I am new to Spring Security and have run into a problem. When I attempt to access a page that is expected to be restricted it is displaying the requested page anyway, no 403 nor redirecting to login page, no errors in the logs, nothing, just as if Spring Security was not implemented at all.
When the application is deployed I see the following in the logs which tells me Spring Security is at least starting:
INFO: Checking whether login URL '/security/credentials' is accessible with your configuration
I have attempted to change the login page to a restricted page, just to test that is actually restricted and I get the following, which tells me that it is correctly being restricted, at least in the simulation.
INFO: Checking whether login URL '/dashboard' is accessible with your configuration
org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
WARNING: Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)
I have the following setup:
web.xml
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<welcome-file-list>
<welcome-file>
index.html
</welcome-file>
</welcome-file-list>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>messages</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/applicationContext.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>TRACE</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
</web-app>
The Spring Security configuration file is imported from my applicationContext.xml.
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true" use-expressions="true">
<form-login
login-page="/security/credentials"
login-processing-url="/security/signin"
default-target-url="/dashboard"
authentication-failure-url="/security/signin_failed" />
<intercept-url pattern="/resources/**" access="permitAll"/>
<intercept-url pattern="/security/**" access="permitAll" />
<intercept-url pattern="/favicon.ico" access="permitAll"/>
<intercept-url pattern="/**" access="denyAll"/>
<logout logout-success-url="/security/signout" />
<remember-me />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="test" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Spring is behaving correctly as you are actually telling Spring that /security/** requests requires no authentication (access="permitAll"):
...
<intercept-url pattern="/security/**" access="permitAll" />
...
If you wanted to restrict access to only authenticated users then you could specify:
...
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
Or if you wanted to restrict access to a specific role (replace ROLE_XXX with your specific role):
...
<intercept-url pattern="/security/**" access="hasRole('ROLE_XXX')" />
...
Please note that login related URLs can't be restricted (for obvious reasons):
login-page="/security/credentials"
login-processing-url="/security/signin"
default-target-url="/dashboard"
authentication-failure-url="/security/signin_failed" />
So either change them to rather start with something like /login/ instead of /security/ or add specific intercepts URLs for each of them (if you must use them):
...
<intercept-url pattern="/security/credentials" access="permitAll" />
<intercept-url pattern="/security/signin" access="permitAll" />
<intercept-url pattern="/security/signin_failed" access="permitAll" />
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
The more specific URLs should be declared first as Spring uses the first rule that it finds from the top.
I suggest try it after removing <remember-me /> tag, or deleting all the cookies first.
It appears because of existing cookie you are able to access /dashboard
Edit:
You have UrlRewriteFilter configured before spring security, check whats the final url thats given to spring security filter, or you can try after disabling UrlRewriteFilter ?
Related
I'm developing an application that uses JSF (Mojarra) to control de MVC flow, but I also want to integrate Spring Security for its Autehntication and Authorization processes.
However, I'm having a problem where Spring Bean Factory cannot instantiate the classes that I build to do custom login and so on. From there, the system doesn't even go online.
The stacktrace starts with:
java.lang.ClassNotFoundException: com.tfduque.fieldAssist.manager.LoginBean
And then
org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [com.tfduque.fieldAssist.manager.LoginBean] for bean with name 'authenticationEntryPoint' defined in ServletContext resource [/WEB-INF/applicationContext.xml]; nested exception is java.lang.ClassNotFoundException: com.tfduque.fieldAssist.manager.LoginBean
And so on...
