In my security XML the interceptions are included as follow:
<security:http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
<security:headers>
<security:cache-control disabled="false"/>
</security:headers>
<security:csrf disabled="true"/>
<security:form-login
login-page="/login"
authentication-failure-url="/login_error"
username-parameter="username"
password-parameter="password"
default-target-url="/home"
always-use-default-target="false"
/>
<security:remember-me key="uniqueAndSecret" token-validity-seconds="604800"
remember-me-parameter="remember-me"/>
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/home" access="hasRole('ROLE_LOGIN')"/>
<security:intercept-url pattern="/business/*" access="hasRole('ROLE_MANAGE_BUSINESS')"/>
<security:intercept-url pattern="/clover/business/*" access="hasRole('ROLE_MANAGE_BUSINESS')"/>
<security:access-denied-handler error-page="/403"/>
<security:session-management session-fixation-protection="migrateSession" invalid-session-url="/login"
session-authentication-error-url="/logout">
</security:session-management>
<security:logout invalidate-session="true" logout-success-url="/login?logout" logout-url="/logout"
delete-cookies="JSESSIONID"/>
</security:http>
With this settings, http://localhost:8080/admin/clover/business/{businessId}?cloverAppType=kioskthis URL is intercepted but http://localhost:8080/admin/clover/business/{businessId}/order?cloverAppType=kiosk&appName=MainApp this URL is not intercepted (when the user is logged out, that URL can be accessed). With usage of the * wild card, is that URL pattern not intercepted? What can be done to resolve this?
Related
The application I'm working on already has user authentication (it's a desktop application). I need to add basic authentication on the url /teachers.htm so that a third-party can receive data in json format. How can I do this?
Oh, and I can`t use Spring Boot.
security.xml
<security:authentication-manager>
<security:authentication-provider ref="customAuthProvider">
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true" create-session="always">
<security:expression-handler ref="customExpressionHandler" />
<security:intercept-url pattern="/**" access="isAuthenticatedIfRequired()" />
<security:form-login login-page="/login" default-target-url="/index.htm" username-parameter="login" always-use-default-target="true"
password-parameter="password" authentication-failure-url="/login" />
<security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout.htm" />
<security:session-management session-authentication-strategy-ref="customAuthenticationStrategy" />
</security:http>
CustomAuthenticationProvider
#Override
#Transactional(readOnly = true)
public Authentication authenticate(Authentication authentication) throws AuthenticationException
{
UserInfo user = userDao.findUserByLogin((String) authentication.getPrincipal());
WebAuthenticationDetails details = (WebAuthenticationDetails) authentication.getDetails();
sessionsInfo.addLoggedInUser(details.getSessionId(), user);
return new TRUsernamePasswordAuthenticationToken(user.getId(), user.getLoginName(),
user.getName(), user.getUserType(), user.getUserLanguage(), null, authorities,
organizations, user.getCurrentOrganizationId());
}
There is special tag for that http-basic.
In your case will be something like this:
<security:http use-expressions="true">
<security:intercept-url pattern="/teachers.htm" access="isAuthenticated()" />
<security:http-basic />
</security:http>
Cause I already had authentication in the app, I resolved the issue by making two entry-points in Spring Security. The result:
<security:user-service id="apiUserDetailsService">
<security:user name="user" password="pw" authorities="ROLE_ADMIN" />
</security:user-service>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="customAuthProvider">
</security:authentication-provider>
<security:authentication-provider user-service-ref="apiUserDetailsService"/>
</security:authentication-manager>
<security:http entry-point-ref="basicAuthEntryPoint" pattern="/pw/**" use-expressions="true">
<security:intercept-url pattern="/pw/smth.htm" access="hasAnyRole('ROLE_ADMIN')" />
<security:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER" />
</security:http>
<bean id="basicAuthEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="REST Realm" />
</bean>
<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationEntryPoint" ref="basicAuthEntryPoint" />
</bean>
<security:http use-expressions="true" create-session="always">
<security:expression-handler ref="customExpressionHandler"/>
<security:intercept-url pattern="/pages/activationcode.jsp" access="permitAll()"/>
<security:intercept-url pattern="/**/*.css" access="permitAll()"/>
<security:intercept-url pattern="/**" access="isAuthenticatedIfRequired()"/>
<security:form-login login-page="/login" default-target-url="/index.htm" username-parameter="login" always-use-default-target="true"
password-parameter="password" authentication-failure-url="/login"/>
<security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout.htm"/>
<security:session-management session-authentication-strategy-ref="customAuthenticationStrategy"/>
</security:http>
I developed java application using spring mvc and spring security.
and when i upload and deploy the WAR file on tomcat7 it fails and give me this messages in the url:
manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=982F861CA67920658BC340994D5B7A32
How can i fix the problem and upload my web application properly ?
