Spring Security 3.0 - Intercept-URL - All pages require authentication but one - spring-security

I want any user to be able to submit their name to a volunteer form but only administrators to be able to view any other URL. Unfortunately I don't seem to be able to get this correct. My resources.xml are as follows;
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http realm = "BumBumTrain Personnel list requires you to login" auto-config="true" use-expressions="true">
<http-basic/>
<intercept-url pattern="/person/volunteer*" access=""/>
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Specifically I am trying to achieve the access settings I described via;
<intercept-url pattern="/person/volunteer*" access=""/>
<intercept-url pattern="/**" access="isAuthenticated()" />
Could someone please describe how to use intercept-url to achieve the outcome I've described?
Thanks
Gav
For whatever reason in a grails app I needed;
<intercept-url pattern="/person/volunteer/**" access="" filters="none"/>
<intercept-url pattern="/images/**" access="" filters="none"/>
<intercept-url pattern="/css/**" access="" filters="none"/>
<intercept-url pattern="/js/**" access="" filters="none"/>
<intercept-url pattern="/**" access="ROLE_ADMIN" />
To get this to work, note the difference in the first rule.


What exactly does not work as you expect? what goes wrong?
I think access="" does not what you expect... Use the format from the docs:
<intercept-url pattern="/login.jsp*" filters="none"/>
If you don't use the default authentication (which you do) you would need to add a WebExpressionVoter because you use expressions expressions doc


Hi replace access="" with access="permitAll" for the url you want to make accessile without authentication.

Related

Error when trying to use session-management

I am trying to place session-management in my security-application.xml file.
Error:
Invalid content was found starting with element 'session-management'. One of '{"http://www.springframework.org/schema/security":intercept-url,
I tried to put in other places but without success.
Advice?
------------------------UPDATE ONE------------------------
I tried:
<security:session-management invalid-session-url="/logonTimeOut.jsp">
<security:concurrency-control expired-url="/logonTimeOut.jsp"/>
</security:session-management>
and it is still not working.

I think your xml configuration is not correct .Change xml configuration like this
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd"
>
<http create-session="always" use-expressions="true">
<intercept-url pattern="/anonymous*" access="isAnonymous()"/>
<intercept-url pattern="/login*" access="permitAll"/>
<intercept-url pattern="/**" access="isAuthenticated()"/>
<csrf disabled="true"/>
<form-login login-page='/login.html' authentication-success-handler-ref="myAuthenticationSuccessHandler" authentication-failure-url="/login.html?error=true"/>
<logout delete-cookies="JSESSIONID"/>
<remember-me key="uniqueAndSecret" token-validity-seconds="86400"/>
<session-management invalid-session-url="/invalidSession.html">
<concurrency-control max-sessions="2" expired-url="/sessionExpired.html"/>
</session-management>
</http>
<beans:bean id="myAuthenticationSuccessHandler" class="org.baeldung.security.MySimpleUrlAuthenticationSuccessHandler"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user1" password="user1Pass" authorities="ROLE_USER"/>
<user name="admin1" password="admin1Pass" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>

Spring Security 5 return 403 on login

I am evaluating Spring 5 (MVC) and Spring Security 5.
When I am posting username and password from a custom form I get a 403 return code.
When using instead of or the Spring default login form everything is workin fine.
Here my applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config='false' use-expressions="true">
<intercept-url pattern="/assets/**" access="isAnonymous() or hasRole('ROLE_USER')" />
<intercept-url pattern="/pages/**" access="isAnonymous() or hasRole('ROLE_USER')" />
<intercept-url pattern="/index.do**" access="isAnonymous() or hasRole('ROLE_USER')" />
<intercept-url pattern="/app2/**" access="isAnonymous() or hasRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/index.do#/login"
login-processing-url="/login"
default-target-url="/index.do"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>

How to override BasicAuthenticationFilter using the schema configuration?

We use Spring Security 4.x and I want to override BasicAuthenticationFilter.
Unfortunately I was not able to find how to configure the class name for the BasicAuthenticationFilter nor in the http element neither in the http-basic element the schema configuration.
How to override BasicAuthenticationFilter using the schema configuration?
I have tried to override BasicAuthenticationFilter using the custom filter without success – the schema continue to create the default BasicAuthenticationFilter.
Added
Very strange. I configured auto-config="false but I still can see the creation of the default BasicAuthenticationFilter.
It should not be created according to the documentation http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#nsa-http
Added
The configuration w/o beans definitions
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:oxm="http://www.springframework.org/schema/oxm"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<sec:global-method-security pre-post-annotations="enabled">
<!-- AspectJ pointcut expression that locates our "post" method and applies security that way
<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
-->
</sec:global-method-security>
<sec:http use-expressions="true" auto-config="true" pattern="/api/**" disable-url-rewriting="false" entry-point-ref="authenticationEntryPoint">
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/api/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:logout logout-url="/logout.faces" success-handler-ref="logoutSuccessHandlerImpl" />
<sec:http-basic entry-point-ref="authenticationEntryPoint"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<!--<sec:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER"/>-->
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
<bean class="org.primefaces.webapp.filter.FileUploadFilter" name="fileUploadFilter"/>
<sec:http use-expressions="true" auto-config="true" disable-url-rewriting="false">
<sec:custom-filter ref="fileUploadFilter" before="FIRST"/>
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/pages/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/login.faces" access="isAnonymous()"/>
<sec:intercept-url pattern="/js/**" access="permitAll"/>
<sec:intercept-url pattern="/css/**" access="permitAll"/>
<sec:intercept-url pattern="/images/**" access="permitAll"/>
<sec:intercept-url pattern="/img/**" access="permitAll" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<sec:form-login login-page="/login.faces"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login.faces"
default-target-url="/pages/defaultPage.faces"
username-parameter="j_username"
password-parameter="j_password"
authentication-failure-handler-ref="authenticationFailureHandler"
/>
<sec:logout logout-url="/logout.faces"
success-handler-ref="logoutSuccessHandlerImpl"
/>
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
...
</beans>

