I have recently implemented a token-based security configuration in my Spring Server and it works fine when authenticating for the first time and making requests.
I'm using a software written in Python that will make an authentication request first and after that send multiple requests to save data in the Database.
The issue I'm having is: after running the script, (which, remember, executes very well for the first time), I can no longer authenticate when running it again.
I've tried adding some things like .logout() and removing the session cookies from the SecurityFilterChain but to no avail. How can I enable multiple authentications per session for the same user in Spring?
Below is my SecurityFilterChain bean in SecurityConfig.java:
#Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeHttpRequests()
.requestMatchers("/**/auth/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.logout()
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.rememberMe()
.and()
.authenticationProvider(authenticationProvider())
.addFilterBefore(
jwtAuthFilter,
UsernamePasswordAuthenticationFilter.class
);
return http.build();
}
Related
I am using Spring Security. Once I load the login page jsessionid is created without logging in. How to clear the session before login?
I have implemented on Spring Security API. In that I am calling as method config().
http
.authorizeRequests()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/?page=1")
.loginProcessingUrl("/login")
.usernameParameter("ssoId")
.passwordParameter("password")
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login?logout")
.deleteCookies("remember-me")
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.rememberMe()
.rememberMeServices(rememberMeServices())
.key("remember-me")
.tokenRepository(tokenRepository)
.tokenValiditySeconds(1 * 60 * 60).and().csrf().and()
.exceptionHandling()
.accessDeniedPage("/Access_Denied");
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.maximumSessions(1)
//.maxSessionsPreventsLogin(true) //added
.expiredUrl("/login?sessionExpired")
.and()
.invalidSessionUrl("/login?invalidSession");
The session needs to cleared properly before login as well as after login. At same time same login page needs to loaded one tab, if I am passing new tab access the same URL is loaded without asking the user credentials its logged in now.
I need to make one rest endpoint available globally without any authentication, based on the response of the first service will prepare token and will based for authentication for the second service. As having spring-security, application always asks to implement the BASIC or FORM login, i don't have this use case in my application.
Even i have this route in websecurityconfig to PERMITALL, still need some authentication to contact the application
http
.authorizeRequests()
.antMatchers("/v1/test").permitAll()
.anyRequest().authenticated(;
It would be better if you can share your code, here is the code configuring spring security.
In following code: antMatchers with permitAll are accessible without authentication and antMatchers with role ROLE_USER are accessible after user logs in.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/", "/home", "/user/register").permitAll()
.antMatchers("/user/**").access("hasRole('ROLE_USER')")
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
.defaultSuccessUrl("/dashboard")
.usernameParameter("username")
.passwordParameter("password")
.and()
.logout()
.logoutSuccessUrl("/login?logout")
.and()
.exceptionHandling()
.accessDeniedPage("/403");
}
I have a spring security application where i want every redirect to be secure(https) i have written the below code for that. But it is giving me "ERR_TOO_MANY_REDIRECTS" on the browser. Can anyone please help.
http
.authorizeRequests()
.anyRequest().hasRole("QA")
.and()
.addFilterBefore(oidcAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.exceptionHandling()
.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/openid_connect_login")).and().requiresChannel().anyRequest().requiresSecure();
In your code you added .anyRequest().hasRole("QA") line .This lines means anyRequest must be authenticated and has role "QA". You should permit at least one page or url.
Try this
http
.authorizeRequests()
.antMatchers("/openid_connect_login/**").permitAll()
.anyRequest().authenticated()
.anyRequest().hasRole("QA")
.and()
.addFilterBefore(oidcAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.exceptionHandling()
.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/openid_connect_login")).and().requiresChannel().anyRequest().requiresSecure();
I have a Spring Boot application with Spring Security. A new endpoint /health is to be configured so it is accessible via basic HTTP authentication. The current HttpSecurity configuration is as follows:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers(HttpMethod.OPTIONS, "/**")
.and()
.csrf()
.disable()
.authorizeRequests()
.anyRequest()
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
How do I add base auth for /health? I figure I need something like this, but I don't think this is completely correct, and I don't really understand where exactly to add it:
.authorizeRequests()
.antMatchers(
// Health status
"/health",
"/health/"
)
.hasRole(HEALTH_CHECK_ROLE)
.and()
.httpBasic()
.realmName(REALM_NAME)
.authenticationEntryPoint(getBasicAuthEntryPoint())
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
I found these resources to be helpful, but not sufficient:
http://www.baeldung.com/spring-security-basic-authentication
http://websystique.com/spring-security/secure-spring-rest-api-using-basic-authentication/
The solution is to implement multiple configurations, as explained here:
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity
EDIT 2021-12-11:
archive link of reference: https://web.archive.org/web/20210126145444/https://docs.spring.io/spring-security/site/docs/current/reference/html5/#multiple-httpsecurity
A similar question linking to an example is here:
https://stackoverflow.com/a/18864786/1568224
My login/authentication logic is based on jhipster and implements remember-me filter. I would like to allow all users (no authentication required) access to the configuration endpoint, /configuration. It seems that the correct way to do so is to add the following to the filter chain:
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.and()
.addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.addFilterBefore(new SimpleCORSFilter(), ChannelProcessingFilter.class)
.exceptionHandling()
.and()
.rememberMe()
.rememberMeServices(rememberMeServices)
.rememberMeParameter("remember-me")
.key(securityRememberMeKey)
.and()
.formLogin()
.loginProcessingUrl("/api/v1/authentication")
.successHandler(ajaxAuthenticationSuccessHandler)
.failureHandler(ajaxAuthenticationFailureHandler)
.usernameParameter("some")
.passwordParameter("some")
.permitAll()
.and()
.logout()
.logoutUrl("/api/v1/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/api/v1/configuration").permitAll()
.antMatchers("/api/v1/generalEvent*").permitAll()
.antMatchers("/api/v1/account").permitAll()
.antMatchers("/api/v1/register").permitAll()
.antMatchers("/api/v1/activate").permitAll()
.antMatchers("/api/v1/authenticate").permitAll()
.antMatchers("/api/v1/account/reset_password/init").permitAll()
.antMatchers("/api/v1/account/reset_password/finish").permitAll()
.anyRequest().authenticated();
}
As one can see the /configuration endpoint has permitAll() which allows the user to get the configuration with no authentication but the remember-me filter will still be called which is an undesired result. is there a way to avoid the remember-me filter?