Develop Reference

getPrincipal() method returns anonymous user

I'm trying to get the connected user via spring security method
public static User getConnectedUser() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
User currentUser=auth.getPrincipal();
}
When i invoke this method from a webservice get method using postman it returns anonymousUser even if am logged in.
Here is my spring security configuration:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/app/admin/**" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/app/passwordHint*" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_ANONYMOUS')"/>
<intercept-url pattern="/app/requestRecoveryToken*" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_ANONYMOUS')" />
<intercept-url pattern="/app/updatePassword*" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_ANONYMOUS')" />
<intercept-url pattern="/app/signup*" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_ANONYMOUS')"/>
<intercept-url pattern="/app/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
<form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
</http>
Even when i added this line <intercept-url pattern="/*" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/> to the above configuration it returns the anonymousUser.
Here is the url i request from postman.
http://localhost:8080/myApp/services/api/seal/

Yor intercept-url are all not match because your path begins with services not with app.
If your context root is myApp, your configuration should be:
<intercept-url pattern="/services/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>

How can I allow GET requests without authentication but secure other HTTP methods?

I've created a webservice with spring roo and added spring security to the project. Everything works fine so far but now I want to allow to access entities information via HTTP GET requests without any authentication. The other HTTP methods like POST, PUT etc. should stay secure.
My applicationContext-security.xml looks like the following but when I do a HTTP GET on "/releaseupdates/" with a "Accept: application/json" header it always returns the login page (I think spring security redirects to the login page internally):
<http auto-config="true" use-expressions="true">
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
<logout logout-url="/resources/j_spring_security_logout" />
<!-- Configure these elements to secure URIs in your application -->
<intercept-url pattern="/releaseupdates/**" access="permitAll" method="GET" />
<intercept-url pattern="/releaseupdates/**" access="hasRole('ROLE_ADMIN')" method="POST" />
<intercept-url pattern="/releaseupdatestatuses/**" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>

There is also an annotation #PreAuthorize which could be your friend here. The annotation could be at class or method level on your Controllers.
Here's an example:
#Controller
#RequestMapping("/releaseupdates")
public class ReleaseUpdateController {
#RequestMapping(method=RequestMethod.GET)
public String unprotectedGetRequest() {
//do something, no protection
}
#PreAuthorize("hasRole('ROLE_ADMIN')")
#RequestMapping(method=RequestMethod.POST)
public String securePostRequest() {
//do something, secured
}
}

Where does Spring Security get its default http configuration from?

I'm using Spring Security 3.2.4 and trying to determine where it gets its default configuration from. For example, when using the following configuration:
<http use-expressions="true">
<intercept-url pattern="/secure/login" access="permitAll" />
<intercept-url pattern="/secure/logout" access="permitAll" />
<intercept-url pattern="/secure/denied" access="permitAll" />
<session-management session-fixation-protection="migrateSession" session-authentication-error-url="/login.jsp?authFailed=true">
<concurrency-control max-sessions="10" error-if-maximum-exceeded="true" expired-url="/login.html" session-registry-alias="sessionRegistry"/>
</session-management>
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login login-page="/secure/login" default-target-url="/" authentication-failure-url="/secure/denied" />
<logout logout-url="/secure/logout" logout-success-url="/" />
<expression-handler ref="defaultWebSecurityExpressionHandler" />
</http>
Something in a Spring configuration somewhere, is telling Spring to instantiate the LoginUrlAuthenticationEntryPoint and set the login-page to "/secure/login", etc. I realize that it is the form-login tag that is doing this magic for me, but where within Spring is the form-login tag translated to mean the LoginUrlAuthenticationEntryPoint, etc?
Similarly, by default, Spring will instantiate a filter chain of name org.springframework.security.filterChains, but can't find where that bean is defined. I presume it is in an xml configuration file within one of the Spring Security jars, but I can't find it anywhere.
Where are all these defaults configured?

Check out SecurityNamespaceHandler and work your way down from there. As you can see, it is in the spring-security-config artifact, in package org.springframework.security.config.

