Access to the specified resource has been forbidden - java

I use Spring Security. I'm trying to redirect from profile.jsp and get
"Access to the specified resource has been forbidden".
So, as I understand it, it's because of an access failure somewhere. The page I want to redirect to is also profile.jsp. So I change options and want to reload the page, but I get an exception.
I've looked at many similar questions in other topics, but still can't resolve it.
Spring configuration:
<http auto-config="true">
<intercept-url pattern="/" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<intercept-url pattern="/chat" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/profile" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<form-login login-page="/login" default-target-url="/chat" authentication-failure-url="/login?error"
username-parameter="username" password-parameter="password"/>
<logout logout-success-url="/login?logout"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsServiceImpl">
<password-encoder ref="encoder"></password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsServiceImpl"
class="com.chat.my.service.UserDetailsServiceImpl"></beans:bean>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11"/>
</beans:bean>

Try to add
<intercept-url pattern="/login*" access="isAnonymous()" />
It could be that your login page also expects to be authenticated because of your
<intercept-url pattern="/" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>

Related

Tomcat7 failed to deploy a web application CSRF Token

I developed a Java application using Spring MVC and Spring Security,
and when I upload and deploy the WAR file on Tomcat 7 it fails and gives me this message in the URL:
manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=982F861CA67920658BC340994D5B7A32
How can I fix the problem and upload my web application properly?
[EDITED]
My code:
<http auto-config="true" use-expressions="true">
<csrf/>
<!-- custom login -->
<form-login login-page="/login" login-processing-url="/login" username-parameter="custom_email"
password-parameter="custom_password" authentication-failure-url="/login?error=true"/>
<remember-me key="remember-me"/>
<!-- css and js-->
<!-- Ant patterns must start with "/" to match a request path -->
<intercept-url pattern="/resources/cms/**" access="permitAll"/>
<intercept-url pattern="/resources/home/**" access="permitAll"/>
<intercept-url pattern="/wro/**" access="permitAll"/>
<intercept-url pattern="/cms/**" requires-channel="any" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/account/**" requires-channel="any" access="isAuthenticated()"/>
<intercept-url pattern="/cart/**" requires-channel="any" access="isAuthenticated()"/>
<intercept-url pattern="/checkout/**" requires-channel="any" access="isAuthenticated()"/>
<logout logout-url="/logout" logout-success-url="/login"/>
<!--<csrf disabled="true"/>-->
</http>
<authentication-manager>
<authentication-provider user-service-ref="customUserDetailsService">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
Edit your Spring-security.xml:
<http auto-config="true" use-expressions="true">
...
<csrf disabled="true"/>
</http>

How to set user detail in session attribute after login in Spring Security XML

I implemented Spring Security in a project. I want to put a custom object (domain object) in the session at the time of login, so that I can check the user details from the HttpServletRequest object in any controller.
Please help me, how do I do it?
My Spring Security file is:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/forgotPassword/**" access="permitAll" />
<intercept-url pattern="/css/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/listSensorData"
authentication-failure-url="/login?login_error=1"
username-parameter="username"
password-parameter="password"
login-processing-url="/loginSSuser"
></form-login>
<logout logout-success-url="/login" invalidate-session="true" logout-url="/logout" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="SsmsUserDetService" />
</authentication-manager>

Combine OAuth and Basic auth in Spring Security

I have configured a working application with authentication provided by Spring Security. Here is the configuration of authentication:
<http pattern="/login" security="none"/>
<http pattern="/datastore/list" security="none"/>
<http auto-config="true" use-expressions="true">
<logout logout-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/login" />
<form-login login-page="/login" authentication-failure-url="/login?success=false" default-target-url="/" />
<intercept-url pattern="/repository/**" access="isAuthenticated()" />
<intercept-url pattern="/solr/**" access="isAuthenticated()" />
<intercept-url pattern="/WebISG/**" access="isAuthenticated()" />
<intercept-url pattern="/datastore/**" access="isAuthenticated()" />
<intercept-url pattern="/*" access="isAuthenticated()" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="c2rAuthenticationProvider" />
</authentication-manager>
Now I need to add to this service the ability to use OAuth, so that users will be able to use either of these two methods with the same URLs. Is it possible?

Spring security Pre authentication success handler

I have a web app where you can log in with form-login or you can be pre-authenticated and be logged in like that. Both methods work well, but I can only find a way to use a success handler with the form-login, using the authentication-success-handler-ref property.
My question is, how can I call the success handler "mySuccessHandler" for the PRE_AUTH_FILTER in my security-app-context? I would guess I can call it as a property or something under the PreAuthenticatedProcessingFilter, preauthAuthProvider or the custom-filter.
I just need to go to different pages depending on whether the user has the role Teacher or Student.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<http pattern="/**" use-expressions="true" create-session="always">
<intercept-url pattern="/login.jsp*" access="permitAll" />
<intercept-url pattern="/**/ErrorPages/**" access="permitAll" />
<!-- each role is a separate argument; a single 'STUDENT, TEACHER' string would match neither role -->
<intercept-url pattern="/**/Students/**" access="hasAnyRole('STUDENT', 'TEACHER')" />
<intercept-url pattern="/**/Teacher/**" access="hasRole('TEACHER')" />
<intercept-url pattern="/**/Login/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**/Js/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**/Css/**" access="permitAll" />
<intercept-url pattern="/**/Img/**" access="permitAll" />
<intercept-url pattern="/**/api/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**" access="denyAll" />
<custom-filter position="PRE_AUTH_FILTER" ref="PreAuthenticatedProcessingFilter" />
<access-denied-handler />
<form-login
username-parameter="idnumber"
password-parameter="password" login-processing-url="/athuga_innskraningu"
login-page='/login.jsp'
authentication-failure-handler-ref="myAuthErrorHandler"
authentication-success-handler-ref="mySuccessHandler"
always-use-default-target='true'
authentication-failure-url="/login.jsp?login_error=true"/>
<logout logout-url="/utskra/" logout-success-url="/login.jsp"/>
</http>
<beans:bean id="mySuccessHandler" class="is.inna.rest.login.AuthenticationSuccess"/>
<beans:bean id="myAuthErrorHandler" class="is.inna.rest.login.AuthenticationFailure"/>
<beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<beans:bean name="myUserDetailsService" class="is.inna.rest.login.UserDetailServiceLogin" />
<beans:bean id="userDetailsServiceWrapper" class="is.inna.rest.login.UserDetailServicePreAuth" />
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
<authentication-provider ref="preauthAuthProvider" />
</authentication-manager>
<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService" ref="userDetailsServiceWrapper"/>
</beans:bean>
<beans:bean id="PreAuthenticatedProcessingFilter" class="is.inna.rest.login.PreAuthenticatedProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
Your requirement is to redirect the user to different pages depending on the role. You can do this using an authentication success handler as well. Refer to the sample success handler class I have written. You always have access to the Authentication object in the overridden onAuthenticationSuccess method. You can get the authorities and role of the logged-in user and, depending on them, redirect the user to the appropriate page.
Hope this helps.
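The following class is an added example (it is not the sample handler the answer above refers to, nor code from the questioner's project). It covers two questions on this page at once: the earlier one about putting a domain object in the session at login, and this one about redirecting by role from a success handler that both form-login and the pre-authentication filter can share. The package name is borrowed from the bean classes in the question; the class name RoleBasedSuccessHandler, the session key, and the target URLs are assumptions. Role strings are "TEACHER" and "STUDENT" exactly as they appear in the question's intercept-url rules (Spring Security 3.2 compares hasRole arguments literally, without adding a ROLE_ prefix).

```java
package is.inna.rest.login; // hypothetical package, taken from the bean class names in the question

import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

/**
 * Added example: one AuthenticationSuccessHandler that (a) publishes the
 * authenticated principal as a plain session attribute for controllers and
 * (b) chooses the landing page from the granted authorities. Because it is a
 * normal bean, both the form-login filter (authentication-success-handler-ref)
 * and the pre-authentication filter can point at the same instance, so both
 * login paths apply one policy.
 */
public class RoleBasedSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    /** Session key under which controllers can look up the logged-in user (assumed name). */
    public static final String USER_SESSION_KEY = "currentUser";

    // Hypothetical landing pages; adjust to the application's own URLs.
    static final String TEACHER_HOME = "/Teacher/home";
    static final String STUDENT_HOME = "/Students/home";
    static final String DEFAULT_HOME = "/";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {

        // (a) Spring Security already keeps the SecurityContext in the session; this
        // additionally stores the principal (the UserDetails / domain object returned
        // by the UserDetailsService) under a plain attribute name. Doing it here, after
        // authentication has completed, means it lands in the post-login session rather
        // than in a pre-login session that session-fixation protection may have replaced.
        request.getSession(true).setAttribute(USER_SESSION_KEY, authentication.getPrincipal());

        // (b) Decide the redirect target from the authority strings.
        Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
        String target = targetUrlFor(roles);

        // Remove any stale AUTHENTICATION_EXCEPTION left from a failed attempt, then redirect.
        clearAuthenticationAttributes(request);
        getRedirectStrategy().sendRedirect(request, response, target);
    }

    /**
     * Pure decision function, kept separate from the servlet plumbing so it can be
     * unit-tested without a container. A user holding both roles is sent to the
     * teacher page; anyone without either role falls back to DEFAULT_HOME.
     */
    static String targetUrlFor(Set<String> roles) {
        if (roles.contains("TEACHER")) {
            return TEACHER_HOME;
        }
        if (roles.contains("STUDENT")) {
            return STUDENT_HOME;
        }
        return DEFAULT_HOME;
    }
}
```

To use it, point the existing `mySuccessHandler` bean at this class; the form-login element already references that bean. For the pre-authentication path, give the `PreAuthenticatedProcessingFilter` bean a `<beans:property name="authenticationSuccessHandler" ref="mySuccessHandler"/>`, which targets the setter that `AbstractPreAuthenticatedProcessingFilter` exposes (assumed here to be present in the 3.2 release the schema location names; this requires the custom filter to extend that base class). Controllers can then read `request.getSession().getAttribute(RoleBasedSuccessHandler.USER_SESSION_KEY)`. Treat that attribute as a convenience copy for display purposes only: the `SecurityContext` remains the authoritative source, and authorization decisions should keep going through the intercept-url rules or the `Authentication` object rather than through a session attribute that any later code could overwrite.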

return 403 error if isAuthenticated() == false

I have this spring security configuration:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/home.jsp" access="permitAll" />
<intercept-url pattern="/loginFailed" access="permitAll" />
<intercept-url pattern="/logOut" access="permitAll" />
<intercept-url pattern="/*" access="isAuthenticated()" />
<form-login login-page="/home.jsp" default-target-url="/index"
authentication-failure-url="/loginFailed" />
<logout logout-success-url="/logOut"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="N_a" password="12" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
If I type a URL that needs access="isAuthenticated()", I am redirected to home.jsp.
I want to see a 403 error instead.
How do I change it?
You are using a form-based login and as such, when not authenticated, you will be prompted with the login-page. This is what you have configured and this is how, by default, Spring Security works.
If you want to override this you need to explicitly configure an AuthenticationEntryPoint, to be precise the Http403ForbiddenEntryPoint. This basically always gives a 403 if someone isn't authenticated or doesn't have access. This disables the ability to be prompted with a login form to give a user the chance to log in after all.
<beans:bean id="entryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<http auto-config="true" use-expressions="true" entry-point-ref="entryPoint">
<!-- Your other elements here -->
</http>
Use the access-denied-handler tag in the http tag.
http://www.mkyong.com/spring-security/customize-http-403-access-denied-page-in-spring-security/
Or use the access-denied-page property.
<http auto-config="true" access-denied-page="/403"></http>
