After successful login i want to proceed with further request processing with new url. But the url is invoking exposed service in spring mvc where security configuration doesn't check the session authentication for coming url.Please take a look below code.
<http auto-config="true" use-expressions="true">
<!-- <intercept-url pattern="/**" access="isAuthenticated()" /> -->
<intercept-url pattern="/home*" access="isAuthenticated()" />
<intercept-url pattern="/admin*" access="isAuthenticated()" />
<form-login login-page="/" default-target-url="/home"
authentication-failure-url="/accessdenied" always-use-default-target="false"/>
<logout logout-success-url="/" />
<anonymous username="guest" granted-authority="ROLE_GUEST" />
<session-management invalid-session-url="/" session-authentication-error-url="/login.jsp?error=alreadyLogin">
<concurrency-control max-sessions="1" expired-url="/login.jsp?error=sessionExpiredDuplicateLogin" error-if-maximum-exceeded="false"/>
</session-management>
<remember-me />
</http>
When jsp page submits login authentication J_security_check the target url invoked which subsequently calls interceptor pattern /home* and authenticates the login credentials.
if i'm calling the exposed service before login "/address/userid/" it directly invokes the service method how to make it session bound, if session exist get the data otherwise not.
how different spring security session from http session,how to maintain spring security session like http session in spring mvc.
if i'm adding <intercept-url pattern="/**" access="isAuthenticated()" /> it doesn't work, it doesn't show login jsp as well.Where i am doing wrong please clarify.
How to distinguish userid/pwd in authentication manager as per given below, as single ? takes first parameter.
<authentication-manager>
<authentication-provider>
<!-- <user-service> <user name="admin" password="secret" authorities="ROLE_ADMIN,ROLE_USER"/>
</user-service> -->
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT USER_NAME,USER_PWD, 'true' as enabled from LOGIN_USER where USER_NAME=?"
authorities-by-username-query="select LOGIN_USER.USER_NAME , LOGIN_USER.ROLE_ID as authorities from LOGIN_USER
where LOGIN_USER.USER_NAME =?" />
</authentication-provider>
</authentication-manager>
I have come across few sites it describes only login spring security session management.i couldn't get clarity.Thanks in advance.
i implemented using interceptor handler to check URI & session attributes which works fine but looking for better options in spring framework.
Related
I have migrated spring security from 2.5 to 3.2.3. If I access a URL that should redirect to login page in case of no/invalid session. At the moment, when I deploy the application on tomcat and access any URL without logging in, first time it works and redirects to login page. After first time, if I access the same URL again without logging in in a sequence, it allows the URL and application crashes. Below is my custom filter conf:
<sec:http auto-config="true" pattern="/**" path-type="ant" authentication-manager-ref="authenticationManagerAlias">
<sec:form-login always-use-default-target="true" default-target-url="/interceptor.do" authentication-failure-url="/login.do?code=auth" />
<sec:access-denied-handler ref="accessDeniedHandler"/>
<sec:session-management invalid-session-url="/login.do"> </sec:session-management>
<sec:logout invalidate-session="true" logout-success-url="/login.do"/>
<sec:custom-filter after="SECURITY_CONTEXT_FILTER" ref="securityContextFilter"/>
<sec:custom-filter after="LOGOUT_FILTER" ref="customLogoutFilter"/>
<sec:custom-filter after="PRE_AUTH_FILTER" ref="preAuthFilter"/>
<sec:custom-filter after="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter"/>
<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER" ref="exceptionTranslationFilter"/>
<sec:custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurityInterceptor"/>
</sec:http>
Please help me solve the issue.
I have a Spring MVC 3.1.0 web application, and I am implementing Spring Security for the first time.
secure-config.xml:
<http>
<intercept-url pattern="/lhome" access="ROLE_USER" />
<access-denied-handler error-page="/WEB-INF/views/403.jsp"/>
<form-login login-page="/login" default-target-url="/home" authentication-failure-url="/login.jsp" always-use-default-target="true"/>
<anonymous username="guest" granted-authority="ROLE_GUEST" />
<logout logout-success-url="/home"/>
</http>
<authentication-manager alias="authenticationManager" >
<authentication-provider user-service-ref="customMongoSecurityService" />
</authentication-manager>
I am using AJAX based login. When I give correct credentials or hit /lhome it redirects to the /login page instead of the home page.
How can I solve the problem?
Once Spring grants you an access, it will return your request with a session key. You will need to carry the session key for the subsequent requests.
Or you can configure the Spring to use http basic
<http>
...
<http-basic/>
</http>
By this way, you have to send the user name and password over for each request (less secure for public web site).
I want to use authentication via LDAP and Rememberme. If a user is authenticated via Rememberme, but the page requires full authentication, the user should be redirected to the login page.
