How to configure Spring Security with Pretty Faces? - spring-security

The title of the question speaks for itself.
I want both to secure home.xhtml and the clean URL /Home.
In the Spring Security config, do I need to do what follows, or is there another way of doing it?
<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/home.xhtml" access="isAuthenticated()" />
    <security:intercept-url pattern="/Home" access="isAuthenticated()" />
</security:http>
Thanks
UPDATE:
Actually, my solution is to be careful with file and URL names. I do this in the Spring Security file to be more coherent:
<security:intercept-url pattern="/Home*" access="isAuthenticated()" />
That secures both URLs... in fact, all URLs beginning with Home (not case sensitive).

Related

Spring security XML: how to express?

I have an application using Spring security to control the access to its endpoints.
There are two endpoints /aaa and /bbb secured as:
<security:http pattern="/aaa/**">
    <security:anonymous enabled="false" />
    <security:intercept-url pattern="/aaa/**" access="isAuthenticated()" />
    <security:intercept-url pattern="/aaa/**" access="#oauth2.hasScope('aaa_scope')" />
</security:http>
<security:http pattern="/bbb/**">
    <security:anonymous enabled="false" />
    <security:intercept-url pattern="/bbb/**" access="isAuthenticated()" />
    <security:intercept-url pattern="/bbb/**" access="#oauth2.hasScope('bbb_scope')" />
</security:http>
I need to move /bbb under /aaa, i.e. to make it into /aaa/bbb while maintaining the original security checks
for the "bbb" part (now relocated)
and for the "aaa" part except for the "bbb" part parked under it.
How do I express this in Spring security XML?
What would a descriptor incantation look like?
====================
I tried the following naive combination
<security:http pattern="/aaa/bbb/**">
    <security:anonymous enabled="false" />
    <security:intercept-url pattern="/aaa/bbb/**" access="isAuthenticated()" />
    <security:intercept-url pattern="/aaa/bbb/**" access="#oauth2.hasScope('bbb_scope')" />
</security:http>
<security:http pattern="/aaa/**">
    <security:anonymous enabled="false" />
    <security:intercept-url pattern="/aaa/**" access="isAuthenticated()" />
    <security:intercept-url pattern="/aaa/**" access="#oauth2.hasScope('aaa_scope')" />
</security:http>
but I empirically observed that it allows the holder of aaa_scope (not having bbb_scope) to access /aaa/bbb.
Apparently, failing access via the first descriptor does not cause the request to be aborted right there; it goes on to try the remaining descriptors.
Thanks for advice.

How to redirect user to authentication page when he tries to enter the url of the secured page ?

I'm using Spring Security to authenticate users; if it's the right user, he has access to the home page.
But when I tried to enter via the URL (without entering my name or my password), an anonymous user could see the home page!
My application is not secured!
Could someone help me, please?
This is my spring-securityConfig.xml:
<http auto-config="true">
    <form-login login-page="/login" username-parameter="j_username"
                password-parameter="j_password" default-target-url="/accueil"
                authentication-failure-url="/403" always-use-default-target="true" />
    <logout logout-success-url="/login" />
    <http-basic/>
    <intercept-url pattern="/**" />
</http>
<authentication-manager>
    <authentication-provider ref="userService">
    </authentication-provider>
</authentication-manager>
You don't have to do anything for the redirection; it comes with Spring Security by default. It's just that your home page isn't secured. Did you try
<intercept-url pattern="/login*" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />

Removing Session in Spring Security

I want to secure all the URLs except the login screen URL in Spring Security,
but I don't want to use session management.
Please help me out with this issue.
My security context file is below:
<security:http pattern="/" security="none" />
<security:http auto-config="false" use-expressions="true" create-session="stateless" access-denied-page="/" entry-point-ref="authenticationEntryPoint" >
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:intercept-url pattern="/logout" access="permitAll" />
    <security:intercept-url pattern="/logout.jsp" access="permitAll" />
    <security:logout logout-url="/j_spring_security_logout" />
    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
</security:http>
The ordering of your intercept-url tags is wrong. Quote from the reference docs:
You can use multiple elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top.
Move the intercept-url with the universal match pattern to the bottom of the list.

Spring Security - How can I specify anonymous role to root page

The default URL for my web app is http://localhost:8080/Icd/
I want to display my custom login page which is /index.jsp.
However, when I configure Spring Security to do so, I get a "too many redirects" problem. Below is the code present in the security.xml file.
Let me know if I am missing something.
<security:http auto-config="true" >
    <security:intercept-url pattern="/" access="ROLE_ANONYMOUS" />
    <security:intercept-url pattern="/*" access="ROLE_USER" />
    <security:form-login login-page="/index.jsp" />
</security:http>
<security:authentication-provider>
    <security:user-service>
        <security:user name="david" password="david" authorities="ROLE_USER,ROLE_ADMIN" />
        <security:user name="alex" password="alex" authorities="ROLE_USER" />
    </security:user-service>
</security:authentication-provider>
When you put
<security:intercept-url pattern="/*" access="ROLE_USER" />
you're saying that every page requires ROLE_USER to be accessed (which includes the login page itself).
This (untested) may do the trick:
<security:intercept-url pattern="/index.jsp" access="permitAll"/>
<security:intercept-url pattern="/*" access="ROLE_USER" />
Try specifying your configuration like the following:
<security:http auto-config="true" use-expressions="true" access-denied-page="/krams/auth/denied" >
    <security:intercept-url pattern="/krams/auth/login" access="permitAll"/>
    <security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/>
    <security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/>
    <security:form-login
        login-page="/krams/auth/login"
        authentication-failure-url="/krams/auth/login?error=true"
        default-target-url="/krams/main/common"/>
    <security:logout
        invalidate-session="true"
        logout-success-url="/krams/auth/login"
        logout-url="/krams/auth/logout"/>
</security:http>
This one uses a custom login page. For more info, you can check the full application at http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-simple-user.html
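Added example (Python, written for this page; it is not Spring code and not from any of the posts above). It models the rule the "Removing Session" answer quotes from the reference docs: inside an <http> block the first matching <intercept-url> wins, and when several <http pattern="..."> blocks exist the first chain whose pattern matches handles the request. Run against the configurations posted on this page, it shows why /logout listed below /** stays protected, why /index.jsp is caught by /* (the redirect loop), which paths /Home* does and does not cover, and that in the /aaa/bbb configuration a second <intercept-url> on an identical pattern (the scope check) is never consulted. The Ant matcher is an approximation of Spring's (case-insensitive, as Spring Security's default), and the combined-expression rewrite in NESTED_COMBINED is my suggestion, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def _ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern into regex source.
    '**' spans path segments; '*' and '?' stay inside one segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def ant_match(pattern: str, path: str) -> bool:
    """Approximation of Spring Security's Ant matcher: case-insensitive, and a
    pattern ending in '/**' also matches its bare prefix ('/aaa/**' matches '/aaa')."""
    if pattern.endswith("/**"):
        regex = "^" + _ant_to_regex(pattern[:-3]) + "(/.*)?$"
    else:
        regex = "^" + _ant_to_regex(pattern) + "$"
    return re.match(regex, path, re.IGNORECASE) is not None


@dataclass
class Rule:
    pattern: str  # <intercept-url pattern="...">
    access: str   # <intercept-url access="...">


@dataclass
class HttpChain:
    rules: List[Rule]
    pattern: Optional[str] = None  # <http pattern="...">; None matches every request


def effective_access(chains: List[HttpChain], path: str) -> str:
    """Access expression Spring Security would enforce for `path`: the first
    <http> whose pattern matches is selected, and inside it the first matching
    <intercept-url> wins; later rules are never consulted."""
    for chain in chains:
        if chain.pattern is None or ant_match(chain.pattern, path):
            for rule in chain.rules:
                if ant_match(rule.pattern, path):
                    return rule.access
            return "UNMATCHED: no intercept-url applies, request is allowed through"
    return "NO CHAIN: request bypasses the Spring Security filters entirely"


# 'Removing Session' question: catch-all rule listed first, /logout second.
POSTED = [HttpChain([Rule("/**", "isAuthenticated()"),
                     Rule("/logout", "permitAll")])]
# Same rules with the most specific pattern on top, as the answer advises.
REORDERED = [HttpChain([Rule("/logout", "permitAll"),
                        Rule("/**", "isAuthenticated()")])]

# '/aaa/bbb' question: two chains, each with two rules on an identical pattern.
NESTED_AS_POSTED = [
    HttpChain(pattern="/aaa/bbb/**", rules=[
        Rule("/aaa/bbb/**", "isAuthenticated()"),
        Rule("/aaa/bbb/**", "#oauth2.hasScope('bbb_scope')")]),
    HttpChain(pattern="/aaa/**", rules=[
        Rule("/aaa/**", "isAuthenticated()"),
        Rule("/aaa/**", "#oauth2.hasScope('aaa_scope')")]),
]
# Suggested rewrite (assumption, not from the page): one rule per pattern that
# combines both conditions, so the scope check is actually reached.
NESTED_COMBINED = [
    HttpChain(pattern="/aaa/bbb/**", rules=[
        Rule("/aaa/bbb/**", "isAuthenticated() and #oauth2.hasScope('bbb_scope')")]),
    HttpChain(pattern="/aaa/**", rules=[
        Rule("/aaa/**", "isAuthenticated() and #oauth2.hasScope('aaa_scope')")]),
]

# Root-page question: the login page /index.jsp is itself caught by '/*'.
ROOT_AS_POSTED = [HttpChain([Rule("/", "ROLE_ANONYMOUS"),
                             Rule("/*", "ROLE_USER")])]


def matched_by(pattern: str, paths: List[str]) -> List[str]:
    """Which of `paths` a single intercept-url pattern (e.g. '/Home*') covers."""
    return [p for p in paths if ant_match(pattern, p)]


if __name__ == "__main__":
    print("/logout as posted   :", effective_access(POSTED, "/logout"))
    print("/logout reordered   :", effective_access(REORDERED, "/logout"))
    print("/aaa/bbb/x as posted:", effective_access(NESTED_AS_POSTED, "/aaa/bbb/x"))
    print("/index.jsp          :", effective_access(ROOT_AS_POSTED, "/index.jsp"))
    print("/Home* covers       :", matched_by("/Home*", ["/Home", "/home.xhtml", "/Homeless", "/Home/admin"]))
```

Two practical checks fall out of the model: a path that matches no <intercept-url> in its chain is not protected at all (Spring's default is to let such requests through), and /Home* also covers unrelated paths such as /Homeless while not covering anything under /Home/, so a pattern chosen for convenience should be reviewed against the real URL space.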

Spring Security session-management setting and IllegalStateException

I'm trying to add <session-management> in my Spring Security namespace configuration so that I can provide a different message than the login page when the session times out. As soon as I add it to my configuration it starts throwing "IllegalStateException: Cannot create a session after the response has been committed" when I access the app.
I'm using Spring Security 3 and Tomcat 6. Here's my configuration:
<http>
    <intercept-url pattern="/go.htm" access="ROLE_RESPONDENT" />
    <intercept-url pattern="/complete.htm" access="ROLE_RESPONDENT" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/login.htm"
                authentication-failure-url="/login.htm?error=true"
                default-target-url="/go.htm"
    />
    <anonymous/>
    <logout logout-success-url="/logout_message.htm"/>
    <session-management invalid-session-url="/login.htm" />
</http>
Everything works great until I add in the <session-management> line. What am I missing?
You are probably hitting this bug:
https://jira.springsource.org/browse/SEC-1346
Try using the up-to-date version (3.0.2.RELEASE).
This works for me
<session-management invalid-session-url="/taac/login">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
Maybe including the auto-config="true" attribute in the <http> tag helps, you might be missing some required filters or settings.