I have a simple search input:
<form>
<input name="search" />
</form>
As soon as I add a th:action, Thymeleaf adds a hidden CSRF input field, even though I don't need it here.
Is there a way to disable this behavior for this given form?
You can add
<csrf disabled="true"/>
to your spring-security.xml file, because the csrf protection is enable default.
So your config file may like :
<http auto-config="true" use-expressions="false">
<form-login
login-page="/login"
default-target-url="/index"
login-processing-url="/login"
password-parameter="password"
username-parameter="username"
authentication-failure-handler-ref="authenticationFailureHandler"
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/logout" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<csrf disabled="true"/>
</http>
Related
I've been trying to update my project to Spring Security 4.0.0. I think I've read the migration guide quite extensively but even if I can successfully login and navigate through the pages, I get 403 errors on every Ajax requests. Everything is working fine with 3.2.7.
This is my "manual login" configuration file:
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- HTTP security configurations -->
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<intercept-url access="permitAll" pattern="/" /><!-- To permit "/" allows the use of web.xml's <welcome-file> -->
<intercept-url access="permitAll" pattern="/home" />
<intercept-url access="permitAll" pattern="/login" />
<intercept-url access="permitAll" pattern="/pages/exceptions/**" />
<intercept-url access="permitAll" pattern="/javax.faces.resource/**" />
<intercept-url access="permitAll" pattern="/resources/**" />
<intercept-url access="permitAll" pattern="/j_spring_security_check"/>
<intercept-url access="hasRole('ROLE_ADMIN')" pattern="/administration/**" />
<intercept-url access="isAuthenticated()" pattern="/**" />
<logout logout-url="/logout" logout-success-url='/home' />
<form-login login-page='/login'
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login?auth=fail"
default-target-url="/home" />
</http>
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="${authentication.provider}" />
</authentication-manager>
<b:bean name="bcryptEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<b:bean id="daoAuthProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<b:property name="userDetailsService">
<b:bean class="eu.ueb.acem.services.auth.DaoUserDetailsService">
<b:property name="domainService" ref="domainService" />
</b:bean>
</b:property>
<b:property name="passwordEncoder" ref="bcryptEncoder" />
</b:bean>
</b:beans>
I try to use:
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<headers disabled="true" />
<csrf disabled="true"/>
...
</http>
but I get :
cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'headers'
cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'csrf'
which is normal because 4.0.0 has no dedicated XML Schema at:
http://www.springframework.org/schema/security/
So what could possibly cause these "403 forbidden" errors?
Ok, I found the solution. It is indeed to use:
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<csrf disabled="true"/>
...
</http>
but for the time being, we have to ignore the XML Schema error in Eclipse. Hopefully Spring will put their new Schema online soon.
hi i have an spring security application
<http auto-config="true">
<intercept-url pattern="/**" />
<form-login authentication-failure-handler-ref="authenticationFailureHandler" authentication-success-handler-ref="authenticationSuccessHandler" login-page="${loginUrl}" authentication-failure-url="${loginUrl}" />
<logout logout-url="/logout" invalidate-session="true" success-handler-ref="logoutSuccessHandler" />
<anonymous enabled='false'/>
</http>
but anonymous user is not intercepted, how can i allow all roles but not ROLE_ANONYMOUS?
Try IS_AUTHENTICATED_FULLY:
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
You can do the same thing using SpEL expression:
<http auto-config="true" use-expressions="true">
...
<intercept-url pattern="/**" access="isAuthenticated()" />
...
</http>
All available expressions are listed here.
In general SpEL expressions are more flexible.
I want to put security for all the URL's except the login screen URL in spring security,
but I don't want to use session management.
Please help me out in this issue.
my security context file is below
<security:http pattern="/" security="none" />
<security:http auto-config="false" use-expressions="true" create-session="stateless" access-denied-page="/" entry-point-ref="authenticationEntryPoint" >
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:intercept-url pattern="/logout" access="permitAll" />
<security:intercept-url pattern="/logout.jsp" access="permitAll" />
<security:logout logout-url="/j_spring_security_logout" />
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
</security:http>
The ordering of your intercept-url tags is wrong. Quote from the reference docs:
You can use multiple elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top.
