How to get username or UserDetail object in logout-success-url? Below is my configuration:
<form-login default-target-url="/security/loginSuccess.action"
always-use-default-target="false"
authentication-failure-url="/security/loginFailed.action"
login-page="/security/restrictUser.action"/>
<logout invalidate-session="true" logout-success-url="/security/logoutUser.action" />
<session-management
session-authentication-strategy-ref="customMsgAwareConcurrentSessionControlStartegy"
invalid-session-url="/security/logoutUser.action"/>
I want to get the username who has requested for logout within logout-success-url (for me it is a Struts 2 action method). I have checked SecurityContextHolder, but it seems that SecurityContextHolder is cleared when the control reaches my action method in logout-success-url.
Use custom LogoutSuccessHandler for that. Inside your configuration define bean and use success-handler-ref attribute of <logout> tag.
<logout success-handler-ref="customLogoutSuccessHandler" />
<beans:bean id="customLogoutSuccessHandler" class="..." />
And inside CustomLogoutSuccessHandler there is onLogoutSuccess method which has Authentication argument.
public class CustomLogoutSuccessHandler extends
AbstractAuthenticationTargetUrlRequestHandler implements
LogoutSuccessHandler {
public void onLogoutSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws IOException, ServletException {
// use authentication to get user name
}
}
Related
I'm trying to understand Spring-security but my pages can be accessed without loggin in and I don't understand why.
The "secure" page is located in WEB-INF/pages/secure and is accessed using http://localhost:8080/secret. This should not allow access, but currently does.
/secure maps here
#Controller
public class HelloWorld {
...
#RequestMapping("/secret")
public String showSecret(ModelMap model) {
return "secure/secretPage";
}
}
web.xml
...
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext-security.xml
/WEB-INF/springmvc-config.xml
</param-value>
</context-param>
...
applicationContext-security.xml
<http auto-config="true">
<form-login login-processing-url="/j_spring_security_check"
login-page="/login"
authentication-failure-url="/login?login_error=t"/>
<logout logout-url="/j_spring_security_logout"/>
<intercept-url pattern="/pages/secure/**" access="IS_AUTHENTICATED_FULLY" requires-channel="https"/>
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userAccountDetailsService"/>
</authentication-manager>
userAccountDetailsService
#Service("userAccountDetailsService") // enables component to be found to <component-scan/>
public class UserAccountDetailsService implements UserDetailsService {
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
throw new UsernameNotFoundException("Could not find user");
}
}
The /login page does not currently exist. There are no users anyway. I just want this to disallow access for now.
The URL you are hitting is /secure, not /pages/secure and yet in your Spring Security configuration you are protecting /pages/secure/** instead of /secure/**. Change the intercept URL from /pages/secure/** to /secure/** and try again.
I managed to get my application working with Active Directory (basically LDAP) using spring-security, like this:
<authentication-manager>
<authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</authentication-manager>
<beans:bean id="grantedAuthoritiesMapper" class="mypackage.ActiveDirectoryGrantedAuthoritiesMapper"/>
<beans:bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="xxxx.xxx.xxxx" />
<beans:constructor-arg value="ldap://xxx.xxx.xxx.xxx:389" />
<beans:property name="authoritiesMapper" ref="grantedAuthoritiesMapper" />
<beans:property name="useAuthenticationRequestCredentials" value="true" />
<beans:property name="convertSubErrorCodesToExceptions" value="true" />
</beans:bean>
But by doing only this I need to have the users registered both in my application and in the Active Directory before-hand. I would like to be able to before the user logs in (but after the Active Directory validation) to see if he exists in my database and if he doesn't create a new user in my application and then proceed as normal.
I believe I need to create a preAuthentication provider, but I don't know exactly where I can insert my own class to code the checking and registration of the user.
Optimally I would also like to check for a specific authority before creating the user.
Can anyone give me a hand?
In the end I had to change my authentication handler onAuthenticationSuccess. In spring there are authentication and login in the lifecycle of the login process. During authentication the user is, well, authenticated, but not yet logged into the application (ie only its credentials were deemed valid, but the rest of the application is not aware of the user yet.)
I changed my security.xml to:
<beans:bean id="authHandler" class="mypackage.activedirectory.ActiveDirectoryAuthenticationHandler"
...
<form-login login-page="/login" authentication-failure-handler-ref="authHandler"
authentication-success-handler-ref="authHandler" />
And here is the class:
public class ActiveDirectoryAuthenticationHandler extends MyAuthenticationHandler {
#Autowired
private UserService userService;
#Override
public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse resp, Authentication auth)
throws IOException, ServletException {
String username= auth.getName();
User user= userService.findByUsername(username);
if (user == null) {
user= new User();
//set user properties
}
try {
userService.save(user);
} catch (EntityException e) {
System.out.println(e.getMessage());
}
super.onAuthenticationSuccess(req, resp, auth);
}
}
I still haven't figured out how to handle AD specific errors (like user is blocked, or password expired), right now it shows my application default login error message.
