I have exposed some web services in a RESTful manner. In my first form the user needs to log in, and the login credentials are sent in the Authorization header in the following manner:
Authorization: Basic adajajffjfksal
Now in my security-context.xml I have secured the URL in the following way:
<http pattern="/login" create-session="stateless">
    <intercept-url pattern="/**" access="ROLE_AUTHENTICATED" />
    <http-basic />
</http>
After successful login I have another form from which some parameters will be passed to the server on behalf of the user. Will a session be created? Do I have to pass the user credentials in the Authorization header again? Will this login request be sessionless due to create-session="stateless"?
This piece of security-context.xml makes little sense, if any:
<http pattern="/login" create-session="stateless">
    <intercept-url pattern="/**" access="ROLE_AUTHENTICATED" />
    <http-basic />
</http>
It contains pattern="/login", so the whole block is only considered by Spring Security for the sole URL /login. In other words, it is ignored for any other URL.
It contains create-session="stateless", so it will not create any session.
The result is that if you explicitly call the /login URL with proper basic authentication headers, you will be successfully authenticated and the session will immediately be closed. So you will not be authenticated for the following requests.
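Two ways to make that block do what the question wants, shown as an added example rather than configuration from the question or the answer above (the bean namespace declarations and the authentication-manager are assumed to be the same as in the poster's file): alternative A keeps the REST API stateless, so the client repeats the Authorization: Basic header on every request; alternative B lets the first authenticated request create a session that the client then carries as a JSESSIONID cookie.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Alternative A: stateless REST API.
         No pattern attribute, so this block applies to every URL, not only /login.
         No session is ever created, so the client must send the
         Authorization: Basic header on every request, including the second form
         submitted after login. -->
    <http create-session="stateless">
        <intercept-url pattern="/**" access="ROLE_AUTHENTICATED" />
        <http-basic />
        <!-- CSRF protection relies on a session-stored token; with no session
             it would reject every POST, so it is switched off for this API. -->
        <csrf disabled="true" />
    </http>

    <!-- Alternative B: session based. Use this INSTEAD of A, because only one
         <http> element without a pattern may exist. The first request carrying
         valid Basic credentials authenticates and creates a session; later
         requests carry the JSESSIONID cookie and may omit the Authorization
         header. Keep CSRF enabled here, since the session cookie is sent
         automatically by the browser. -->
    <!--
    <http create-session="ifRequired">
        <intercept-url pattern="/**" access="ROLE_AUTHENTICATED" />
        <http-basic />
    </http>
    -->

    <!-- authentication-manager: unchanged from the poster's file, assumed to
         define users that carry ROLE_AUTHENTICATED -->
</beans:beans>
```

With alternative B, a client that drops the cookie falls back to sending credentials again, which is the same behaviour the original pattern="/login" block produced on every request.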
Trying to create my own access handling logic via Spring Security. Some actions are controlled by custom logic. So: if the specific condition is satisfied, we allow the user to do some action. If not, we should redirect him to the login page, force him to re-login and then continue the action.
This is my custom access manager:
import org.springframework.stereotype.Component;

// Registered as a bean named "accessManager" so the access expression
// can reference it as #accessManager.hasAccess()
@Component("accessManager")
public class AccessManager
{
    public boolean hasAccess()
    {
        // Or true in some cases.
        return false;
    }
}
My spring config:
<!-- HTTP security configurations -->
<http auto-config="true" use-expressions="true">
    <access-denied-handler error-page="/dataAccessFailure"/>
    <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" />
    <logout logout-url="/resources/j_spring_security_logout" />
    <intercept-url pattern="/**" access="isAuthenticated() and #accessManager.hasAccess()" />
    <csrf disabled="true"/>
</http>
Now it works like this: when I am trying to access requests like "/**" without being authenticated, it redirects me to the login page.
Then I have to log in, and after that I can continue processing the request.
But if the condition in my custom hasAccess() method is NOT satisfied, I can only see the dataAccessFailure page.
The main problem is that I need the re-login behavior only in the NO hasAccess() case (not for each AccessDeniedException). In cases like
@PreAuthorize("hasAuthority('MyAuth')")
I have to see the dataAccessFailure page.
Thank you.
I have a Spring MVC 3.1.0 web application, and I am implementing Spring Security for the first time.
secure-config.xml:
<http>
    <intercept-url pattern="/lhome" access="ROLE_USER" />
    <access-denied-handler error-page="/WEB-INF/views/403.jsp"/>
    <form-login login-page="/login" default-target-url="/home" authentication-failure-url="/login.jsp" always-use-default-target="true"/>
    <anonymous username="guest" granted-authority="ROLE_GUEST" />
    <logout logout-success-url="/home"/>
</http>
<authentication-manager alias="authenticationManager" >
    <authentication-provider user-service-ref="customMongoSecurityService" />
</authentication-manager>
I am using AJAX-based login. When I give correct credentials or hit /lhome, it redirects to the /login page instead of the home page.
How can I solve the problem?
Once Spring grants you access, it will return your request with a session key. You will need to carry the session key for the subsequent requests.
Or you can configure Spring to use HTTP Basic:
<http>
    ...
    <http-basic/>
</http>
This way, you have to send the user name and password over for each request (less secure for a public web site).
I want to use authentication via LDAP and remember-me. If a user is authenticated via remember-me, but the page requires full authentication, the user should be redirected to the login page.
This is my configuration so far:
<security:http access-decision-manager-ref="de.test.security.core_accessDecisionManager">
    <security:intercept-url pattern="/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_REMEMBERED" />
    <security:intercept-url pattern="/*" access="IS_AUTHENTICATED_FULLY" />
    <security:form-login login-page='/login.html' authentication-failure-url="/login.html?error=true" />
    <security:logout delete-cookies="JSESSIONID" />
    <security:access-denied-handler error-page="/login.html" />
    <security:remember-me services-ref="de.test.security.auth.rememberme_services" key="${de.test.security.auth.rememberme_key}" />
</security:http>
The problem is, every access denial leads to a redirect to login.html, but I only want a redirect when full authentication is needed and the user has only authenticated via remember-me.
Can anyone tell me how I can achieve such behaviour?
After successful login I want to proceed with further request processing with a new URL. But the URL is invoking an exposed service in Spring MVC where the security configuration doesn't check the session authentication for the incoming URL. Please take a look at the code below.
<http auto-config="true" use-expressions="true">
    <!-- <intercept-url pattern="/**" access="isAuthenticated()" /> -->
    <intercept-url pattern="/home*" access="isAuthenticated()" />
    <intercept-url pattern="/admin*" access="isAuthenticated()" />
    <form-login login-page="/" default-target-url="/home"
        authentication-failure-url="/accessdenied" always-use-default-target="false"/>
    <logout logout-success-url="/" />
    <anonymous username="guest" granted-authority="ROLE_GUEST" />
    <session-management invalid-session-url="/" session-authentication-error-url="/login.jsp?error=alreadyLogin">
        <concurrency-control max-sessions="1" expired-url="/login.jsp?error=sessionExpiredDuplicateLogin" error-if-maximum-exceeded="false"/>
    </session-management>
    <remember-me />
</http>
When the JSP page submits the login authentication to j_security_check, the target URL is invoked, which subsequently matches the interceptor pattern /home* and authenticates the login credentials.
If I'm calling the exposed service "/address/userid/" before login, it directly invokes the service method. How do I make it session bound, so that if a session exists it gets the data and otherwise not?
How is the Spring Security session different from the HTTP session, and how do I maintain the Spring Security session like the HTTP session in Spring MVC?
If I'm adding <intercept-url pattern="/**" access="isAuthenticated()" /> it doesn't work; it doesn't show the login JSP either. Where am I going wrong? Please clarify.
How do I distinguish userid/pwd in the authentication manager as given below, as the single ? takes only the first parameter?
<authentication-manager>
    <authentication-provider>
        <!-- <user-service> <user name="admin" password="secret" authorities="ROLE_ADMIN,ROLE_USER"/>
        </user-service> -->
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="SELECT USER_NAME,USER_PWD, 'true' as enabled from LOGIN_USER where USER_NAME=?"
            authorities-by-username-query="select LOGIN_USER.USER_NAME , LOGIN_USER.ROLE_ID as authorities from LOGIN_USER
            where LOGIN_USER.USER_NAME =?" />
    </authentication-provider>
</authentication-manager>
I have come across a few sites, but they describe only login; I couldn't get clarity on Spring Security session management. Thanks in advance.
I implemented this using an interceptor handler to check the URI and session attributes, which works fine, but I am looking for better options in the Spring framework.
I'm using Spring Security. I need to block access to the login page if the user is authenticated. The following line is giving an error.
<intercept-url pattern="/user/**" access="!IS_AUTHENTICATED_FULLY" />
The error is "unsupported configuration".
Either you can use IS_AUTHENTICATED_ANONYMOUSLY (to allow access only if the user is authenticated anonymously), or enable expressions and use isAuthenticated() as given below:
<http use-expressions="true">
    <intercept-url pattern="/user/**"
        access="isAuthenticated()"/>
    ...
</http>
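A fuller expression-based configuration, added here as an example and not taken from the answer above, that also covers the asker's original goal of keeping authenticated users off the login page; the /login and /already-logged-in paths are assumed, not from the page.

```xml
<http use-expressions="true">
    <!-- intercept-url rules are evaluated top to bottom and the first match wins,
         so the most specific patterns come first. -->

    <!-- Login page is reachable only while NOT authenticated. An already
         logged-in user who requests it gets an AccessDeniedException and is
         forwarded to the access-denied page instead of seeing the form again.
         Note: the negated form "!IS_AUTHENTICATED_FULLY" is not supported
         as a legacy attribute, which is why expressions are needed here. -->
    <intercept-url pattern="/login" access="isAnonymous()" />

    <!-- Protected area: any authenticated principal, remember-me included. -->
    <intercept-url pattern="/user/**" access="isAuthenticated()" />

    <!-- Everything else is public. -->
    <intercept-url pattern="/**" access="permitAll" />

    <form-login login-page="/login" />
    <access-denied-handler error-page="/already-logged-in" />
    <logout />
</http>
```

An unauthenticated request to /user/** is still redirected to /login by form-login, because an anonymous user satisfies isAnonymous() on that path.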