I am trying to develop Spring Security project with JWT.
I want access Login api with out Spring Security (without JWT token). But with below configuration, every time (for login api as well) it is checking for JWT token giving me 403 error.
Below is my WebSecurityConfig.
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private JwtAuthFilter jwtAuthFilter;
#Autowired
private TokenAuthenticationService jwtAuthenticationProvider;
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(jwtAuthenticationProvider);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().ignoringAntMatchers("/api/v1/login");
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/api/v1/login")
.permitAll()
.and()
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
}
}
Thanks in advance
For login path configuration something like this can be used:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
.usernameParameter("username") // default is username
.passwordParameter("password") // default is password
.loginPage("/authentication/login") // default is /login with an HTTP get
.failureUrl("/authentication/login?failed") // default is /login?error
.loginProcessingUrl("/authentication/login/process"); // default is /login
// with an HTTP
// post
}
If some paths need to be ignored configure(WebSecurity web) can be overridden:
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/v1/somepath").antMatchers("/static/**");
}
There is filter class named JwtAuthFilter that is being executed before every service you call.
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
this code provides to be executed filter before every request, but its okay, you have to see this FilterClass there must be some check if token doesnt exist filter class must be returned and request will directly go to the login service. if you can show that Filter class and I will help you.
Related
I wrote a simple backend software and I wanted to secure it with Spring Security and LDAP. It is obvious that LDAP part of the project works fine. the problem is that when I use the formLogin() for entring, that doesn't work and when I use postman it shows the result without asking user name and password! I think something in mywebSecurityConfig is wrong. this is my webSecurityConfig code:
#Configuration public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/**").permitAll()
.anyRequest().fullyAuthenticated();
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.ldapAuthentication()
.userDnPatterns("uid={0},ou=people")
.groupSearchBase("ou=people")
.contextSource()
.url("ldap://localhost:10389/dc=example,dc=com")
.and()
.passwordCompare()
.passwordEncoder(new LdapShaPasswordEncoder() {
})
.passwordAttribute("userPassword");
} }
Use #EnableWebSecurity to enable Spring Security.
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
}
and remove .antMatchers("/**").permitAll() from your configuration as it matches all the requests. This construct is normally used to specify specific whitelisted endpoints like static documentation that does not require security:
.antMatchers("/docs/**").permitAll()
I'm unable to differentiate between the following HttpSecurity and WebSecurity methods.
#Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity
.ignoring()
.antMatchers(HttpMethod.POST, "/api/v1/register");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers(HttpMethod.POST, "/api/v1/register").permitAll();
}
ignoring() and permitAll() makes the URLs as open URL, thus giving access to un-authenticated users also.
But when to use which method ?
HttpSecurity.authenticated() method gives access to all authenticated users, irrespective of role.
But, what is the difference between WebSecurity. ignoring() and HttpSecurity.permitAll() ?
I have a Spring boot application with Spring security.
My problem is similar to this one, but in my case I want to redirect the user to the login page if he's not authenticated when he tries to access any page of the application.
The following image shows the architecture of the application:
My config class looks like this:
#EnableWebSecurity
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/**").hasAnyRole("USER")
.and().formLogin().loginPage("/login").permitAll()
.and().authorizeRequests().antMatchers("/resources/**").permitAll().anyRequest().permitAll();
}
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
With this configuration, no resource will be loaded.
How can I configure my project to redirect the user to the login page if he's not authenticated and at the same time having my resources folder loaded?
plz checkout configure method
#Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/login*").permitAll()
.anyRequest().authenticated()
.and().formLogin().loginPage("/login");
}
and implements WebMvcConfigurer Class like below
#Configuration
#EnableWebMvc
public class WebMvcConfiguration implements WebMvcConfigurer {
#Override
public void addResourceHandlers(final ResourceHandlerRegistry registry) {
registry.addResourceHandler("/static/**")
.addResourceLocations("classpath:/static/");
}
}
addResourceHandlers means find resources in /static.
Spring security is not allowing your css when a "GET" request to it is made allow it by changing the following line to the next line
this line = .antMatchers("/*.js").permitAll()
this line = .antMatchers("/*.js", "/*.css").permitAll()
Update your method by using authenticated() like below.
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login*").