I'm using spring/spring-security 3.1 and want to take some action depends on the authorities in ATHENTICATION object whenever session is timed out.AUTHENTICATION object is null on session timeout.
Here are the files for reference:
security config:
<logout invalidate-session="true" logout-url="/j_spring_security_logout" success-handler-ref="logoutSuccessHandler"/>
<!-- Custom filter to deny unwanted users even though registered -->
<custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR" />
<!-- Custom filter for username, password and domain. The real customization is done in the customAuthenticationManager -->
<custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
</http>
Note: tried with "invalidate-session="false"" as well.
and my custom LogoutSuccessHandler:
public class EnterpriseLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler{
#Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
for(GrantedAuthority authority: authentication.getAuthorities()){
if(authority.getAuthority()!=null)
logger.debug("THE CURRENT AUTHORITY FOR THE SESSION IS : {} ",authority.getAuthority().toString());
else
logger.debug("THE CURRENT AUTHORITY FOR THE SESSION IS authority.getAuthority(): NULL ");
if(authority.getAuthority()!=null && authority.getAuthority().equalsIgnoreCase(Operational.SPRING_SECURITY.LOGIN_SOURCE_BEACON)){
loginSource = authority.getAuthority().toString();
break;
}
}
}
}
So, there is the question how I can obtain Authentication object on the session timeout.
Can some help me to find out the solution for the above problem.
Thanks in advance.
I create a spring MVC application that uses spring security for authentication, here's the spring-security.xml
<http use-expressions="true">
<form-login login-page="/homepage.jsp" default-target-url="/homepage.jsp" authentication-failure-url="/homepage.jsp?login-success=false" />
<logout logout-success-url="/homepage.jsp" />
</http>
<authentication-manager alias="authenticationManager" >
<authentication-provider>
<password-encoder hash="sha" />
<jdbc-user-service data-source-ref="marketDataSource"
users-by-username-query="
select email_address, password, '1'
from user where email_address=?"
authorities-by-username-query="
select email_address, 'ROLE_USER' from user
where email_address=?"
/>
</authentication-provider>
</authentication-manager>
when a new user try to register, he fill in registration from and press submit, that will create a new user, if the registration successfully completed, I try to authenticate the registered user using this method:
private void authenticateUserAndSetSession(User user, HttpServletRequest request) {
List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
user.getEmailAddress(), user.getPasswordSha(), grantedAuthorities);
request.getSession();
token.setDetails(new WebAuthenticationDetails(request));
try {
Authentication authenticatedUser = authenticationManager
.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
} catch (Exception e) {
e.printStackTrace();
}
}
I checked this post Auto login after successful registration to make the previous method, but when I try to use it, it throws Bad Credential Exception, what's wrong with this solution?
I had been faced with the similar problem. In legacy code the password was hashed by hand.
The better choice is to store object of User class (may be it is a plain form binding) with the plain password and clear it later. Clearing credencials is the responsibility of spring-security too (interface org.springframework.security.core.CredentialsContainer).
If it isn't possible remove tag of encoder or use the plain text encoder <password-encoder hash="plaintext"/>.
I am using GWT with spring security. I have a custom authentication provider where I perform all my authentication. How can I configure the remember me feature without using the UserDetailsService? I am not using LDAP.
My AppliationContext_security.xml
<http auto-config="true" entry-point-ref="UnauthorizedEntryPoint"
create-session="always">
<form-login authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout success-handler-ref="logoutSuccessHandler"
invalidate-session="true" />
<intercept-url pattern="/**/myapp.rpc" access="ROLE_USER" />
<custom-filter before="CONCURRENT_SESSION_FILTER" ref="XSRFAttackFilter" />
</http>
<authentication-manager>
<authentication-provider ref="myAuthenticationProvider" />
</authentication-manager>
In my custom authentication provider,
#Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
String username = (String) authentication.getPrincipal();
String password = (String) authentication.getCredentials();
boolean response = loginmanager.authenticateUser(username, password,
((ServletRequestAttributes) RequestContextHolder
.getRequestAttributes()).getRequest().getSession());
if (!response) {
throw new BadCredentialsException(
"Invalid Credentials.");
}
Authentication authentication = ...
authentication.setAuthenticated(true);
return authentication;
}
Any help will be greatly appreciated.
You will need to create a custom UserDetailsService that gets the username/password from the same place that your loginmanager is reading it from. See the source for TokenBasedRememberMeServices.processAutoLoginCookie() to see how it's being used.