I need configure my spring-boot web application to return different templates for same URL. Template should be returned checking roles for current user.
To solve this issue i think should be used UrlBasedViewResolver to create\configure special CustomSecurityBasedInternalResourceViewResolver. It will be really good if someone will show how to implement this idea.
Related
I'm currently developing a Vaadin 8 app with spring boot and as I've read on many posts, the correct way of securing a view is to annotate the class with PreAuthorize. I'm doing that to protect views like this:
#SpringView(name="arinteractions")
#PreAuthorize("hasAuthority('OWNER') or hasAuthority('ADMIN')")
public class ARInteractionsView extends SideMenuViewBase {
The first problem I encountered was that my roles didn't have the ROLE_ prefix so I added that.
Still, spring was allowing the user to enter any view just by typing its URL (which in vaadin is a hashbang like #!interactionview).
Adding this allows the user with access to enter the view, but also users without access. When a user without the roles tries to enter the views he they open. The logs show:
Found view ARStorageBanksView annotated with #PreAuthorize but no access decision manager. Granting access.
And also an exception is thrown:
org.springframework.security.access.AccessDeniedException
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.4.RELEASE.jar:5.0.4.RELEASE]
I tried adding an access decision manager by adding a bean maker method in the security config, but I didn't found any documentation on how to implement this correctly.
Also, adding the access decision manager only made it worse. All views became blocked and the logs showed that the views 'didn't exist'.
What I did to solve was to use the old #Secured annotation. That for some reason is working flawlessly.
Spring security Roles, Authorities, are very confusing. Some of its objects are strings, some are plain objects, the auth scripts are hard to debug, the convetions aren't obvious that are required.
So the question is, what is the correct way of setting up security so that I can use the newer pre-authorize?
I think there is nothing wrong using #Secured, especially if it works. The Vaadin reference application (Bakery) has been implemented using that as well. See more at: https://vaadin.com/start/v8-full-stack-spring
I am trying to secure my Webapplication which is based on a Spring MVC project containing REST controllers and Angular JS pages that get all their data from these controllers.
I am not at all familiar with Spring boot, just with 'classic spring'. I'd like to use the token based authentication which JHipster creates a skeleton for.
What needs to be done to get that security part and migrate it to my current Spring project? I tried copying relevant classes and the Token generation and such works, but the SecurityConfiguration seems to do nothing (no URL's are authenticated while I do say they need to be in the config, the tokenfilter never gets called etc.)
There's possibly some structural/ configurational differences between Spring and Spring boot which cause this?
What needs to be done to get the security mechanism working in a regular Spring application?
What is working:
- token generation
What is not working:
- every REST call goes through no matter if it's behind an .authenticated() URL
- the token filter never checks if there's a token and thus doesn't validate the token
Everything token-wise is okay, everything url-security wise is not at all okay.
(I've been trying to solve this for 3 days now and I just don't see where I'm going wrong.)
All help/ insights/ tips much appreciated as always.
I have a simple web application which I am writing using spring-boot and storm path for user authentication. (I'm actually using spring-boot-starter-stormpath-thymeleaf)
I have a have the following request mapping in my controller
#RequestMapping(value = "/secure", method = RequestMethod.GET)
public String secure(Model mode, HttpServletRequest request) {
Account account = AccountResolver.INSTANCE.getAccount(request);
if (account != null)
return "secure";
else
return "redirect:/login?next=secure";
}
which forces a user to login to view the secure page. It works, but it doesn't feel like it is the most elegant of solutions. Is there a better way? I think a solution with filters should be possible but I cannot figure it out.
The current Stormpath Spring Boot starter does not (yet) have an authentication filter, but it will on future releases for those that want an out-of-the-box experience without having to use Spring Security or Apache Shiro.
That said, we're currently working on natively supporting Spring Security and Apache Shiro as Spring Boot starters that 'just work' with the Stormpath Spring Boot starter. Until we can release those, creating a custom servlet filter as you indicate is the best approach.
