I have a pretty standard project with Spring Security.
I have a login form and I need to add 'Remember me' checkbox there. How can I do that?
I can provide some code if necessary.
I think the below links will be very useful:
Remember-Me Authentication
Configuring Spring Security Form Login with Remember-Me Enabled
5 Minute Guide to Spring Security
So this is a complete WAG - but it's how I would do it, at least initially.
I would override the Spring SecurityContextPersistenceFilter so that it only saves the Authentication details (i.e. the SecurityContext) if that box is checked (you would know this by some attribute you included when you POST the Form for login). You could also, possibly, create a new Cookie if the box is checked and check for the existence of said Cookie before you try Authentication - if the cookie exists it contains the UserDetails and will authenticate, otherwise redirect to the login page.
Here is a tutorial from mkyong that is good.
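An added example (not from the question, the answers or the linked tutorials) of the Java config that backs a 'Remember me' checkbox. It uses the persistent-token variant so a leaked cookie can be revoked by deleting its row server-side; a DataSource bean, a UserDetailsService bean and a /login page are assumed.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired private DataSource dataSource;                 // assumed: a DataSource bean exists
    @Autowired private UserDetailsService userDetailsService; // assumed: your UserDetailsService bean

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()          // the form POSTs the checkbox as
                .and()                                    // <input type="checkbox" name="remember-me"/>
            .rememberMe()
                .rememberMeParameter("remember-me")       // request parameter sent by the checkbox
                .tokenValiditySeconds(14 * 24 * 60 * 60)  // cookie lifetime: 14 days
                .userDetailsService(userDetailsService)
                .tokenRepository(persistentTokenRepository()) // series/token pairs kept in the DB
                .and()
            .logout()
                .deleteCookies("remember-me");            // drop the cookie on explicit logout
    }

    // One (series, token) row per remembered login in the persistent_logins table, so a single
    // cookie can be invalidated server-side without touching the user's password.
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource);
        repo.setCreateTableOnStartup(false); // true once to create persistent_logins, then back to false
        return repo;
    }
}
```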
I'm creating a Spring MVC (Spring 4) with Spring Security 3.2. I have a login page which works fine, with a custom UserDetailsService. I want to add to the website a new functionality, adding some demands. When someone adds a demand, he will receive an email with a button through which he can manage this demand, including the creation of a session for the website. I want to create him an account.. and give him authentication from this button's URL, which will be handled by a controller. How should I do that? Create an account with some hardcoded password? And how about the authentication provider? A user with a demand couldn't log in through the normal login page.
In the database that type of account will have a different status than the normal accounts. Hope you understand what I need...
You can try creating a common user for all such use cases (called guest or similar). If you have validated a user using the trusted URL which they have provided, you can query the database using the hard-coded username (guest), and get the authentication details like password, roles etc. Then you can programmatically authenticate the user. In such a way, the user only has to provide you a URL, and your code can fetch a real authentication detail from the DB.
For the authentication part, you may refer to the below link.
stackoverflow.com/a/15119876/3981536
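An added example (not the answer's own code) of the programmatic authentication the answer describes, done in the controller behind the e-mail link. DemandToken and DemandTokenRepository are hypothetical; the custom UserDetailsService from the question is assumed. Because the link token is the proof of identity, the Authentication is built from the loaded UserDetails without a password check rather than by calling the AuthenticationManager.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;

// Hypothetical: the link token stored when the demand was created.
interface DemandToken { String getAccountUsername(); long getDemandId(); }
interface DemandTokenRepository { DemandToken findValid(String token); void markUsed(DemandToken t); }

@Controller
public class DemandLinkController {

    private final UserDetailsService userDetailsService; // assumed: the question's custom service
    private final DemandTokenRepository tokens;          // hypothetical

    public DemandLinkController(UserDetailsService userDetailsService, DemandTokenRepository tokens) {
        this.userDetailsService = userDetailsService;
        this.tokens = tokens;
    }

    // Reached from the button in the e-mail; the token is the only proof the visitor is the requester.
    @RequestMapping("/demand/manage/{token}")
    public String manage(@PathVariable String token, HttpServletRequest request) {
        DemandToken t = tokens.findValid(token); // null when unknown, expired or already used
        if (t == null) {
            return "redirect:/login?invalidLink";
        }
        tokens.markUsed(t);                      // single-use link
        request.changeSessionId();               // Servlet 3.1+: fresh session id, no fixation

        // The demand account (different status in the DB) is loaded like any other user ...
        UserDetails user = userDetailsService.loadUserByUsername(t.getAccountUsername());
        // ... but authenticated directly: no password check, the link was already verified.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                user, null, user.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(auth);
        // SecurityContextPersistenceFilter saves the context to the HttpSession when the request ends.
        return "redirect:/demand/" + t.getDemandId();
    }
}
```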
I am learning Spring and trying to implement Spring Security. I am not able to understand how it works. I read tutorials from which I understood the following:
we have to configure web.xml for delegating proxy and pattern
we need to add intercepts to dispatcher-servlet.xml
When a request is made it triggers the intercepts, but after that I am unable to understand how it works. It would be helpful if somebody could provide a list of steps to be followed. I am using Hibernate and Spring (both with annotations); I want to authenticate users using Hibernate.
A detailed article can be found here: Code Project. Or a tutorial with MVC and Spring Security here.
I tried to illustrate the process a little bit:
The user sends a HTTP-Request to the server
The server processes the request according to the web.xml
The web.xml contains a filter (AKA interceptor) and passes the request through this filter.
Because the user is unknown/not authenticated, Spring Security does its best to get more details. Depending on the config, it
sends an HTTP header, so that a login popup pops up in the browser (client side).
redirects to a form where you can enter username and password.
does a lot of hidden interaction between server and browser to guarantee a "Single-Sign-On" (SSO)
Except for SSO, the user enters her/his/its credentials and creates an additional request.
Spring Security realizes the login attempt and authenticates the user against a
file with user and passwords
a built-in XML structure in a spring config file
a database
an LDAP
When the access is granted, it assigns the necessary roles...
...and redirects to a hard-coded "home page". (Spring Security lets you adjust this behaviour.)
In your application you can check the authorization for certain actions
.....
The user clicks on "logout" or the session expires. With the next request the process starts again.
Annotations
I found a tutorial here (Link).
I understood/assume the following facts:
The filters still must be defined in the web.xml.
You can annotate your classes/methods with
@Controller (API)
@Secured (API)
@RequestMapping (API)
I admit that I only gave you a rough overview, because your question is not that specific.
Please let me know what you want to learn in detail (re-recognize users, authenticate against different resources, do a SSO, create a secured area on your webpage,...)
Spring uses a dispatcher servlet for delegating the request. Spring Security filters the request and checks if a valid security context is established. If so, the request is passed to the dispatcher and it passes the request forward to the corresponding controller. If no security context is established, Spring Security intercepts the request, which means it could manipulate the request before the dispatcher servlet could process it. During this interception the request dispatcher (Servlet Specification) will be assigned to forward the request to a login page.
I think you don't have to bother with XML anymore. Now you can use Spring Boot + annotation-based configuration. One of the best tutorials I found is this one: A good spring security tutorial
There are some good step-by-step tutorials on how to integrate spring security. For example:
For Java config: http://jtuts.com/2016/03/03/spring-security-login-form-integration-example-with-java-configuration/
For XML config: http://jtuts.com/2016/03/02/spring-security-login-form-integration-example-with-xml-configuration/
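An added example (not from the answers above) of the "authenticates the user against a database" step done through Hibernate, as the question asks: a UserDetailsService that loads the account, and the Java config that wires it into the DaoAuthenticationProvider with a password encoder. The Account mapping and the SessionFactory bean are assumed.

```java
import java.util.Collections;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.SessionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Entity
class Account {                 // hypothetical account table mapped by Hibernate
    @Id String username;
    String passwordHash;        // BCrypt hash; the clear-text password is never stored
    String role;                // e.g. "ROLE_USER" or "ROLE_ADMIN"
}

@Service
class HibernateUserDetailsService implements UserDetailsService {
    @Autowired private SessionFactory sessionFactory; // assumed: configured elsewhere

    @Override @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String username) {
        Account a = (Account) sessionFactory.getCurrentSession().get(Account.class, username);
        if (a == null) throw new UsernameNotFoundException("Bad credentials"); // same text as a wrong password
        return new User(a.username, a.passwordHash,
                Collections.singletonList(new SimpleGrantedAuthority(a.role)));
    }
}

@Configuration @EnableWebSecurity
class HibernateSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Login POST -> UsernamePasswordAuthenticationFilter -> DaoAuthenticationProvider, which
        // calls loadUserByUsername and checks the submitted password against the stored hash.
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }
}
```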
I am trying to implement a functionality so that a user, after a successful login, should get redirected to the same location from where he/she clicked the Login button.
I am using Spring MVC, and for login in some cases the platform is using Spring Security, and for some third-party login processes we are using our own mechanism.
I am wondering, is there any feature either in Spring MVC or Spring Security so that we can redirect user to same location from where he/she came.
Spring Security has provision to redirect the target URL
Have a look at SavedRequestAwareAuthenticationSuccessHandler
There are four scenarios based on which ss decides on the redirect destination.
I agree with what @jittakal has answered. I have also used the SavedRequestAwareAuthenticationSuccessHandler class to redirect to the same view from where the user was redirected to the login page.
It is a really easy and awesome feature to use. Go for it. :)
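An added example (not from the answers) wiring SavedRequestAwareAuthenticationSuccessHandler in Java config, with the order in which it picks the redirect target. The "target" parameter name, the /home and /catalog paths and the /login page are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
public class RedirectBackConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/catalog/**").permitAll()   // public pages that show a "Login" button
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .successHandler(successHandler());
    }

    // Where the user lands after login, in the order the handler evaluates it:
    //   1. alwaysUseDefaultTargetUrl (left off here)
    //   2. the "target" request parameter, when the login POST carries a non-empty one
    //   3. the request ExceptionTranslationFilter cached when an unauthenticated user hit a
    //      protected URL and was sent to /login
    //   4. the Referer header (left off: client-controlled)
    //   5. the default target URL
    // Case 2 is what a "Login" button on a public page needs: link to /login?target=/catalog/42
    // and copy the value into a hidden field of the login form. The value comes from the client,
    // so keep it a relative path (or validate it) to avoid an open redirect.
    @Bean
    public AuthenticationSuccessHandler successHandler() {
        SavedRequestAwareAuthenticationSuccessHandler handler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        handler.setDefaultTargetUrl("/home");
        handler.setTargetUrlParameter("target");
        handler.setUseReferer(false);
        return handler;
    }
}
```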
Is it possible to authenticate a user by checking for an existing HttpSession within Spring Security? I would like users to authenticate via CAS at one URL (http://example.com/auth), but not the other URLs. For example, if they go straight to http://example.com/content, then I'd like to check for the HttpSession and return a 401 Unauthorized code if they haven't logged into CAS yet. If they've already gone to the /auth page and logged in, then going to /content will return the content. The main reason for this is to avoid any redirects that CAS causes during authentication.
I am kind of new to Spring Security and can't figure out if I need a custom AuthenticationManager, AuthenticationEntryPoint, both, or something else. The AuthenticationManager doesn't have a way for me to access the HttpSession, and the AuthenticationEntryPoint doesn't seem to be the right place to implement this functionality.
Any ideas?
Spring Security is not using HTTP session.
Instead, you can easily call to this static method:
SecurityContextHolder.getContext().getAuthentication();
Frankly, I believe that you need to configure Spring Security correctly in order to avoid checking authentication and redirecting manually to another page.
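An added example (not from the question or answer) of the entry-point configuration that gives the behaviour the question asks for: unauthenticated requests to /content get a 401 instead of the CAS redirect, while everything else starts the CAS login. The CasAuthenticationEntryPoint bean and the rest of the CAS setup are assumed to exist already.

```java
import java.util.LinkedHashMap;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class CasOrUnauthorizedConfig extends WebSecurityConfigurerAdapter {

    @Autowired private CasAuthenticationEntryPoint casEntryPoint; // assumed: CAS filter/provider beans exist

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .exceptionHandling()
                // Invoked when an unauthenticated request reaches a protected URL. Whether the user
                // is logged in is already known here: SecurityContextPersistenceFilter restored the
                // SecurityContext from the HttpSession earlier in the chain, so no manual session
                // check is needed in the application.
                .authenticationEntryPoint(entryPoint());
    }

    private AuthenticationEntryPoint entryPoint() {
        // /content/**: plain 401, no redirect to CAS
        AuthenticationEntryPoint unauthorized = (request, response, ex) ->
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Log in at /auth first");
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> byPath = new LinkedHashMap<>();
        byPath.put(new AntPathRequestMatcher("/content/**"), unauthorized);
        DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(byPath);
        delegating.setDefaultEntryPoint(casEntryPoint); // /auth and everything else: start the CAS login
        return delegating;
    }
}
```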
I am using the Spring Security default login page, and if my user gets to a page that he should not be getting to based on role and URL, he gets the following error on the screen:
org.springframework.security.access.AccessDeniedException: Access is denied to login
How can I make it so Spring goes to the default login, with or without an error? Please help me out.
As documented in the <access-denied-handler> element in the documentation's Appendix B, you can set the errorPage attribute to forward to a custom JSP. This could be your login page or whatever else you want. Keep in mind that at this point, the user is already logged in, so forwarding them to the login page (again) may be confusing.
As Raghuram suggested, you can also implement AccessDeniedHandler yourself, but I'd hold off on doing that unless you really need to.
I don't have the info in front of me, but if I remember correctly, when you set up Spring Security you can give it URL patterns to apply the security to. It sounds like your setup is including the login page in the patterns that security is applying to. You need to make sure that it is not. Go back to the Spring Security doco and you should be able to work this out. Also the Spring logs are usually very good at helping with this sort of thing.
What you probably need to do is to override the default AccessDeniedHandlerImpl as documented here.
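An added example (not from the answers) showing both points above in Java config: the login page kept out of the protected patterns, and AccessDeniedHandlerImpl configured with an error page for users who are authenticated but lack the role. The /admin and /login paths are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

@Configuration
@EnableWebSecurity
public class AccessDeniedConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // permitAll keeps the login page itself out of the protected patterns;
                // otherwise the redirect to /login is what ends up being denied.
                .loginPage("/login").permitAll()
                .and()
            .exceptionHandling()
                // Reached only for users who are already authenticated but lack the role;
                // anonymous users are sent to the login entry point instead.
                .accessDeniedHandler(accessDeniedHandler());
    }

    @Bean
    public AccessDeniedHandler accessDeniedHandler() {
        AccessDeniedHandlerImpl handler = new AccessDeniedHandlerImpl();
        // Forwards (HTTP 403) to a page inside the webapp. The login page works as the target,
        // but the user stays logged in, so a dedicated "denied" page is usually clearer.
        handler.setErrorPage("/login?denied");
        return handler;
    }
}
```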