have developed one spring integration project in which i have implemented spring security.Configurations are fine.When i am hitting the to the given URL (e.g.localhost:8080/test/api) to fetch the response,the spring-security should intercept the request and should authenticate using spring security.
<http auto-config="true" create-session="never" >
<intercept-url pattern="/api/" access="ROLE_USER" />
<http-basic entry-point-ref="basicAuthenticationEntryPoint" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider">
</authentication-provider>
</authentication-manager>
The above are the basic configurations for spring security.
Thanx in advance.
If the spring security filter chain is not fired, many times is because being not configured in web app context.
Did you remember to set the spring security filter chain in web.xml:
<!-- Spring security filter -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
There could be various resons why this does not work. I suggest you to follow a step-by-step tutorial and see if you are missing anything:
Here is one that is very basic and concentrates on getting a simple spring security configuration up and running:
http://jtuts.com/2016/03/02/spring-security-login-form-integration-example-with-xml-configuration/
Related
1. Short Intro
recently we've updated our application just to be compliant with new Apple's rules about Apple signing flow, but wasn't enough.
Apple blocks our release base on the fact that we do not currently adopt the new web view WkWebView.
So we decide to use the following plugin: < cordova-plugin-ionic-webview > ( https://github.com/ionic-team/cordova-plugin-ionic-webview )
It was too wonderful to see that problems with XHR file:// request was fixed by new versions BUT an important CORS block is still present.
2. Problem
As the title says, every call that we perform to our server still continue to receive the error " Failed to load resource: Origin ionic://localhost is not allowed by Access-Control-Allow ... "
3. What we've done
Reading aware, we add into our server configuration (web.xml) the following filter
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
And in our config.xml as guides describe, we add:
<allow-navigation href="ionic://localhost/*"/>
<allow-navigation href="http://localhost*"/>
<content src="index.html" />
<allow-navigation href="*" />
But the problem is still present.
4. Environment versioning
iOS 13.3
Cordova 7.1.0
Ionic v1
Angular 1.5
So how to allow the application to pull data from our server ?
According to the docs, this web.xml config will not work:
The above configuration enables the filter but does not relax the cross-origin policy. As a minimum, you will need to add a cors.allowed.origins initialisation parameter as described below to enable cross-origin requests.
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>http://localhost, ionic://ionic</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The docs also have url-pattern set to /* and not *, but I'm not sure if that's important.
You might have to add more configuration depending on what types of requests your app makes.
I'm trying to integrate spring-security 3.1.4 in existing very old spring 3 application. I'm sure that the compatibility is good. The login is not working after the integration. Following is the security configuration.
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.html" access="permitAll"/>
<intercept-url pattern="/*.html" access="hasRole('CMS')"/>
<intercept-url pattern="/**" access="permitAll"/>
<form-login login-page="/login.html" default-target-url="/UserCheck.html" authentication-failure-url="/login.html?sl=f"
always-use-default-target="true" login-processing-url="/login.html" username-parameter="username" password-parameter="password"/>
<logout logout-success-url="/logoutAction.html" />
<anonymous />
</http>
<bean id="customUserDetailsService" class="gov.fd.ecms.security.FDCMSUserDetailsService" />
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="customUserDetailsService">
</authentication-provider>
</authentication-manager>
This is a simple configuration. When ever i hit a protected url in the browser it is redirecting to login page but then it is automatically redirecting to authentication-failure-url. Browser is displaying the error ERR_TOO_MANY_REDIRECTS. I noticed that the login.html is giving the response 302 with the response header Location = /login.html?sl=f
Can some one please help to figure this out. Thanks in advance.
Found the issue.
The login-page url and login-processing-url cannot be same. I thought the GET url for login page display and POST url for submit would work. Spring 3.1 doesn't support it, but the latest versions of spring support.
We have struts MVC in our app and want to now integrate spring security.
I am able to integrate it successfully and able to deploy application.
In order to get custom login page we must add form-login to spring security xml file. I am having difficulty in integrating custom login pages.
Struts global forward
<global-forwards>
<forward name="login" path="/" redirect="true"/>
</global-forwards>
When not logged in it will take us to login page
Web xml login config
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.vm</form-login-page>
<form-error-page>/loginError.vm</form-error-page>
</form-login-config>
</login-config>
Above section in web.xml is removed as part of integrating with spring security. Rather I have following section in spring security
<intercept-url pattern="/**" access="hasRole('ROLE')" />
<form-login login-page="/login.vm"
authentication-failure-url="/loginError.vm" />
But when I try to login I won't get custom login page rather it just points url to IP:PORT/APP/login.vm and page is not present.
Login form has j_spring_security
action="j_spring_security_check"
What changes are required in order to get custom login?
Should strut config be changed?
I'm guessing here, but I suspect that you are getting this as Spring Security does not understand/know about Velocity. I had a similair problem when I intergrated Spring Security into my Struts app using .jsp pages. In the end, I pointed login-page and authentication-failure-url to point to actions and loaded the jsp pages from there. I suggest that you try the same.
I am using spring security3.1 with name space configuration. I want to redirect to login page if I enter the URL in browser up to the context path, instead of full URL of the login page.
For example, http://xxx:8080/context/ instead http://xxx:8080/context/login.html
I am able to display login page with complete URL http://localhost:8080/context/login.html
I have tried the following code:
<http auto-config='true' authentication-manager-ref="authentication-manager" entry-point-ref="authenticationEntryPoint">
<beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.html"/>
<beans:property name="forceHttps" value="true"/>
</beans:bean>
....
I added a LoginUrlAuthenticationEntryPoint entry in order to redirect to login page also but it seems not working.
The standard configuration will redirect to the login page if you add some security constraints. So use
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
</http>
and you will be redirected to the login page automatically if you request any URL. You don't need to configure an AuthenticationEntryPoint.
Make sure you can get basic examples working before trying to customize things.
Also your configuration isn't valid - you've only posted the opening element of the http block. If you still can't get it to work, please post the full configuration which reproduces your problem.
i am using spring mvc. for login whenever request comes it passes through various Filters to get the flow(as different flow for different types of users). please suggest me a good reference to Spring Filters. or a good example on it. how to configure context.xml,web.xml
Do you need something other than the spring security docs ?
This is the page from the official docs related to filters.
Filters need to be configured in both the application context.xml and the web.xml file in your project. Here are examples of each of these files and also a Login filter that I wrote for my application... Hope it helps.
Web.xml
<filter>
<filter-name>randomFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
Filter mappings also need to be specified in this file and the order in which these mappings occur decide which filter is called first.
<filter-mapping>
<filter-name>randomFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
In the application context.xml, we mention the filter path, for example:
<bean id="randomFilter" class="folderPath.RandomFilter"/>