I have configured SAML SSO which is working fine. When session is expired it gives following in log.
2017-04-15 15:14:16,933 [http-nio-7070-exec-8] INFO org.springframework.boot.actuate.audit.listener.AuditListener - AuditEvent [timestamp=Sat Apr 15 15:14:16 IST 2017, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={message=Access is denied, type=org.springframework.security.access.AccessDeniedException}]
2017-04-15 15:14:17,035 [http-nio-7070-exec-8] INFO org.springframework.security.saml.log.SAMLDefaultLogger - AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com.hbo.sso:portal;http://www.okta.com/xxxxxxx;;;
Here is my spring-security.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<import resource="classpath*:applicationContext-saml.xml" />
<security:http entry-point-ref="samlEntryPoint" use-expressions="true">
<security:intercept-url .... />
/* Logging out user */
<security:intercept-url pattern="/${myapp.logout.url}" access="permitAll()"/>
</security:http>
</beans>
When the session is expired your spring session is cleared automatically, so it throws Access Denied Exception, Solution could be 1. in your spring-security.xml add access denied page redirection details..
e.g.
<security:http >
<security:access-denied-handler error-page="/anonymous/accessdeniedpage.jsp"/>
</security:http>
or
2. If you IDP allows the configuration/redirection page on session time out, then map that to your login page.
Related
We are implementing the flexibility to configure OAuth or SAML or both OAuth and SAML. Configured the following in the saml security context:
<security:http pattern="/oauth/authorize/**" entry-point-ref="samlEntryPoint" use-expressions="true">
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />
........
........
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint" />
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter" />
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter" />
<security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter" />
<security:filter-chain pattern="/oauth/authorize/**" filters="samlEntryPoint" />
</security:filter-chain-map>
</bean>
There is a configurable property which determines whether SAML is enabled or disabled. How can I skip the samlEntryPoint from getting invoked when SAML is disabled? Application is always restarted when toggling SAML, I don't have to consider the use case of switching it on/off when the application is running.
Any help is appreciated.
How can I skip the samlEntryPoint from getting invoked when SAML is disabled?
To have various authentication schemes, you can use Spring profiles and write separate security contexts files. This is how you do it :
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<!-- Spring Security configuration for SAML only authentication -->
<beans profile="auth-saml">
<import resource="security/applicationContext-security-saml.xml" />
</beans>
<!-- Spring Security configuration for OAUTH only authentication -->
<beans profile="auth-oauth">
<import resource="security/applicationContext-security-oauth.xml" />
</beans>
<!-- Spring Security configuration for SAML+OAUTH authentication -->
<beans profile="auth-saml-oauth">
<import resource="security/applicationContext-security-saml-oauth.xml" />
</beans>
</beans>
Then you choose the active Spring profile with the environment variable spring.profiles.active with value corresponding to the profile attribute value (either auth-saml, auth-oauth or auth-saml-oauth).
In addition to Gregoire's response, you can also create a class such as multiAuthenticationEntryPoint -which takes those entrypoints as property- where you can implement
#Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException {
// TODO Auto-generated method stub
if(sth)
{
customAuthenticationEntryPoint.commence(request, response, authException);
return;
}
else {
samlEntryPoint.commence(request, response, authException);
return;
}
}
I am developing the server side for a mobile application as per below:
- I'm using Spring MVC framework and I have already implemented BASIC AUTHENTICATION for restful requests (using JSON) as per code below.
<?xml version="1.0" encoding="UTF-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http create-session="stateless" entry-point- ref="restAuthenticationEntryPoint" use-expressions="true">
<security:intercept-url pattern="/restful" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/restful/*" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/login" access="permitAll"/>
<security:custom-filter ref="myFilter" after="BASIC_AUTH_FILTER"/>
<!-- <security:logout /> -->
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
user-service-ref="daoUserService">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<bean id="restAuthenticationEntryPoint" class="com.bp_gae.utils.RestAuthenticationEntryPoint">
</bean>
<bean id="myFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationEntryPoint" ref="restAuthenticationEntryPoint" />
</bean>
<bean
id="passwordEncoder"
class="com.bp_gae.utils.AppPasswordEncoder" />
<bean
id="daoUserService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property
name="dataSource"
ref="dataSource" />
<property
name="enableGroups"
value="false" />
<property
name="enableAuthorities"
value="true" />
<property name="usersByUsernameQuery">
<value>
select username,password, 1
from users
where username = ?
</value>
</property>
<property name="authoritiesByUsernameQuery">
<value>
select username,authority
from users c,
user_roles cp
where c.user_id = cp.user_id
and c.username = ?
</value>
</property>
</bean>
</beans>
So the mobile client sends username, password in every request and a check in DB is done to determine whether he can have access to protected resources.There are no sessions created. The new requirement is to intagrate Facebook authentication.
1) The mobile user signs in and authenticates on client side and sends the authentication token to server.
2) The server should get user facebook details using that token (check whether this token is valid against facebook) using facebook app-id and app-secret from FB app I've created. I am using Spring Social for that purpose.
