I've got a Java EE application which uses Spring Security for authentication (configured with Java config). The same application contains a websocket server implemented with javax.websocket package.
My question is how to turn off Spring Security authentication for any incoming websocket connections without turning off HTTP authentication?
You can have all requests matching a particular pattern bypass the security filter. For example, if your WS endpoint is
/websocket you can add this to your configuration:
<http pattern="/websocket/**" security="none" />
I don't like to configure Spring programmatically so I don't know how this is done with Java code, but after a 10,000 feet look at the
classes I think it's maybe done with a WebSecurity + WebSecurityConfigurerAdapter setup.
Related
I am in desperate need of help. So as a prerequisite I am tasked with creating a simple web application. The application requirements are to create a simple web form that collects user data and then sends an email verification to the user that just provided information. The difficult aspect of this project is CAS Integration with the Marist College CAS authentication system. A requirement of this project was that I use Spring Boot to create the project. At the moment I have already implemented Spring Security to authenticate users. I have been trying everything online to integrate CAS with my existing project. I was hoping that someone on StackOverflow may have more knowledge on how to integrate CAS with SpringSecurtiy. Also please don't be harsh on me I have never used the spring framework before this project and this is all new to me. The Url of the CAS server is "https://login.marist.edu/cas/". I have looked into https://github.com/apereo/java-cas-client spring support I just don't know how to integrate it with my current application. Thank you to anyone in advance that lends me a hand with this.
As I previously stated I would provide the solution to the problem that I experienced during the processes of integrating a spring application with the Marist CAS 2.0 Authentication System. As Stated above there is a Spring Boot AutoConfiguration that can be used. While this may not be the best method for securing your application it satisfied my needs for the project that I was working on. The Steps to configure your spring application with CAS 2.0 are bellow.
Add Maven Dependency
Maven:
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-support-springboot</artifactId>
<version>${java.cas.client.version}</version>
</dependency>
Add the following required properties in Spring Boot's application.properties or application.yml
cas.server-url-prefix=https://cashost.com/cas
cas.server-login-url=https://cashost.com/cas/login
cas.client-host-url=https://casclient.com
3)Annotate Spring Boot application (or any #Configuration class) with #EnableCasClient annotation
#SpringBootApplication
#Controller
#EnableCasClient
public class MyApplication { .. }
4)For CAS3 protocol (authentication and validation filters) - which is default if nothing is specified
cas.validation-type=CAS3
For CAS2 protocol (authentication and validation filters)
cas.validation-type=CAS
For SAML protocol (authentication and validation filters)
cas.validation-type=SAML
How can I support both HTTP and https at the same time in Spring MVC web project deployed on tomcat7 (and 8). I have configured every thing at Tomcat level.
HTTPS work if I use the following code by extending WebSecurityConfigurerAdapter
.and().requiresChannel().anyRequest().requiresSecure()
but then it does not allow HTTP, I need to support both HTTP AND HTTPS at the same time for same endpoint
example:
http://example.com/hello-world
https://example.com/hello-world
Changing your https configuration from .anyRequest() to a specific secure url eg. http.requiresChannel().antMatchers("/secure*").requiresSecure(); and making the rest Insecure as follows http.requiresChannel().anyRequest().requiresInsecure(); will solve the issue.
This instructs Spring to use HTTP for all requests that are not explicitly configured to use HTTPS.
I have a Spring MVC application secured with Spring Security. The majority of the application uses simple HTTP to save resources, but a small part processes more confidential information and requires an HTTPS channel.
Extract from the security-config.xml :
<sec:http authentication-manager-ref="authenticationManager" ... >
...
<sec:intercept-url pattern="/sec/**" requires-channel="https"/>
<sec:intercept-url pattern="/**" requires-channel="http"/>
</sec:http>
All worked fine until we decided to migrate it to the main server, where the application servers run behind reverse proxies. And as now HTTPS is processed by the reverse proxies the application server only sees HTTP requests, and disallows access to the /sec/** hierarchy.
After some research, I found that the proxies add a X-Forwarded-Proto: https header (*), but in Spring Security HttpServletRequest.isSecure() is used to determine the channel security offered (extract from SecureChannelProcessor javadoc).
How can I tell Spring Security that a X-Forwarded-Proto: https header is enough for a secure request?
I know I could report that part on proxies configuration, but the proxies administrator really does not like that solution, because there are many application behind the proxies and the configuration could grow to a non manageable state.