This is my configuration so far
<security:http access-decision-manager-ref="de.test.security.core_accessDecisionManager">
<security:intercept-url pattern="/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_REMEMBERED" />
<security:intercept-url pattern="/*" access="IS_AUTHENTICATED_FULLY" />
<security:form-login login-page='/login.html' authentication-failure-url="/login.html?error=true" />
<security:logout delete-cookies="JSESSIONID" />
<security:access-denied-handler error-page="/login.html" />
<security:remember-me services-ref="de.test.security.auth.rememberme_services" key="${de.test.security.auth.rememberme_key}" />
</security:http>
the problem is, every access deny leads to a redirect to login.html, but I just want a redirect when authentication fully is needed and the user has just authenticated via Rememberme.
Can anyone tell me how I can achieve such behaviour?
I have a java web application running on Tomcat 7.
I am using Spring 3.2 with Spring Security 3.1 on the backend, and am exposing an API via RESTful URLs following the /api/** pattern.
The UI for the web application is built using BackboneJS. I am using Backbone models mapped directly to the RESTful URLS.
The UI is locked down using form-login authentication, so the user is always redirected to the login screen if they have are not currently authenticated.
I am now attempting to expose the same RESTful URLs to another external service using http-basic authentication. Unfortunately, when securing the same URL pattern, it seems Spring will not allow me to use more than one filter chain. Whichever is defined first in the configuration file seems to take precedence.
I would hate to have to map to separate URL patterns for the same RESTful resources, but it seems like I may not have a choice.
Here is the important sample of my (currently broken) spring security configuration:
<!-- configure basic http authentication -->
<http pattern="/api/**" create-session="stateless">
<intercept-url pattern="/**" access="ROLE_USER"/>
<http-basic/>
</http>
<!-- configure form-login authentication -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/ui/login" access="permitAll" />
<intercept-url pattern="/ui/logout" access="permitAll" />
<intercept-url pattern="/ui/loginfailed" access="permitAll" />
<intercept-url pattern="/**" access="ROLE_USER" />
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
<form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
<logout logout-success-url="/ui/logout" />
<session-management invalid-session-url="/ui/login"/>
</http>
My question is:
Is it possible to configure two different types of security (http-basic and form-login) for the same URL patterns using Spring Security? Is there a best practice for this type of scenario?
Thank you.
Why don't you just merge the two <http> elements like this:
<http pattern="/api/**" use-expressions="true">
<intercept-url pattern="/ui/login" access="permitAll" />
<intercept-url pattern="/ui/logout" access="permitAll" />
<intercept-url pattern="/ui/loginfailed" access="permitAll" />
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic/>
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
<form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
<logout logout-success-url="/ui/logout" />
<session-management invalid-session-url="/ui/login"/>
</http>
This would set up both a UsernamePasswordAuthenticationFilter and a BasicAuthenticationFilter in the same filter chain which could serve the ui client, and the external service as well.
Not possible out of the box to apply 2 different filter chain for a single URL pattern.
But it is a advisable to have unique URL patterns as UI and API, as you would have to apply a completely different filter chain in future.
For example the SecurityContextRepository hold the session information and is retrieved for each request. You don't want to apply the same for UI and API access through basic auth
Try to replace pattern="/" by pattern="/api/" in API config:
<http pattern="/api/**" create-session="stateless">
<intercept-url pattern="/api/**" access="ROLE_USER"/>
<http-basic/>
</http>
I have the following configuration with multiple <http.../> elements (in order to separately support REST authetication via basic auth, and user form login):
<security:http auto-config="false" pattern="/service/**" create-session="never"
entry-point-ref="basicAuthenticationEntryPoint" >
<security:intercept-url pattern="/service/**" requires-channel="any" access="ROLE_REST_SERVICE" />
<security:custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthenticationFilter" />
</security:http>
<security:http auto-config="false" pattern="/**"
entry-point-ref="loginUrlAuthenticationEntryPoint" >
<security:logout logout-url="/logout" />
<security:anonymous enabled="false"/>
<security:custom-filter position="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
<security:custom-filter position="ANONYMOUS_FILTER" ref="anonymousAuthFilter" />
</security:http>
In each of my two filters requiring authentication (FORM_LOGIN_FILTER, and BASIC_AUTH_FILTER) I reference two different authentication managers.
But I get an error that I've already registered an authentication manager.
Why would I use one authentication manager when I know before hand which Authentication provider is going to be needed for each filter?
Should I not use the authentication manager and just start my AuthenticationProvider as a bean and pass it into the filter directly as the AuthenticationManager?
In spring security 3.1 you can have multiple http elements, each with their own authentication manager.
The only thing you need to do is add the following attribute authentication-manager-ref="your ref" to the http element.