I have a project secured via Spring Security. I need to determine whether the user who has just accessed a JSP is already logged in. I've read some articles, posts here and documentation and tried to implement it with this code:
<sec:authorize ifAnyGranted="ROLE_ANONYMOUS">
USER NOT LOGGED IN
<td>Login</td>
</sec:authorize>
<sec:authorize ifNotGranted="ROLE_ANONYMOUS">
USER LOGGED IN
<td>Logout</td>
</sec:authorize>
Nevertheless I always get "USER LOGGED IN" and I can't figure out why. This is my security context:
<beans xmlns:security="http://www.springframework.org/schema/security"
xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http pattern="/resources/**" security="none"/>
<security:http pattern="/login*" security="none" auto-config="true"/>
<security:http pattern="/denied" security="none"/>
<security:http auto-config="true" access-denied-page="/denied" servlet-api-provision="false">
<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/edit/**" access="ROLE_EDIT"/>
<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
<security:form-login login-page="/login" authentication-failure-url="/denied"
default-target-url="/"/>
<security:logout logout-success-url="/login" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="adam" password="adampassword" authorities="ROLE_USER"/>
<security:user name="jane" password="janepassword" authorities="ROLE_USER, ROLE_ADMIN"/>
<security:user name="sue" password="suepassword" authorities="ROLE_USER, ROLE_EDIT"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
I'd appreciate any help :)
If a page is accessible to anyone, as set in your security context, you can conditionally display content like so:
<sec:authorize var="loggedIn" access="isAuthenticated()"/>
and using fairly standard JSTL you can then:
<c:choose>
<c:when test="${loggedIn}"><td>Logout</td></c:when>
<c:otherwise><td>Login</td></c:otherwise>
</c:choose>
A tad of googling tells me ifNotGranted is deprecated.
I have a problem with Spring Security. It looks like this:
I change some data in a form
I leave the computer for some time (enough to timeout the active session)
I come back to the computer
I click a "save" button in the webapp
Now - the data IS saved to the database, and then the app logs me out, telling me that my session has timed out. This behavior is improper; how do I make sure that I am completely logged out after the defined or default time, without any possibility of saving data after the timeout?
My security-context.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
<import resource="spring-database.xml" />
<security:http pattern="/login" security="none" />
<security:http pattern="/loginfailed" security="none" />
<security:http pattern="/403" security="none" />
<security:http auto-config="true">
<security:intercept-url pattern="/*" access="ROLE_ADMIN" />
<security:form-login login-page="/login"
default-target-url="/" authentication-failure-url="/loginfailed" />
<security:logout logout-success-url="/login" />
<security:access-denied-handler
error-page="/403" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service
data-source-ref="dataSource"
users-by-username-query="select username,password, enabled from users where username= ?"
authorities-by-username-query="select username,role from user_roles where username= ?" />
</security:authentication-provider>
</security:authentication-manager>
</beans>
You are missing an XML attribute in your <security:logout> tag. Just add invalidate-session="true" to this tag. This way, in every case of an invalid session the user will be forced to log in again. You may read more about this feature of Spring Security in this thread.
Below you may find a part of your XML which includes the aforementioned attribute.
...
<security:http auto-config="true">
<security:intercept-url pattern="/*" access="ROLE_ADMIN" />
<security:form-login login-page="/login"
default-target-url="/" authentication-failure-url="/loginfailed" />
<security:logout logout-success-url="/login" invalidate-session="true"/>
<security:access-denied-handler
error-page="/403" />
</security:http>
...
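As an added example (not the answerer's configuration), here is the same <security:http> block written so that a request arriving after the session has expired is rejected before any controller runs. Two checks a practitioner would want: invalidate-session already defaults to true on <security:logout>, and that element only governs an explicit logout request, not a timeout; and an Ant pattern of /* matches a single path segment only, so a save endpoint with a nested path such as /orders/save (an assumed name, used here for illustration) would fall outside the ROLE_ADMIN rule altogether and reach the controller without any check. With /** every request is covered, a request carrying no live session is sent to the login page by the entry point before the controller is called, and <security:session-management invalid-session-url> catches a browser that still presents a JSESSIONID which no longer exists. The /login?expired URL is likewise an assumption.

```xml
<!-- Added example, not from the original answer. Assumptions: the save
     endpoint lives at a nested path such as /orders/save, and the login
     page accepts an "expired" query parameter. -->
<security:http auto-config="true">
    <!-- /** (not /*) also covers nested paths such as /orders/save.
         /* matches only single-segment URLs, so nested controllers would be
         reachable without authentication. -->
    <security:intercept-url pattern="/**" access="ROLE_ADMIN" />

    <!-- A request whose JSESSIONID is no longer valid (timed out) is
         redirected here before the controller runs, so nothing is saved. -->
    <security:session-management invalid-session-url="/login?expired" />

    <security:form-login login-page="/login"
        default-target-url="/" authentication-failure-url="/loginfailed" />

    <!-- invalidate-session defaults to true and only applies to an explicit
         logout. delete-cookies removes the stale cookie so that a user who
         logs out and returns is not treated as an expired session. -->
    <security:logout logout-success-url="/login"
        invalidate-session="true" delete-cookies="JSESSIONID" />

    <security:access-denied-handler error-page="/403" />
</security:http>
```

The remaining <security:http pattern="..." security="none"/> elements for /login, /loginfailed and /403 stay as in the question; they are outside the filter chain and are not affected by the session check.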
Spring Security: how can an admin perform every action under /admin/** using just one intercept-url?
Spring Security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/user**" access="permitAll" />
<!-- access denied page -->
<access-denied-handler error-page="/noaccess" />
<form-login login-page="/login" authentication-failure-url="/loginfailed" authentication-success-handler-ref="customSuccessHandler"
username-parameter="username" password-parameter="password" />
<logout logout-success-url="/logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider user-service-ref="loginService" />
</authentication-manager>
<beans:bean id="customSuccessHandler" class="com.slp.pro.handler.CustomSuccessHandler" />
</beans:beans>
I am pretty new to Spring Security and I have the following problem.
I have this controller method that handles requests to the /riepilogoCentrale resource:
@RequestMapping(value = "/riepilogoCentrale", method = RequestMethod.GET)
public String riepilogoUtenteCentrale(HttpServletRequest request, Model model, Locale locale) {
System.out.println("INTO riepilogoUtenteCentrale()");
return "centrale/riepilogoCentrale";
}
My problem is that this resource (and so the page rendered from it) has to be accessible to everyone, including users who are not logged in, but with Spring Security configured as it is, if I try to access this resource as a visitor (not logged in) Spring redirects me to the login page.
This is my Spring Security configuration file (named spring-security.xml):
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http pattern="/resources/**" security="none"/>
<http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/registrati" access="permitAll" />
<intercept-url pattern="/salvaRegistrazione" access="permitAll" />
<intercept-url pattern="/captcha.html" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<logout logout-success-url="/login" logout-url="/logout" />
<form-login login-page="/login"
authentication-failure-url="/login?error=true"
default-target-url="/"
username-parameter="nomeUtente"
password-parameter="password"
login-processing-url="/j_spring_security_check"/>
<csrf disabled="true"/>
</http>
<authentication-manager id="authenticationManager" >
<authentication-provider>
<jdbc-user-service data-source-ref="datasource"
users-by-username-query="select des_usr_par, des_psw_par,true from TID001_ANAGPARTECIPA where des_usr_par =?"
authorities-by-username-query="select des_usr_par, prg_par from TID001_ANAGPARTECIPA where des_usr_par = ? "/>
</authentication-provider>
</authentication-manager>
</beans:beans>
So, how can I exclude /riepilogoCentrale from Spring Security management and make it accessible to users who are not logged in as well?
You're already doing this for some of your resources; for example:
<intercept-url pattern="/salvaRegistrazione" access="permitAll" />
I would imagine that you'd add another intercept-url value including /riepilogoCentrale as the pattern, and implement other business logic inside of your controller based on whether or not the user is authenticated.
You are already excluding some resources.
<http pattern="/resources/**" security="none"/>
Just add the same entry for your /riepilogoCentrale resource.
(sorry for my English)
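To make the difference between the two answers concrete, here is an added example configuration (not code from either answerer) showing both ways of opening /riepilogoCentrale. security="none" removes the URL from the Spring Security filter chain entirely: no SecurityContext is populated for that request, so a check of "is the user logged in" inside the controller, or a <sec:authorize> tag in the rendered JSP, sees nothing even for a user who is signed in elsewhere on the site. permitAll keeps the URL in the chain and only skips the authorization decision, so the controller still sees the real Authentication (or the anonymous one) and the business logic the first answer suggests can work. Keep only one of the two options.

```xml
<!-- Added example, not from the original page. Keep either Option A or
     Option B for /riepilogoCentrale, not both. -->

<!-- Option A: outside Spring Security entirely. No filter runs for this URL,
     so SecurityContextHolder is empty here even for a logged-in user and the
     controller cannot tell visitors and members apart. Suitable for purely
     static content, like /resources/**. -->
<http pattern="/riepilogoCentrale" security="none"/>
<http pattern="/resources/**" security="none"/>

<http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
    <!-- Option B: inside the filter chain, but without an authorization
         check. The Authentication for the session (or the anonymous one)
         is available to the controller and to <sec:authorize>, so
         "show extra data if authenticated" logic works. -->
    <intercept-url pattern="/riepilogoCentrale" access="permitAll" />

    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/registrati" access="permitAll" />
    <intercept-url pattern="/salvaRegistrazione" access="permitAll" />
    <intercept-url pattern="/captcha.html" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- form-login, logout and csrf settings unchanged from the question -->
    <logout logout-success-url="/login" logout-url="/logout" />
    <form-login login-page="/login"
        authentication-failure-url="/login?error=true"
        default-target-url="/"
        username-parameter="nomeUtente"
        password-parameter="password"
        login-processing-url="/j_spring_security_check"/>
    <csrf disabled="true"/>
</http>
```

If both were left in place, Option A would win: the <http pattern="/riepilogoCentrale" security="none"/> element is consulted first, so the permitAll rule in the second block would never be reached.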
I'm new to Spring Security, and I need the application to redirect to another page once my user is logged in, but apparently I have no permission and I'm getting the error "HTTP Status 404 - /springsecurity/medicoPaciente.jsp". I don't know what to do. My code is:
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<http auto-config="true">
<intercept-url pattern="/admin**" access="ROLE_USER" />
<intercept-url pattern="/vistaPacientet**" access="ROLE_GUEST" />
<form-login login-page="/login" default-target-url="/medico"
authentication-failure-url="/login?error" username-parameter="username"
password-parameter="password" />
<form-login login-page="/login" default-target-url="/medview/**"
authentication-failure-url="/login?error" username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<csrf />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="mau" password="1" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
I think this is where I have to declare all the JSPs.
Please help me :(
I have been using Spring Security 2.x for some time now, but recently I switched to 3.x. I always use my own implementation of UserDetails interface and authentication against DB.
Everything works fine (logging in, logging out, url filters, seeing username of authorized user, etc.).
The only thing left to do was to display a "Please login" message when the user is not authorized. I tried a few approaches:
<sec:authorize access="not isAnonymous()">
or
<sec:authorize access="hasRole('ROLE_ANONYMOUS')">
etc.
None of them worked. Finally I added <sec:authentication property="principal.authorities" /> to my home page output to debug what roles user really has. This is what I see:
Logged user - [ROLE_USER, ROLE_ADMIN]
Unauthorized user - `` <- empty String
It looks like I somehow lost the default ROLE_ANONYMOUS authority, which was always added by Spring, if I recall correctly. Was that recently dropped or something? Perhaps I have to take care of this anonymous access in some other manner?
Relevant part of security context:
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- UNPROTECTED RESOURCES -->
<http pattern="/" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http pattern="/home" security="none"/>
<http pattern="/login*" security="none"/>
<http pattern="/resources/**" security="none"/>
<!-- PROTECTED RESOURCES -->
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/admin/**" access="hasRole('ROLE_USER,ROLE_ADMIN')"/>
<form-login login-page="/login" default-target-url="/dashboard" authentication-failure-url="/login?login_error=true"/>
<logout logout-url="/logout"/>
</http>
<beans:bean id="userAccountsAuthenticationProvider" class="pl.xxx.utils.UserAccountsAuthenticationProvider" />
<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<beans:property name="userPropertyToUse" value="salt" />
</beans:bean>
<authentication-manager>
<authentication-provider user-service-ref="userAccountsAuthenticationProvider">
<password-encoder ref="standardPasswordEncoder"/>
</authentication-provider>
</authentication-manager>
</beans:beans>
Anonymous authentication can be configured in a few different ways - do you use <http auto-config="true">, the <anonymous> tag, or define the beans yourself as a custom filter? It'll be easier if you post your security-context.xml.
Anyway, you want to display "Please login", so I assume you really wanted
<sec:authorize access="isAnonymous()">Please login</sec:authorize>
without "not" (by the way I can't find if "not" is a valid part of expression in this context).
Another way is to use isAuthenticated() instead, negate it in EL and see if it works in your case:
<sec:authorize access="isAuthenticated()" var="isAuthenticated" />
<c:if test="${not isAuthenticated}">
<!-- do stuff -->
</c:if>
EDIT:
Change security="none" to access="IS_AUTHENTICATED_ANONYMOUSLY" and move chosen patterns to intercept-url. It should enable Spring Security's Filter Chain and apply AnonymousAuthenticationFilter on request:
<!-- UNPROTECTED RESOURCES -->
<http pattern="/favicon.ico" security="none"/>
<http pattern="/resources/**" security="none"/>
<!-- PROTECTED RESOURCES -->
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/home" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/admin/**" access="hasRole('ROLE_USER,ROLE_ADMIN')"/>
<form-login login-page="/login" default-target-url="/dashboard" authentication-failure-url="/login?login_error=true"/>
<logout logout-url="/logout"/>
</http>
assuming you want use isAnonymous() in /, /home and /login*.
My previous solution worked because with security="none" checking for isAuthenticated() always yielded false, so negating it was like checking for not being logged in.
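As an added example rather than the answerer's configuration, here is the protected <http> block from the EDIT with the corrections a reviewer would want before relying on it. First, intercept-url rules are evaluated in declaration order and the first match wins, so with /** listed before /admin/** the admin rule is never consulted; the more specific pattern must come first. Second, hasRole('ROLE_USER,ROLE_ADMIN') tests for a single authority literally named ROLE_USER,ROLE_ADMIN; hasAnyRole('ROLE_USER','ROLE_ADMIN') expresses what was meant, or hasRole('ROLE_ADMIN') if admin pages are really for admins only. Third, once use-expressions="true" is set, the access attribute has to be an expression, so the open URLs use permitAll instead of the IS_AUTHENTICATED_ANONYMOUSLY keyword, which is not valid SpEL and fails when evaluated. Because those URLs now pass through the filter chain, the AnonymousAuthenticationFilter that auto-config registers gives an unauthenticated visitor a principal with ROLE_ANONYMOUS, which is what makes isAnonymous() and isAuthenticated() in <sec:authorize> behave as expected on them. Static resources are left outside the chain, since they never need a SecurityContext.

```xml
<!-- Added example, not from the original answer: the EDIT's protected block
     with rule ordering, role expressions and the open-URL access values fixed. -->
<!-- UNPROTECTED RESOURCES: static files never need a SecurityContext -->
<http pattern="/favicon.ico" security="none"/>
<http pattern="/resources/**" security="none"/>

<!-- PROTECTED RESOURCES -->
<http auto-config="true" use-expressions="true">
    <!-- Rules are matched top to bottom and the first match wins, so the
         most specific pattern must come first. hasAnyRole accepts several
         authorities; hasRole('ROLE_USER,ROLE_ADMIN') would look for one
         authority with that literal comma-separated name. -->
    <intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>

    <!-- Open pages stay inside the filter chain: the anonymous filter assigns
         ROLE_ANONYMOUS here, so <sec:authorize access="isAnonymous()"> and
         isAuthenticated() can distinguish visitors from logged-in users.
         With use-expressions="true" the value must be an expression. -->
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/home" access="permitAll"/>
    <intercept-url pattern="/login*" access="permitAll"/>

    <!-- Catch-all goes last. -->
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>

    <form-login login-page="/login" default-target-url="/dashboard"
                authentication-failure-url="/login?login_error=true"/>
    <logout logout-url="/logout"/>
</http>
```

A quick way to confirm the ordering is right is to visit /admin/ as a user who holds only ROLE_USER after dropping ROLE_USER from the hasAnyRole list: the request must be refused, which it never is while /** sits above /admin/**.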