I have this spring security configuration:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/home.jsp" access="permitAll" />
<intercept-url pattern="/loginFailed" access="permitAll" />
<intercept-url pattern="/logOut" access="permitAll" />
<intercept-url pattern="/*" access="isAuthenticated()" />
<form-login login-page="/home.jsp" default-target-url="/index"
authentication-failure-url="/loginFailed" />
<logout logout-success-url="/logOut"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="N_a" password="12" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
If I type url, that need access="isAuthenticated() I redirect to home.jsp.
I want to see 403 error.
How to change it ?
You are using a form-based login and as such, when not authenticated, you will be prompted with the login-page. This is what you have configured and this is how, by default, Spring Security works.
If you want to override this you need to explicitly configure an AuthenticationEntryPoint to be precise the Http403ForbiddenEntryPoint. This basically always gives a 403 if someone isn't authenticated or doesn't have access. This disables the ability to be prompted with a login-form to give a user the change to login after all.
<beans:bean id="entryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<http auto-config="true" use-expressions="true" entry-point-ref="entryPoint">
<!-- Your other elements here -->
</http>
use access-denied-handler tag in http tag.
http://www.mkyong.com/spring-security/customize-http-403-access-denied-page-in-spring-security/
or use access-denied-page property.
<http auto-config="true" access-denied-page="/403"></http>
Related
my thought is to create a website where you can authenticate in two different ways: from a typical login (SpringSecurity) and from a CAS server.
A user reaching any protected page should be redirected to /login page, where Username and Password are needed to proceed further. Then we have a choice: clicking on "Login" button will authenticate the user ONLY for this site; otherwise clicking on "Login with CAS" will redirect the User on the Login of the CAS-server (or maybe, better: directly submit Username and Password to the CAS server) and then redirected to the web application.
Either from local or CAS, a user successfully logged in must have access to the site. How can I do this? For now, I only got the local authentication - and it's working.
spring-security.xml
<http auto-config="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/static/**" access="permitAll" />
<intercept-url pattern="/srv/**" access="permitAll" />
<intercept-url pattern="/admin" access="hasAnyRole('ROLE_ADMIN')" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
<...>
</http>
<form-login login-page='/login'
default-target-url="/home"
authentication-success-handler-ref="authSuccessHandler"
authentication-failure-url="/login?error=true" />
<logout logout-success-url="/login" />
<session-management invalid-session-url="/login">
<concurrency-control expired-url="/login" />
</session-management>
</http>
<authentication-manager>
<authentication-provider ref="authProvider"/>
</authentication-manager>
I'm not using SpringBoot; i got SpringSecurity 4.0.3 and Spring Framework 4.3.7
I use spring Security. I'm trying to redirect from profile.jsp. And have
Access to the specified resource has been forbidden.
So, as i understand it's because of access failure somewhere. Page i want redirect to is also profile.jsp. So, i change options and i want to reload page. But have an exception
I've watched many similar on other topics, but still cant resolve
spring configuration
<http auto-config="true">
<intercept-url pattern="/" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<intercept-url pattern="/chat" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/profile" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<form-login login-page="/login" default-target-url="/chat" authentication-failure-url="/login?error"
username-parameter="username" password-parameter="password"/>
<logout logout-success-url="/login?logout"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsServiceImpl">
<password-encoder ref="encoder"></password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsServiceImpl"
class="com.chat.my.service.UserDetailsServiceImpl"></beans:bean>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11"/>
</beans:bean>
Try to add
<intercept-url pattern="/login*" access="isAnonymous()" />
Could be that your login page also expect to be authenticated because of your
<intercept-url pattern="/" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
I developed java application using spring mvc and spring security.
and when i upload and deploy the WAR file on tomcat7 it fails and give me this messages in the url:
manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=982F861CA67920658BC340994D5B7A32
How can i fix the problem and upload my web application properly ?
[EDITED]
My code:
<http auto-config="true" use-expressions="true">
<csrf/>
<!-- custom login -->
<form-login login-page="/login" login-processing-url="/login" username-parameter="custom_email"
password-parameter="custom_password" authentication-failure-url="/login?error=true"/>
<remember-me key="remember-me"/>
<!-- css and js-->
<intercept-url pattern="resources/cms/**" access="permitAll"/>
<intercept-url pattern="resources/home/**" access="permitAll"/>
<intercept-url pattern="/wro/**" access="permitAll"/>
<intercept-url pattern="/cms/**" requires-channel="any" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/account/**" requires-channel="any" access="isAuthenticated()"/>
<intercept-url pattern="/cart/**" requires-channel="any" access="isAuthenticated()"/>
<intercept-url pattern="/checkout/**" requires-channel="any" access="isAuthenticated()"/>
<logout logout-url="/logout" logout-success-url="/login"/>
<!--<csrf disabled="true"/>-->
</http>
<authentication-manager>
<authentication-provider user-service-ref="customUserDetailsService">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
Edit your Spring-security.xml
<http auto-config="true" use-expressions="true">
...
<csrf disabled="true"/>
</http>
I have configured and working application with authentication provided by Spring Security. Here is configuration of authentication:
<http pattern="/login" security="none"/>
<http pattern="/datastore/list" security="none"/>
<http auto-config="true" use-expressions="true">
<logout logout-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/login" />
<form-login login-page="/login" authentication-failure-url="/login?success=false" default-target-url="/" />
<intercept-url pattern="/repository/**" access="isAuthenticated()" />
<intercept-url pattern="/solr/**" access="isAuthenticated()" />
<intercept-url pattern="/WebISG/**" access="isAuthenticated()" />
<intercept-url pattern="/datastore/**" access="isAuthenticated()" />
<intercept-url pattern="/*" access="isAuthenticated()" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="c2rAuthenticationProvider" />
</authentication-manager>
Now i need to add to this service ability to use OAuth so that users will be able to use every one of these to methods and write the same URLs. Is it possible?
I created a spring mvc application with spring security. I tried to set authentication for all url with spring security.
Springsecurity.xml
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService" >
<password-encoder hash="bcrypt" />
</authentication-provider>
</authentication-manager>
When I giving intercept-url to /** the page doesnot loading. It makes a timeout.
But when giving intercept-url to /admin it works perfectly. Why this happens?
Your intercept pattern for all request is OK, but you need to include an exception for your login page, try adding
<http security="none" pattern="/login"/>
UPDATE with respect to the comment
The approach above completely switches off Spring security for the given URL. As you're using CSFR, it means that spring security filter should attend to this URL as well, but not for the sake of the authentication, rather for the sake of including the unpredictable token that can secure from session fixation attacks. In any case, here's a way to process the URL with spring security, without prompting for authentication. Instead of using the above, use the following
<intercept-url pattern="/login" access="isAnonymous()"/>
inside the
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="isAnonymous()"/>
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
...