Spring security authentication using database - java

I am struggling with spring security authentication using database. Simply saying it doesn't work - i can't login on my user, it always redirects me to accessdenied.
application-security.xml
<http auto-config="true" use-expressions="true">
<csrf disabled="true"/>
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/login" default-target-url="/AddUser.html" authentication-failure-url="/accessdenied" />
<logout logout-url="/j_spring_security_logout" logout-success-url="/logout"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select username,password,enabled from user_authentication where username=?"
authorities-by-username-query="select u1.username, u2.role from user_authentication u1, user_authorization u2 where u1.user_id = u2.user_id and u1.username =?" />
</authentication-provider>
</authentication-manager>
I have user = 'abcd' with password 'abcd'. Database query select u1.username, u2.role from user_authentication u1, user_authorization u2 where u1.user_id = u2.user_id and u1.username ='abc' returns 'abcd' with 'ROLE_ADMIN'. My login form must be ok (everything was ok when i was using hardcoded username and password in my application-security.xml). Also datasource is fine - it works for CRUD operations. Any ideas what might be wrong?

In the form-login:
<form-login login-page="/login"
default-target-url="/AddUser.html"
authentication-failure-url="/accessdenied" />
you dont't have any parameters like:
username-parameter="username"
password-parameter="password"
So just add them:
<form-login login-page="/login"
default-target-url="/AddUser.html"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/accessdenied" />

Related

Spring Security not Intercepting a particular pattern

In my security XML the interceptions are included as follow:
<security:http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
<security:headers>
<security:cache-control disabled="false"/>
</security:headers>
<security:csrf disabled="true"/>
<security:form-login
login-page="/login"
authentication-failure-url="/login_error"
username-parameter="username"
password-parameter="password"
default-target-url="/home"
always-use-default-target="false"
/>
<security:remember-me key="uniqueAndSecret" token-validity-seconds="604800"
remember-me-parameter="remember-me"/>
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/home" access="hasRole('ROLE_LOGIN')"/>
<security:intercept-url pattern="/business/*" access="hasRole('ROLE_MANAGE_BUSINESS')"/>
<security:intercept-url pattern="/clover/business/*" access="hasRole('ROLE_MANAGE_BUSINESS')"/>
<security:access-denied-handler error-page="/403"/>
<security:session-management session-fixation-protection="migrateSession" invalid-session-url="/login"
session-authentication-error-url="/logout">
</security:session-management>
<security:logout invalidate-session="true" logout-success-url="/login?logout" logout-url="/logout"
delete-cookies="JSESSIONID"/>
</security:http>
With this settings, http://localhost:8080/admin/clover/business/{businessId}?cloverAppType=kioskthis URL is intercepted but http://localhost:8080/admin/clover/business/{businessId}/order?cloverAppType=kiosk&appName=MainApp this URL is not intercepted (when the user is logged out, that URL can be accessed). With usage of the * wild card, is that URL pattern not intercepted? What can be done to resolve this?

Access to the specified resource has been forbidden

I use spring Security. I'm trying to redirect from profile.jsp. And have
Access to the specified resource has been forbidden.
So, as i understand it's because of access failure somewhere. Page i want redirect to is also profile.jsp. So, i change options and i want to reload page. But have an exception
I've watched many similar on other topics, but still cant resolve
spring configuration
<http auto-config="true">
<intercept-url pattern="/" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<intercept-url pattern="/chat" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/profile" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<form-login login-page="/login" default-target-url="/chat" authentication-failure-url="/login?error"
username-parameter="username" password-parameter="password"/>
<logout logout-success-url="/login?logout"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsServiceImpl">
<password-encoder ref="encoder"></password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsServiceImpl"
class="com.chat.my.service.UserDetailsServiceImpl"></beans:bean>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11"/>
</beans:bean>
Try to add
<intercept-url pattern="/login*" access="isAnonymous()" />
Could be that your login page also expect to be authenticated because of your
<intercept-url pattern="/" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>

How to set user detail in session atttribute after login in spring secuiry xml

I implement Spring Security in a project. I want to put a custom object(domain object) in session at the time of login, so that I can check the user details from HttpServletRequest object in any controller.
Please help me, how to do it?
My Spring security file is :
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/forgotPassword/**" access="permitAll" />
<intercept-url pattern="/css/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/listSensorData"
authentication-failure-url="/login?login_error=1"
username-parameter="username"
password-parameter="password"
login-processing-url="/loginSSuser"
></form-login>
<logout logout-success-url="/login" invalidate-session="true" logout-url="/logout" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="SsmsUserDetService" >
</authentication-provider>
</authentication-manager>

Combine OAuth and Basic auth in Spring Security

I have configured and working application with authentication provided by Spring Security. Here is configuration of authentication:
<http pattern="/login" security="none"/>
<http pattern="/datastore/list" security="none"/>
<http auto-config="true" use-expressions="true">
<logout logout-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/login" />
<form-login login-page="/login" authentication-failure-url="/login?success=false" default-target-url="/" />
<intercept-url pattern="/repository/**" access="isAuthenticated()" />
<intercept-url pattern="/solr/**" access="isAuthenticated()" />
<intercept-url pattern="/WebISG/**" access="isAuthenticated()" />
<intercept-url pattern="/datastore/**" access="isAuthenticated()" />
<intercept-url pattern="/*" access="isAuthenticated()" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="c2rAuthenticationProvider" />
</authentication-manager>
Now i need to add to this service ability to use OAuth so that users will be able to use every one of these to methods and write the same URLs. Is it possible?

return 403 error if isAuthenticated() == false

I have this spring security configuration:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/home.jsp" access="permitAll" />
<intercept-url pattern="/loginFailed" access="permitAll" />
<intercept-url pattern="/logOut" access="permitAll" />
<intercept-url pattern="/*" access="isAuthenticated()" />
<form-login login-page="/home.jsp" default-target-url="/index"
authentication-failure-url="/loginFailed" />
<logout logout-success-url="/logOut"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="N_a" password="12" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
If I type url, that need access="isAuthenticated() I redirect to home.jsp.
I want to see 403 error.
How to change it ?
You are using a form-based login and as such, when not authenticated, you will be prompted with the login-page. This is what you have configured and this is how, by default, Spring Security works.
If you want to override this you need to explicitly configure an AuthenticationEntryPoint to be precise the Http403ForbiddenEntryPoint. This basically always gives a 403 if someone isn't authenticated or doesn't have access. This disables the ability to be prompted with a login-form to give a user the change to login after all.
<beans:bean id="entryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<http auto-config="true" use-expressions="true" entry-point-ref="entryPoint">
<!-- Your other elements here -->
</http>
use access-denied-handler tag in http tag.
http://www.mkyong.com/spring-security/customize-http-403-access-denied-page-in-spring-security/
or use access-denied-page property.
<http auto-config="true" access-denied-page="/403"></http>

Categories