Channel: Spring Community Forums - Security

SAML login + additional authenticate with custom authentication manager

I have a use case to login a user via SAML, then populate the authentication with an existing authentication provider (extends DaoAuthenticationProvider). Looking at ProviderManager code, it calls the parent authentication manager, if the result *is* NULL. What would be the ramifications of calling the parent regardless? After a successful SAML authentication, the SAMLAuthenticationProvider returns an instance of ExpiringUsernameAuthenticationToken which I would then like to populate with authorities from the parent's provider (DaoAuthenticationManager).

Is there a better way of doing this? I would really like to not duplicate the code in the DaoAuthenticationManager which is why I'm considering a custom ProviderManager which will call the parent ProviderManager regardless of whether result is null or not.
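
One alternative to a custom ProviderManager, written here as an added example rather than code from the post or from the Spring Security SAML project: spring-security-saml exposes a SAMLUserDetailsService hook that SAMLAuthenticationProvider invokes after the assertion has been validated, and the authorities of the UserDetails it returns become the authorities of the resulting ExpiringUsernameAuthenticationToken. The delegate below reuses an existing UserDetailsService (assumed to be the same one behind the DaoAuthenticationProvider) so no role-loading code is duplicated; the class name, the delegate bean and the NameID-equals-username mapping are assumptions.

```java
import org.opensaml.saml2.core.NameID;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/**
 * Bridges a validated SAML assertion to the application's existing user store.
 * SAMLAuthenticationProvider calls loadUserBySAML() only after the assertion's
 * signature, audience and conditions were verified, so this class re-checks no
 * credentials; it only maps the asserted identity to locally stored roles.
 * (Hypothetical class; not part of the post or the SAML extension.)
 */
public class ExistingStoreSamlUserDetailsService implements SAMLUserDetailsService {

    // Assumed to be the same UserDetailsService the DaoAuthenticationProvider uses.
    private final UserDetailsService delegate;

    public ExistingStoreSamlUserDetailsService(UserDetailsService delegate) {
        this.delegate = delegate;
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        NameID nameId = credential.getNameID();
        if (nameId == null || nameId.getValue() == null) {
            // No subject identifier: fail closed instead of guessing a user.
            // UsernameNotFoundException is an AuthenticationException, so the login is rejected.
            throw new UsernameNotFoundException("SAML assertion carries no NameID");
        }
        // Assumption: the IdP's NameID equals the local username; map it here if it does not.
        UserDetails user = delegate.loadUserByUsername(nameId.getValue());
        // Local account state still applies even though the IdP vouched for the login.
        if (!user.isEnabled()) {
            throw new DisabledException("Local account is disabled: " + user.getUsername());
        }
        if (!user.isAccountNonLocked()) {
            throw new LockedException("Local account is locked: " + user.getUsername());
        }
        // The provider copies user.getAuthorities() into the ExpiringUsernameAuthenticationToken.
        return user;
    }
}
```

Wire an instance into the SAMLAuthenticationProvider bean through its userDetails property so the existing ProviderManager needs no change.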

Logout link not found with 3.2.0.RC1

Hi guys,

I just updated to Spring Security 3.2.0.RC1 and the logout link stopped working :( .. It's all working fine with 3.2.0.M2, but not with the latest RC. I am using the java configuration so I had to:
- add the .csrf().disable() to the http element.
- change authorizeUrls to .authorizeRequests()
- add this ObjectPostProcessor.QUIESCENT_POSTPROCESSOR to the AuthenticationManagerBuilder constructor (dunno what it is).
As a result here's my configuration:

Code:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/**").hasRole("EMPLOYEE")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginProcessingUrl("/j_spring_security_check").permitAll()
                .loginPage("/login.jsp").permitAll()
                .failureUrl("/login.jsp?authfailed").permitAll()
                .and()
            .logout()
                .logoutUrl("/j_spring_security_logout").permitAll()
                .logoutSuccessUrl("/login.jsp")
                .and()
            .exceptionHandling().accessDeniedHandler(defaultAccessDeniedHandler());
    }

and whenever I go to /j_spring_security_logout I get "404 Not Found".
I even created a small project so you can test.
1) Download it from here: https://www.dropbox.com/s/lmg5ytyjd9...ogout-test.zip
2) Unzip
3) mvn clean install
4) mvn jetty:run
5) Login with admin/nimda
6) Click logout

Regd CSRF support.

Hi everyone, I have been using Spring MVC & Spring Security for quite some time now. For configuration of Spring Security I created beans for each individual filter and I am using it as shown below.

Last week, I noticed in the new version of Spring Security there is a mechanism (newly introduced) to prevent CSRF attacks.

So my first question is how do I configure the beans for CSRF (the csrfFilter order among the list of filters?).

I don't want to do the following

Code:

<http ...>
    ...
    <csrf />
</http>


I wish to use the following beans

Code:

<bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
    <constructor-arg ref="csrfRepository" />
</bean>

<bean id="csrfRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />

in

Code:

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
        <list>
            <security:filter-chain pattern="/public*.do" filters="none" />
            <security:filter-chain pattern="/resources/**" filters="none" />
            <security:filter-chain pattern="/logout.do" filters="logoutFilter" />
            <security:filter-chain pattern="/**" filters="securityContextFilter, csrfFilter, authenticationFilter,
                servletApiFilter, sessionMgmtFilter, concurrencySessionFilter, exceptionTranslator, filterSecurityInterceptor" />
        </list>
    </constructor-arg>
</bean>

On the UI, I am using spring form tags.

My second question is whether I should use hidden input html tags in my template files.

Code:

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

My third question is do I need to register a bean implementing RequestDataValueProcessor in my applicationContext.xml?

Code:

<bean name="requestDataValueProcessor" class="com.sd.security.CsrfRequestDataValueProcessor"/>

I am using latest versions of Spring, Spring Security.

Thanks,
Vivek.

how to customize filters when using http namespace

I'm finding it difficult to make simple customizations to the default filters when I use the http namespace. For example, I simply want to set forceEagerSessionCreation to true on the SecurityContextPersistenceFilter, or set a custom ErrorAuthenticationFailureHandler on the SessionManagementFilter.


I'd like to do something like

<http auto-config="true" use-expressions="true" disable-url-rewriting="true">
    <custom-filter ref="sessionManagementFilter" position="SESSION_MANAGEMENT_FILTER" />
    <intercept-url pattern="/**" access="permitAll"/>
</http>

<beans:bean id="sessionManagementFilter"
            class="org.springframework.security.web.session.SessionManagementFilter">

    <beans:constructor-arg ref="httpSessionSecurityContextRepository"/>
    <beans:constructor-arg ref="concurrentSessionControlStrategy"/>

    <beans:property name="authenticationFailureHandler">
        <beans:bean class="my.com.ErrorAuthenticationFailureHandler"/>
    </beans:property>

    <beans:property name="invalidSessionStrategy">
        <beans:bean class="my.com.ErrorInvalidSessionStrategy"/>
    </beans:property>

</beans:bean>


But that is not valid. If I want to do something as simple as this, do I have to configure everything manually? Is there an example of manual configuration that does the same thing as http auto-config="true" that I can use as a starting point?