I'm using Spring Security 2.0.4 and I want to remove authentication for url like
http://localhost:8080/myapp/images-by-url?url=http://www.example.com/1023
I add the following in security.xml
<http auto-config="true" lowercase-comparisons="false">
<intercept-url pattern="/images-by-url*" filters="none"/>
</http>
but it doesn't seem to work. I try
<intercept-url pattern="/images-by-url**" filters="none"/>
and it does not work either. Any idea?
Related
How can I add multiple custom implementations of standard Http Filter to a Spring Security namespace FilterChainProxy? I know I can add one filter to the chain by using the after, before or position attributes. But how can I add more than one filter?. Here is my security config file
<http pattern="/javax.faces.resource/**" security="none"/>
<http pattern="/resources/**" security="none"/>
<http pattern="/session_list.jsp" security="none"/>
<http pattern="/security/cas_logout.jsf" security="none"/>
<http pattern="/user/account_signup.jsf" security="none"/>
<http pattern="/user/company_user_association.jsf" security="none"/>
<http pattern="/user/account_signup_review.jsf" security="none"/>
<http auto-config="true" use-expressions="true" entry-point-ref="casEntryPoint" access-decision-manager-ref="accessDecisionManager">
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<logout logout-success-url="/security/cas_logout.jsf" invalidate-session="true"/>
<custom-filter position="CAS_FILTER" ref="casFilter"/>
<custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
<custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</http>
<beans:bean id="portalSessionFilter" class="org.x.web.security.PortalSessionInterceptor"/>
<beans:bean id="requestUrlStackFilter" class="org.x.web.security.RequestUrlStackFilter"/>
I would like to add the portalSessionFilter and requestUrlStackFilter to the filter chain above. I can potentially do this
<custom-filter ref="portalSessionFilter" before="LAST"/>
But how do I add requestUrlStackFilter before LAST and right after portalSessionFilter BTW both of them are simple GenericFilterBean implementations.
I tried creating another FilterChainProxy bean with the above two filters in its chain list and add that bean as a custom-filter to the namespace configuration before LAST and the filters seem to work but my JSF navigation is broken, especially with commandLink (I think AJAX calls are failing when using this FilterChainProxy)
Can anyone suggest any ideas on how to add these two filters and possible other filters to the Spring Security Filter Chain?
I found a solution to the problem I was having. I solved it by implementing my own filter chain instead of using the spring security filter chain proxy to chain my filters. The problem with FilterChainProxy is that it uses reset method at the end of the filter chain which will cause problems if you inject it in between the main spring security filter chain proxy.
The custom filter chain just processes the required filters and hands back control to the main spring security filterchainproxy. Here is how the config looks after the changes
<http auto-config="false" use-expressions="true" entry-point-ref="casEntryPoint" access-decision-manager-ref="accessDecisionManager">
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<logout logout-success-url="/security/cas_logout.jsf" invalidate-session="true"/>
<custom-filter position="CAS_FILTER" ref="casFilter"/>
<custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
<custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
<custom-filter ref="customFilterChain" before="LAST"/>
</http>
<beans:bean id="customFilterChain" class="org.x.web.security.CustomFilterChain">
<beans:constructor-arg>
<beans:list>
<filter-chain pattern="/javax.faces.resource/**" filters="none"/>
<filter-chain pattern="/resources/**" filters="none"/>
<filter-chain pattern="/**" filters="portalSessionFilter,requestUrlStackFilter"/>
</beans:list>
</beans:constructor-arg>
Here CustomFilterChain extends GenericFilterBean but in the doFilter method chains the filters (matching the request pattern) and finally passes control back to the main spring security FilterChainProxy
strange one,
I am using spring security with siteminder and it works fine. However I want to have one url which isn't protected - our loadBalancer needs a "healthCheck" url within the app itself. This url isn't intercepted by siteminder, but spring security seems to apply the preauth to it anyhow..
if I run it locally using a simple forms-based security config the following works (excluding the filters):
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/html/healthCheck.html" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/login" filters="none" />
<intercept-url pattern="/favicon.ico" filters="none" />
<intercept-url pattern="/*" access="hasAnyRole('ROLE_USER')" />
<form-login login-page="/login" default-target-url="/" authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
</http>
In this case, I can browse to localhost/myApp/resources/html/healthCheck.html without hitting an authorization issue, but any other url will display the login form. All looking good so far!