3) All protected resources are accessible after either basic or Facebook successful auth.
4) I already have a Users table in DB (username,email,password) and I'm thinking of creating another one with SocialUsers (email, token) and do some matching between them to link same users.
I am not sure on how to get both authentication methods working in my security.xml file.
-Do I have to set up another filter for Social Auth?
-In that case how can I use both filters?
Any suggestions / sample code welcome!
Help me with the advice please.
I need to disable/enable spring security on my application by some variable in xml file.
my spring-security.xml file
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_ADMIN" />
<logout logout-success-url="/mainpage" />
<login login-success-url="/mainpage" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="hey" password="there" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
How can be this perfomed?
Thanks.
security
A request pattern can be mapped to an empty filter chain, by setting this attribute to none. No security will be applied and none of Spring Security's features will be available.
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/appendix-namespace.html#nsa-http-security
so:
<http auto-config="true" security="none">
and as usual the "none" parameter can be a springEL expression (well a subset anyways).
hope this is what you were looking for
EDIT:
forgot to mention that it's a new feature is Spring Security 3.1
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/new-3.1.html#new-3.1-highlevel
EDIT2:
For a more dynamic solution use bean profiles. http://static.springsource.org/spring/docs/3.1.x/spring-framework-reference/html/new-in-3.1.html#d0e1293 and http://blog.springsource.com/2011/02/11/spring-framework-3-1-m1-released/
Does spring security have a way to prevent the last point below? I'm using 3.0.5
-user logs into my website
-user goes to any page in website and clicks log out
-log out link invalidates user session and sends them to the login page in my website
-in same browser, user navigates to new website (say cnn.com)
-user hits back button and they land at my login page
-user hits back button again and they end up at the page within the application that may have data that we dont want to be there. If they click any link on the page they immediately get sent to login page, but they can view the cached page from the browser cache...any way to not let them view this?
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:annotation-config />
<context:component-scan base-package="dc" />
<global-method-security />
<http access-denied-page="/auth/denied.html">
<intercept-url filters="none" pattern="/javax.faces.resource/**" />
<intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
<intercept-url filters="none" pattern="/preregistered/*"/>
<intercept-url
pattern="/**/*.xhtml"
access="ROLE_NONE_GETS_ACCESS" />
<intercept-url
pattern="/auth/*"
access="ROLE_ANONYMOUS,ROLE_USER"/>
<intercept-url
pattern="/preregistered/*"
access="ROLE_ANONYMOUS,ROLE_USER"/>
<intercept-url
pattern="/registered/*"
access="ROLE_USER"
requires-channel="http"/>
<form-login
login-processing-url="/j_spring_security_check.html"
login-page="/auth/login.html"
default-target-url="/registered/home.html"
authentication-failure-url="/auth/login.html" />
<logout invalidate-session="true"
logout-url="/auth/logout.html"
success-handler-ref="DCLogoutSuccessHandler"/>
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
<custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter" />
<session-management session-fixation-protection="none"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager alias="am">
<authentication-provider user-service-ref="userManager">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
<authentication-provider ref="xmlAuthenticationProvider" />
</authentication-manager>
</beans:beans>
the below filter took care of my situation:
package com.dc.api.service.impl;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;
public class CacheControlFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletResponse resp = (HttpServletResponse) response;
resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");
resp.setHeader("Last-Modified", new Date().toString());
resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
resp.setHeader("Pragma", "no-cache");
chain.doFilter(request, response);
}
#Override
public void destroy() {}
#Override
public void init(FilterConfig arg0) throws ServletException {}
}
to solve this problem you must add in your security xml config file :
<security:http auto-config="true" use-expressions="true">
<security:headers >
<security:cache-control />
<security:hsts/>
</security:headers>
In spring 3.0.x
<bean class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter">
<property name="cacheSeconds" value="0" />
</bean>
In spring 2.5.x
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
<property name="cacheSeconds" value="0" />
</bean>
Yes, I used spring-security 3.2.9.RELEASE and simply giving <security:headers /> in one the spring config file like applicationContext.xml file as in the above posts
<security:http
auto-config="true" use-expressions="true">
<security:headers />
</security:http>
so that user won't be able to go to visited other app pages
using browser back and forward buttons after logout.
If you, like me, didn't get it working after using c12's caching filter, and you are using <security:http auto-config="true"> make sure you don't need the auto-config="true" part anymore. It (looks like it) adds http basic authentication which does not handle logging out by protocol! This results in that you can GET your logout URL but hitting the back button will just bring you back since you're not really logged out.
Rather than reading;
A user name and password are being requested by http://localhost:8080. The site says: "Spring Security Application"
I want to change the prompt, or at least change what the "site says". Does anyone know how to do this via resources.xml?
In my Grails App Spring configuration, my current version is as follows;
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="true" use-expressions="true">
<http-basic/>
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
You can't change it. Your application sends to the browser only the "Spring Secuirty Application" part. Other parts of the prompt are added by you browser.
To change the "Spring Security Application" part, you can use realm attribute of the <http> element:
<http realm = "My Application" ... >