form-login login-page="/login.jsf" />
<sec:session-management session-authentication-strategy-ref="sas" />
</sec:http>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="scr"
class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
<bean id="smf"
class="org.springframework.security.web.session.SessionManagementFilter">
<constructor-arg name="securityContextRepository"
ref="scr" />
<property name="sessionAuthenticationStrategy"
ref="sas" />
</bean>
<bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<property name="maximumSessions" value="10" />
</bean>
Most likely you have forgotten to add an HttpSessionEventPublisher to your web.xml.
Another possibility is that the principal in question has other sessions still active which haven't timed-out or been invalidated. You have a maximum session value of 10. Try setting that to "1" instead for testing.
Also, version 3.0.5 is out of date. You should use the latest version and keep up to date with patches to avoid vulnerabilities.
I am having trouble displaying a logout link in a JSP page only if the user is authenticated. Here is the exception I have at this line of the JSP page:
<sec:authorize access="isAuthenticated()">
Exception:
Stacktrace:
....
root cause
javax.servlet.jsp.JspException: No visible WebSecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in JSP 'authorize' tags.
org.springframework.security.taglibs.authz.AuthorizeTag.getExpressionHandler(AuthorizeTag.java:100)
org.springframework.security.taglibs.authz.AuthorizeTag.authorizeUsingAccessExpression(AuthorizeTag.java:58)
Here is my application-context-Security.xml:
<http auto-config='true' >
<intercept-url pattern="/user/**" access="ROLE_User" />
<logout logout-success-url="/hello.htm" />
</http>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
</beans:bean>
<beans:bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider" />
</beans:list>
</beans:property>
</beans:bean>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="plaintext" />
</authentication-provider>
</authentication-manager>
I understand that I could use use-expression="true" in the http tag but that means I would have to use expression in the intercept-url tags and in the java code. Is there a workaround?
You can just add one to your application context
<bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
but the easiest way is just to enable expressions in your <http> configuration, and one will be added for you. This only means that you have to use expressions within that block, not in Java code such as method #Secured annotations.
We have two web applications. Both are enabled with CAS authentication. We can navigate from web application(Application A) to another one(Application B). Some times sessionManagementFilter is redirecting to session expired page ,when user navigating from Application A to B.We are getting session invalid page for Application B. Here is our spring configuration settings in applicationContext-security.xml file.
Any idea what is the causing the issue. Prompt response is appreciable.
<http entry-point-ref="casProcessingFilterEntryPoint" >
<custom-filter position="CAS_FILTER" ref="casProcessingFilter" />
<custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />
<logout logout-url="/j_spring_security_logout.xhtml" logout-success-url="calltoolSecurity{CAS_URL}/logout" invalidate-session="true" />
</http>
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
<!-- this permits redirection to session timeout page from javascript/ajax or http -->
<beans:property name="invalidSessionStrategy" ref="actInvalidSessionStrategy" />
</beans:bean>
<beans:bean id="actInvalidSessionStrategy" class="com.avivausa.api.web.JsfRedirectStrategy">
<beans:constructor-arg name="invalidSessionUrl" value="/pages/system/errorSessionExpired.xhtml" />
</beans:bean>
Please make sure that both application using the same CAS server to login.
I spent a lot of time to solve this problem, yet still couldn't get it work.
I am using Spring Security. The application will run on multiple servers. I use the option "remember me" on login to save persistent logins in my database.
If a user is connected to server 1, he has a session id in cookies browser. I turn on another server and this user makes authentication and the cookies browser have this session id and the session id of server 1 connection.
When this user logs out in one server or another server, he should be redirected to login page in all servers.
I tried to remove cookies from browser without success. How can I make this work? Any help?
Example scenario: In gmail, if you have 2 tabs open in your account and if you log out from one of them, other tab automatically logs out too. The server 1 doesn't know the information of server 2.. I think my problem is here but I don't know how I can solve this.