Using Spring Security 3.1 to secure the same RESTful resources with both form-login and http-basic security

I have a java web application running on Tomcat 7.
I am using Spring 3.2 with Spring Security 3.1 on the backend, and am exposing an API via RESTful URLs following the /api/** pattern.
The UI for the web application is built using BackboneJS. I am using Backbone models mapped directly to the RESTful URLS.
The UI is locked down using form-login authentication, so the user is always redirected to the login screen if they have are not currently authenticated.
I am now attempting to expose the same RESTful URLs to another external service using http-basic authentication. Unfortunately, when securing the same URL pattern, it seems Spring will not allow me to use more than one filter chain. Whichever is defined first in the configuration file seems to take precedence.
I would hate to have to map to separate URL patterns for the same RESTful resources, but it seems like I may not have a choice.
Here is the important sample of my (currently broken) spring security configuration:
<!-- configure basic http authentication -->
<http pattern="/api/**" create-session="stateless">
<intercept-url pattern="/**" access="ROLE_USER"/>
<http-basic/>
</http>
<!-- configure form-login authentication -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/ui/login" access="permitAll" />
<intercept-url pattern="/ui/logout" access="permitAll" />
<intercept-url pattern="/ui/loginfailed" access="permitAll" />
<intercept-url pattern="/**" access="ROLE_USER" />
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
<form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
<logout logout-success-url="/ui/logout" />
<session-management invalid-session-url="/ui/login"/>
</http>
My question is:
Is it possible to configure two different types of security (http-basic and form-login) for the same URL patterns using Spring Security? Is there a best practice for this type of scenario?
Thank you.

Why don't you just merge the two <http> elements like this:
<http pattern="/api/**" use-expressions="true">
<intercept-url pattern="/ui/login" access="permitAll" />
<intercept-url pattern="/ui/logout" access="permitAll" />
<intercept-url pattern="/ui/loginfailed" access="permitAll" />
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic/>
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
<form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
<logout logout-success-url="/ui/logout" />
<session-management invalid-session-url="/ui/login"/>
</http>
This would set up both a UsernamePasswordAuthenticationFilter and a BasicAuthenticationFilter in the same filter chain which could serve the ui client, and the external service as well.

Not possible out of the box to apply 2 different filter chain for a single URL pattern.
But it is a advisable to have unique URL patterns as UI and API, as you would have to apply a completely different filter chain in future.
For example the SecurityContextRepository hold the session information and is retrieved for each request. You don't want to apply the same for UI and API access through basic auth

Try to replace pattern="/" by pattern="/api/" in API config:
<http pattern="/api/**" create-session="stateless">
<intercept-url pattern="/api/**" access="ROLE_USER"/>
<http-basic/>
</http>

Spring Security oddity in <intercept-url> when specifying method

I've been playing around with Spring Security a bit and noticed the following oddity.
When I specify the <http> block like this in my security context XML.
<http>
<http-basic/>
<port-mappings>
<port-mapping http="8080" https="8181"/>
</port-mappings>
<intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
<intercept-url pattern="/url2**" access="ROLE_ROLE2"/>
<intercept-url pattern="/url3**" access="ROLE_ROLE3" />
<!-- <intercept-url pattern="/**" access="ROLE_ADMIN" />
</http>
All the urls seem to trigger a HTTP basic authentication pop up when I hit the various URLs with the browser.
This is good and what I expected, but when I add a method parameter to 1 of the intercept URLs like this:
<http>
<http-basic/>
<port-mappings>
<port-mapping http="8080" https="8181"/>
</port-mappings>
<intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
<intercept-url pattern="/url2**" access="ROLE_ROLE2" method="GET"/>
<intercept-url pattern="/url3**" access="ROLE_ROLE3" />
<!-- <intercept-url pattern="/**" access="ROLE_ADMIN" />
</http>
The basic authentication is turned off for all the URLs except the one I've explicitly set the method on (/url2).
Is this how it's supposed to work, because it seems a little goofy to me. Is this a bug?

Now I have tested url1 with https and it works. I got redirected and then the login dialog showed up.
Setting logging level to DEBUG it prints:
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:196 - Converted URL to lowercase, from: '/url1/'; to: '/url1/'
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url2**; matched=false
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url1**; matched=true
DEBUG AbstractSecurityInterceptor,http-8443-1:250 - Secure object: FilterInvocation: URL: /url1/; ConfigAttributes: [ROLE_USER]
DEBUG XmlWebApplicationContext,http-8443-1:244 - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext#17af46e]: org.springframework.security.event.authorization.AuthenticationCredentialsNotFoundEvent[source=FilterInvocation: URL: /url1/]
DEBUG ExceptionTranslationFilter,http-8443-1:150 - Authentication exception occurred; redirecting to authentication entry point
This is the configuration:
<http>
<http-basic/>
<port-mappings>
<port-mapping http="8080" https="8443"/>
</port-mappings>
<intercept-url pattern="/url1**" access="ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/url2**" access="ROLE_TELLER" method="GET"/>
<intercept-url pattern="/url3**" access="ROLE_SUPERVISOR" />
</http>