Are you also using the Stormpath Servlet as well?
If so, you could do what you need following this piece of documentation. This way you will only need to declare which are the resources of your application that you want to secure and Stormpath's authc filter will prompt for authentication when required.
If you're using Spring MVC, you should use Spring Security and have Stormpath acting as an authentication provider. Then use the standard Spring Security tools to declare access rules and inject the current user where needed.
Is there a way using the latest verions of Spring Roo to having this RequestMapping URL/value in this manner(s):
localhost/application/[generated-code]/menu
localhost/application/[generated-code]/settings
localhost/application/admin
generated-code is supplied to a column in the accounts table.
menu, settings and admin are Controllers having the class names MenuController, SettingController and AdminController respectively.
OPTIONAL: Since both menu and settings to share the same URL mapping, is there a way to have such validation on an abstract controller to implement the abstraction OOP concept.
The idea was to put additional security feature to end-user by supplying them them their login URL and login account. The plan was in the application named: application both the admin users and end users share the same application build.
Is this feature possible using Spring-Roo, Spring MVC, and Spring Security? How can such be implemented?
UPDATED
#CodeChip comment to use #PathVariable can be a solution. But as stated in the question and on comment to #CodeChip suggestion, creating an abstract controller is a optimal approach.
I'm developing a Java EE application (JSF2 + richfaces+ Facelets + Tomcat).
What's the best way to perform authentication when using JSF?
Or should I make my own ?
People usually pick between ( in no specific order) :
JAAS ( wich is Java/Java EE default security framework )
Spring Security
Custom Made Security
I never used Spring Security but the documentation is huge, i gave up trying that once because of time constraint. JAAS have the advantages of being simple and work out of the box with Tomcat.
I've seen custom security built on top of JAAS too.
What you really have to do is figure out what you will especifically need in your application and check wich frameworks suits your needs better.
Without knowing your business needs, if you only need Authentication (User login) i would say JAAS is the most simple way to go as is it not application intrusive and you wont need to add Spring dependencies if you are not already using it.
Go for Spring Security
Here is how to integrate it with JSF
Edit:
http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/
I think that Leonardo answered it correctly, but you could also consider Central Authentication Service(CAS) for enterprise wide security. It is a little more complex to configure, but the benefits are tremendous. It also supports an enormous number of out of the box authentication mechanisms from LDAP to NTLM. CAS also provides extension for custom authentication.
If you choose to use Java EE containers, and wish to use form based authentication, I have published a couple of examples for use with JSF 1.2 and 2.0 and j_security_check
JSF 1.2 Facelets Form Based Authentication (j_security_check)
JSF 2.x Facelets Form Based Authentication (j_security_check)
In addition, the Servlet 3.0 API provides login and authentication based on the container via the HttpServletRequest API.
JBoss Seam integrates EJB 3, Facelets, JSF, and hibernate really nicely. Also provides validation of data and some security stuff too. If you use it for all its features, it is really sweet. If you try to pick and choose only certain things out of it, then it is still cool, but you have a few work arounds. But I've been impressed with what I've seen of Seam so far.
Apart from the mentioned frameworks there's also Seam Security which integrates nicely with CDI through an Extension.
You can try Apache Shiro, which gives authentication, authorization and many other.
For simple authentication , a very simple approach is to check for valid user object in the template using JSTL, and show the login form if not.
for exmaple , assume your template is webapp/WEB-INF/templates/default.xhtml , inside the template:
<html...>
.
.
<h:body>
<c:if test="#{mbSecurity.validUser}">
.
. authenticated template sections goes here
.
</c:if>
<c:if test="#{not mbSecurity.validUser}">
<ui:include src="/WEB-INF/inc/login-form.xhtml" />
</c:if>
</h:body>
</html>
Advantages: Zero dependencies & zero-configurations, also if the session is expired, after the login, the user will back to the original page which he was in .