(Full stacktrace)
This is how my folders are organized, if it matters:
My application context (for spring security configurations):
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/login*" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/images/**" security="none" />
<http pattern="/javascript/**" security="none" />
<http pattern="/Secured/**" create-session="stateless"
use-expressions="true">
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<http-basic />
</http>
<http auto-config="true" use-expressions="true"
access-decision-manager-ref="accessDecisionManager">
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<form-login login-page="/login.xhtml" login-processing-url="/j_login"
authentication-failure-url="/login.xhtml" always-use-default-target="false"
default-target-url="/" />
<logout invalidate-session="true" logout-success-url="/login.xhtml"
logout-url="/j_logout" delete-cookies="JSESSIONID" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="authenticationEntryPoint">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<beans:bean id="appUserDetailsService"
class="com.tfduque.fieldAssist.security.AppUserDetailsService" />
<beans:bean id="authenticationEntryPoint"
class=" com.tfduque.fieldAssist.manager.LoginBean">
<beans:property name="loginFormUrl" value="/Login.xhtml" />
<beans:property name="redirectStrategy" ref="jsfRedirectStrategy" />
</beans:bean>
</beans:beans>
Some of my web.xml configs (btw, I'm also using weld for injection):
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<!-- Listeners -->
<listener>
<listener-class>org.jboss.weld.environment.servlet.Listener</listener-class>
</listener>
<resource-env-ref>
<resource-env-ref-name>BeanManager</resource-env-ref-name>
<resource-env-ref-type>javax.enterprise.inject.spi.BeanManager</resource-env-ref-type>
</resource-env-ref>
<!-- Security -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Login Bean is annotated like this:
#Named("login")
#RequestScoped
public class LoginBean {
public String doLogin() throws IOException, ServletException {
[...]
}
I think that this is all needed to understand the problem.
I try to use Spring Security for an application which has 3 kinds of users: Admin, employee, and responsible. each one must be redirected after his authentication to his jsp pages which are grouped in a folder
this is my spring configuration but it doesn't work:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/**" access="ROLE_ADMIN" />
<intercept-url pattern="/responsable*" access="ROLE_RESP" />
<intercept-url pattern="/employee*" access="ROLE_EMP" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="123456" authorities="ROLE_ADMIN" />
<user name="resp" password="123456" authorities="ROLE_RESP" />
<user name="emp" password="123456" authorities="ROLE_EMP" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
and this is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>projet</display-name>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
<welcome-file>responsable/responsable.jsp</welcome-file>
<welcome-file>employee/employee.jsp</welcome-file>
</welcome-file-list>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<!-- Loads Spring Security config file -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml
</param-value>
</context-param>
</web-app>
#sad,
You are trying to use spring security as a re-director rather than its actual purpose. What your spring security definition means is that you are granting different users different levels of entitlements. So while Admin can visit every URL of your app, an employee may only have access to any area that begins with /employee URL. The actual redirection will happen within your Disptacher Servlet/Controller configuration. Thanks.
Here is my Spring Security configuration:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:applicationContext-security.xml
</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>tutorial.root</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<servlet>
<servlet-name>greetServlet</servlet-name>
<servlet-class>ru.andrew.springsecuregwt.server.GreetingServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>greetServlet</servlet-name>
<url-pattern>/springsecuregwt/greet</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>Springsecuregwt.html</welcome-file>
</welcome-file-list>
</web-app>
applicationContext-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<debug />
<global-method-security pre-post-annotations="enabled" />
<http pattern="/static/**" security="none"/>
<http pattern="/loggedout.jsp" security="none"/>
<http use-expressions="true">
<intercept-url pattern="/" access="isAuthenticated()" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"/>
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
<logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"/>
<remember-me />
</http>
<beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>
<authentication-manager>
<authentication-provider>
<password-encoder ref="encoder"/>
<user-service>
<user name="rod" password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde" authorities="supervisor, user, teller" />
<user name="dianne" password="957ea522524a41cbfb649a3e293d56268f840fd5b661b499b07858bc020d6d223f912e3ab303b00f" authorities="user,teller" />
<user name="scott" password="fb1f9e48058d30dc21c35ab4cf895e2a80f2f03fac549b51be637196dfb6b2b7276a89c65e38b7a1" authorities="user" />
<user name="peter" password="e175750688deee19d7179d444bfaf92129f4eea8b4503d83eb8f92a7dd9cda5fbae73638c913e420" authorities="user" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
When I click on the logout link, I'm successfully landing at the logout page, but if I enter
localhost:8080/projectname
in the new Chrome tab, I can gain access to the app, without any authentication page.