However when I deploy to the server I am using the following config:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/html/healthCheck.html" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/login" filters="none" />
<intercept-url pattern="/favicon.ico" filters="none" />
<intercept-url pattern="/*" access="hasAnyRole('ROLE_USER')" />
<custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</http>
When I browse to: server/myapp/resources/html/healthCheck.html I get the following error:
java.lang.IllegalArgumentException: Cannot pass null or empty values to constructor
org.springframework.security.core.userdetails.User.<init>(User.java:94)
com.myApp.security.SecuritySBSUserDetailsService.loadUserByUsername(SecuritySBSUserDetailsService.java:119)
org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper.loadUserDetails(UserDetailsByNameServiceWrapper.java:53)
I think this is caused by the UserDetailsService getting instantiated without any SM_USER. Yet the filters=none is in place.. and works when using forms authentication..Any idea what might be causing this, or better - of a workaround?
By the way, my userdetails service is configured as follows:
<beans:bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<beans:property name="principalRequestHeader" value="SM_USER" />
<beans:property name="exceptionIfHeaderMissing" value="false" />
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
i.e. I've set exceptionIfHeaderMissing to false, if that helps..
The most obvious thing I can see is that /resources/html/healthCheck.html won't be matched by /html/healthCheck.html. If you are rewriting the URLs somewhere you should probably explain that.
If you enable debug logging, it should explain in detail what is matched against what.
I'd also leave out the auto-config. It causes more confusion than it is worth. And you should use /** rather than /* for a universal ant pattern match.
It's probably also worth mentioning here that Spring Security 3.1 has a better approach for defining empty filter chains, and also allows you to define more than one filter chain using the <http> syntax.
Okay, it seems to be a bug in spring security as far as I can see. I got around it by adding a dummy return to the start of the loadUserByName method in the UserDetailsService..
#Override
public UserDetails loadUserByUsername(String userName)
throws UsernameNotFoundException, DataAccessException {
logger.trace(">> loadUserByUsername()");
logger.info("-- loadUserByUsername(): username : {}", userName);
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
if(userName==null || userName.trim().equals("")) {
return(new User("ANONYMOUS", "", true, true, true, true, authorities));
}
// rest of auth checks
It would seem like with the config I have, the UserDetails check shouldn't be getting triggered at all (as it is with the forms..). If anyone has a configuration based workaround I'll give you a plus :-)
I already have form login and Basic auth working side by side with the help of a DelegatingAuthenticationEntryPoint.
What I'm trying to do is have users coming thru the login form to be authenticated against criteria "A", and have users coming thru the Basic auth requests to be authenticated against criteria "B".
Some of the application's resources are exposed thru a RESTful service (accessible via Basic auth). Instead of having users enter their own credentials to make a REST service call, they can enter generated key/value pairs for use exclusively with the REST service that can later be revoked by the user or by the app administrator.
I would prefer to share as much of my security-specific beans as possible between the two methods of authentication. I know I will need separate UserDetailsServices as the form login queries my users table, and Basic auth will query my service_credentials table.
What is the correct way to achieve this kind of configuration in Spring Security?
Depending on your app and whether you're using Spring Security 3.1, you might be best to split the configuration into multiple filter chains, each with a separate authentication manager defined:
<http pattern="/rest_api/**" create-session="stateless"
authentication-manager-ref="serviceCredsAuthMgr">
<http-basic />
</http>
<http authentication-manager-ref="mainAuthMgr">
<form-login />
</http>
<authentication-manager id="serviceCredsAuthMgr">
<authentication-provider user-service-ref="serviceCredsUserDetailsSvc" />
</authentication-manager>
<authentication-manager id="mainAuthMgr">
<!-- whatever -->
</authentication-manager>
Instead of the pattern attribute you can also use the request-matcher-ref attribute to specify a RequestMatcher instance which will be used to map incoming requests to a particular filter chain. This has a very simple interface, but can allow you to match based on something other than the URL path, such as the Accept header.
