Our application using spring framework need to implement request based CSRF token in order to meet security requirements. Currently we have session based CSRF token provided by HttpSessionCsrfTokenRepository as Spring default. According to instruction I found, by configuring xml like this
<security:csrf token-repository-ref="customRequestCsrfTokenRepository"/>
<bean id="customRequestCsrfTokenRepository" class="com.dev.common_web.security.configuration.CustomCsrfTokenRepository"/>
Custom token repository which implements CsrfTokenRepository interface will be loaded to handle token request.
However when application starts, and running in debug mode, I can see it is spring default HttpSessionCsrfTokenRepository is used to handle loading and generating of token. I have also tried using spring CookieCsrfTokenRepository in xml config like
<security:csrf token-repository-ref="cookieCsrfTokenRepository"/>
<bean id="cookieCsrfTokenRepository" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository"/>
And when application is running, it is again HttpSessionCsrfTokenRepository which is loaded to handle token request. Seems it doesn't matter what is configured as value of "token-repository-ref" in xml, it is always HttpSessionCsrfTokenRepository in use.
How to configure spring to use other csrf token repository instead of the default HttpSessionCsrfTokenRepository? We are using Spring 5.2.
I managed to figure this out :-).
In security.xml of our application, we have also customized csrf request matcher defined in order to disable csrf checking for some of the pages. When now adding customized csrf token repository, these two have to be defined in the same line inside <security:csrf ... />. If they are defined in two lines like this, only one is loaded.
<security:csrf token-repository-ref="customRequestCsrfTokenRepository"/>
<security:csrf request-matcher-ref="customCsrfRequestMatcher"/>
It has to be like this
<security:csrf token-repository-ref="customRequestCsrfTokenRepository" request-matcher-ref="customCsrfRequestMatcher" />
Related
In my Spring Boot application, user information is encoded and stored in cookies. For every request the user sends, server just needs to parse cookie. If success, server extracts user info and let the request pass. How can I implement this procedure in Spring Security by implementing a custom authentication procedure?
I'm trying to switch from Shiro to Spring Security.
You can write a sub class of AbstractAuthenticationProcessingFilter:
Abstract processor of browser-based HTTP-based authentication requests.
and add this class to the filter chain, see Spring Security Reference:
You can add your own filter to the stack, using the custom-filter element and one of these names to specify the position your filter should appear at:
<http>
<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="com.mycompany.MySpecialAuthenticationFilter"/>
I am trying to provide security to the REST endpoints. I am following instructions from this page. In my case I don't have view hence I haven't created controller to specify the views and haven't added viewResolver in my AppConfig.java
After implementation it correctly shows the access denied error upon calling a secured REST endpoint. But even though I specify username/password in the request header I get the access denied error. I am testing in postman setting username/password in Basic Auth. What am I missing any idea?
The example you have followed is implementing a form-based authentication. In order to change it to http auth (which is more suitable for REST services) you need to look for the following form-login tag in your security.xml:
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
And just change it to an empty http-basic tag:
<http-basic />
If you did not change anything else, then it supposed to work perfectly. You can also test your setup from your browser, by trying to access your page. If you configured everything properly you will get a popup this time, not a form. That will be HTTP-basic authentication welcoming you.
Since likely you are using the Java-based configuration, the equivalent of this change would be to replace:
http.authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
.and().formLogin();
with:
http.authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
.and().httpBasic();
Is it possible to somehow bypass spring security for certain cases? We are currently using spring security 3.1.x and this setup is working well (form-login, etc).
For our web-api, we now have a requirement that certain objects can be set as 'external' meaning that they should not require login. All objects will be under /api/* but the actual path will be dynamic (usually its /api/{type}/{id}).
Any suggestions?
you can define the url pattern in separate http to bypass spring security filter chain, like this
<http pattern="/api/**" security="none"/>
I modified my applicationContext-security-preauth.xml with the goal of removing filters from a particular URL.
I'm having trouble with the spring-security-oauth filter, so I want to temporarily avoid using this filter for particular requests.
<intercept-url pattern="/notsecure/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
After building and copying the new JAR, and then refreshing Tomcat, my /notsecure/ HTTP requests still hit this filter, according to my logs.
I would not have expected for any filter to be hit given my configuration change.
EDIT: I'm using Spring Security 2
If you want to avoid hitting any filters for that URL you will need an additional <http> element like this:
<security:http pattern="/notsecure/**" security="none"/>
(This will work only with Spring Security 3.1+)
IS_AUTHENTICATED_ANONYMOUSLY requires that the request is anonymously authenticated which is done by a filter (namely the AnonymousAuthenticationFilter).
I want to configure Spring Security to enable both BASIC and DIGEST authentication for the same set of URL's, but it's unclear whether or not this is possible. I see that I need to enable multiple AuthenticationEntryPoint instances to set the appropriate HTTP headers, but I don't see any built in classes to accomodate this. DelegatingAuthenticationEntryPoint comes close, but ultimately it only selects one entry point.
I implemented a custom AuthenticationEntryPoint that calls the commence method on a supplied list of AuthenticationEntryPoint instances, but it eventually throws an IllegalStateException because each AuthenticationEntryPoint calls sendError (which I gather is not allowed).
Is there any way to do this without implementing a completely custom entry point?
Id did it by configuring Spring security for Digest authentication only, and then adding a BasicProcessingFilter manually at the beginning of the filter chain, as explained There
<bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<security:custom-filter before="AUTHENTICATION_PROCESSING_FILTER"/>
<property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>