Spring security XML: how to express? - spring-security

I have an application using Spring security to control the access to its endpoints.
There are two endpoints /aaa and /bbb secured as:
<security:http pattern="/aaa/**">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/aaa/**" access="isAuthenticated()" />
<security:intercept-url pattern="/aaa/**" access="#oauth2.hasScope('aaa_scope')" />
</security:http>
<security:http pattern="/bbb/**">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/bbb/**" access="isAuthenticated()" />
<security:intercept-url pattern="/bbb/**" access="#oauth2.hasScope('bbb_scope')" />
</security:http>
I need to move /bbb under /aaa, i.e. to make it into /aaa/bbb while maintaining the original security checks
for the "bbb" part (now relocated)
and for the "aaa" part except for the "bbb" part parked under it.
How do I express this in Spring security XML?
What would a descriptor incantation look like?
====================
I tried the following naive combination
<security:http pattern="/aaa/bbb/**">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/aaa/bbb/**" access="isAuthenticated()" />
<security:intercept-url pattern="/aaa/bbb/**" access="#oauth2.hasScope('bbb_scope')" />
</security:http>
<security:http pattern="/aaa/**">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/aaa/**" access="isAuthenticated()" />
<security:intercept-url pattern="/aaa/**" access="#oauth2.hasScope('aaa_scope')" />
</security:http>
but empirically observed that it allows the holder of aaa_scope (not having bbb_scope) to access /aaa/bbb.
Apparently failing an access via first descriptor causes the request not to be aborted right there, but going on try the remaining descriptors.
Thanks for advice.

Related

How to configure Spring Security with Pretty Faces?

The title of the question speaks for itself.
I want both to secure home.xhtml and the clean URL /Home.
In spring security config, do i need to do what follows or is there another way of doing it ?
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/home.xhtml" access="isAuthenticated()" />
<security:intercept-url pattern="/Home" access="isAuthenticated()" />
</security:http>
Thanks
UPDATE :
Actually my solution is to be careful with files and url names.I do this in spring security file to be more coherent:
<security:intercept-url pattern="/Home*" access="isAuthenticated()" />
That secures the two URL...all url in fact beginning by Home (not case sensitive)

Spring Security all rolles except anonymous

hi i have an spring security application
<http auto-config="true">
<intercept-url pattern="/**" />
<form-login authentication-failure-handler-ref="authenticationFailureHandler" authentication-success-handler-ref="authenticationSuccessHandler" login-page="${loginUrl}" authentication-failure-url="${loginUrl}" />
<logout logout-url="/logout" invalidate-session="true" success-handler-ref="logoutSuccessHandler" />
<anonymous enabled='false'/>
</http>
but anonymous user is not intercepted, how can i allow all roles but not ROLE_ANONYMOUS?
Try IS_AUTHENTICATED_FULLY:
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
You can do the same thing using SpEL expression:
<http auto-config="true" use-expressions="true">
...
<intercept-url pattern="/**" access="isAuthenticated()" />
...
</http>
All available expressions are listed here.
In general SpEL expressions are more flexible.

Removing Session in Spring Security

I want to put security for all the URL's except the login screen URL in spring security,
but I don't want to use session management.
Please help me out in this issue.
my security context file is below
<security:http pattern="/" security="none" />
<security:http auto-config="false" use-expressions="true" create-session="stateless" access-denied-page="/" entry-point-ref="authenticationEntryPoint" >
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:intercept-url pattern="/logout" access="permitAll" />
<security:intercept-url pattern="/logout.jsp" access="permitAll" />
<security:logout logout-url="/j_spring_security_logout" />
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
</security:http>
The ordering of your intercept-url tags is wrong. Quote from the reference docs:
You can use multiple elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top.
Move the intercept-url with the universal match pattern to the bottom of the list.