With SpringSecurity (3.2.3.RELEASE) work fine form as well as basic auth:
<http pattern="/resources/**" security="none"/>
<http pattern="/webjars/**" security="none"/>
<http pattern="/rest/**" create-session="stateless" use-expressions="true">
<intercept-url pattern="/**" access="isFullyAuthenticated()"/>
<http-basic />
</http>
<http auto-config="true" use-expressions="true">
<http-basic/>
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/loginfailed" access="permitAll"/>
<intercept-url pattern="/logout" access="permitAll"/>
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/**" access="isAuthenticated()"/>
<form-login login-page="/login" default-target-url="/" authentication-failure-url="/loginfailed"/>
<logout logout-success-url="/logout"/>
<remember-me user-service-ref="userService"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="userService">
<!--
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT email, password, enabled FROM users WHERE email = ?"
authorities-by-username-query="
SELECT u.email, r.name FROM users u, roles r WHERE u.id = r.user_id and u.email = ?"/>
-->
<!--
<user-service>
<user name="mail#yandex.ru" password="password" authorities="ROLE_USER"/>
<user name="admin#gmail.com" password="admin" authorities="ROLE_ADMIN"/>
</user-service>
-->
</authentication-provider>
</authentication-manager>
I want any user to be able to submit their name to a volunteer form but only administrators to be able to view any other URL. Unfortunately I don't seem to be able to get this correct. My resources.xml are as follows;
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http realm = "BumBumTrain Personnel list requires you to login" auto-config="true" use-expressions="true">
<http-basic/>
<intercept-url pattern="/person/volunteer*" access=""/>
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Specifically I am trying to achieve the access settings I described via;
<intercept-url pattern="/person/volunteer*" access=""/>
<intercept-url pattern="/**" access="isAuthenticated()" />
Could someone please describe how to use intercept-url to achieve the outcome I've described?
Thanks
Gav
For whatever reason in a grails app I needed;
<intercept-url pattern="/person/volunteer/**" access="" filters="none"/>
<intercept-url pattern="/images/**" access="" filters="none"/>
<intercept-url pattern="/css/**" access="" filters="none"/>
<intercept-url pattern="/js/**" access="" filters="none"/>
<intercept-url pattern="/**" access="ROLE_ADMIN" />
To get this to work, note the difference in the first rule.
What exactly does not work as you expect? what goes wrong?
I think access="" does not what you expect... Use the format from the docs:
<intercept-url pattern="/login.jsp*" filters="none"/>
If you don't use the default authentication (which you do) you would need to add a WebExpressionVoter because you use expressions expressions doc
Hi replace access="" with access="permitAll" for the url you want to make accessile without authentication.
I'm trying to add <session-management> in my Spring Security namespace configuration so that I can provide a different message than the login page when the session times out. As soon as I add it to my configuration it starts throwing "IllegalStateException: Cannot create a session after the response has been committed" when I access the app.
I'm using Spring Security 3 and Tomcat 6. Here's my configuration:
<http>
<intercept-url pattern="/go.htm" access="ROLE_RESPONDENT" />
<intercept-url pattern="/complete.htm" access="ROLE_RESPONDENT" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-processing-url="/j_spring_security_check"
login-page="/login.htm"
authentication-failure-url="/login.htm?error=true"
default-target-url="/go.htm"
/>
<anonymous/>
<logout logout-success-url="/logout_message.htm"/>
<session-management invalid-session-url="/login.htm" />
</http>
Everything works great until I add in the <session-management> line. What am I missing?
You are probably hitting this bug:
https://jira.springsource.org/browse/SEC-1346
Try using the up-to-date version (3.0.2.RELEASE).
This works for me
<session-management invalid-session-url="/taac/login">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
Maybe including the auto-config="true" attribute in the <http> tag helps, you might be missing some required filters or settings.