What do I do wrong and how can I fix such security issue?
Spring remembeMe functionality creates a cookie with the name 'SPRING_SECURITY_REMEMBER_ME_COOKIE'. It then uses this to authenticate. If your logout only deletes the webapp container session id the authentication will check for that and then the presence of this cookie. So you need to make sure you remove this cookie on logout.
I have read a lot of tutorials about using Spring Security 3 on Struts 2. But I can't make it work :/.
I can't find a "Dummy step by step guide" about implement this framework on Struts 2.
Here is what I have:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<display-name>cv</display-name>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>example/HelloWorld.jsp</welcome-file>
</welcome-file-list>
</web-app>
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context/spring-context-2.5.xsd"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/context/spring-context-2.5.xsd http://www.springframework.org/schema/context/spring-context-2.5.xsd/spring-spring-context-2.5.xsd-3.1.1.RELEASE.xsd
">
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http realm="Project Realm" auto-config="true" use-expressions="true">
<intercept-url pattern="/auth/**" filters="none"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
<form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
<logout logout-success-url="/auth/login.jsp"/>
<remember-me />
</http>
<http>
<intercept-url pattern="/login*" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/img/**" filters="none" />
<intercept-url pattern="/search.action*" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/user/**" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-page="/login.action" />
<logout logout-url="/logout.action" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
<user name="customer" password="customer" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</b:beans>
</beans>
And my HelloWorld.jsp
<body>
<h1>Welcome!</h1><br />
<sec:authorize access="isAnonymous()">
This session will be visible to an admin only.<br/>
You are an Administrator.<br/>
</sec:authorize>
<sec:authorize access="hasRole('ROLE_USER')">
This session will be visible to an Customer only.<br/>
You are an Customer.<br/>
</sec:authorize>
${HelloMessage}<br />
Logout
</body>
I want to test how the privileges works using the tag "isAnonymous" showing that block of text, but I can't make it work
:(
You need to add Spring Security's filter chain to the web.xml.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This goes after your Struts filter. This will allow Spring Security to check/block the request prior to Struts being handed the request.
Assuming the user is allowed to access the content Spring Security will set up a SecurityContext object that will make allow the JSP tags work.
I'm just getting started with Spring Security 3.1 and I haven't found a way to implment it on top of a JSF 2.1 web app. I currently have:
A web.xml with:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext-business.xml
/WEB-INF/applicationContext-security.xml
</param-value>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
And my applicationContext-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/resources/**" security="none" />
<http use-expressions="true">
<intercept-url pattern="/administracion/departamentos/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/derechos/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/diasfestivos/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/dias/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/solicitudes/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/empleados/**" access="recursoshumanos" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="rod" password="koala" authorities="recursoshumanos" />
<user name="dianne" password="emu" authorities="jefe" />
<user name="scott" password="wombat" authorities="jefe" />
</user-service>
</authentication-provider>
</authentication-manager>
I'm guessing this example would work with a regular .jsp but I'm probably missing additional steps to make it work with JSF, unfortunately, I haven't been able to find a fully working example so far. What do i need to do? Thanks!
Edit: The problem is that i can still navigate freely to the secured areas of the application without needing to log in.
Edit: BTW, I just noticed that a filter to the root of the web app does indeed trigger the authentication mechanism. It still fails everywhere else though.
Authorities should start with
ROLE_
Have a look here Spring Security FAQ and SO
As noted by gbagga, the answer was pretty simple: Add the "faces" part of the path to the patterns. Thanks!
Configuration seems to be correct. Maybe you are missing the auto-config="true" option in your http definition. See more here
http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ns-config.html#ns-auto-config
What is your problem exactly? You can not login with the specified username/password? Authorization is not applied to your application?