Code was working fine now have replaced the below line in security.xml to provide role based security, but getting access denied http status-403
Replaced
<intercept-url pattern="/inputcreate*" access="isAuthenticated()" />
with
<intercept-url pattern="/inputcreate*" access="hasAnyRole('admin','user')" />
spring-security.xml
<http use-expressions="true" auto-config="true">
<!-- <intercept-url pattern="/inputcreate*" access="isAuthenticated()" /> -->
<intercept-url pattern="/inputcreate*" access="hasAnyRole('admin','user')" />
<form-login login-page="/login.html" default-target-url="/inputcreate.html"
authentication-failure-url="/login.html" username-parameter="j_username"
password-parameter="j_password" login-processing-url="/j_spring_security_check" />
<logout logout-url="/j_spring_security_logout"
logout-success-url="/index.html" />
</http>
just Replaced
<intercept-url pattern="/inputcreate*" access="hasAnyRole('admin','user')" />
with
<intercept-url pattern="/inputcreate*" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
After googling 3-4 hour, made this above change
This worked for me!!!!
In the Spring documentation it has been given here, to prefix role
public void setRolePrefix(String rolePrefix)
Allows a default role prefix to be specified. If this is set to a non-empty value, then it is automatically prepended to any roles read in from the db.
This may for example be used to add the ROLE_ prefix expected to exist in role names (by default) by some other Spring Security classes, in the case that the prefix is not already present in the db.
Parameters:
rolePrefix - the new prefix
Related
In Spring Security:
<sec:http pattern="/api/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/**" access="ROLE_ADMIN" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
in this line <intercept-url pattern="/api/**" access="ROLE_ADMIN" />
What is difference meaning if I write:
<intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" />
or:
<intercept-url pattern="/api/**" access="hasAnyRole('ROLE_ADMIN')" />
As Spring Security documentation states:
hasRole([role]): Returns true if the current principal has the
specified role
hasAnyRole([role1,role2]): Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings).
Also, on access attribute, documentation states:
access: Lists the access attributes which will be stored in the
FilterInvocationSecurityMetadataSource for the defined URL
pattern/method combination. This should be a comma-separated list of
the security configuration attributes (such as role names).
But in your case, you're passing a single element list to the hasAnyRole, So:
access="ROLE_ADMIN" Vs access="hasAnyRole('ROLE_ADMIN')
hasRole('ROLE_ADMIN') and hasAnyRole('ROLE_ADMIN') are identical and both means that the current principal should have the ROLE_ADMIN authority.
(a "principal" generally means a user, device or some other system which can perform an action in your application).
I am using Spring Security in my project.
In the XML for configuring the security, I want to use 'Spring EL'. Instead of using access="ROLE_ADMIN" I want to use hasRole('ROLE_ADMIN') and isAuthenticated() for the access values mentioned in below code.
For that I used 'use-expressions="true"' in <http> tag. But I am still not getting output. It says that the resource is not available.
The code is currently working properly but I want to use Spring EL.
XML file:
<!-- security configuration -->
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/admin" access="ROLE_ADMIN" />
<security:intercept-url pattern="/welcome" access="ROLE_ADMIN" />
<security:access-denied-handler error-page="/accessdenied403" />
<security:form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<security:logout logout-success-url="/login?logout" />
</security:http>
So, how to use Spring EL to set value for access?
does your updated config now looks like
<security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/welcome" access="hasRole('ROLE_ADMIN')" />
Which version of Spring and Spring Security you are using?
What exception you are getting can you set log level to trace and post the log along with any stack trace here?
Are you sure you have all required jar in class path?
I created a spring mvc application with spring security. I tried to set authentication for all url with spring security.
Springsecurity.xml
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService" >
<password-encoder hash="bcrypt" />
</authentication-provider>
</authentication-manager>
When I giving intercept-url to /** the page doesnot loading. It makes a timeout.
But when giving intercept-url to /admin it works perfectly. Why this happens?
Your intercept pattern for all request is OK, but you need to include an exception for your login page, try adding
<http security="none" pattern="/login"/>
UPDATE with respect to the comment
The approach above completely switches off Spring security for the given URL. As you're using CSFR, it means that spring security filter should attend to this URL as well, but not for the sake of the authentication, rather for the sake of including the unpredictable token that can secure from session fixation attacks. In any case, here's a way to process the URL with spring security, without prompting for authentication. Instead of using the above, use the following
<intercept-url pattern="/login" access="isAnonymous()"/>
inside the
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="isAnonymous()"/>
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
...
I have this spring security configuration:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/home.jsp" access="permitAll" />
<intercept-url pattern="/loginFailed" access="permitAll" />
<intercept-url pattern="/logOut" access="permitAll" />
<intercept-url pattern="/*" access="isAuthenticated()" />
<form-login login-page="/home.jsp" default-target-url="/index"
authentication-failure-url="/loginFailed" />
<logout logout-success-url="/logOut"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="N_a" password="12" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
If I type url, that need access="isAuthenticated() I redirect to home.jsp.
I want to see 403 error.
How to change it ?
You are using a form-based login and as such, when not authenticated, you will be prompted with the login-page. This is what you have configured and this is how, by default, Spring Security works.
If you want to override this you need to explicitly configure an AuthenticationEntryPoint to be precise the Http403ForbiddenEntryPoint. This basically always gives a 403 if someone isn't authenticated or doesn't have access. This disables the ability to be prompted with a login-form to give a user the change to login after all.
<beans:bean id="entryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<http auto-config="true" use-expressions="true" entry-point-ref="entryPoint">
<!-- Your other elements here -->
</http>
use access-denied-handler tag in http tag.
http://www.mkyong.com/spring-security/customize-http-403-access-denied-page-in-spring-security/
or use access-denied-page property.
<http auto-config="true" access-denied-page="/403"></http>
I'm trying to configure spring MVC to not authenticate any pages that have no authentication (enable the use of ROLE_ANONYMOUS as explicitly required for all pages).
But I get this message in the debug logs:
o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted
The FilterSecurityInterceptor is added by the namespace. And I think I need to setRejectPublicInvocations on the filter to disable this.
But I don't see any way to do this through the http namespace. Do I have to abandon using the http namespace entirely just to accomplish this?
In my case I basically did this.
and it's working for anon users.
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/img/**" filters="none" />
<intercept-url pattern="/loginform.*" filters="none" />
<intercept-url pattern="/topic/addtopic**"
access="hasAnyRole('USER_ROLE','ADMIN_ROLE','OPER_ROLE')" />
<intercept-url pattern="/user/**"
access="hasAnyRole('USER_ROLE','ADMIN_ROLE','OPER_ROLE')" />
<intercept-url pattern="/admin/**" access="hasRole('ADMIN_ROLE')" />
<intercept-url pattern="/cadastro.*" filters="none" />
<form-login login-page="/loginform.html"
authentication-failure-url="/loginform.html?error=invalido" />
</http>