Hi i am new to Spring and I have a following problem:
I had succesfully implemented login mechanism
on my website, but I know how to make it work only
on specified subpages by:
<http entry-point-ref="authenticationEntryPoint" auto-config="true">
<intercept-url pattern="/admin" access="ROLE_ADMIN" />
And I would like to hide only choosen elements on subpages that are
visible for any user.
For example anyone can acces a subpage to read an article on my website, but
only registered user can add a comment.
you may want to use <sec:global-method-security pre-post-annotations="enabled"/> in your web context, so that you can use that annotation #PreAuthorize("hasRole('YOUR ROLE')") in your controller.
Than you can user the spring-security tags to show/hide content on your jsp page depending on the connected user role.
you can have more docs here http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html
Related
Could someone help me on this. appreciate your help.
I am using Spring security 3.1 with create-session="stateless" option.
Which throwing "InsufficientAuthenticationException" : "Full authentication is required to access this resource" exception of ExceptionTranslationFilter.
I am not able to understand what I am doing wrong and why I am getting this exception . As this exception stated that the credentials are not proper but I can see the credentials are going through request.Still I am getting 401 unauthorized
Fact is that the user is able to login properly & I get the message on console also. But again it is redirecting to login page due to access denied exception.
Here I am putting the code
Spring-Security.xml
<http entry-point-ref="negotiateSecurityFilterEntryPoint"
create-session="stateless" >
<intercept-url pattern="/user/loginuser" access="ROLE_ANONYMOUS"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
<custom-filter ref="securityContextPersistenceFilter" after="BASIC_AUTH_FILTER" />
<custom-filter ref="ldapAuthFilter" position="CAS_FILTER" />
<custom-filter ref="databaseAuthFilter" position="FORM_LOGIN_FILTER" />
</http>
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name='securityContextRepository'>
<bean class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
<property name='allowSessionCreation' value='false' />
</bean>
</property>
</bean>
As far as I know, that's exactly what stateless is meant to do.
Once you set create-session parameter as stateless, on every http call the SecurityContextPersistenceFilter won't be even called (by default) or, even if you force it to be called according to your configuration, it won't be any session level security information in the SecurityContextHolder.
This stateless pattern is intended to be used in a Rest style architecture, where authentication and authorization information is sent on every request. Better said, I don't think that stateless session creation pattern should be used unless you are developing a full stateless application
I found a good post about this, Spring Security Session Management, look carefully section 2. When Is The Session Created?
So stateless session creation strategy does not fit to a classic login form pattern.
In your scenario, I guesss that what is happening is that, once the login request is completed and the request is authenticathed, it is probably redirecting to a kind of welcome page using an HTTP 301 or 302 redirect, redirection which again is not carrying authentication info, so ends redirecting again to login page.
If you simply use "ifRequired" as session-creation, or as it is the default value, just don't set it, I bet your login would end successfully and redirect to wherever it should correctly without asking to log in again. And, if you do it like this, avoid setting the SecurityContextPersistenceFilter, it is configured automatically.
I am using spring security 4 and I realized that if I add a url handler in the controller and forget to specify access rights in spring security xml , this page will not be secured and will be accessible to all. I was trying to use:
<intercept-url pattern="/**" access="denyAll" />
But it bans all users, even those I specifically open access to in other tags.
Maybe you think about something like that?
access="isAuthenticated()"
as said here it returns true if the user is not anonymous.
I think the main idea of keeping app secure is not to make mistakes by human too... Even the best security system is not secure when human forgot to set a password.
I am new to Springs and not a advanced programmer of java.
I am creating a prototype where i am using Springs security.
to keep it simple i am using JSP form based user authentication and have some dummy users in my applicationContext-security.xml
<security:http auto-config='true'>
<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="foo" password="foo" authorities="ROLE_USER, ROLE_ADMIN" />
<security:user name="bob" password="bob" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
The idea is that later this authentication method will be replaced by OpenId authentication.
Now what i need is once the user is authenticated, using the authenticated username i would like to retrieve additional details of the user from a database table and put it in Springs UserDetails object so that its available to me all the time
what i have researched so far is that i need to create my Custom UserDetailsService
my question is if i am using springs standard authentication method do i need to create a custom UserDetailsService ?
I just want to store some additional details reading it from a database.
i have gone through many examples but none of them answers this particular issue.
also since i am little new to these technologies. i get lost no how to tie the code snippets together. any help to point me to right direction would be great
thanks
Yes. Generally you need a custom UserDetailsService which returns your extended UserDetails object with the additional properties you want. You'll find plenty of example configurations if you search SO, like this one, for example.
Strictly speaking, you don't have to use a UserDetailsService or implement UserDetails (you can implement AuthenticationProvider directly), but it's the easiest approach to being with and probably where you should start.
I have a web application where I use spring security. I have a problem logging out because my application remembers the last page after logging out. What I want is once the user logs out should not be able go back.
My application-config snippet :
<security:logout logout-url="/logout.do"
invalidate-session="true"
logout-success-url="/logoutSuccess.do" />
Try this:
HttpServletRequest.getSession(false).invalidate();
The standard logout filter will invalidate the current HTTPSession, if your user has a cached version of one of your protected pages there isn't much you can do about that however even if they return to that page they will not be able to use it to make any further requests to your application until they obtain another valid session.
I've got a basic Spring Security 3 set up using my own login page. My configuration is below. I have the login and sign up page accessible to all as well as most everything else. I'm new to Spring Security and understand that if a user is trying to access a protected resource they will be taken to the defined login page. And upon successful login they are taken to some other page, home in my case. I want to keep the latter behavior; however, I'd like specify that if a user tries to access certain resources they are taken to the sign up page, not the login page. Currently, in my annotated controllers I check the security context to see if the user is logged in and if not I redirect them to the sign up page. I only do this currently with two urls and no others. This seemed redundant so I tried creating a HandlerInterceptor to redirect for these requests but realized that with annotations, you can't specify specific requests to be handled - they all are. So I'm wondering if there is some way to implement this type of specific url handling in Spring Security, or is going the HandlerInterceptor route my only option? Thanks!
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login*" access="permitAll"/>
<intercept-url pattern="/signup*" access="permitAll"/>
<intercept-url pattern="/static/**" filters="none" />
<intercept-url pattern="/" access="permitAll"/>
<form-login login-page="/login" default-target-url="/home"/>
<logout logout-success-url="/home"/>
<anonymous/>
<remember-me/>
</http>
Check out this link Adding Custom Filters - my guess is you will need to extend the UsernamePasswordAuthenticationFilter with your own version that does the logic you've outlined above, rather then using the autoconfig and the <form-login> element.