403 errors after upgrading to Spring Security 4.0.0 - spring-security

I've been trying to update my project to Spring Security 4.0.0. I think I've read the migration guide quite extensively, but even though I can successfully log in and navigate through the pages, I get 403 errors on every Ajax request. Everything is working fine with 3.2.7.
This is my "manual login" configuration file:
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- HTTP security configurations -->
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<intercept-url access="permitAll" pattern="/" /><!-- To permit "/" allows the use of web.xml's <welcome-file> -->
<intercept-url access="permitAll" pattern="/home" />
<intercept-url access="permitAll" pattern="/login" />
<intercept-url access="permitAll" pattern="/pages/exceptions/**" />
<intercept-url access="permitAll" pattern="/javax.faces.resource/**" />
<intercept-url access="permitAll" pattern="/resources/**" />
<intercept-url access="permitAll" pattern="/j_spring_security_check"/>
<intercept-url access="hasRole('ROLE_ADMIN')" pattern="/administration/**" />
<intercept-url access="isAuthenticated()" pattern="/**" />
<logout logout-url="/logout" logout-success-url='/home' />
<form-login login-page='/login'
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login?auth=fail"
default-target-url="/home" />
</http>
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="${authentication.provider}" />
</authentication-manager>
<b:bean name="bcryptEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<b:bean id="daoAuthProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<b:property name="userDetailsService">
<b:bean class="eu.ueb.acem.services.auth.DaoUserDetailsService">
<b:property name="domainService" ref="domainService" />
</b:bean>
</b:property>
<b:property name="passwordEncoder" ref="bcryptEncoder" />
</b:bean>
</b:beans>
I try to use:
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<headers disabled="true" />
<csrf disabled="true"/>
...
</http>
but I get:
cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'headers'
cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'csrf'
which is normal because 4.0.0 has no dedicated XML Schema at:
http://www.springframework.org/schema/security/
So what could possibly cause these "403 forbidden" errors?

OK, I found the solution. It is indeed to use:
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<csrf disabled="true"/>
...
</http>
but for the time being, we have to ignore the XML Schema error in Eclipse. Hopefully Spring will put their new Schema online soon.

Related

Spring Security 5 return 403 on login

I am evaluating Spring 5 (MVC) and Spring Security 5.
When I am posting username and password from a custom form I get a 403 return code.
When using instead of or the Spring default login form everything is working fine.
Here my applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config='false' use-expressions="true">
<intercept-url pattern="/assets/**" access="isAnonymous() or hasRole('ROLE_USER')" />
<intercept-url pattern="/pages/**" access="isAnonymous() or hasRole('ROLE_USER')" />
<intercept-url pattern="/index.do**" access="isAnonymous() or hasRole('ROLE_USER')" />
<intercept-url pattern="/app2/**" access="isAnonymous() or hasRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/index.do#/login"
login-processing-url="/login"
default-target-url="/index.do"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</b:beans>

How to override BasicAuthenticationFilter using the schema configuration?

We use Spring Security 4.x and I want to override BasicAuthenticationFilter.
Unfortunately I was not able to find how to configure the class name for the BasicAuthenticationFilter, neither in the http element nor in the http-basic element of the schema configuration.
How to override BasicAuthenticationFilter using the schema configuration?
I have tried to override BasicAuthenticationFilter using the custom filter without success; the schema continues to create the default BasicAuthenticationFilter.
Added
Very strange. I configured auto-config="false" but I still can see the creation of the default BasicAuthenticationFilter.
It should not be created according to the documentation http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#nsa-http
Added
The configuration without bean definitions:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:oxm="http://www.springframework.org/schema/oxm"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<sec:global-method-security pre-post-annotations="enabled">
<!-- AspectJ pointcut expression that locates our "post" method and applies security that way
<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
-->
</sec:global-method-security>
<sec:http use-expressions="true" auto-config="true" pattern="/api/**" disable-url-rewriting="false" entry-point-ref="authenticationEntryPoint">
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/api/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:logout logout-url="/logout.faces" success-handler-ref="logoutSuccessHandlerImpl" />
<sec:http-basic entry-point-ref="authenticationEntryPoint"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<!--<sec:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER"/>-->
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
<bean class="org.primefaces.webapp.filter.FileUploadFilter" name="fileUploadFilter"/>
<sec:http use-expressions="true" auto-config="true" disable-url-rewriting="false">
<sec:custom-filter ref="fileUploadFilter" before="FIRST"/>
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/pages/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/login.faces" access="isAnonymous()"/>
<sec:intercept-url pattern="/js/**" access="permitAll"/>
<sec:intercept-url pattern="/css/**" access="permitAll"/>
<sec:intercept-url pattern="/images/**" access="permitAll"/>
<sec:intercept-url pattern="/img/**" access="permitAll" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<sec:form-login login-page="/login.faces"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login.faces"
default-target-url="/pages/defaultPage.faces"
username-parameter="j_username"
password-parameter="j_password"
authentication-failure-handler-ref="authenticationFailureHandler"
/>
<sec:logout logout-url="/logout.faces"
success-handler-ref="logoutSuccessHandlerImpl"
/>
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
...
</beans>
As per the schema documentation in the xsd, if you want to replace a filter you need to use the position tag:
<sec:custom-filter ref="customBasicAuth" position="BASIC_AUTH_FILTER"/>
Also, if you include the <sec:http-basic> element, the default basic auth filter will be added to the filter chain.
The auto-config is a legacy attribute and can be removed (no need to set it to false).