.antMatchers("/resources/**").permitAll()
.antMatchers("/*.js").permitAll()
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin();
}
Refer this article
I had this problem in my login page before authentication, I found it and resolved my problem by overrode this method in SecurityConfig
#Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/resources/**");
}
afterward login page knew .js and .css
I have an App that is using OAuth2 password grant type to manage the user authorizations to his resources. All App resources are only allowed access for a client with once provided token to act on behalf of some user, except the URI to create users, this one I want that only authenticaed clients have access to it. I'm using spring-security-oauth2 as my OAuth implementation and but can't figure out how to accomplish this in a less hacky way than the one described bellow:
POST /users to be acessed only by authenticated clients.
Currently I figured out how to this by removing #EnableAuthorizationServer and creating a new class and extending AuthorizationServerSecurityConfiguration class and overriding method: configure( HttpSecurity http ) and creating a new #Configuration class and #Import AuthorizationServerEndpointsConfiguration and CustomAuthorizationServerSecurityConfiguration.
The problem is that, in my new custom class I need to override and copy/paste the entire method original code in the overrided method, ending with something like:
#Override
protected void configure( HttpSecurity http ) throws Exception {
AuthorizationServerSecurityConfigurer configurer = new AuthorizationServerSecurityConfigurer();
FrameworkEndpointHandlerMapping handlerMapping = endpoints.oauth2EndpointHandlerMapping();
http.setSharedObject(FrameworkEndpointHandlerMapping.class, handlerMapping);
configure(configurer);
http.apply(configurer);
String tokenEndpointPath = handlerMapping.getServletPath("/oauth/token");
String tokenKeyPath = handlerMapping.getServletPath("/oauth/token_key");
String checkTokenPath = handlerMapping.getServletPath("/oauth/check_token");
http
.authorizeRequests()
.antMatchers(tokenEndpointPath).fullyAuthenticated()
.antMatchers( HttpMethod.POST, "/users/**").fullyAuthenticated()
.antMatchers(tokenKeyPath).access(configurer.getTokenKeyAccess())
.antMatchers(checkTokenPath).access(configurer.getCheckTokenAccess())
.and()
.requestMatchers()
.requestMatchers( new AntPathRequestMatcher(tokenKeyPath),
new AntPathRequestMatcher(tokenEndpointPath),
new AntPathRequestMatcher(checkTokenPath),
new AntPathRequestMatcher("/users/**", HttpMethod.POST.name()));
http.setSharedObject(ClientDetailsService.class, clientDetailsService);
}
My first question is, the a better way to do this?
The second thing that I want to do is to auto create the AccessToken by password grant type when a new user is created (in the URI POST /users), and I can't figure any way to do this.
Can someone provide any insight on this two needs?
Thanks
Not sure if this is what you are asking but what I understad is that you want
to configure specific security constrains for request on /users endpoint with POST method. so
this is how I would do this.I do not think that extending
AuthorizationServerSecurityConfiguration is neccesary since recomended way
is usually to extend just WebSecurityConfigurerAdapter in your main
security config class, remember that you can configure your HttpSecurity multiple times for multiple endpoints, but if you configure the same endpoint in multiple places the last configuration read will be the one active
#EnableWebSecurity public class SecurityConfiguration extends
WebSecurityConfigurerAdapter {
//other methods ...
#Override
#Bean
public AuthenticationManager authenticationManagerBean() throws
Exception {
return super.authenticationManagerBean();
}
#Order(1)
#Override
protected void configure(HttpSecurity http) throws Exception {
//configure your path here
//I purposly configured GET user to
// permit all to see diference
//for example
// #formatter:off
http
.authorizeRequests()
.antMatchers(HttpMethod.GET,"/user")
.permitAll()
.antMatchers(HttpMethod.POST,"/user")
.fullyAuthenticated()
.and().csrf().disable()
.formLogin();
// #formatter:on
}
}
and then in your Ouath configuration
#Configuration
public class OAuth2ServerConfiguration {
private static final String RESOURCE_ID = "restservice";
#Configuration
#EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
#Override
public void configure(ResourceServerSecurityConfigurer resources) {
// #formatter:off
resources
.resourceId(RESOURCE_ID);
// #formatter:on
}
#Override
public void configure(HttpSecurity http) throws Exception {
// #formatter:off
http
.requestMatchers()
.antMatchers("/resources/**","/greeting")
.and()
.authorizeRequests()
.antMatchers("/resources").access("#oauth2.hasScope('read') or hasRole('ROLE_USER')")
.antMatchers("/greeting").access("#oauth2.hasScope('read')");
}
}
#Configuration
#EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
private TokenStore tokenStore = new InMemoryTokenStore();
#Autowired
#Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
// #formatter:off
endpoints
.tokenStore(this.tokenStore)
.authenticationManager(authenticationManager);
// #formatter:on
}
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
// #formatter:off
clients
.inMemory()
.withClient("clientapp")
.authorizedGrantTypes("password","refresh_token")
.authorities("USER")
.scopes("read", "write")
.resourceIds(RESOURCE_ID)
.secret("123456");
// #formatter:on
}
#Bean
#Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setSupportRefreshToken(true);
tokenServices.setTokenStore(this.tokenStore);
return tokenServices;
}
}
}
As you can see above HttpSecurity is conconfigured twice once in class that extends WebSecurityConfigurerAdapter and also in your class extendingResourceServerConfigurerAdapter for your Ouath configuration
part of this example is taken from this gitHub example by royclarkson
https://github.com/royclarkson/spring-rest-service-oauth
I am not sure what you are asking about in your second question, could you clarify ?
