I'm using Spring Security. I need to block access to the login page if the user is authenticated. The following line is giving an error.
<intercept-url pattern="/user/**" access="!IS_AUTHENTICATED_FULLY" />
The error is: unsupported configuration.
Either you can use IS_AUTHENTICATED_ANONYMOUSLY (to allow access only if the user is authenticated anonymously), or enable expressions and use isAuthenticated() as given below:
<http use-expressions="true">
<intercept-url pattern="/user/**"
access="isAuthenticated()"/>
...
</http>
I am trying to create my own access-handling logic via Spring Security. Some actions are controlled by custom logic: if the specific condition is satisfied, we allow the user to perform the action. If not, we should redirect him to the login page, force him to re-login and then continue the action.
This is my custom access manager:
@Component("accessManager")
public class AccessManager
{
public boolean hasAccess()
{
// Or true in some cases.
return false;
}
}
My spring config:
<!-- HTTP security configurations -->
<http auto-config="true" use-expressions="true">
<access-denied-handler error-page="/dataAccessFailure"/>
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" />
<logout logout-url="/resources/j_spring_security_logout" />
<intercept-url pattern="/**" access="isAuthenticated() and @accessManager.hasAccess()" />
<csrf disabled="true"/>
</http>
Now it works like this: When I am trying to access requests like *"/**"* without being Authenticated, it redirects me to login page.
Then I have to log in and after that I can continue processing request.
But if the condition in my custom hasAccess() method is NOT satisfied, I can only see the dataAccessFailure page.
The main problem is that I need the re-login behavior only in the case of hasAccess() failing (not for every AccessDeniedException). In cases like
@PreAuthorize("hasAuthority('MyAuth')")
I have to see dataAccessFailure page.
Thank you.
Fairly new to Spring, so this may be basic.
We've recently transitioned from Spring 3 to 4 and are running into some header issues with the new defaults, tied to one of our partners' business logic.
We would like to keep the defaults everywhere except for a specific URL "/stg/strategem/strg/drammin.syg"
Currently we have:
<http use-expressions="true" entry-point-ref="web.AuthenticaionEntryPoint">
<intercept-url pattern="/admin/**" access = "hasAnyRole('GKR_ADMIN', 'GKR_ADMIN_ADV')"/>
<intercept-url pattern="/**" access = "hasAnyRole('GKR_USER')"/>
</http>
How can I configure this so that ["/stg/strategem/strg/drammin.syg"] is still secured but is the only place where the below header configuration applies?
<headers defaults-disabled="true">
<content-type-options />
<hsts include-subdomains="true" max-age-seconds="31536000"/>
<frame-options policy="SAMEORIGIN"/>
<xss-protection block="false"/>
</headers>
UPDATE 1: Was able to make the URL I need headerless more specific
UPDATE 2:
I just tried adding another http block, but I keep getting the Spring Error
A universal match pattern ('/**')
is defined before other patterns in the filter chain, causing them to be ignored.
Regardless of what order I put these blocks in (I've even tried removing the "/**" pattern), this error still comes up.
My attempt:
<http use-expressions="true" entry-point-ref="web.AuthenticaionEntryPoint">
<intercept-url pattern="/admin/**" access = "hasAnyRole('GKR_ADMIN', 'GKR_ADMIN_ADV')"/>
<intercept-url pattern="/**" access = "hasAnyRole('GKR_USER')"/>
</http>
<http use-expressions="true" entry-point-ref="web.AuthenticaionEntryPoint">
<headers defaults-disabled="true">
<content-type-options />
<hsts include-subdomains="true" max-age-seconds="31536000"/>
<frame-options policy="SAMEORIGIN"/>
<xss-protection block="false"/>
</headers>
<intercept-url pattern="/stg/strategem/strg/drammin.syg" access = "hasAnyRole('GKR_ADMIN', 'GKR_ADMIN_ADV', 'GKR_USER')"/>
</http>
UPDATE 3: Was able to find a solution, check it out in the Answers
You should be able to have multiple <http> blocks with different configuration for each. See Spring Security Reference - Multiple Security
Alright folks, I was able to get this working by using a separate HTTP block that had a pattern, but no intercept URL. Trying to make both have security configurations was what caused the issue.
Thanks Zilvinas for pointing me down the right path.
The first block applies header configs to just the specific url. Everything else gets Spring's defaults.
The second block applies security measures. (including to the specific url since I have a /** wildcard)
<http pattern="/stg/strategem/strg/drammin.syg">
<headers defaults-disabled="true">
<content-type-options />
<hsts include-subdomains="true" max-age-seconds="31536000"/>
<frame-options policy="SAMEORIGIN"/>
<xss-protection block="false"/>
</headers>
</http>
<http use-expressions="true" entry-point-ref="web.AuthenticaionEntryPoint">
<intercept-url pattern="/admin/**" access = "hasAnyRole('GKR_ADMIN', 'GKR_ADMIN_ADV')"/>
<intercept-url pattern="/**" access = "hasAnyRole('GKR_USER')"/>
</http>
I am using Spring Security 3.1.4. For some reason, access to resources is not being filtered correctly. My security XML file looks like the following.
<http auto-config="true">
<intercept-url pattern="/**" access="ROLE_USER"/>
<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
...
</http>
As you can see, what I want to express with this configuration is that a USER can access any resource unless they are accessing resources mapped to /admin/something.
When I log in as a user with ROLE_USER only (verified in the database, as I am using the jdbc-user-service), I can still point my browser to
/myapp/admin/default
and see all the contents.
I then change my security XML to look like the following.
<http auto-config="true">
<intercept-url pattern="/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
...
</http>
When I log in as a user with ROLE_USER, I get an HTTP 403 Access is denied.
My questions are:
How come /admin/** (ROLE_ADMIN) does not override /** (ROLE_USER)?
Which filter (or where in the code precisely) does the actual check of roles and resources? I took a look at FilterSecurityInterceptor but the code seems to just be passing objects around.
How do I fix this problem? Do I have to define /user/** for ROLE_USER and /admin/** for ROLE_ADMIN? It looks like that's a possible solution.
Any help is appreciated.
Try putting the admin pattern before the more general /** pattern. From the docs (http://docs.spring.io/spring-security/site/docs/3.0.x/reference/core-web-filters.html) the most specific patterns need to be declared higher in the list of patterns.
<http auto-config="true">
<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
...
</http>
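To make the first-match rules behind the threads above concrete (the multi-<http> answer with a pattern-only block, and the /admin/** ordering question just answered), here is a small Python model written for this page; it is not Spring's code. Spring's FilterChainProxy hands each request to the first <http> block whose pattern matches and to no other, and within that block the first matching <intercept-url> decides, so a pattern-only block that declares no <intercept-url> leaves its URL unprotected rather than falling through to the /** block. The Ant-path subset, rule sets and request paths are constructed for the example.

```python
import re

# Toy model of Spring Security's first-match semantics (not Spring's own code).
# Ant patterns are reduced to '**' (any segments), '*' and '?' (within a segment).
def ant_to_regex(pattern):
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + "$")

def validate_chain_order(chains):
    """Raise, as Spring does at startup, when a universal <http> pattern precedes other blocks."""
    for idx, (pattern, _) in enumerate(chains):
        if pattern in ("/**", "**") and idx < len(chains) - 1:
            raise ValueError("A universal match pattern ('/**') is defined before other patterns")

def select_chain(chains, path):
    """FilterChainProxy: the first <http> block whose pattern matches handles the request, no other."""
    for pattern, rules in chains:
        if ant_to_regex(pattern).match(path):
            return rules
    return None  # no chain matched: the request is not filtered at all

def check_access(rules, path, user_roles):
    """RoleVoter over <intercept-url>: the first matching rule decides and later rules are
    never consulted; a path that matches no rule is left unprotected."""
    for pattern, required in rules:
        if ant_to_regex(pattern).match(path):
            return bool(set(required) & set(user_roles))
    return True

def is_allowed(chains, path, user_roles):
    validate_chain_order(chains)
    rules = select_chain(chains, path)
    return True if rules is None else check_access(rules, path, user_roles)

# Constructed rule sets mirroring the two orderings from the question above.
SHADOWED = [("/**", ["ROLE_USER"]), ("/admin/**", ["ROLE_ADMIN"])]
CORRECT = [("/admin/**", ["ROLE_ADMIN"]), ("/**", ["ROLE_USER"])]
# Chains mirroring the accepted multi-<http> answer: a pattern-only block with
# no <intercept-url> first, the secured catch-all block second.
TWO_BLOCKS = [("/stg/strategem/strg/drammin.syg", []), ("/**", CORRECT)]
```

Running is_allowed over SHADOWED shows /admin/default granted to a ROLE_USER-only user, over CORRECT it is denied, and over TWO_BLOCKS the header-only URL is served with no role check at all.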
I don't know how to configure Spring Security to specify different ROLEs for overlapping URLs.
<sec:intercept-url pattern="/app/ws**" access="ROLE_WEBSERVICE"/>
<sec:intercept-url pattern="/app**" access="ROLE_ADMIN"/>
I need to accept a user with role ROLE_WEBSERVICE on /app/ws** even if this user does not have the role ROLE_ADMIN.
Could you point me to the correct place of documentation? I could not find it. Thanks.
If you switch to an expression rule instead of the vanilla RoleVoter you get more flexibility, e.g.
<http use-expressions="true">
...
<intercept-url pattern="/app/ws**" access="hasRole('ROLE_WEBSERVICE') and hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/app**" access="hasRole('ROLE_ADMIN')"/>
...
I have a java web application running on Tomcat 7.
I am using Spring 3.2 with Spring Security 3.1 on the backend, and am exposing an API via RESTful URLs following the /api/** pattern.
The UI for the web application is built using BackboneJS. I am using Backbone models mapped directly to the RESTful URLS.
The UI is locked down using form-login authentication, so the user is always redirected to the login screen if they are not currently authenticated.
I am now attempting to expose the same RESTful URLs to another external service using http-basic authentication. Unfortunately, when securing the same URL pattern, it seems Spring will not allow me to use more than one filter chain. Whichever is defined first in the configuration file seems to take precedence.
I would hate to have to map to separate URL patterns for the same RESTful resources, but it seems like I may not have a choice.
Here is the important sample of my (currently broken) spring security configuration:
<!-- configure basic http authentication -->
<http pattern="/api/**" create-session="stateless">
<intercept-url pattern="/**" access="ROLE_USER"/>
<http-basic/>
</http>
<!-- configure form-login authentication -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/ui/login" access="permitAll" />
<intercept-url pattern="/ui/logout" access="permitAll" />
<intercept-url pattern="/ui/loginfailed" access="permitAll" />
<intercept-url pattern="/**" access="ROLE_USER" />
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
<form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
<logout logout-success-url="/ui/logout" />
<session-management invalid-session-url="/ui/login"/>
</http>
My question is:
Is it possible to configure two different types of security (http-basic and form-login) for the same URL patterns using Spring Security? Is there a best practice for this type of scenario?
Thank you.
Why don't you just merge the two <http> elements like this:
<http pattern="/api/**" use-expressions="true">
<intercept-url pattern="/ui/login" access="permitAll" />
<intercept-url pattern="/ui/logout" access="permitAll" />
<intercept-url pattern="/ui/loginfailed" access="permitAll" />
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic/>
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
<form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
<logout logout-success-url="/ui/logout" />
<session-management invalid-session-url="/ui/login"/>
</http>
This would set up both a UsernamePasswordAuthenticationFilter and a BasicAuthenticationFilter in the same filter chain which could serve the ui client, and the external service as well.
It is not possible out of the box to apply 2 different filter chains to a single URL pattern.
But it is advisable to have unique URL patterns for UI and API, as you would have to apply a completely different filter chain in the future.
For example, the SecurityContextRepository holds the session information and is retrieved for each request. You don't want to apply the same for UI and API access through basic auth.
Try replacing pattern="/**" with pattern="/api/**" in the API config:
<http pattern="/api/**" create-session="stateless">
<intercept-url pattern="/api/**" access="ROLE_USER"/>
<http-basic/>
</http>