Spring Security 4 returns pages as plain/text

I'm migrating from Spring Security 3 to 4 and have an issue with the content type of the returned page: by default it comes as text/plain and as a result I see just HTML text instead of the real page. In Spring Security 3 everything was working fine.
<http pattern="/images/**" security="none"/>
<http pattern="/css/**" security="none"/>
<http pattern="/xml/**" security="none"/>
<http pattern="/**" use-expressions="true"
authentication-manager-ref="authenticationManager"
disable-url-rewriting="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<access-denied-handler ref="accessDeniedHandler"/>
<form-login login-page="/pages/home/login.html"
default-target-url="/pages/home/entry.html" authentication-failure-handler-ref="authenticationFailureHandler"
always-use-default-target="true"
authentication-details-source-ref="authenticationDetailsSource"/>
<logout logout-success-url="/pages/home/login.html" invalidate-session="true"/>
<intercept-url pattern="/pages/home/**" access="hasRole('ROLE_CLIENT') or hasRole('ROLE_ANONYMOUS_CLIENT')"/>
<intercept-url pattern="/pages/admin/**" access="hasRole('ROLE_ADMIN')"/>
<session-management invalid-session-url="/pages/home/login.html"/>
<anonymous enabled="false"/>
<custom-filter ref="anonymousAuthenticationFilter" position="ANONYMOUS_FILTER"/>
<custom-filter before="CAS_FILTER" ref="oauthFilter"/>
</http>
<beans:bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<beans:property name="errorPage" value="/pages/home/login.html"/>
</beans:bean>
<beans:bean id="authenticationFailureHandler"
class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/pages/home/login.html"/>
</beans:bean>

Spring Security all roles except anonymous

Hi, I have a Spring Security application:
<http auto-config="true">
<intercept-url pattern="/**" />
<form-login authentication-failure-handler-ref="authenticationFailureHandler" authentication-success-handler-ref="authenticationSuccessHandler" login-page="${loginUrl}" authentication-failure-url="${loginUrl}" />
<logout logout-url="/logout" invalidate-session="true" success-handler-ref="logoutSuccessHandler" />
<anonymous enabled='false'/>
</http>
but the anonymous user is not intercepted. How can I allow all roles but not ROLE_ANONYMOUS?
Try IS_AUTHENTICATED_FULLY:
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
You can do the same thing using SpEL expression:
<http auto-config="true" use-expressions="true">
...
<intercept-url pattern="/**" access="isAuthenticated()" />
...
</http>
All available expressions are listed here.
In general SpEL expressions are more flexible.

LDAP SSL with Spring Security on WAS 6.1

I have successfully set up LDAPS container-based authentication, and am now trying to get it working with Spring Security since I will also need to perform lookups/queries.
In WAS I have all the endpoints using the correct keystore (except for WC_DefaulHost). Additionally, I also set up dynamic endpoint config for ldaps, host, port.
When I try to log in, I'm just getting "spring_security_login?login_error" and no System.out exceptions.
Am I missing something? Aren't endpoint configurations enough? Any way I can get more info to troubleshoot?
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<authentication-manager>
<authentication-provider ref="ldapAuthProvider" />
</authentication-manager>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<!-- AD authenticator -->
<beans:constructor-arg value="ldaps://host:port/DC=" />
<beans:property name="userDn" value="CN=,OU=,DC=" />
<beans:property name="password" value="" />
</beans:bean>
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean id="wimLdapAuthenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userSearch">
<beans:bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="" />
<beans:constructor-arg index="1" value="CN={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
</beans:bean>
</beans:property>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<http auto-config="true" pattern="/**">
<!-- Security zones -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<intercept-url pattern="/spring_security_login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>
</beans:beans>
It's working now. It seems like it wasn't an SSL problem. I switched the order of the intercept-url elements so that /** is the last one and added a custom login form:
<form-login login-page="/login" default-target-url="/viewAllTeams" authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
<form-login default-target-url="/viewAllTeams"/>
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/loginfailed" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
I also found that you can show exceptions using the following:
<div class="errorblock">
Your login attempt was not successful, try again.<br /> Caused :
${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>