I am using spring-security 3.2.0.RC2 with java config and two HttpSecurity configurations. One for REST API and one for UI.
When I post to /logout it redirects to /login?logout but then (incorrectly) redirects to /login.
When i enter username and password successfully I get redirected to login?logout and have to enter credentials a second time to get to the main page.
So it seems like the permitAll for login is not being honored for login?logout.
My security config looks like this:
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Resource
private MyUserDetailsService userDetailsService;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
StandardPasswordEncoder encoder = new StandardPasswordEncoder();
auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
}
#Configuration
#Order(1)
public static class RestSecurityConfig
extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/v1/**").authorizeRequests()
.antMatchers("/v1/admin/**").hasRole("admin")
.antMatchers("/v1/account/**").hasRole("admin")
.antMatchers("/v1/plant/**").access("hasRole('admin') or hasRole('dataProvider')")
.antMatchers("/v1/upload/**").access("hasRole('admin') or hasRole('dataProvider')")
.antMatchers("/v1/**").authenticated()
.and().httpBasic();
}
}
#Configuration
#Order(2)
public static class UiSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/account/**").hasRole("admin")
.antMatchers("/admin/**").hasRole("admin")
.antMatchers("/plant/**").access("hasRole('admin') or hasRole('dataProvider')")
.antMatchers("/upload/**").access("hasRole('admin') or hasRole('dataProvider')")
.anyRequest().authenticated()
.and().formLogin().loginPage("/login").permitAll();
}
}
}
Can anyone explain why this is happening or what is wrong with my configuration?
A secondary problem that I see with this configuration is that the jsp tag sec:authorize url=... does not work although sec:authorize access=... does work.
In the url=... case it always shows the content even if the user is not authorized.
I know the user is not authorized becuase hitting the link that should have been hidden by the sec:authorize tag results in a 403 Forbidden.
Any help on this greatly appreciated!
I found a workaround for this apparent bug.
I added permitAll() on /login/** as follows:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/account/request/**").permitAll()
.antMatchers("/login/**").permitAll()
.antMatchers("/account/change_password/**").authenticated()
.antMatchers("/account/**").hasAuthority("admin")
.antMatchers("/admin/**").hasAuthority("admin")
.antMatchers("/plant/**").hasAnyAuthority("admin", "dataProvider")
.antMatchers("/upload/**").hasAnyAuthority("admin", "dataProvider")
.anyRequest().authenticated()
.and().formLogin().loginPage("/login").permitAll();
}
Answering my own question in case it helps anyone else who runs into this bug.
Instead of this:
.antMatchers("/login/**").permitAll()
I think the better solution would be this:
http
.authorizeRequests()
.antMatchers("/account/request/**").permitAll()
.*antMatchers("/login").permitAll()
.antMatchers("/account/change_password/**").authenticated()
.antMatchers("/account/**").hasAuthority("admin")
.antMatchers("/admin/**").hasAuthority("admin")
.antMatchers("/plant/**").hasAnyAuthority("admin", "dataProvider")
.antMatchers("/upload/**").hasAnyAuthority("admin", "dataProvider")
.anyRequest().authenticated()
.and().formLogin().loginPage("/login").permitAll().
.and().logout().logoutSuccessUrl("/login?logout").permitAll();
The reason being, url pattern for permitAll(), in this case has limited scope when compared to "/login/**"