We Keep Coding

Multiple login form in spring security

I'm new to the spring and in my project I need to add two login forms to both admins and users through spring security. Up to this point I was able to create one login page successfully. Here is my
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/welcome*" access="isAnonymous()"/>
<intercept-url pattern="/signup*" access="isAnonymous()"/>
<!--<intercept-url pattern="/login*" access="isAnonymous()" />-->
<intercept-url pattern="/selection" access="isAuthenticated()"/>
<intercept-url pattern="/dashboard" access="isAuthenticated()"/>
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/selection"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<csrf/>
</http>
<!-- Select users and user_roles from database -->
<authentication-manager>
<authentication-provider user-service-ref="myUserDetailsService" >
<password-encoder hash="plaintext" />
</authentication-provider>
</authentication-manager>
<beans:bean id="myUserDetailsService" class="com.cse.cloud4s.service.MyUserDetailsService"/>
</beans:beans>
web.xml
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml,
/WEB-INF/spring-database.xml
</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
How can I modify the code to use multiple login pages?

You can have as many login pages as you want, but only one default login page the one to which spring security redirects if user is not authenticated - anyway, it would be hard to guess before authentication if user wants to log as admin.
The only rule is that all login pages must submit same fields to same url, and that that url is processed by spring security.
My only question is why do you need multiple login page ? The spring security way is to have privileges attached to login name, not to the way you log in.

From Spring Security 3.1 it is now possible to use multiple http
elements to define separate security filter chain configurations for
different request patterns. If the pattern attribute is omitted from
an http element, it matches all requests. Creating an unsecured
pattern is a simple example of this syntax, where the pattern is
mapped to an empty filter chain.
For more details refer this Spring Security Documenttation

Access denied on the index.jsp due to spring security

This issue is related to spring security. Whenever I run my application on tomcat by default index.jsp opens but now i am getting access denied on this page.
From index.jsp i am redirecting the page to login.jsp, but since I am getting access denied on this page, redirection is not happening. What i meant to say is if hit: "localhost:8080/abc" I am getting access denied but if I hit "localhost:8080/abc/login" the page opens. (just to be clear, abc is the application context)
I am pretty much sure i have messed up somewhere in the spring security config, because it was working fine before.
Below are my files:
This is my spring-security.xml
<sec:global-method-security pre-post-annotations="enabled"/>
<!--
Add white listed urls here.
Please note that the filter chain will not be applied and the security context not populated.
Use for static resource mostly
-->
<http pattern="/resources/**" security="none" />
<http pattern="/login" security="none" />
<http pattern="/login1" security="none" />
<http pattern="/googleLogin" security="none" />
<!-- Add protected resource here -->
<http use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<custom-filter position="PRE_AUTH_FILTER" ref="oauth2PreAuthFilter" />
<intercept-url pattern="/menu" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/request/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/device/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="AuthenticationService" />
</authentication-manager>
<beans:bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<beans:bean id="AuthenticationService" class="com.hitesh.security.AuthenticateUserService"/>
<beans:bean id="oauth2PreAuthFilter" class="com.hitesh.security.OAuth2PreAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<beans:bean id="preAuthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
</beans:bean>
<beans:bean id="preAuthenticatedUserDetailsService" class="com.hitesh.security.Oauth2PreAuthenticatedUserService"/>
This is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>Inventory Project</display-name>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:/abc/application.xml,
classpath:/abc/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I am stuck on this for quite a time, any help will be really appreciated.
Update: On application startup, my code is going into the oauth2PreAuthFilter. For index.jsp, it shouldn't run this filter. Is there a way to avoid this, i have tried
<http pattern="/index" security="none" />
but this didn't helped.

Try this (use your values):
<http use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<custom-filter position="PRE_AUTH_FILTER" ref="oauth2PreAuthFilter" />
<intercept-url pattern="/menu" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/request/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/device/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page='/login.htm' default-target-url="/home.htm"/>
</http>

Got the fix:
<http auto-config="true" pattern="/index.jsp" />

Cannot secure HTML files using Spring-Security

I have a webapp which I deploy on google appengine. I believe that the issue is not related to GAE, but there is something that I am missing...
Basically, I want to force the user to be authenticated in order to see/use anything that is under /secured dir. I have HTML page that is under this dir, but the user can easily navigate to it (without being authenticated). How do I secure it using SS?
I read this and that, tried it but it did not help :-(
My config - web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- to integrate Spring with AppEngine project -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-servlet.xml</param-value>
</context-param>
<!-- if we work with Spring-security, we already have a listener -->
<!-- listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener-->
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
spring-servlet.xml:
<context:annotation-config />
<context:property-placeholder location="classpath:client.properties" />
<context:component-scan base-package="com.nice.coffee" />
<context:component-scan base-package="com.ohadr.auth_flows" />
<context:component-scan base-package="com.ohadr.crypto" />
<mvc:annotation-driven />
<mvc:default-servlet-handler />
<!-- dont use debug! https://jira.spring.io/browse/SEC-1885 >
<sec:debug />
-->
<mvc:resources mapping="/secured/**" location="/secured/" />
<sec:http pattern="/login/**" security="none" />
<sec:http pattern="/forgotPasswordPage" security="none" />
<sec:http pattern="/forgotPassword" security="none" />
<sec:http pattern="/createAccountPage" security="none" />
<sec:http pattern="/createAccount" security="none" />
<sec:http authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/**/ohad.html" access="ROLE_ADMIN" />
<sec:intercept-url pattern="/secured/**" access="ROLE_USER" />
<sec:anonymous />
<sec:form-login login-page="/login/login.htm"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler" />
</sec:http>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider
user-service-ref="userDetailsService">
<sec:password-encoder hash="sha-256">
<sec:salt-source user-property="username" />
</sec:password-encoder>
</sec:authentication-provider>
</sec:authentication-manager>...
my proj hierarchy:
...thanks in advance!

