Develop Reference

Infinite Loop in spring security login

I have a Spring MVC 3.1.0 web application, and I am implementing Spring Security for the first time.
secure-config.xml:
<http>
<intercept-url pattern="/lhome" access="ROLE_USER" />
<access-denied-handler error-page="/WEB-INF/views/403.jsp"/>
<form-login login-page="/login" default-target-url="/home" authentication-failure-url="/login.jsp" always-use-default-target="true"/>
<anonymous username="guest" granted-authority="ROLE_GUEST" />
<logout logout-success-url="/home"/>
</http>
<authentication-manager alias="authenticationManager" >
<authentication-provider user-service-ref="customMongoSecurityService" />
</authentication-manager>
I am using AJAX based login. When I give correct credentials or hit /lhome it redirects to the /login page instead of the home page.
How can I solve the problem?

Once Spring grants you an access, it will return your request with a session key. You will need to carry the session key for the subsequent requests.
Or you can configure the Spring to use http basic
<http>
...
<http-basic/>
</http>
By this way, you have to send the user name and password over for each request (less secure for public web site).

Spring session management in mvc, Spring security session vs http session

After successful login i want to proceed with further request processing with new url. But the url is invoking exposed service in spring mvc where security configuration doesn't check the session authentication for coming url.Please take a look below code.
<http auto-config="true" use-expressions="true">
<!-- <intercept-url pattern="/**" access="isAuthenticated()" /> -->
<intercept-url pattern="/home*" access="isAuthenticated()" />
<intercept-url pattern="/admin*" access="isAuthenticated()" />
<form-login login-page="/" default-target-url="/home"
authentication-failure-url="/accessdenied" always-use-default-target="false"/>
<logout logout-success-url="/" />
<anonymous username="guest" granted-authority="ROLE_GUEST" />
<session-management invalid-session-url="/" session-authentication-error-url="/login.jsp?error=alreadyLogin">
<concurrency-control max-sessions="1" expired-url="/login.jsp?error=sessionExpiredDuplicateLogin" error-if-maximum-exceeded="false"/>
</session-management>
<remember-me />
</http>
When jsp page submits login authentication J_security_check the target url invoked which subsequently calls interceptor pattern /home* and authenticates the login credentials.
if i'm calling the exposed service before login "/address/userid/" it directly invokes the service method how to make it session bound, if session exist get the data otherwise not.
how different spring security session from http session,how to maintain spring security session like http session in spring mvc.
if i'm adding <intercept-url pattern="/**" access="isAuthenticated()" /> it doesn't work, it doesn't show login jsp as well.Where i am doing wrong please clarify.
How to distinguish userid/pwd in authentication manager as per given below, as single ? takes first parameter.
<authentication-manager>
<authentication-provider>
<!-- <user-service> <user name="admin" password="secret" authorities="ROLE_ADMIN,ROLE_USER"/>
</user-service> -->
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT USER_NAME,USER_PWD, 'true' as enabled from LOGIN_USER where USER_NAME=?"
authorities-by-username-query="select LOGIN_USER.USER_NAME , LOGIN_USER.ROLE_ID as authorities from LOGIN_USER
where LOGIN_USER.USER_NAME =?" />
</authentication-provider>
</authentication-manager>
I have come across few sites it describes only login spring security session management.i couldn't get clarity.Thanks in advance.

i implemented using interceptor handler to check URI & session attributes which works fine but looking for better options in spring framework.

Using Spring Security 3.1 to secure the same RESTful resources with both form-login and http-basic security

I have a java web application running on Tomcat 7.
I am using Spring 3.2 with Spring Security 3.1 on the backend, and am exposing an API via RESTful URLs following the /api/** pattern.
The UI for the web application is built using BackboneJS. I am using Backbone models mapped directly to the RESTful URLS.
The UI is locked down using form-login authentication, so the user is always redirected to the login screen if they have are not currently authenticated.
I am now attempting to expose the same RESTful URLs to another external service using http-basic authentication. Unfortunately, when securing the same URL pattern, it seems Spring will not allow me to use more than one filter chain. Whichever is defined first in the configuration file seems to take precedence.
I would hate to have to map to separate URL patterns for the same RESTful resources, but it seems like I may not have a choice.
Here is the important sample of my (currently broken) spring security configuration:
<!-- configure basic http authentication -->
<http pattern="/api/**" create-session="stateless">
<intercept-url pattern="/**" access="ROLE_USER"/>
<http-basic/>
</http>
<!-- configure form-login authentication -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/ui/login" access="permitAll" />
<intercept-url pattern="/ui/logout" access="permitAll" />
<intercept-url pattern="/ui/loginfailed" access="permitAll" />
<intercept-url pattern="/**" access="ROLE_USER" />
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
<form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
<logout logout-success-url="/ui/logout" />
<session-management invalid-session-url="/ui/login"/>
</http>
My question is:
Is it possible to configure two different types of security (http-basic and form-login) for the same URL patterns using Spring Security? Is there a best practice for this type of scenario?
Thank you.