Mapping each http block to a specific Authentication Provider

I would like to base my Spring Security configuration depending on the user's context path. If the user goes against a url with http://path1/resource1 I would like to direct them to a specific authentication provider. If they come in on http://path2/resource2 I would like to direct them to a different authentication provider. These url paths are REST based web services calls so that's why they're stateless and not coming from a form. Currently, all authentication providers get executed. What is the best approach for this situation? I'm using spring-security 3.1.0.M1.
<http pattern="/path1/**" create-session="stateless">
<intercept-url pattern="/**" access="ROLE_USER,ROLE_VAR,ROLE_ADMIN" />
<http-basic />
</http>
<http pattern="/path2/**" create-session="stateless">
<intercept-url pattern="/**" access="ROLE_USER,ROLE_VAR,ROLE_ADMIN" />
<http-basic />
</http>
You can define an authentication-manager reference in each http block:
<http pattern="/api/**" authentication-manager-ref="apiAccess">
...
</http>
<http auto-config = "true" authentication-manager-ref="webAccess">
...
</http>
<!-- Web authentication manager -->
<authentication-manager id="webAccess">
<authentication-provider
user-service-ref="userService">
</authentication-provider>
</authentication-manager>
<!-- API authentication manager -->
<authentication-manager id="apiAccess">
<authentication-provider
user-service-ref="developerService">
</authentication-provider>
</authentication-manager>
This feature has been added in Spring Security 3.1.
This works for me:
<security:authentication-manager alias="basicAuthenticationManager">
<security:authentication-provider user-service-ref="accountService">
<security:password-encoder hash="sha"/>
</security:authentication-provider>
<security:authentication-provider user-service-ref="accountService"/>
</security:authentication-manager>
<bean id="basicProcessingFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager">
<ref bean="basicAuthenticationManager" />
</property>
<property name="authenticationEntryPoint">
<ref bean="basicProcessingEntryPoint" />
</property>
</bean>
<bean id="basicProcessingEntryPoint"
class="com.yourpackage.web.util.CustomBasicAuthenticationEntryPoint">
<property name="realmName" value="yourRealm" />
</bean>
<!-- Stateless RESTful service using Basic authentication -->
<security:http pattern="/rest/**" create-session="stateless" entry-point-ref="basicProcessingEntryPoint">
<security:custom-filter ref="basicProcessingFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/rest/new" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/rest/**" access="ROLE_USER" />
</security:http>
<!-- Additional filter chain for normal users, matching all other requests -->
<security:http use-expressions="true">
<security:intercept-url pattern="/index.jsp" access="permitAll" />
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<security:form-login login-page="/signin"
authentication-failure-url="/signin?signin_error=1"
default-target-url="/"
always-use-default-target="true"/>
<security:logout />
</security:http>
I implemented the authentication entry point because I needed to send some special error codes in certain situations but you don't need to do so.

Spring Security - How can I specify anonymous role to root page

The default URL for my web app is http://localhost:8080/Icd/
I want to display my custom login page which is /index.jsp.
However , when I configure the spring security to do so , I am getting too many redirects problem . Below the code present in the security.xml file .
Let me know if I am missing something .
<security:http auto-config="true" >
<security:intercept-url pattern="/" access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/*" access="ROLE_USER" />
<security:form-login login-page="/index.jsp" />
</security:http>
<security:authentication-provider>
<security:user-service>
<security:user name="david" password="david" authorities="ROLE_USER,ROLE_ADMIN" />
<security:user name="alex" password="alex" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
When you put
<security:intercept-url pattern="/*" access="ROLE_USER" />
you're saying that every page requires ROLE_USER to be accessed (which includes the login page itself)
This (untested) may do the trick:
<security:intercept-url pattern="/index.jsp" access="permitAll"/>
<security:intercept-url pattern="/*" access="ROLE_USER" />
Try specifying your configuration like the following:
<security:http auto-config="true" use-expressions="true" access-denied-page="/krams/auth/denied" >
<security:intercept-url pattern="/krams/auth/login" access="permitAll"/>
<security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/>
<security:form-login
login-page="/krams/auth/login"
authentication-failure-url="/krams/auth/login?error=true"
default-target-url="/krams/main/common"/>
<security:logout
invalidate-session="true"
logout-success-url="/krams/auth/login"
logout-url="/krams/auth/logout"/>
</security:http>
This one uses a custom login page. For more info, you can check the full application at http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-simple-user.html

Resources