As per the schema documentation in the xsd if you want to replace a filter you need to use the position tag:
<sec:custom-filter ref="customBasicAuth" position="BASIC_AUTH_FILTER"/>
Also if you include the <sec:http-basic element, then the default basic auth filter will be added to the filter chain.
The auto-config is a legacy attribute and can be removed (no need to set it to false)

403 errors after upgrading to Spring Security 4.0.0

I've been trying to update my project to Spring Security 4.0.0. I think I've read the migration guide quite extensively but even if I can successfully login and navigate through the pages, I get 403 errors on every Ajax requests. Everything is working fine with 3.2.7.
This is my "manual login" configuration file:
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- HTTP security configurations -->
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<intercept-url access="permitAll" pattern="/" /><!-- To permit "/" allows the use of web.xml's <welcome-file> -->
<intercept-url access="permitAll" pattern="/home" />
<intercept-url access="permitAll" pattern="/login" />
<intercept-url access="permitAll" pattern="/pages/exceptions/**" />
<intercept-url access="permitAll" pattern="/javax.faces.resource/**" />
<intercept-url access="permitAll" pattern="/resources/**" />
<intercept-url access="permitAll" pattern="/j_spring_security_check"/>
<intercept-url access="hasRole('ROLE_ADMIN')" pattern="/administration/**" />
<intercept-url access="isAuthenticated()" pattern="/**" />
<logout logout-url="/logout" logout-success-url='/home' />
<form-login login-page='/login'
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login?auth=fail"
default-target-url="/home" />
</http>
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="${authentication.provider}" />
</authentication-manager>
<b:bean name="bcryptEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<b:bean id="daoAuthProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<b:property name="userDetailsService">
<b:bean class="eu.ueb.acem.services.auth.DaoUserDetailsService">
<b:property name="domainService" ref="domainService" />
</b:bean>
</b:property>
<b:property name="passwordEncoder" ref="bcryptEncoder" />
</b:bean>
</b:beans>
I try to use:
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<headers disabled="true" />
<csrf disabled="true"/>
...
</http>
but I get :
cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'headers'
cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'csrf'
which is normal because 4.0.0 has no dedicated XML Schema at:
http://www.springframework.org/schema/security/
So what could possibly cause these "403 forbidden" errors?

Ok, I found the solution. It is indeed to use:
<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
<csrf disabled="true"/>
...
</http>
but for the time being, we have to ignore the XML Schema error in Eclipse. Hopefully Spring will put their new Schema online soon.

Handling both form and HTTP basic authentication with different sources

I already have form login and Basic auth working side by side with the help of a DelegatingAuthenticationEntryPoint.
What I'm trying to do is have users coming thru the login form to be authenticated against criteria "A", and have users coming thru the Basic auth requests to be authenticated against criteria "B".
Some of the application's resources are exposed thru a RESTful service (accessible via Basic auth). Instead of having users enter their own credentials to make a REST service call, they can enter generated key/value pairs for use exclusively with the REST service that can later be revoked by the user or by the app administrator.
I would prefer to share as much of my security-specific beans as possible between the two methods of authentication. I know I will need separate UserDetailsServices as the form login queries my users table, and Basic auth will query my service_credentials table.
What is the correct way to achieve this kind of configuration in Spring Security?

Depending on your app and whether you're using Spring Security 3.1, you might be best to split the configuration into multiple filter chains, each with a separate authentication manager defined:
<http pattern="/rest_api/**" create-session="stateless"
authentication-manager-ref="serviceCredsAuthMgr">
<http-basic />
</http>
<http authentication-manager-ref="mainAuthMgr">
<form-login />
</http>
<authentication-manager id="serviceCredsAuthMgr">
<authentication-provider user-service-ref="serviceCredsUserDetailsSvc" />
</authentication-manager>
<authentication-manager id="mainAuthMgr">
<!-- whatever -->
</authentication-manager>
Instead of the pattern attribute you can also use the request-matcher-ref attribute to specify a RequestMatcher instance which will be used to map incoming requests to a particular filter chain. This has a very simple interface, but can allow you to match based on something other than the URL path, such as the Accept header.

With SpringSecurity (3.2.3.RELEASE) work fine form as well as basic auth:
<http pattern="/resources/**" security="none"/>
<http pattern="/webjars/**" security="none"/>
<http pattern="/rest/**" create-session="stateless" use-expressions="true">
<intercept-url pattern="/**" access="isFullyAuthenticated()"/>
<http-basic />
</http>
<http auto-config="true" use-expressions="true">
<http-basic/>
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/loginfailed" access="permitAll"/>
<intercept-url pattern="/logout" access="permitAll"/>
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/**" access="isAuthenticated()"/>
<form-login login-page="/login" default-target-url="/" authentication-failure-url="/loginfailed"/>
<logout logout-success-url="/logout"/>
<remember-me user-service-ref="userService"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="userService">
<!--
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT email, password, enabled FROM users WHERE email = ?"
authorities-by-username-query="
SELECT u.email, r.name FROM users u, roles r WHERE u.id = r.user_id and u.email = ?"/>
-->
<!--
<user-service>
<user name="mail#yandex.ru" password="password" authorities="ROLE_USER"/>
<user name="admin#gmail.com" password="admin" authorities="ROLE_ADMIN"/>
</user-service>
-->
</authentication-provider>
</authentication-manager>

Resources