We are using JSF2 and using Navigation Handler to control the navigation between public and secured pages of our web application.
The logic has become so complicated as we need to check for which page is secure and which page is public.
Is there any framework or better way to handle Navigation Handler...
Normally you put the secured pages in a common URL path, such as /app/*, /secured/*, /private/*, etc. This way you can use a single entry point to control the access. If you're using container managed security, it's then a matter of specifying the proper URL pattern:
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted pages</web-resource-name>
<url-pattern>/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
If you are however using homegrown security, then you need to implement a Filter for that instead:
#WebFilter("/secured/*")
public class AuthorizationFilter implements Filter {
// ...
}
or when you're still not on Servlet 3.0 yet, then register it as follows instead of using #WebFilter:
<filter>
<filter-name>authorizationFilter</filter-name>
<filter-class>com.example.AuthorizationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>authorizationFilter</filter-name>
<url-pattern>/secured/*</url-pattern>
</filter-mapping>
Inside the doFilter() method you need to write code which checks if the user is logged in or not and then continues the chain or redirects the response to the login page (which is by itself of course not covered by the same URL pattern).
See also:
Is there any easy way to preprocess and redirect GET requests?
Related
I am trying to implement Spring Security and map the home page which is an HTML page from the Spring Security.
It works with the Thymeleaf dependency in pom.xml, but not without it. I do not want to use it. Moreover I need to use Angularjs partials in the mapping.
My IDE is IntelliJ.
How do I do this without Thymeleaf?
Create a subclass of
org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter
#Configuration
public class ResourceConfig extends WebMvcConfigurerAdapter
in
WebMvcConfigurerAdapter.addResourceHandlers(ResourceHandlerRegistry)
add your resource mappings :
registry.addResourceHandler("/index.html").addResourceLocations(resourcePath);
resourcePath is the path to your resource e.g.
html/index.html if its in src/main/reources/html
you can also make generic mappings.
We've an application which performs form login with spring security. But now we wanted to authenticate user from the query string as well. I tried with custom filter but it didn't solve the purpose. Can anyone please help me in solving the problem?
Authentication via GET is disabled in spring security for, well, security reasons. GET-requests (and their parameters) make their way into log files what is a very bad thing for login credentials. They can also be cached in upstream proxies where the logging is totally out of your control. You have been warned, but if you really want to:
You can enable auth via GET by setting a property on your loginFilter. Depending on your config style (xml or javaconfig) this will be:
<bean id="loginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:postOnly="false" />
or
#Bean
public UsernamePasswordAuthenticationFilter getLoginFilter() {
UsernamePasswordAuthenticationFilter loginFilter = new UsernamePasswordAuthenticationFilter();
loginFilter.setPostOnly(false);
return loginFilter;
}
How Struts2 controller check, we need to check our action mapping in Struts.xml file. Which Interceptor check, we need to search for our action in Struts.xml?
I mean to say, why we need to provide its name as Struts.xml? Beacuse suppose if we are gonna change its name, then we have to override cofig init-param. But for this we need to provide Struts-default.xml in param-value as first parameter. then only, I will be able to change struts.xml name.
For Example:-
<init-param>
<param-name>config</param-name>
<param-value>struts-default.xml,test.xml</param-vale>
</init-param>
So I want to ask why it don't work without struts-default.xml.
I have an application that requires the users to choose between 2 different authentication methods.
One being username/password authentication and the other being username/password/one-time-password.
i have created the additional authentication provider and it works well when overriding the daoAuthenticationProvider provider in my resources.groovy as done in http://burtbeckwith.com/blog/?p=1090
however now when i need my authentication method to live side by side with the standard daoAuthenticationProvider i am a bit stuck.
I know i have my custom authentication provider and a custom filter registered in resources.groovy. The question is how do i make a url("redirect /my_auth to the filter") be intercepted by my custom filter?