This is my security config:
<http auto-config="false" use-expressions="true" disable-url-rewriting="true">
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<remember-me data-source-ref="dataSource" />
<form-login login-page="/login.do" />
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
<session-management session-authentication-strategy-ref="sas" />
</http>
<!-- <logout logout-url="/j_spring_security_logout" logout-success-url="/" invalidate-session="true" /> -->
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.do" />
<beans:constructor-arg>
<beans:list>
<beans:ref bean="rememberMeServices"/>
<beans:ref bean="logoutHandler"/>
</beans:list>
</beans:constructor-arg>
<!-- <beans:property name="filterProcessesUrl" value="/login.do" /> -->
</beans:bean>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/login.do" />
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="jdbcUserService" />
</authentication-manager>
Here are 3 solutions for your multiple-server scenario:
Use sticky sessions on your load balancer so the user keeps going back to the same server. Then you just invalidate the session when they log out. This is usually coupled with a session failover solution (Tomcat example) so if a server goes down a user can get redirected to a new server that picks up their old session.
Use a distributed cache for sessions (for example Terracotta Web Sessions). Then when they logout invalidate the session and it will be invalidated everywhere.
Another solution is to use a customized Spring Security TokenBasedRememberMeServices as your "login" cookie. If the user does not select remember me, go ahead and set the cookie, but make it a browser session cookie instead of a persistent cookie. All servers will recognize the user and create a session for it. When the user logs out, drop the cookie. You'll also need a custom RememberMeAuthenticationFilter that looks for a authentication token in the session and a missing RememberMe cookie, invalidating the session and clearing security context if that is the case.
I would recommend you to have a look at SessionRegistry .You can check this here . There has been a discussion on this at Is it possible to invalidate a spring security session? . Check this out too
Spring sessions are stored as JsessionID cookies. Check here for a discussion on cookie removal.
The same query has been discussed at Invalid a session when user makes logout (Spring).
I have a web application secured with Spring Security that needs two separate login forms. These two login forms need to be totally independent. I mean different login form, different url paths, be able to have a different authentication manager for each one too.
I have looked all over google and there are some ways to do this, but I have read and see some changes the last couple of weeks should make it easy to do this in the latest snapshot versions of the code.
First of all, as this bug is complete SEC-1171 we can now have multiple namespace elements to support multiple filter chain configurations.
Secondly, as this other bug shows SEC-1847 we are now able to select a custom authentication manager for each http tag.
The problem is that I have downloaded, compiled and everything but my xsd doesn't allow me to create a custom auth manager for each http tag, I also get errors whenever I try to change the login processing url or whenever I try to use a remember me key for each login form.
I started doing something like this:
<!-- Configure realm for administration users -->
<http pattern="/admin/**" auto-config="true" disable-url-rewriting="true" >
<intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<form-login login-page="/adminLogin.htm" default-target-url="/"
login-processing-url="/loginProcessing"
authentication-failure-url="/adminLogin.htm?error" />
<logout invalidate-session="true" logout-success-url="/" logout-url="/logout" />
<remember-me key="******" user-service-ref="userDetailsService" />
</http>
<!-- Configure realm for standard users -->
<http auto-config="true" disable-url-rewriting="true">
<intercept-url pattern="/user/**" access="ROLE_USER" />
<form-login login-page="/login.htm" default-target-url="/"
login-processing-url="/loginProcessing"
authentication-failure-url="/login.htm?error" />
<logout invalidate-session="true" logout-success-url="/" logout-url="/logout" />
<remember-me key="******" user-service-ref="userDetailsService" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService" >
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
<authentication-provider>
<password-encoder ref="passwordEncoder"/>
<user-service>
<user name="ned" password="****" authorities="ROLE_USER" />
<user name="tom" password="****" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
I am using the latest snapshot of Spring Security 3.1.
As I said the ideal would be to be able to have two different login forms totally independent using the "new" way that was changed recently on these bugs.
Anybody has worked with this or has any idea?
Thanks in advance.
As you can see in commit log of October 30th'11 (2f67bb3) for SEC-1847, the authentication-manager-ref attribute can be added in http and global-method-security.
Ritesh, you are right, however, if I try to configure authentication-manager-ref in the http element, the follow exception occurs: org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute 'authentication-manager-ref' is not allowed to appear in element 'security:http'.
In header of my security.xml, I'm using http://www.springframework.org/schema/security/spring-security-3.1.xsd. If I browse to this URL, the xsd loaded declares the attribute authentication-manager-ref to the http element, but the xsd in spring-security-config-3.1.0.RC2.jar doesn't.
I created an issue in springsource jira-> https://jira.springsource.org/browse/SEC-1879 .
I replaced the xsd contained in spring-security-config-3.1.0.RC3.jar with a correct one and org.xml.sax.SAXParseException doesn't occur anymore, but it's not possible to declare two authentication-manager beans in security.xml.