Reputation: 99
I am new to Spring Security and have run into a problem. When I attempt to access a page that is expected to be restricted, it displays the requested page anyway: no 403, no redirect to the login page, no errors in the logs, nothing, just as if Spring Security were not implemented at all.
When the application is deployed I see the following in the logs which tells me Spring Security is at least starting:
INFO: Checking whether login URL '/security/credentials' is accessible with your configuration
I have attempted to change the login page to a restricted page, just to test that it is actually restricted, and I get the following, which tells me that it is correctly being restricted, at least in the simulation.
INFO: Checking whether login URL '/dashboard' is accessible with your configuration
org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
WARNING: Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)
I have the following setup:
web.xml
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <context-param>
    <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
    <param-value>messages</param-value>
  </context-param>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>WEB-INF/applicationContext.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <filter>
    <filter-name>UrlRewriteFilter</filter-name>
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    <init-param>
      <param-name>logLevel</param-name>
      <param-value>TRACE</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/applicationContext.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>
</web-app>
The Spring Security configuration file is imported from my applicationContext.xml.
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
                 http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <http auto-config="true" use-expressions="true">
    <form-login
        login-page="/security/credentials"
        login-processing-url="/security/signin"
        default-target-url="/dashboard"
        authentication-failure-url="/security/signin_failed" />
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/security/**" access="permitAll" />
    <intercept-url pattern="/favicon.ico" access="permitAll" />
    <intercept-url pattern="/**" access="denyAll" />
    <logout logout-success-url="/security/signout" />
    <remember-me />
  </http>
  <authentication-manager alias="authenticationManager">
    <authentication-provider>
      <user-service>
        <user name="test" password="password" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
Upvotes: 2
Views: 6511
Reputation: 4466
I suggest trying it after removing the <remember-me /> tag, or deleting all the cookies first.
It appears that because of an existing cookie you are able to access /dashboard.
Edit: You have UrlRewriteFilter configured before Spring Security; check what the final URL is that is handed to the Spring Security filter, or you can try after disabling UrlRewriteFilter.
Upvotes: 0
Reputation: 3444
Spring is behaving correctly, as you are actually telling Spring that /security/** requests require no authentication (access="permitAll"):
...
<intercept-url pattern="/security/**" access="permitAll" />
...
If you wanted to restrict access to only authenticated users then you could specify:
...
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
Or if you wanted to restrict access to a specific role (replace ROLE_XXX with your specific role):
...
<intercept-url pattern="/security/**" access="hasRole('ROLE_XXX')" />
...
Please note that login-related URLs can't be restricted (for obvious reasons):
login-page="/security/credentials"
login-processing-url="/security/signin"
default-target-url="/dashboard"
authentication-failure-url="/security/signin_failed" />
So either change them to start with something like /login/ instead of /security/, or add specific intercept URLs for each of them (if you must use them):
...
<intercept-url pattern="/security/credentials" access="permitAll" />
<intercept-url pattern="/security/signin" access="permitAll" />
<intercept-url pattern="/security/signin_failed" access="permitAll" />
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
The more specific URLs should be declared first as Spring uses the first rule that it finds from the top.
Upvotes: 1
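To make the first-match ordering concrete, here is an added Python simulation (not Spring's code and not from any post on this page) that applies the access expressions used above to the rule lists from the question and from this answer; the Ant-style matcher is an assumption simplified from Spring's AntPathMatcher (only `**` and `*` are handled).

```python
import re
# Rule lists as (ant_pattern, access_expression), taken from the question and the answer
# above. Spring evaluates intercept-url rules top-down and applies the first match.
ORIGINAL_RULES = [
    ("/resources/**", "permitAll"),
    ("/security/**", "permitAll"),
    ("/favicon.ico", "permitAll"),
    ("/**", "denyAll"),
]
REORDERED_RULES = [  # the answer's fix: specific login URLs first, prefix rule last
    ("/security/credentials", "permitAll"),
    ("/security/signin", "permitAll"),
    ("/security/signin_failed", "permitAll"),
    ("/security/**", "isAuthenticated()"),
]

def ant_to_regex(pattern):
    """Simplified Ant matcher (assumption): '**' spans path segments, '*' stays in one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def first_match(rules, path):
    """Return the first (pattern, access) pair whose pattern matches path, else None."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None

def evaluate(access, authenticated, roles=()):
    """Evaluate only the access expressions that appear on this page."""
    constant = {"permitAll": True, "denyAll": False, "isAuthenticated()": authenticated}
    if access in constant:
        return constant[access]
    m = re.fullmatch(r"hasRole\('([^']+)'\)", access)
    if m:
        return authenticated and m.group(1) in roles
    raise ValueError("unsupported access expression: " + access)

def decide(rules, path, authenticated=False, roles=()):
    """First matching rule decides; with no match Spring lets the request through."""
    hit = first_match(rules, path)
    return True if hit is None else evaluate(hit[1], authenticated, roles)
```

Reversing REORDERED_RULES reproduces the "Anonymous access to the login page doesn't appear to be enabled" warning from the question: the /security/** rule shadows the login page before its own permitAll entry is reached.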