Why don't you just merge the two <http> elements like this:
<http pattern="/api/**" use-expressions="true">
<intercept-url pattern="/ui/login" access="permitAll" />
<intercept-url pattern="/ui/logout" access="permitAll" />
<intercept-url pattern="/ui/loginfailed" access="permitAll" />
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic/>
<custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
<form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
<logout logout-success-url="/ui/logout" />
<session-management invalid-session-url="/ui/login"/>
</http>
This would set up both a UsernamePasswordAuthenticationFilter and a BasicAuthenticationFilter in the same filter chain which could serve the ui client, and the external service as well.

Not possible out of the box to apply 2 different filter chain for a single URL pattern.
But it is a advisable to have unique URL patterns as UI and API, as you would have to apply a completely different filter chain in future.
For example the SecurityContextRepository hold the session information and is retrieved for each request. You don't want to apply the same for UI and API access through basic auth

Try to replace pattern="/" by pattern="/api/" in API config:
<http pattern="/api/**" create-session="stateless">
<intercept-url pattern="/api/**" access="ROLE_USER"/>
<http-basic/>
</http>

Spring Security 3.1.0.RC1: With multiple <http.../> elements why can I only register one authentication manager?

I have the following configuration with multiple <http.../> elements (in order to separately support REST authetication via basic auth, and user form login):
<security:http auto-config="false" pattern="/service/**" create-session="never"
entry-point-ref="basicAuthenticationEntryPoint" >
<security:intercept-url pattern="/service/**" requires-channel="any" access="ROLE_REST_SERVICE" />
<security:custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthenticationFilter" />
</security:http>
<security:http auto-config="false" pattern="/**"
entry-point-ref="loginUrlAuthenticationEntryPoint" >
<security:logout logout-url="/logout" />
<security:anonymous enabled="false"/>
<security:custom-filter position="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
<security:custom-filter position="ANONYMOUS_FILTER" ref="anonymousAuthFilter" />
</security:http>
In each of my two filters requiring authentication (FORM_LOGIN_FILTER, and BASIC_AUTH_FILTER) I reference two different authentication managers.
But I get an error that I've already registered an authentication manager.
Why would I use one authentication manager when I know before hand which Authentication provider is going to be needed for each filter?
Should I not use the authentication manager and just start my AuthenticationProvider as a bean and pass it into the filter directly as the AuthenticationManager?

In spring security 3.1 you can have multiple http elements, each with their own authentication manager.
The only thing you need to do is add the following attribute authentication-manager-ref="your ref" to the http element.

Spring Security oddity in <intercept-url> when specifying method

I've been playing around with Spring Security a bit and noticed the following oddity.
When I specify the <http> block like this in my security context XML.
<http>
<http-basic/>
<port-mappings>
<port-mapping http="8080" https="8181"/>
</port-mappings>
<intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
<intercept-url pattern="/url2**" access="ROLE_ROLE2"/>
<intercept-url pattern="/url3**" access="ROLE_ROLE3" />
<!-- <intercept-url pattern="/**" access="ROLE_ADMIN" />
</http>
All the urls seem to trigger a HTTP basic authentication pop up when I hit the various URLs with the browser.
This is good and what I expected, but when I add a method parameter to 1 of the intercept URLs like this:
<http>
<http-basic/>
<port-mappings>
<port-mapping http="8080" https="8181"/>
</port-mappings>
<intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
<intercept-url pattern="/url2**" access="ROLE_ROLE2" method="GET"/>
<intercept-url pattern="/url3**" access="ROLE_ROLE3" />
<!-- <intercept-url pattern="/**" access="ROLE_ADMIN" />
</http>
The basic authentication is turned off for all the URLs except the one I've explicitly set the method on (/url2).
Is this how it's supposed to work, because it seems a little goofy to me. Is this a bug?

Now I have tested url1 with https and it works. I got redirected and then the login dialog showed up.
Setting logging level to DEBUG it prints:
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:196 - Converted URL to lowercase, from: '/url1/'; to: '/url1/'
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url2**; matched=false
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url1**; matched=true
DEBUG AbstractSecurityInterceptor,http-8443-1:250 - Secure object: FilterInvocation: URL: /url1/; ConfigAttributes: [ROLE_USER]
DEBUG XmlWebApplicationContext,http-8443-1:244 - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext#17af46e]: org.springframework.security.event.authorization.AuthenticationCredentialsNotFoundEvent[source=FilterInvocation: URL: /url1/]
DEBUG ExceptionTranslationFilter,http-8443-1:150 - Authentication exception occurred; redirecting to authentication entry point
This is the configuration:
<http>
<http-basic/>
<port-mappings>
<port-mapping http="8080" https="8443"/>
</port-mappings>
<intercept-url pattern="/url1**" access="ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/url2**" access="ROLE_TELLER" method="GET"/>
<intercept-url pattern="/url3**" access="ROLE_SUPERVISOR" />
</http>