Move the intercept-url with the universal match pattern to the bottom of the list.
strange one,
I am using spring security with siteminder and it works fine. However I want to have one url which isn't protected - our loadBalancer needs a "healthCheck" url within the app itself. This url isn't intercepted by siteminder, but spring security seems to apply the preauth to it anyhow..
if I run it locally using a simple forms-based security config the following works (excluding the filters):
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/html/healthCheck.html" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/login" filters="none" />
<intercept-url pattern="/favicon.ico" filters="none" />
<intercept-url pattern="/*" access="hasAnyRole('ROLE_USER')" />
<form-login login-page="/login" default-target-url="/" authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
</http>
In this case, I can browse to localhost/myApp/resources/html/healthCheck.html without hitting an authorization issue, but any other url will display the login form. All looking good so far!
However when I deploy to the server I am using the following config:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/html/healthCheck.html" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/login" filters="none" />
<intercept-url pattern="/favicon.ico" filters="none" />
<intercept-url pattern="/*" access="hasAnyRole('ROLE_USER')" />
<custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</http>
When I browse to: server/myapp/resources/html/healthCheck.html I get the following error:
java.lang.IllegalArgumentException: Cannot pass null or empty values to constructor
org.springframework.security.core.userdetails.User.<init>(User.java:94)
com.myApp.security.SecuritySBSUserDetailsService.loadUserByUsername(SecuritySBSUserDetailsService.java:119)
org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper.loadUserDetails(UserDetailsByNameServiceWrapper.java:53)
I think this is caused by the UserDetailsService getting instantiated without any SM_USER. Yet the filters=none is in place.. and works when using forms authentication..Any idea what might be causing this, or better - of a workaround?
By the way, my userdetails service is configured as follows:
<beans:bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<beans:property name="principalRequestHeader" value="SM_USER" />
<beans:property name="exceptionIfHeaderMissing" value="false" />
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
i.e. I've set exceptionIfHeaderMissing to false, if that helps..
The most obvious thing I can see is that /resources/html/healthCheck.html won't be matched by /html/healthCheck.html. If you are rewriting the URLs somewhere you should probably explain that.
If you enable debug logging, it should explain in detail what is matched against what.
I'd also leave out the auto-config. It causes more confusion than it is worth. And you should use /** rather than /* for a universal ant pattern match.
It's probably also worth mentioning here that Spring Security 3.1 has a better approach for defining empty filter chains, and also allows you to define more than one filter chain using the <http> syntax.
Okay, it seems to be a bug in spring security as far as I can see. I got around it by adding a dummy return to the start of the loadUserByName method in the UserDetailsService..
#Override
public UserDetails loadUserByUsername(String userName)
throws UsernameNotFoundException, DataAccessException {
logger.trace(">> loadUserByUsername()");
logger.info("-- loadUserByUsername(): username : {}", userName);
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
if(userName==null || userName.trim().equals("")) {
return(new User("ANONYMOUS", "", true, true, true, true, authorities));
}
// rest of auth checks
It would seem like with the config I have, the UserDetails check shouldn't be getting triggered at all (as it is with the forms..). If anyone has a configuration based workaround I'll give you a plus :-)
The default URL for my web app is http://localhost:8080/Icd/
I want to display my custom login page which is /index.jsp.
However , when I configure the spring security to do so , I am getting too many redirects problem . Below the code present in the security.xml file .
Let me know if I am missing something .
<security:http auto-config="true" >
<security:intercept-url pattern="/" access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/*" access="ROLE_USER" />
<security:form-login login-page="/index.jsp" />
</security:http>
<security:authentication-provider>
<security:user-service>
<security:user name="david" password="david" authorities="ROLE_USER,ROLE_ADMIN" />
<security:user name="alex" password="alex" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
When you put
<security:intercept-url pattern="/*" access="ROLE_USER" />
you're saying that every page requires ROLE_USER to be accessed (which includes the login page itself)
This (untested) may do the trick:
<security:intercept-url pattern="/index.jsp" access="permitAll"/>
<security:intercept-url pattern="/*" access="ROLE_USER" />
Try specifying your configuration like the following:
<security:http auto-config="true" use-expressions="true" access-denied-page="/krams/auth/denied" >
<security:intercept-url pattern="/krams/auth/login" access="permitAll"/>
<security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/>
<security:form-login
login-page="/krams/auth/login"
authentication-failure-url="/krams/auth/login?error=true"
default-target-url="/krams/main/common"/>
<security:logout
invalidate-session="true"
logout-success-url="/krams/auth/login"
logout-url="/krams/auth/logout"/>
</security:http>
This one uses a custom login page. For more info, you can check the full application at http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-simple-user.html