Spring security web-socket authorization schema - java

I use spring security to implement security on my site:
....
<!-- Question's current configuration: one filter chain for the whole site. -->
<security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrentSessionFilter"/>
<security:form-login
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler"
/>
<!-- NOTE(review): this rule has no access attribute, so it carries no authorization
     decision. As far as I recall the namespace parser skips such entries when it builds
     the interceptor's metadata, which would leave /api/** unprotected by this element.
     Confirm, and give it an explicit value (a role name, since use-expressions is false). -->
<security:intercept-url pattern="/api/**"/>
<!-- No anonymous token: an unauthenticated request reaches the entry point directly. -->
<security:anonymous enabled="false"/>
<security:logout logout-url="/logout" delete-cookies="JSESSIONID,sessionId"
success-handler-ref="logoutSuccessHandler"
/>
<!-- NOTE(review): CSRF protection is disabled for the entire chain, so every
     cookie-authenticated request, including the /api/** ones, can be forged from another
     origin. If it was disabled for a non-browser client, scope the exemption to that
     client's requests instead of the whole site. -->
<security:csrf disabled="true"/>
<security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
</security:http>
....
<!-- Providers are consulted in document order: the LDAP provider first, then a provider
     backed by XXXXUserDetailsService. A WebSocket login would have to feed this same
     manager, since it is the only place credentials are verified. -->
<security:authentication-manager>
<security:authentication-provider ref="XXXXLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="XXXXUserDetailsService"/>
</security:authentication-manager>
....
I use web sockets on my site and sometimes it is useful to login through web sockets.
I have no idea where to dig. Please share your expertise.


How can I add basic authentication for json

The application I'm working on already has user authentication (it's a desktop application). I need to add basic authentication on the url /teachers.htm so that a third-party can receive data in json format. How can I do this?
Oh, and I can't use Spring Boot.
security.xml
<!-- security.xml as it stands: one custom provider and one browser chain. -->
<security:authentication-manager>
<security:authentication-provider ref="customAuthProvider">
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true" create-session="always">
<!-- isAuthenticatedIfRequired() is not a built-in expression; it comes from
     customExpressionHandler, so whether an unauthenticated user may reach a URL is
     decided inside that handler rather than by the rule below. -->
<security:expression-handler ref="customExpressionHandler" />
<security:intercept-url pattern="/**" access="isAuthenticatedIfRequired()" />
<!-- The failure URL is the login page itself; a failed attempt shows no error marker. -->
<security:form-login login-page="/login" default-target-url="/index.htm" username-parameter="login" always-use-default-target="true"
password-parameter="password" authentication-failure-url="/login" />
<security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout.htm" />
<security:session-management session-authentication-strategy-ref="customAuthenticationStrategy" />
</security:http>
CustomAuthenticationProvider
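@Override
@Transactional(readOnly = true)
public Authentication authenticate(Authentication authentication) throws AuthenticationException
{
    // NOTE(review): the credential the caller supplied (authentication.getCredentials())
    // is never compared with anything in this method; any request that names an existing
    // login is authenticated. Confirm the check happens elsewhere, because the http-basic
    // entry point added below routes third-party requests through this same provider.
    UserInfo user = userDao.findUserByLogin((String) authentication.getPrincipal());
    // An unknown login presumably yields null here; it is then dereferenced below, so the
    // caller sees a NullPointerException (HTTP 500) instead of an AuthenticationException.
    WebAuthenticationDetails details = (WebAuthenticationDetails) authentication.getDetails();
    // Session tracking is a side effect of authentication: the user is recorded as logged
    // in before the token is built and before any caller could still reject it.
    sessionsInfo.addLoggedInUser(details.getSessionId(), user);
    // Credentials field is null: the returned token carries no password.
    return new TRUsernamePasswordAuthenticationToken(user.getId(), user.getLoginName(),
            user.getName(), user.getUserType(), user.getUserLanguage(), null, authorities,
            organizations, user.getCurrentOrganizationId());
}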
There is a special tag for that: http-basic.
In your case it will be something like this:
<!-- Basic authentication for the single third-party URL.
     NOTE(review): the Authorization header carries the credentials base64-encoded on
     every request, so this chain should be reachable over TLS only (requires-channel="https"
     on the rule, or TLS termination in front of the application). A second http element
     in the same file also needs a pattern attribute, as the final configuration below shows. -->
<security:http use-expressions="true">
<security:intercept-url pattern="/teachers.htm" access="isAuthenticated()" />
<security:http-basic />
</security:http>
Because I already had authentication in the app, I resolved the issue by configuring two entry points in Spring Security. The result:
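<!-- In-memory account used by the /pw/** chain only.
     NOTE(review): the password sits in clear text in the configuration. Load it from an
     externalised property and store a hash, with a matching password encoder on the
     provider that uses this service. -->
<security:user-service id="apiUserDetailsService">
  <security:user name="user" password="pw" authorities="ROLE_ADMIN" />
</security:user-service>
<!-- One manager serves both chains. Providers are tried in order, so the in-memory
     API user is likely accepted by the form login as well, not only by the basic-auth
     chain; give it the least authority the API needs. -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="customAuthProvider">
  </security:authentication-provider>
  <security:authentication-provider user-service-ref="apiUserDetailsService"/>
</security:authentication-manager>
<!-- Basic-auth chain for the third party. Rules are matched first-hit; the closing
     /pw/** rule makes every other URL routed to this chain require ROLE_ADMIN too.
     Without it a /pw/... request that matches no rule is passed through by the
     interceptor as public. -->
<security:http entry-point-ref="basicAuthEntryPoint" pattern="/pw/**" use-expressions="true">
  <security:intercept-url pattern="/pw/smth.htm" access="hasAnyRole('ROLE_ADMIN')" />
  <security:intercept-url pattern="/pw/**" access="hasAnyRole('ROLE_ADMIN')" />
  <!-- Basic credentials travel base64-encoded on every request; confine this chain to
       TLS (requires-channel="https" on the rules, or terminate TLS in front). -->
  <security:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER" />
</security:http>
<bean id="basicAuthEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
  <property name="realmName" value="REST Realm" />
</bean>
<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationEntryPoint" ref="basicAuthEntryPoint" />
</bean>
<!-- Browser chain for everything not under /pw/**, unchanged from the question. -->
<security:http use-expressions="true" create-session="always">
  <security:expression-handler ref="customExpressionHandler"/>
  <security:intercept-url pattern="/pages/activationcode.jsp" access="permitAll()"/>
  <security:intercept-url pattern="/**/*.css" access="permitAll()"/>
  <security:intercept-url pattern="/**" access="isAuthenticatedIfRequired()"/>
  <security:form-login login-page="/login" default-target-url="/index.htm" username-parameter="login" always-use-default-target="true"
                       password-parameter="password" authentication-failure-url="/login"/>
  <security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout.htm"/>
  <security:session-management session-authentication-strategy-ref="customAuthenticationStrategy"/>
</security:http>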

Spring Security not Intercepting a particular pattern

In my security XML the interceptions are included as follow:
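<security:http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
  <security:headers>
    <security:cache-control disabled="false"/>
  </security:headers>
  <!-- NOTE(review): CSRF protection is off for the whole application, so the login,
       logout and every state-changing page are forgeable from another origin. -->
  <security:csrf disabled="true"/>
  <security:form-login
      login-page="/login"
      authentication-failure-url="/login_error"
      username-parameter="username"
      password-parameter="password"
      default-target-url="/home"
      always-use-default-target="false"
  />
  <!-- NOTE(review): the key is the secret that signs the persistent-login cookie; a
       guessable literal committed to the config lets anyone mint a valid cookie for any
       user. Externalise a long random value. The cookie stays valid for 7 days. -->
  <security:remember-me key="uniqueAndSecret" token-validity-seconds="604800"
      remember-me-parameter="remember-me"/>
  <!-- Rules are matched first-hit, top to bottom, against the path inside the servlet
       context (the /admin prefix in the example URLs is presumably the context path). -->
  <security:intercept-url pattern="/login" access="permitAll"/>
  <!-- The failure page must stay reachable once the catch-all rule below is in place;
       /login?logout is covered by the /login rule already. -->
  <security:intercept-url pattern="/login_error" access="permitAll"/>
  <security:intercept-url pattern="/home" access="hasRole('ROLE_LOGIN')"/>
  <!-- A single * matches exactly one path segment, which is why
       /clover/business/{id}/order was not covered; ** matches any depth. -->
  <security:intercept-url pattern="/business/**" access="hasRole('ROLE_MANAGE_BUSINESS')"/>
  <security:intercept-url pattern="/clover/business/**" access="hasRole('ROLE_MANAGE_BUSINESS')"/>
  <!-- Deny by default. Without a final rule, a URL that matches nothing above is passed
       through unauthenticated. Add permitAll rules for static resources above this line. -->
  <security:intercept-url pattern="/**" access="isAuthenticated()"/>
  <security:access-denied-handler error-page="/403"/>
  <security:session-management session-fixation-protection="migrateSession" invalid-session-url="/login"
      session-authentication-error-url="/logout">
  </security:session-management>
  <security:logout invalidate-session="true" logout-success-url="/login?logout" logout-url="/logout"
      delete-cookies="JSESSIONID"/>
</security:http>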
With these settings, the URL http://localhost:8080/admin/clover/business/{businessId}?cloverAppType=kiosk is intercepted, but the URL http://localhost:8080/admin/clover/business/{businessId}/order?cloverAppType=kiosk&appName=MainApp is not (when the user is logged out, that URL can still be accessed). With the * wildcard, is that URL pattern not intercepted? What can be done to resolve this?

spring security with custom login page

I want to use a custom login page. By default the login-processing-url is /j_spring_security_check, but in my case I don't want to set /j_spring_security_check in the action attribute of my login form; instead I am using a custom action (a method in the login controller). The problem is that with my code I can't use the in-memory list of users (jimi, bob): no authentication is achieved, so my application keeps redirecting me to the login page. Do I have to create my own filter in place of the UsernamePasswordAuthenticationFilter? Any ideas? Hope I've made myself clear.
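<security:http auto-config="false" use-expressions="false">
  <security:intercept-url pattern="/mysite/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  <security:intercept-url pattern="/**" access="ROLE_USER" />
  <!-- When the form should post somewhere other than the default processing URL, set
       login-processing-url on this element: UsernamePasswordAuthenticationFilter then
       handles that URL. A controller action that receives the post instead never reaches
       the filter, so no authentication takes place. (The stray quote after
       always-use-default-target in the original made this element malformed.) -->
  <security:form-login login-page="/mysite/login" username-parameter="username" password-parameter="password" default-target-url="/mysite/home" always-use-default-target="false"/>
  <!-- logout-success-url is /logout; if /logout is also the logout URL in the version in
       use, this redirects the browser straight back into the logout filter. Confirm. -->
  <security:logout logout-success-url="/logout" />
</security:http>
<security:authentication-manager>
  <security:authentication-provider>
    <security:user-service>
      <!-- NOTE(review): neither user carries a password attribute. As far as I recall the
           namespace parser assigns a random password in that case, so these accounts can
           never authenticate through the form, which matches the symptom described above.
           Give each user a password, hashed, with a password encoder on the provider. -->
      <security:user name="jimi" authorities="ROLE_USER, ROLE_ADMIN" />
      <security:user name="bob" authorities="ROLE_USER" />
    </security:user-service>
  </security:authentication-provider>
</security:authentication-manager>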

Spring logging in with any details

Does anyone know in Spring a way to implement a user-service or authentication provider that will accept any user when logging in?
This is further to my previous question: spring-ws get username & password
I have a basic security setup in my spring-ws project:
<security:http auto-config="true">
<!-- Rules are matched first-hit: /** already covers every path, so the /*.wsdl rule
     below is never consulted. Put the more specific pattern first if it is meant
     to differ from the general one. -->
<security:intercept-url pattern="/**" access="ROLE_USER" />
<security:intercept-url pattern="/*.wsdl" access="ROLE_USER" />
<!-- Basic credentials are sent base64-encoded with each request; confine to TLS. -->
<security:http-basic/>
</security:http>
<!-- NOTE(review): erase-credentials="false" keeps the clear-text password inside the
     Authentication object for the lifetime of the security context (the previous question
     needed it to read the password back). Anything that can read that context, including
     a serialized session or a heap dump, then sees the password. -->
<security:authentication-manager erase-credentials="false">
<!-- NOTE(review): user-service-ref and a nested user-service are both given; presumably
     only one is intended. Confirm which one the parser honours before relying on it. -->
<security:authentication-provider user-service-ref="userService">
<security:user-service>
<security:user name="me" password="mypass"
authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
I don't want to specify users in the user-service, I want a user with any details to have access, I simply want to make sure the user gives a username and password and to ensure that I can access this from the SecurityContextHolder.
Is it necessary to implement my own user-service or authentication-provider to do this and if so can anyone point in the direction of an example or provide me with one?
Thanks!
You need to provide your own AuthenticationProvider i.e. an implementation of the org.springframework.security.authentication.AuthenticationProvider interface.
<!-- Answer: a single custom provider replaces the in-memory user list. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="myProvider" />
</security:authentication-manager>
<!-- class is given without a package; use the fully qualified name in a real file.
     NOTE(review): a provider that accepts every username/password pair performs no
     authentication. It should at least reject an empty name or credential with an
     AuthenticationException, otherwise an empty Basic header is enough to obtain
     ROLE_USER. -->
<bean id="myProvider" class="MyProvider"/>
MyProvider can then either delegate to a custom UserDetailsService to set the authorities (the roles) or set ROLE_USER directly.
if you change
<security:http auto-config="true">
to
<security:http auto-config="true" use-expressions="true">
you can then set your intercepts from
<!-- First match wins: /** already matches every path, so the /*.wsdl rule never applies. -->
<security:intercept-url pattern="/**" access="ROLE_USER" />
<security:intercept-url pattern="/*.wsdl" access="ROLE_USER" />
to
<!-- isAuthenticated() excludes the anonymous token; the same first-match caveat applies,
     the /*.wsdl rule is shadowed by /**. -->
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:intercept-url pattern="/*.wsdl" access="isAuthenticated()" />
that will allow any authenticated user access to those url patterns.
You need to do the following:
Configure your intercept URL to provide access to any role names. You can do this by doing the following:
<security:http auto-config="true">
<!-- IS_AUTHENTICATED_REMEMBERED admits fully authenticated and remember-me users but not
     the anonymous token. The /*.wsdl rule is shadowed by /** (first match wins). -->
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
<security:intercept-url pattern="/*.wsdl" access="IS_AUTHENTICATED_REMEMBERED" />
<security:http-basic/>
</security:http>
Create your own user service which grants at least one authority to the user for any username and password combination.
Configure spring security to use the service you created.
<bean id="userService" class="com.ek.UserService" />
<!-- NOTE(review): authentication-manager and authentication-provider appear here without
     the security: prefix used throughout the question's file; they parse only if the
     security namespace is the default namespace there. Keep one prefix convention. -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userService" />
</authentication-manager>
I hope this gives you the idea on what you need to do. Else, we can work on creating a sample code for you.

How to use a simple Spring Security AuthenticationProvider without logon page?

I have a simple authentication provider that I'm trying to use with Spring Security.
<!-- auto-config="true" registers form login and http-basic, which is where the redirect
     to a login page on the first unauthenticated request comes from. -->
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
<security:authentication-manager>
<security:authentication-provider
ref="ipAddressAuthenticationProvider" />
</security:authentication-manager>
Currently, with the above configuration, the user is redirected to a logon page on the first visit. I do not want this redirect. I'm trying to hit this authentication provider on every page visit. Is there any way to make this work without writing additional custom code?
I'm guessing I need to cleanly get rid of form filter and basic filter somehow.
Result
I got it working with the config below. I had to extend AbstractPreAuthenticatedProcessingFilter and simply return ""; for both of its abstract methods.
<!-- Result: a pre-authentication chain with no login mechanism. The entry point is
     Http403ForbiddenEntryPoint, so a request the filter cannot identify gets a 403
     instead of a redirect. -->
<security:http use-expressions="true" entry-point-ref="http403ForbiddenEntryPoint">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
</security:http>
<!-- NOTE(review): the identity established here is, by the filter's name, the client IP
     address. Behind a proxy or load balancer the address the application sees is the
     proxy's, and if the filter reads a forwarded header instead, the client chooses the
     value. Rely on this only where the network path to the application is controlled. -->
<bean id="preAuthFilter" class="com.hercules.ratinggame.business.security.IpAddressPreAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="http403ForbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="ipAddressAuthenticationProvider" />
</security:authentication-manager>
Currently you use auto-config="true", which means you get a few filters configured under the hood, including the <form-login> element with the UsernamePasswordAuthenticationFilter filter.
Also, to hit this authentication provider on every page visit you'll need a filter which can obtain data from the request (the IP address, as far as I can see). The filter will probably be RequestHeaderAuthenticationFilter or, more likely, your own AbstractPreAuthenticatedProcessingFilter implementation which will have access to your authentication-manager.
To sum up, configuration will look like:
<!-- Suggested configuration. No entry-point-ref is given here; with neither form-login
     nor http-basic present the namespace presumably cannot pick an entry point on its
     own, which is why the Result above adds Http403ForbiddenEntryPoint. -->
<security:http use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:logout /> <!-- optional -->
<security:custom-filter position="PRE_AUTH_FILTER"
ref="ipFromRequestPreAuthenticationFilter" />
</security:http>
<!-- this will probably extend AbstractPreAuthenticatedProcessingFilter -->
<!-- NOTE(review): an identity derived from the request's IP address is only as
     trustworthy as the network path; behind a proxy the application sees the proxy's
     address, and a forwarded header is chosen by the client. -->
<bean id="ipFromRequestPreAuthenticationFilter"
class="com.example.IpFromRequestPreAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ipAddressAuthenticationProvider" />
</security:authentication-manager>