[EDITED]
My code:
<http auto-config="true" use-expressions="true">
<csrf/>
<!-- custom login -->
<form-login login-page="/login" login-processing-url="/login" username-parameter="custom_email"
password-parameter="custom_password" authentication-failure-url="/login?error=true"/>
<remember-me key="remember-me"/>
<!-- css and js-->
<intercept-url pattern="resources/cms/**" access="permitAll"/>
<intercept-url pattern="resources/home/**" access="permitAll"/>
<intercept-url pattern="/wro/**" access="permitAll"/>
<intercept-url pattern="/cms/**" requires-channel="any" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/account/**" requires-channel="any" access="isAuthenticated()"/>
<intercept-url pattern="/cart/**" requires-channel="any" access="isAuthenticated()"/>
<intercept-url pattern="/checkout/**" requires-channel="any" access="isAuthenticated()"/>
<logout logout-url="/logout" logout-success-url="/login"/>
<!--<csrf disabled="true"/>-->
</http>
<authentication-manager>
<authentication-provider user-service-ref="customUserDetailsService">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
Edit your Spring-security.xml
<http auto-config="true" use-expressions="true">
...
<csrf disabled="true"/>
</http>
I am struggling with spring security authentication using database. Simply saying it doesn't work - i can't login on my user, it always redirects me to accessdenied.
application-security.xml
<http auto-config="true" use-expressions="true">
<csrf disabled="true"/>
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/login" default-target-url="/AddUser.html" authentication-failure-url="/accessdenied" />
<logout logout-url="/j_spring_security_logout" logout-success-url="/logout"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select username,password,enabled from user_authentication where username=?"
authorities-by-username-query="select u1.username, u2.role from user_authentication u1, user_authorization u2 where u1.user_id = u2.user_id and u1.username =?" />
</authentication-provider>
</authentication-manager>
I have user = 'abcd' with password 'abcd'. Database query select u1.username, u2.role from user_authentication u1, user_authorization u2 where u1.user_id = u2.user_id and u1.username ='abc' returns 'abcd' with 'ROLE_ADMIN'. My login form must be ok (everything was ok when i was using hardcoded username and password in my application-security.xml). Also datasource is fine - it works for CRUD operations. Any ideas what might be wrong?
In the form-login:
<form-login login-page="/login"
default-target-url="/AddUser.html"
authentication-failure-url="/accessdenied" />
you dont't have any parameters like:
username-parameter="username"
password-parameter="password"
So just add them:
<form-login login-page="/login"
default-target-url="/AddUser.html"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/accessdenied" />
I implement Spring Security in a project. I want to put a custom object(domain object) in session at the time of login, so that I can check the user details from HttpServletRequest object in any controller.
Please help me, how to do it?
My Spring security file is :
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/forgotPassword/**" access="permitAll" />
<intercept-url pattern="/css/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/listSensorData"
authentication-failure-url="/login?login_error=1"
username-parameter="username"
password-parameter="password"
login-processing-url="/loginSSuser"
></form-login>
<logout logout-success-url="/login" invalidate-session="true" logout-url="/logout" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="SsmsUserDetService" >
</authentication-provider>
</authentication-manager>
I have configured and working application with authentication provided by Spring Security. Here is configuration of authentication:
<http pattern="/login" security="none"/>
<http pattern="/datastore/list" security="none"/>
<http auto-config="true" use-expressions="true">
<logout logout-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/login" />
<form-login login-page="/login" authentication-failure-url="/login?success=false" default-target-url="/" />
<intercept-url pattern="/repository/**" access="isAuthenticated()" />
<intercept-url pattern="/solr/**" access="isAuthenticated()" />
<intercept-url pattern="/WebISG/**" access="isAuthenticated()" />
<intercept-url pattern="/datastore/**" access="isAuthenticated()" />
<intercept-url pattern="/*" access="isAuthenticated()" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="c2rAuthenticationProvider" />
</authentication-manager>
Now i need to add to this service ability to use OAuth so that users will be able to use every one of these to methods and write the same URLs. Is it possible?