I am trying to retrieve a security context within my spring-jersey bean, however I keep getting Null authentication. When I run the same command from within my spring application it correctly retrieves the current logged in users security context.
The configuration of spring-jersey requires creating a separate servlet to the main spring application, thus the web.xml has two servlet's - one for spring app, second for jersey rest api.
Assuming the problem is related to this, I tried setting the security context sharing mode to global, however I still unable to get the context information from within Jersey.
SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_GLOBAL)
Any help with this would be greatly appreciated!
Many thanks,
Nigel
Perhaps user is simply not authenticated, because your Jersey requests don't have a session cookie and therefore are not associated with the authenticated user's session?
You may check it by enabling anonymous authentication in Spring Security - you should get anonymous authentication instead of null if the guess is right.
#axtavt Thank you for the comment. This clue helped solve my problem, checking how my security filters were configured, I found this line in my spring security configuration
<security:intercept-url pattern="/api/**" filters="none" />
This line effectively disables all spring security filters, removing this fixed the problem.
Many thanks for your help :)
Related
I'm having trouble getting Spring Security to work in my Spring MVC app. It is configured correctly (I think) and I am fully expecting it to use the configured security filter on all requests. It isn't. My question isn't to make sure I'm configured correctly so I'm not going to post any code, I am only asking if there is a method or something I can call in one of my controllers that will return true or false signifying if Spring Security is actually enabled or not so I can know how to proceed debugging. Thanks!
In your case, you could use spring actuator.
This is module used for application monitoring. You can read more about it, in this blog post: http://www.baeldung.com/spring-boot-actuators
I'm trying to understand how uel-interception works in spring security. Let assume that we write the following rule in our security config:
<security:intercept-url pattern="/secure/super/**" access="ROLE_WE_DONT_HAVE"/>
My question is is Spring Security going to create the object of AbstractSecurityInterceptor or what? I need to understand that because if my assumption about creation an object for each rule right I'm going to create the instances dynamically by myself in order to control authentication rule dynamically in runtime.
basically spring security will create one instance of FilterSecurityInterceptor
this filter will read the url pattern and will try to protected the mapped url
more information here spring security core
We have a Spring web application which already uses Spring security for authenticating users and granting access to a group of restricted pages. However we have another group of resources that we wish to secure. For this second group we don't want user authentication but instead we want users to go a page: /access.html and enter an access code (previously emailed to them) and then they will be granted access to those resources without login. The access code (token) will only be valid for a limited period of time and then it expires.
Can I use spring security somehow to implement this in parallel to the user authentication setup we already have in place?
Sure, there are a couple of ways to do this. It sounds like all you need to do is create a filter that can check for your token in the session/request and create/update the Spring Security context to have the desired role. Then authorization proceeds as normal.
In particular you will be adding GrantedAuthories to your Authentication object for the Spring Security Context. There are a lot of details to this process and I admit my answer is not complete but a full answer would be pretty extensive.
I have done the similar things with cookie.
You can implement your own filter which extends GenericFilterBean
And then set the config with spring-security like below
<security:http ... >
....
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="cookieAuthenticationFilter" />
</security:http>
Have a look at the source code of BasicAuthenticationFilter may be helpful.
I am new to spring security so not getting how to proceed for making the Url's to be authenticated should come from database.
What things to be added in applicationContext-security.xml and what custom java classes will be needed?
Please help me with example.
Thanks
I got the same issue with you. The following links would be helpful.
http://static.springsource.org/spring-security/site/faq.html#faq-dynamic-url-metadata
http://forum.springsource.org/showthread.php?112799-How-to-dynamically-decide-lt-intercept-url-gt-access-attribute-value-in-Spring-Security
How to dynamically decide <intercept-url> access attribute value in Spring Security?
i want code to check whether the user in logged in or not. I get replied with context that to use HttpServletRequest.getUserPrincipal(). But i do not know how to set the username in servlet so that it is further called by getUserPrincipal()
Thank in advance
To get a user via getUserPrincipal, you need to authenticate using container-managed authentication. This usually (always?) involves setting security constraints and authentication mechanisms in your web.xml. There are several examples in the JEE5 tutorial. How usernames/passwords are registered is an implementation detail that will depend on the servlet container and how it is configured.