<bean id="ntlmFilter" class="org.springframework.security.ui.ntlm.NtlmProcessingFilter">
<security:custom-filter position="NTLM_FILTER" />
<property name="stripDomain" value="true" />
<property name="defaultDomain" value="company" />
<property name="domainController" value="192.168.1.1" />
<property name="authenticationManager" ref="_authenticationManager" />
</bean>
may i know how to set failover second controller?
Unfortunately, NTLM isn't supported by Spring 3.
If using a secondary domain controller is a critical requirement for your application, I think you'll need to look into the jcifs source. Even jcifs doesn't want to support NTLM anymore either. But the old libraries are out there. I've hacked around so that my app will invisibly authenticate users whether they're from domainA or domainB. So it's possible, although possibly a bit daunting.
If I understood your question properly, you are looking for a fallback authentication provider, You can setup a list of authentication managers, so that if first one fails, it will automatically check with second one.
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ntlmServiceAuthenticationProvider"/>
<security:authentication-provider ref="ldapAuthProvider"/>
</security:authentication-manager>
Related
I am implementing a multitenant application with the spring security saml extention.
I have a Service Provider (SP) for each tenant.
All SPs runs on the same server exposed with SP-specific 2nd level domain:
sp1.myapp.com/myapi/1/
sp1.myapp.com/myapi/2/
In each SP metadata file I have configured the tenant-specific AssertionConsumerService.
When I test the SSO Login, I get a KO on SP side when it gets the response of the Identity Provider (IDP).
On Log side i see only:
ERROR [BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://sp1.myapp.com/myapi/saml/SSO' did not match the recipient endpoint 'https://default.myapp.com/myapi/saml/SSO'
Where the 'https://default.myapp.com/myapi/saml/SSO' is the URL set as serverName of the load balancer context provider:
<bean id="lbContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB" init-method="afterPropertiesSet">
<property name="metadata" ref="metadata" />
<property name="keyManager" ref="keyManager" />
<property name="scheme" value="https" />
<property name="serverName" value="default.myapp.com" />
<property name="contextPath" value="/myapi" />
<property name="serverPort" value="443" />
<property name="includeServerPortInRequestURL" value="true" />
</bean>
Question
In the docs.spring.io/spring-security-saml I see that
Service provider can now define multiple assertion consumer endpoints with same binding
How can I configure it?
Does it conflict with load balancer context provider?
Can I provide multiple AssertionConsumerService with different 2nd level domains without reproduction this conflict?
I already tested:
This question seems to be fixed with the LB, but anyone knows if I can provide multiple serverName to load balancer context provider (maybe with a dynamic pick)?
Disable the checking of the InResponseToField as suggested at ch.13 docs.spring.io/spring-security-saml and for this and this question.
Configure the defaultTargetUrl of the successRedirectHandler (where I am using a custom superclass of org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler) as suggested for this question. In addition this solution is not multitenant.
<bean id="successRedirectHandler" class="org.MySamlAuthenticationSuccessHandler"
init-method="afterPropertiesSet">
<property name="contextPath" value="/myapi" />
<property name="defaultTargetUrl" value="https://default.myapp.com/myapi/saml/SSO"/>
<property name="requireProxyWrapping" value="false"/>
</bean>
Customize SAMLContextProviderLB by extending SamlContextProviderLB.
In custom class, add constructor and initialize with default values.
Override getLocalAndPeerEntity/getLocalEntity/populateLocalEntityId. In each of this method set lbDomain based on domain in requestURL.
above approach worked for me.
I am moving from Spring Security 3.2 to 4.1, and I (still) use xml configuration.
It seems that using the <logout /> element does not allow setting the http method to GET.
Is this true?
If, yes, does it mean I have to create a Controller mapping to "/logout" and log out programmatically from there?
Due to legacy reasons, I have to use GET for my LogOutFilter and XML config. The below works. Note I don't recommend working around the csrf protection but I've had to.
This might help others.
<b:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<b:constructor-arg name="logoutSuccessUrl" value="/loggedOut" />
<b:constructor-arg name="handlers">
<b:list>
<b:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</b:list>
</b:constructor-arg>
<b:property name="logoutRequestMatcher">
<b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<b:constructor-arg name="pattern" value="/logout*"/>
<b:constructor-arg name="httpMethod" value="GET"/>
</b:bean>
</b:property>
</b:bean>
Remember to put the custom filter in the element
<custom-filter before="CSRF_FILTER" ref="logoutFilter" />
The key thing here is that you register your own logoutRequestMatcher
I'm new to Spring security and cas.
In my project I have a cas(CenteralAuthenticationServer) server and a service server.
I want to implement Switch user filter for some users in my application.
Where I should put these lines?
<bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<property name="userDetailsService" ref="userDetailsService" />
<property name="switchUserUrl" value="/j_spring_security_switch_user" />
<property name="exitUserUrl" value="/j_spring_security_exit_user" />
<property name="targetUrl" value="/index.jsp" />
</bean>
In my cas project or in my web application?
Should I tell tomcat to use this filter in web.xml?
