I have CSRF enabled in the XML file for Spring 4:
<http auto-config="true" use-expressions="true">
...
<csrf />
</http>
And added it to the login form:
<form name='form' action="<c:url value='/login' />" method='post'>
<table>
<tr>
<td>User:</td>
<td><input type='text' style="width:100%" name='username' value=''>
</td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' style="width:100%" name='password' />
</td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit" value="TryMe)" />
</td>
</tr>
<tr>
<td colspan='2'><input name="reset" type="reset" />
</td>
</tr>
</table>
<!-- the token must travel with the POST; a hidden field, not a visible text box -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form>
But still, when I try to access a resource and get redirected to the login page, I get this error:
Expected CSRF token not found. Has your session expired?
What have I missed?
EDIT:
I have spotted that CSRF does work with default login page!
The problem was with the login-page name. My name was "logining", but Spring Security didn't add the CSRF tag to it. I don't know why. But if I use "/login" for my login page after the redirect, everything works. This tutorial helped me a lot:
http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html#m3to4-xmlnamespace-logout
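As an added illustration (not code from the question or from Spring Security), here is a hypothetical minimal synchronizer-token filter that performs the two steps the question turns on: it publishes the token to the view as the request attribute `_csrf` (the `${_csrf.parameterName}` / `${_csrf.token}` pair the JSP reads) and rejects any non-safe request that arrives without a matching token. It assumes the javax.servlet 4.0 API (default `init()`/`destroy()`); the class and attribute names are illustrative.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
/* Hypothetical synchronizer-token filter (not Spring's CsrfFilter). It shows the two
 * things the question depends on: the token reaches the view as the request
 * attribute "_csrf", and a POST without a matching token is rejected with 403. */
public class SimpleCsrfFilter implements Filter {   // init()/destroy() default in Servlet 4.0
    static final String SESSION_KEY = "CSRF_TOKEN", PARAM = "_csrf";
    static final Set<String> SAFE_METHODS = new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));
    private final SecureRandom rng = new SecureRandom();
    public static final class CsrfToken {   // what the JSP reads as ${_csrf.parameterName} / ${_csrf.token}
        private final String token;
        CsrfToken(String token) { this.token = token; }
        public String getParameterName() { return PARAM; }
        public String getToken() { return token; }
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        String expected = (String) session.getAttribute(SESSION_KEY);
        if (expected == null) {                  // first request: mint a per-session token
            byte[] raw = new byte[32]; rng.nextBytes(raw);
            expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(SESSION_KEY, expected);
        }
        // Only pages rendered through this filter see ${_csrf}; a login page served
        // outside the chain renders no token, so its POST fails the check below.
        request.setAttribute(PARAM, new CsrfToken(expected));
        if (!SAFE_METHODS.contains(request.getMethod())) {
            String actual = request.getParameter(PARAM);
            if (actual == null) {                // "Expected CSRF token not found"
                response.sendError(403, "Expected CSRF token not found. Has your session expired?");
                return;
            }
            if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                       actual.getBytes(StandardCharsets.UTF_8))) {
                response.sendError(403, "Invalid CSRF token"); // constant-time compare failed
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```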
This may be a simple question but I am new to MVC. So please bear with me.
I want to get the checkbox value into the table row. Here is my code for the table.
<tbody>
@foreach (var itms in Model.takeoverdlist)
{
<tr id="@itms.TAKEOVER_D_id">
<td class="text-left">
<input type="hidden" name="tasklist[]" id="task_id" value="@(itms.TAKEOVER_D_id)" />
</td>
<td class="text-left">
<input type="text" id="task@(itms.TAKEOVER_D_id)" name="task@(itms.TAKEOVER_D_id)" value="@(itms.TAKEOVER_D_task)" style="width:100%" />
</td>
<td class="text-left">
<input type="text" id="amnt@(itms.TAKEOVER_D_id)" name="amnt@(itms.TAKEOVER_D_id)" value="@(itms.TAKEOVER_D_amount)" style="width:100%" />
</td>
<td class="text-left">
<input type="checkbox" id="donebit@(itms.TAKEOVER_D_id)" name="donebit@(itms.TAKEOVER_D_id)" value="@(itms.TAKEOVER_D_done)" style="width:100%" />
</td>
</tr>
}
</tbody>
I get other values just fine, but the checkbox is unchecked. It should be checked.
When I inspect the table the value for the checkbox is "value".
I need to know the following. I copied the following code from auth.gsp.
1.) What does '${postUrl}' mean?
2.) I copied this code and pasted it in another GSP called index.gsp, but the page didn't log in successfully.
<form action='${postUrl}' method='POST' id="loginForm" name="loginForm" autocomplete='off'>
<div class="sign-in">
<h1><g:message code='spring.security.ui.login.signin'/></h1>
<table>
<tr>
<td><label for="username"><g:message code='spring.security.ui.login.username'/></label></td>
<td><input name="j_username" id="username" size="20" /></td>
</tr>
<tr>
<td><label for="password"><g:message code='spring.security.ui.login.password'/></label></td>
<td><input type="password" name="j_password" id="password" size="20" /></td>
</tr>
<tr>
<td colspan='2'>
<input type="checkbox" class="checkbox" name="${rememberMeParameter}" id="remember_me" checked="checked" />
<label for='remember_me'><g:message code='spring.security.ui.login.rememberme'/></label> |
<span class="forgot-link">
<g:link controller='register' action='forgotPassword'><g:message code='spring.security.ui.login.forgotPassword'/></g:link>
</span>
</td>
</tr>
<tr>
<td colspan='2'>
<s2ui:linkButton elementId='register' controller='register' messageCode='spring.security.ui.login.register'/>
<s2ui:submitButton elementId='loginButton' form='loginForm' messageCode='spring.security.ui.login.login'/>
</td>
</tr>
</table>
</div>
</form>
Spring Security works on filters. If you print postUrl in your GSP file, it looks like /myApp/j_spring_security_check; only the /j_spring_security_check URL is processed by the Spring Security filter.
If you paste auth.gsp and are not sending this URL, then you cannot log in. Change your GSP slightly to make this run: replace ${postUrl} with ${createLink(uri: '/j_spring_security_check')}.
I'm working on a backend project and want to load a form via jQueryUI tabs
<div id="parameters_tabs" style="width:920px;">
<ul>
<li><?=$this->lang->line('tab_name')?></li>
</ul>
</div>
In the response I produce a few forms, as in the example below:
<?php
for ($i = 0; $i < count($groups); $i++)
{
?>
<form id="group_form<?=$i?>" method="POST" action="<?=base_url()?>update_group">
<input type="hidden" name="<?=$this->config->item('csrf_token_name')?>" value="<?=$token?>" />
<input type="hidden" name="id" value="<?=$groups[$i]['id']?>" />
<tr>
<td>
<input type="text" value="<?=$groups[$i]['name']?>" name="name" />
</td>
<td>
<input type="text" value="<?=$groups[$i]['short_name']?>" name="short_name" />
</td>
<td>
<textarea cols="80" rows="4" name="desc"><?=$groups[$i]['desc']?></textarea>
</td>
<td style="width: 30px">
<a class="save" onclick="$('#group_form<?=$i?>').submit();"><?=$this->lang->line('save')?></a>
</td>
</tr>
</form>
<?php
}
?>
When clicking on "save" I get the standard error about CSRF protection:
"An Error Was Encountered
The action you have requested is not allowed."
Can anyone help me and tell me where I made a mistake? Of course, in the source I see the proper csrf_token_name.
This article helped me when I was experiencing the same issue. Using the built-in form helper form_open() function might also help solve the problem (as it generates the hidden CSRF field for you).
I have a simple login form with this code in a JSP file:
<s:form
action="conexion" validate="true" theme="xhtml" target="formError">
<s:textfield name="username" key="profile.rut" />
<s:password name="password" key="profile.password" />
<s:submit id="boton_ingreso"/>
</s:form>
When that is rendered, it looks like this:
<form onreset="clearErrorMessages(this);clearErrorLabels(this);" method="post" target="formError" action="/AgendaPlus/conexion.action" onsubmit="return validateForm_conexion();" name="conexion" id="conexion">
<table class="wwFormTable">
<tbody><tr>
<td class="tdLabel"><label class="label" for="conexion_username">RUT:</label></td>
<td><input type="text" id="conexion_username" value="" name="username"></td>
</tr>
<tr>
<td class="tdLabel"><label class="label" for="conexion_password">Contraseña:</label></td>
<td><input type="password" id="conexion_password" name="password"></td>
</tr>
<tr>
<td colspan="2"><div align="right"><input type="submit" value="Submit" id="boton_ingreso" class="ui-button ui-widget ui-state-default ui-corner-all" role="button" aria-disabled="false">
</div></td>
</tr>
</tbody></table></form>
That way, when an error occurs, the error is shown above each field with an error as a <tr> tag, and since it is a table, I cannot style it to move it somewhere else. I tried the target attribute of the <s:form> tag but it did not work.
See the tag docs for fielderror:
<s:fielderror />
You know there are other themes, and that you can create your own, right?
For example, the "simple" theme doesn't render any tables or errors.
The target attribute seems a weird use for error reporting.
I've added Spring Security to my application. I am able to login fine but after I click logout, I'm then unable to login again.
Here is my applicationContext-security.xml
<http auto-config="true" access-denied-page="/accessDenied.html">
<intercept-url pattern="/login.html*" filters="none"/>
<intercept-url pattern="/static/**" filters="none"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login.html"
authentication-failure-url="/login.html?login_error=1"
default-target-url="/search.html"/>
<logout logout-success-url="/login.html"/>
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
</http>
<!--
Usernames/Passwords are
rod/koala
-->
<authentication-provider>
<password-encoder hash="md5"/>
<user-service>
<user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
Here is my login form:
<form method="post" action="j_spring_security_check">
<table>
<tr>
<td><label for="j_username">Username:</label></td>
<td>
<input type="text" name="j_username" id="j_username" size="20" maxlength="50"
<c:if test="${not empty param.login_error}">
value="<%= session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY) %>"
</c:if>/>
</td>
</tr>
<tr>
<td><label for="j_password">Password:</label></td>
<td>
<input type="password" name="j_password" id="j_password" size="20" maxlength="50"/>
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="checkbox" name="_spring_security_remember_me"/> Remember me on this computer.
</td>
</tr>
<tr>
<td> </td>
<td>
<input type="submit" class="button-submit" name="submit" value="Login">
</td>
</tr>
</table>
</form>
And my logout link points to: /j_spring_security_logout
UPDATE: (10.30.2009 09:44 EDT)
Some additional info, I enabled DEBUG level logging and can now see this in my console:
09:42:14 DEBUG [http-8080-1] (AbstractProcessingFilter.java:412) - Authentication request failed: org.springframework.security.concurrent.ConcurrentLoginException: Maximum sessions of 1 for this principal exceeded
It would seem that this line from my applicationContext-security.xml has something to do with it:
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
I'm not sure why even if I've logged out that it thinks I've exceeded the max num of sessions.
Any help appreciated, thanks!
-aj
Actually, I just solved it. ;)
This listener was missing from my web.xml:
<listener>
<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>
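As an added illustration of why that listener matters (hypothetical code, not Spring Security's SessionRegistry or HttpSessionEventPublisher), this small registry enforces max-sessions=1 and only learns that a session died through a session-destroyed listener; the `logout` helper simulates the container firing, or not firing, that event depending on whether the listener is declared in web.xml. Class and method names are assumptions.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
/* Hypothetical registry (not Spring Security's SessionRegistry) showing why the
 * max-sessions="1" check needs a session-destroyed listener: without one, the
 * session the user just logged out of is still counted at the next login. */
public class SessionLimitDemo {
    static final int MAX_SESSIONS = 1;
    /* principal -> ids of sessions the registry still believes are alive */
    static final Map<String, Set<String>> registry = new ConcurrentHashMap<>();
    /* Run on successful authentication; mirrors the ConcurrentLoginException in the log. */
    public static void registerLogin(String principal, String sessionId) {
        Set<String> live = registry.computeIfAbsent(principal, p -> ConcurrentHashMap.<String>newKeySet());
        if (!live.contains(sessionId) && live.size() >= MAX_SESSIONS) {
            throw new IllegalStateException(
                    "Maximum sessions of " + MAX_SESSIONS + " for this principal exceeded");
        }
        live.add(sessionId);
    }
    /* The only place a dead session ever leaves the registry. */
    public static void unregister(String sessionId) {
        registry.values().forEach(live -> live.remove(sessionId));
    }
    /* The role HttpSessionEventPublisher plays for Spring: relay the container's
     * session-destroyed event so the registry can drop the session. */
    public static class Publisher implements HttpSessionListener {
        @Override public void sessionCreated(HttpSessionEvent e) { }
        @Override public void sessionDestroyed(HttpSessionEvent e) { unregister(e.getSession().getId()); }
    }
    /* Simulated logout: the container invalidates the session and, only if the
     * listener is declared in web.xml, the registry hears about it. */
    static void logout(String sessionId, boolean listenerInWebXml) {
        if (listenerInWebXml) unregister(sessionId);
    }
    public static void main(String[] args) {
        registerLogin("rod", "S1");
        logout("S1", false);                       // listener missing: registry still holds S1
        try { registerLogin("rod", "S2"); }
        catch (IllegalStateException e) { System.out.println("without listener: " + e.getMessage()); }
        registry.clear();
        registerLogin("rod", "S1");
        logout("S1", true);                        // HttpSessionEventPublisher declared
        registerLogin("rod", "S2");                // second login now succeeds
        System.out.println("with listener: re-login ok");
    }
}
```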