Rather than putting the secured pags under src/main/webapp/secured, which get served up directly, put them in src/main/resources/secured, and change your resources statement to
<mvc:resources mapping="/secured/**" location="classpath:/secured/" />

It appears that my problem was in this line:
<mvc:resources mapping="/secured/**" location="/secured/" />
spring-mvc is "confused" where both location and mapping are with the same name. So when a request to a resource enters the application, e.g. .../secured/my.html, spring-mvc does not use the mapping at all.
The solution was to change the location name (or the mapping, but I changed the location-name) so i ended up with:
<mvc:resources mapping="/secured/**" location="/secured_resources/" />
and all my resources (html, JS, etc) were under a dir called 'secured_resources'. Then, when a request arrived to the application, e.g .../secured/my.html, it was mapped successfully using MVC, hence the browser is redirected to login page, etc.

Spring Security not restricting access

I am new to Spring Security and have run into a problem. When I attempt to access a page that is expected to be restricted it is displaying the requested page anyway, no 403 nor redirecting to login page, no errors in the logs, nothing, just as if Spring Security was not implemented at all.
When the application is deployed I see the following in the logs which tells me Spring Security is at least starting:
INFO: Checking whether login URL '/security/credentials' is accessible with your configuration
I have attempted to change the login page to a restricted page, just to test that is actually restricted and I get the following, which tells me that it is correctly being restricted, at least in the simulation.
INFO: Checking whether login URL '/dashboard' is accessible with your configuration
org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
WARNING: Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)
I have the following setup:
web.xml
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<welcome-file-list>
<welcome-file>
index.html
</welcome-file>
</welcome-file-list>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>messages</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/applicationContext.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>TRACE</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
</web-app>
The Spring Security configuration file is imported from my applicationContext.xml.
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true" use-expressions="true">
<form-login
login-page="/security/credentials"
login-processing-url="/security/signin"
default-target-url="/dashboard"
authentication-failure-url="/security/signin_failed" />
<intercept-url pattern="/resources/**" access="permitAll"/>
<intercept-url pattern="/security/**" access="permitAll" />
<intercept-url pattern="/favicon.ico" access="permitAll"/>
<intercept-url pattern="/**" access="denyAll"/>
<logout logout-success-url="/security/signout" />
<remember-me />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="test" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>

Spring is behaving correctly as you are actually telling Spring that /security/** requests requires no authentication (access="permitAll"):
...
<intercept-url pattern="/security/**" access="permitAll" />
...
If you wanted to restrict access to only authenticated users then you could specify:
...
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
Or if you wanted to restrict access to a specific role (replace ROLE_XXX with your specific role):
...
<intercept-url pattern="/security/**" access="hasRole('ROLE_XXX')" />
...
Please note that login related URLs can't be restricted (for obvious reasons):
login-page="/security/credentials"
login-processing-url="/security/signin"
default-target-url="/dashboard"
authentication-failure-url="/security/signin_failed" />
So either change them to rather start with something like /login/ instead of /security/ or add specific intercepts URLs for each of them (if you must use them):
...
<intercept-url pattern="/security/credentials" access="permitAll" />
<intercept-url pattern="/security/signin" access="permitAll" />
<intercept-url pattern="/security/signin_failed" access="permitAll" />
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
The more specific URLs should be declared first as Spring uses the first rule that it finds from the top.

I suggest try it after removing <remember-me /> tag, or deleting all the cookies first.
It appears because of existing cookie you are able to access /dashboard
Edit:
You have UrlRewriteFilter configured before spring security, check whats the final url thats given to spring security filter, or you can try after disabling UrlRewriteFilter ?

How use Spring Security 3 on Struts 2?

I have read a lot of tutorials about using Spring Security 3 on Struts 2. But I can't make it work :/.
I can't find a "Dummy step by step guide" about implement this framework on Struts 2.
Here is what I have:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<display-name>cv</display-name>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>example/HelloWorld.jsp</welcome-file>
</welcome-file-list>
</web-app>
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context/spring-context-2.5.xsd"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/context/spring-context-2.5.xsd http://www.springframework.org/schema/context/spring-context-2.5.xsd/spring-spring-context-2.5.xsd-3.1.1.RELEASE.xsd
">
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http realm="Project Realm" auto-config="true" use-expressions="true">
<intercept-url pattern="/auth/**" filters="none"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
<form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
<logout logout-success-url="/auth/login.jsp"/>
<remember-me />
</http>
<http>
<intercept-url pattern="/login*" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/img/**" filters="none" />
<intercept-url pattern="/search.action*" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/user/**" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-page="/login.action" />
<logout logout-url="/logout.action" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
<user name="customer" password="customer" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</b:beans>
</beans>
And my HelloWorld.jsp
<body>
<h1>Welcome!</h1><br />
<sec:authorize access="isAnonymous()">
This session will be visible to an admin only.<br/>
You are an Administrator.<br/>
</sec:authorize>
<sec:authorize access="hasRole('ROLE_USER')">
This session will be visible to an Customer only.<br/>
You are an Customer.<br/>
</sec:authorize>
${HelloMessage}<br />
Logout
</body>
I want to test how the privileges works using the tag "isAnonymous" showing that block of text, but I can't make it work
:(

You need to add Spring Security's filter chain to the web.xml.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This goes after your Struts filter. This will allow Spring Security to check/block the request prior to Struts being handed the request.
Assuming the user is allowed to access the content Spring Security will set up a SecurityContext object that will make allow the JSP tags work.