I an currently using Spring Security 3.2 with XML config, but I'm ready to accept answers based on Java config and/or more recent version.
(*) Of course, the proxies remove the header if it was present in incoming request, so the application can be confident in it.
Kind of a followup to NeilMcGuigan's answer that showed that the solution was servlet container side.
Tomcat is even better. There is a valve dedicated to masking the side effects of a reverse proxy. Extract from Tomcat documentation for Remote IP Valve:
Another feature of this valve is to replace the apparent scheme (http/https), server port and request.secure with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").
Example of the valve configuration :
<Valve className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="192\.168\.0\.10|192\.168\.0\.11"
remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto" />
That way with no other configuration of the application itself, the call to Request.isSecure() will return true if the request contains a header field of X-Forwarded-Proto=https.
I had thought of two other possibilities, but definitively prefere that one :
use a filter active before Spring Security ChannelProcessingFilter to wrap the request with a HttpServletRequestWrapper overriding isSecure() to process a X-Forwarded-Proto header - need writing and testing the filter and the wrapper
use a Spring BeanPostProcessor to look for a ChannelProcessingFilter and manually inject a ChannelDecisionManager able to consider the X-Forwarded-Proto header - really too low level
Spring Boot makes it dead simple (at least with embedded Tomcat).
1. Add the following lines to your application.properties:
server.forward-headers-strategy=native
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
2. Do the following trick with your HttpSecurity configuration.
// final HttpSecurity http = ...
// Probably it will be in your `WebSecurityConfigurerAdapter.configure()`
http.requiresChannel()
.anyRequest().requiresSecure()
Source is Spring Boot reference guide
84.3 Enable HTTPS When Running behind a Proxy Server
Please also check the answer below for a specifics related to Spring Boot 2.2
If your site is HTTPS and you're running Apache Tomcat behind another system that's handling TLS termination, you can tell Tomcat to "pretend" that it's handling the TLS termination.
This makes request.isSecure() return true;
To do so, you need to add secure="true" to your Connector config in server.xml.
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
See also the scheme attribute.
I am using Spring4 with Spring Security 3.2.4.
I have some http configurations in my security configuration in order to host form based authentication and REST services (with authentication) together.
For the pages and REST services which require app-authentication everything works fine with my current configuration but for the pages which does not require authentication, such as login and register, the anonymous authentication is not initialised somehow. Speaking in Java:
SecurityContextHolder.getContext().getAuthentication() returns null.
I expect that anonymous authentication is initialised as the documentation (http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#introduction) refers:
Anonymous authentication support is provided automatically when using the HTTP configuration Spring Security 3.0 and can be customized (or disabled) using the element. You don’t need to configure the beans described here unless you are using traditional bean configuration.
Does anyone have an idea why does it not happen although the documentation refers? (Beside the fact, that the documentation for 3.2.4 refers to 3.0 version and some of the given configuration suggestions refer deprecated implementation)
I am using BlazeDS and Spring Security and have set up my application using a Spring Security filter chain and Dispatcher Servlet in my web.xml and in my application-context.xml I have set up the following...
<s:http
auto-config="true"
access-decision-manager-ref="accessDecisionManager"/>
<s:authentication-manager>
<s:authentication-provider
user-service-ref="userService"/>
</s:authentication-manager>
<f:message-broker>
<f:secured/>
</f:message-broker>
<s:global-method-security
access-decision-manager-ref="accessDecisionManager">
<s:protect-pointcut
expression="execution(* com.my.app.Server.*(..))"
access="ROLE_USER"/>
</s:global-method-security>
This generally works. The Spring message broker correctly allows me to access my java Server class and the 'secured' tag works and allows me to log into the channel set using my custom authentication manager (via userService). I can call remote methods on the Server class no problem.
However, I cannot get the global method security to work at all. I cannot get Spring to invoke my accessDecisionManager, or even to deny access to methods on the Server class, no matter which access role I use. Does anybody know how I can get this to work?
Incidentally, my Server class is not a Spring bean or anything like that, it is just a standard Java class as would be used in standard Flex remoting. Would this make a difference?
I'm using Spring Security 3 and Flex 4.5
Point cuts and aspects only works for Spring beans, if it is plain java object spring cannot intercept any method calls as it is not proxied. Please create a spring bean for your server class and it should be working fine.
Once you created the spring bean you can expose the bean through blaze DS using flex:remoting-destination