Instead of registering the filters in resources.groovy, you can do this using filterChain configurations in Config.groovy. Declare all the filters spring security will be using in filterchain.filterNames, including both the standard filters you want, as well as your custom ones:
grails.plugins.springsecurity.filterChain.filterNames = [
'securityContextPersistenceFilter', 'logoutFilter',
'authenticationProcessingFilter', 'firstCustomFilter','secondCustomFilter',
'rememberMeAuthenticationFilter', 'anonymousAuthenticationFilter',
'exceptionTranslationFilter', 'filterInvocationInterceptor'
]
Then map your custom filters to specific URLs - one way to do this using exclusions is as follows:
grails.plugins.springsecurity.filterChain.chainMap = [
'/customUrlOne/**': 'JOINED_FILTERS,-secondCustomFilter',
'/customUrlTwo/**': 'JOINED_FILTERS,-firstCustomFilter',
'/**': 'JOINED_FILTERS,-firstCustomFilter,-secondCustomFilter'
]
JOINED_FILTERS is the set of all filters you've declared in the first map. Under "/**", all filters except your custom filters which have been excluded will be active. Similarly, under the custom URLs, all filters, minus the excluded custom filter meant for the other URL will be active. This will ensure that traffic going to customUrlOne will be intercepted by firstCustomFilter, and traffic going to customUrlTwo will be intercepted by secondCustomFilter.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
I have my application in Struts1 and I have used Dispatch action in all my actions. Please tell me now how do I Shift to struts 2 and what are the modifications that should be made to change all my actions and form beans.
I will suggest you this document series:
http://www.infoq.com/articles/converting-struts-2-part1
http://www.infoq.com/articles/migrating-struts-2-part2
First link explains the topic and there is an example at second link. I wrote below an explanation taken from there:
Configuring the framework
The first, and most important configuration, is the one that enables the web application framework within the servlet containers web.xml file.
The configuration that everyone should be familiar with for Struts is:
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
For Struts2 there are very few changes. The most significant is that the dispatcher has been changed from a servlet to a servlet filter. The configuration is just as easy as for a servlet, and shown here:
<filter>
<filter-name>webwork</filter-name>
<filter-class>
org.apache.struts.action2.dispatcher.FilterDispatcher
</filter-class>
</filter>
<filter-mapping>
<filter-name>webwork</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Deconstructing the Actions
In the request walk-through we spoke about some of the differences between Struts and Struts2 from a high level. Let's take it a step deeper now, and look at the differences between the structures of the actions in each framework.
Let's first review the general structure of the Struts action. The general form of the Struts action looks like this:
public class MyAction extends Action {
public ActionForward execute(ActionMapping mapping,
ActionForm form,
HttpServletRequest request,
HttpServletResponse response)
throws Exception {
// do the work
return (mapping.findForward("success"));
}
}
When implementing a Struts action, you need to be aware of the following items:
All actions have to extend the Action base class.
All actions have to be thread-safe, as only a single action instance is created.
Because the actions have to be thread-safe, all the objects that may be needed in the processing of the action are passed in the method signature.
The name of the method that is invoked for the processing of the action is "execute" (there is a DispatchAction class available in Struts which can re-route the method to be executed to another method in the same action, however the initial entry point from the framework into the action is still the "execute" method).
An ActionForward result is returned using a method from the ActionMapping class, most commonly via the "findForward" method call.
In contrast, the Struts2 action provides a much simpler implementation. Here's what it looks like:
public class MyAction {
public String execute() throws Exception {
// do the work
return "success";
}
}
The first thing you may have noticed is that the action doesn't extend any classes or interfaces. In fact, it goes further than this. By convention, the method invoked in the processing of an action is the "execute" method - but it doesn't have to be. Any method that follows the method signature public String methodName() can be invoked through configuration.
Finally, and perhaps the most revolutionary difference from the original Struts implementation, is that the method invoked in the processing of an action (the "execute" method) has no parameter. So how do you get access to the objects that you need to work with? The answer lies in the "inversion of control" or "dependency injection" pattern (for more information Martin Fowler has an informative article at http://www.martinfowler.com/articles/injection.html). The Spring Framework has popularized this pattern, however, the predecessor to Struts2 (WebWork) started using the pattern around the same time.
You may use dynamic method invocation to vaguely-mimic the old DispatchAction-style "pass in the method name" functionality (or you could write an interceptor that used a parameter to do much the same thing).
There are no "form beans" per se in Struts 2, although you can implement ModelDriven (some docs) and it sort-of works like a form bean.
All JSPs will need to be re-written, but only if you're using the Struts 1 tags. If you used only JSTL tags, you may not need to, it'd depend.
The link provided by Ischin is a good place to start getting more details.
For the Struts 2.x: Make the dispatcher action filter as *.action
For the struts 1.x: Make the action filter as *.do .