Is there any implementation example?
Should I create java class to implement this fitler?
Add it in your web application (dispatcher-servlet.xml). Check this example if you need.
switch user link
I have this segment of XML:
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/statics/**" />
<bean class="com.company.website.servlet.StaticsHandlerInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<mvc:mapping path="/data/**" />
<bean class="com.company.website.servlet.AJAXHandlerInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<mvc:mapping path="/**" />
<bean class="com.company.website.servlet.PageHandlerInterceptor" />
</mvc:interceptor>
</mvc:interceptors>
I have three different interceptors for a reason, though the StaticsHandlerInterceptor is just the preHandle method returning true (for all of my static content (js, css, etc)). The second one is for AJAX requests. The third one is for actual pages. What I see happening is the statics and the AJAX interceptors being called when they are supposed to be; however, with them, the page interceptor is always being called. I only want the page interceptor to be called for pages. How do I make that happen?
Assuming you use a consistent naming scheme for your pages, use that - e.g. if your externally-visible page URLs end with .html, specify:
<mvc:mapping path="/**/*.html" />
It's not very RESTful to have "extensions" like that though - you might prefer to use a scheme like:
GET of /user/{id} = returns User object for user {id}, JSON format
POST to /user/{id} = updates User object from JSON object
GET to /user/page/{id} = returns HTML page for user {id}
etc etc
Then you can use a nice readable, semantic mapping like:
<mvc:mapping path="/**/page/**" />
which will work to any "depth" of URL structure.
Edit: OK so it seems that using the mvc:interceptors style of bean declaration isn't going to give you the expressiveness you need to specify exclusion by pattern rather than inclusion.
From what I can make out in this blog, using the more-verbose HandlerMapping approach will allow you to invert the match logic - you can specify what not to match on to get what you need:
<bean id="nonStaticNonDataMapper" class="org.springplugins.web.IgnoreSelectedAnnotationHandlerMapping">
<property name="order">
<value>0</value>
</property>
<property name="urls">
<list>
<value>/statics/**</value>
<value>/data/**</value>
</list>
</property>
<property name="interceptors">
<list>
<bean class="com.company.website.servlet.PageHandlerInterceptor" />
</list>
</property>
(Apologies for the formatting of the above snippet, Markdown thinks the /** is a comment :-)
mvc:interceptors now supports excluding a particular mapping. Currently it's only available in Spring 3.2.0.M2. You can find more about it at the JIRA item (that is now resolved): https://jira.springsource.org/browse/SPR-6570
I am using both Spring security and Spring i18n. This is my security config:
<security:http access-denied-page="/denied.htm">
<security:form-login login-page="/login.htm"
authentication-failure-url="/login.htm?login_error=true" />
<security:intercept-url pattern="/denied.htm" filters="none"/>
<security:intercept-url pattern="/login.htm*" filters="none"/>
<security:intercept-url pattern="/*" access="IS_AUTHENTICATED_FULLY" />
<security:logout/>
</security:http>
Besides that, I have set authenticationManager for database with MD5 encoding for password. Security work just fine. My i18n config is:
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="messages" />
</bean>
It works fine with reading locales from web browser's HTTP request, but I want it to change locale if I click on the link on the page (adds ?lang=hr parameter to current page). So when I add this, locale doesn't change at all:
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang" />
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.SessionLocaleResolver">
<property name="defaultLocale" value="en"/>
</bean>
<bean id="handlerMapping" class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping">
<property name="interceptors">
<ref bean="localeChangeInterceptor" />
</property>
</bean>
So I have few questions.
Why the locale interception suddenly doesn't work and how to fix it?
How to read the current chosen locale for user's session from java class? I have java class where I need to fetch spring's message from message_en.properties or message_hr.properties file. Jasper report.
I need to add some interceptor (or something like that) to restrain user with default password only to work with /changePassword.htm page. What is the simplest solution?
Many thanks
Why the locale interception suddenly doesn't work and how to fix
it?
I guess: To "fix" you local interceptor, you should check, that the local interceptor can be invoked even if the user is not logged in.
_2. How to read the current chosen locale for user's session from java
class?
Use the RequestContext.getLocale() method.
#see http://static.springsource.org/spring/docs/2.0.x/reference/mvc.html#mvc-localeresolver
added
The best place (in design/architecure) to obtain the local form the request is the web controller. If you are using Spring 3.0 you can obtain the HttpServletRequest directly if you put an parameter of this type to your Controller Request Handler Method. But you have an better choise: just add a Local parameter to your controller handler method
#see http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/mvc.html#mvc-ann-requestmapping-arguments
_3. I need to add some interceptor (or something like that) to restrain user
with default password only to work
with /changePassword.htm page. What is
the simplest solution?
One way (may not the simplest, and a one that needs documentation) is to give a user with the default passwort not the full set of priveleges (ony the privileges that he need to set the new password), after chaning tha password, give the user the full set of privileges, which allow him to do all the other stuff.
Try registering localeChangeInterceptor this way. It worked for me.
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"></property>
</bean>
</mvc:interceptors>