The application I'm working on already has user authentication (it's a desktop application). I need to add basic authentication on the url /teachers.htm so that a third-party can receive data in json format. How can I do this?
Oh, and I can`t use Spring Boot.
security.xml
<security:authentication-manager>
<security:authentication-provider ref="customAuthProvider">
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true" create-session="always">
<security:expression-handler ref="customExpressionHandler" />
<security:intercept-url pattern="/**" access="isAuthenticatedIfRequired()" />
<security:form-login login-page="/login" default-target-url="/index.htm" username-parameter="login" always-use-default-target="true"
password-parameter="password" authentication-failure-url="/login" />
<security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout.htm" />
<security:session-management session-authentication-strategy-ref="customAuthenticationStrategy" />
</security:http>
CustomAuthenticationProvider
#Override
#Transactional(readOnly = true)
public Authentication authenticate(Authentication authentication) throws AuthenticationException
{
UserInfo user = userDao.findUserByLogin((String) authentication.getPrincipal());
WebAuthenticationDetails details = (WebAuthenticationDetails) authentication.getDetails();
sessionsInfo.addLoggedInUser(details.getSessionId(), user);
return new TRUsernamePasswordAuthenticationToken(user.getId(), user.getLoginName(),
user.getName(), user.getUserType(), user.getUserLanguage(), null, authorities,
organizations, user.getCurrentOrganizationId());
}
There is special tag for that http-basic.
In your case will be something like this:
<security:http use-expressions="true">
<security:intercept-url pattern="/teachers.htm" access="isAuthenticated()" />
<security:http-basic />
</security:http>
Cause I already had authentication in the app, I resolved the issue by making two entry-points in Spring Security. The result:
<security:user-service id="apiUserDetailsService">
<security:user name="user" password="pw" authorities="ROLE_ADMIN" />
</security:user-service>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="customAuthProvider">
</security:authentication-provider>
<security:authentication-provider user-service-ref="apiUserDetailsService"/>
</security:authentication-manager>
<security:http entry-point-ref="basicAuthEntryPoint" pattern="/pw/**" use-expressions="true">
<security:intercept-url pattern="/pw/smth.htm" access="hasAnyRole('ROLE_ADMIN')" />
<security:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER" />
</security:http>
<bean id="basicAuthEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="REST Realm" />
</bean>
<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationEntryPoint" ref="basicAuthEntryPoint" />
</bean>
<security:http use-expressions="true" create-session="always">
<security:expression-handler ref="customExpressionHandler"/>
<security:intercept-url pattern="/pages/activationcode.jsp" access="permitAll()"/>
<security:intercept-url pattern="/**/*.css" access="permitAll()"/>
<security:intercept-url pattern="/**" access="isAuthenticatedIfRequired()"/>
<security:form-login login-page="/login" default-target-url="/index.htm" username-parameter="login" always-use-default-target="true"
password-parameter="password" authentication-failure-url="/login"/>
<security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout.htm"/>
<security:session-management session-authentication-strategy-ref="customAuthenticationStrategy"/>
</security:http>
Related
In my security XML the interceptions are included as follow:
<security:http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
<security:headers>
<security:cache-control disabled="false"/>
</security:headers>
<security:csrf disabled="true"/>
<security:form-login
login-page="/login"
authentication-failure-url="/login_error"
username-parameter="username"
password-parameter="password"
default-target-url="/home"
always-use-default-target="false"
/>
<security:remember-me key="uniqueAndSecret" token-validity-seconds="604800"
remember-me-parameter="remember-me"/>
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/home" access="hasRole('ROLE_LOGIN')"/>
<security:intercept-url pattern="/business/*" access="hasRole('ROLE_MANAGE_BUSINESS')"/>
<security:intercept-url pattern="/clover/business/*" access="hasRole('ROLE_MANAGE_BUSINESS')"/>
<security:access-denied-handler error-page="/403"/>
<security:session-management session-fixation-protection="migrateSession" invalid-session-url="/login"
session-authentication-error-url="/logout">
</security:session-management>
<security:logout invalidate-session="true" logout-success-url="/login?logout" logout-url="/logout"
delete-cookies="JSESSIONID"/>
</security:http>
With this settings, http://localhost:8080/admin/clover/business/{businessId}?cloverAppType=kioskthis URL is intercepted but http://localhost:8080/admin/clover/business/{businessId}/order?cloverAppType=kiosk&appName=MainApp this URL is not intercepted (when the user is logged out, that URL can be accessed). With usage of the * wild card, is that URL pattern not intercepted? What can be done to resolve this?
I use spring Security. I'm trying to redirect from profile.jsp. And have
Access to the specified resource has been forbidden.
So, as i understand it's because of access failure somewhere. Page i want redirect to is also profile.jsp. So, i change options and i want to reload page. But have an exception
I've watched many similar on other topics, but still cant resolve
spring configuration
<http auto-config="true">
<intercept-url pattern="/" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<intercept-url pattern="/chat" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/profile" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<form-login login-page="/login" default-target-url="/chat" authentication-failure-url="/login?error"
username-parameter="username" password-parameter="password"/>
<logout logout-success-url="/login?logout"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsServiceImpl">
<password-encoder ref="encoder"></password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsServiceImpl"
class="com.chat.my.service.UserDetailsServiceImpl"></beans:bean>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11"/>
</beans:bean>
Try to add
<intercept-url pattern="/login*" access="isAnonymous()" />
Could be that your login page also expect to be authenticated because of your
<intercept-url pattern="/" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
I use spring security to implement security on my site:
....
<security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrentSessionFilter"/>
<security:form-login
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler"
/>
<security:intercept-url pattern="/api/**"/>
<security:anonymous enabled="false"/>
<security:logout logout-url="/logout" delete-cookies="JSESSIONID,sessionId"
success-handler-ref="logoutSuccessHandler"
/>
<security:csrf disabled="true"/>
<security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
</security:http>
....
<security:authentication-manager>
<security:authentication-provider ref="XXXXLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="XXXXUserDetailsService"/>
</security:authentication-manager>
....
I use web sockets on my site and sometimes it is useful to login through web sockets.
I have not ideas where to dig. Please share your expertise.
I implement Spring Security in a project. I want to put a custom object(domain object) in session at the time of login, so that I can check the user details from HttpServletRequest object in any controller.
Please help me, how to do it?
My Spring security file is :
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/forgotPassword/**" access="permitAll" />
<intercept-url pattern="/css/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/listSensorData"
authentication-failure-url="/login?login_error=1"
username-parameter="username"
password-parameter="password"
login-processing-url="/loginSSuser"
></form-login>
<logout logout-success-url="/login" invalidate-session="true" logout-url="/logout" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="SsmsUserDetService" >
</authentication-provider>
</authentication-manager>
I have configured and working application with authentication provided by Spring Security. Here is configuration of authentication:
<http pattern="/login" security="none"/>
<http pattern="/datastore/list" security="none"/>
<http auto-config="true" use-expressions="true">
<logout logout-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/login" />
<form-login login-page="/login" authentication-failure-url="/login?success=false" default-target-url="/" />
<intercept-url pattern="/repository/**" access="isAuthenticated()" />
<intercept-url pattern="/solr/**" access="isAuthenticated()" />
<intercept-url pattern="/WebISG/**" access="isAuthenticated()" />
<intercept-url pattern="/datastore/**" access="isAuthenticated()" />
<intercept-url pattern="/*" access="isAuthenticated()" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="c2rAuthenticationProvider" />
</authentication-manager>
Now i need to add to this service ability to use OAuth so that users will be able to use every one of these to methods and write the same URLs. Is it possible?