Question

Hello Stackoverflower,

I've got an issue with the Spring Security stuff. The login box that should appear before you can proceed to your application doesn't appear, and I can access my application without any authentication. I don't have any clue why this happens. It would be very important to know why no user and password are asked for.

I test my app with the RESTClient add-on for Firefox.

The important entries in the web.xml look like:

    <!-- Security Configuration -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/</url-pattern>
    </filter-mapping>

    <!-- Spring JSON Init -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>json</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>json</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

My spring-security config is:

    <!-- Security Property Configuration -->
    <security:http use-expressions="true">
        <security:http-basic/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider
            ref="springUserService" />
    </security:authentication-manager>

The springUserService looks like this:

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class springUserService implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String name = authentication.getName();
        String password = authentication.getCredentials().toString();
        // No authorities are granted and the password is never checked here:
        // every name/password pair that reaches this provider is accepted.
        List<GrantedAuthority> grantedAuths = new ArrayList<>();
        return new UsernamePasswordAuthenticationToken(name, password, grantedAuths);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only username/password tokens (form login or HTTP Basic) are handled.
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}

I'm very thankful for every hint or answer.

Solution

I think you need to add some intercept-url tags in your Spring Security config:

<security:intercept-url pattern="/securedUrl" access="isAuthenticated()" />
<security:intercept-url pattern="/login" access="permitAll" />

So change your code to something like this:

<security:http use-expressions="true">
    <security:intercept-url pattern="/securedUrl" access="isAuthenticated()" />
    <security:intercept-url pattern="/login" access="permitAll" />
    <!-- keep the Basic entry point from your config so the browser is challenged for credentials -->
    <security:http-basic/>
</security:http>

You can also use wildcards in the pattern attribute or a custom access expression:

<intercept-url pattern="/url1/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')"/>
<intercept-url pattern="/url2/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/**" access="permitAll" />

OTHER TIPS

Try this:

<security:http auto-config="true" use-expressions="true" path-type="regex">
    <security:intercept-url pattern="/admin/.*" access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/.*" access="isAuthenticated()" />
</security:http>

Here is a more detailed example with explanations:

<http auto-config="true" use-expressions="true" path-type="regex">
    <!-- password-parameter / username-parameter: the password and username field names in your form
         login-processing-url: where your login form should submit to; no need to map this to anything, Spring Security handles it
         login-page: where you'll be taken to when not logged in
         authentication-failure-url: if your login fails, Spring Security will redirect you with login_error set to t
         default-target-url: if you want to route people based on roles, etc., you can map a controller to this URL
         always-use-default-target: this will send logged-in users to your router URL -->
    <form-login
        password-parameter="password"
        username-parameter="username"
        login-processing-url="/security/j_spring_security_check"
        login-page="/login"
        authentication-failure-url="/login?login_error=t"
        default-target-url="/router"
        always-use-default-target="false"
        />
    <headers>
        <xss-protection/> <!-- inserts a header to prevent cross-site scripting -->
    </headers>
    <!-- logout URL, no need to map it to anything, handled by Spring Security -->
    <logout logout-url="/security/j_spring_security_logout" />

    <!-- secure URLs by role -->
    <intercept-url pattern="/admin/.*"  access="hasRole('ROLE_ADMIN')" />
    <!-- let new users register by allowing everyone access to the registration page -->
    <intercept-url pattern="/register"  access="permitAll"/>
    <!-- require users to be authenticated for the rest of the site and require HTTPS (optional) for ALL URLs -->
    <intercept-url pattern="/.*"        access="isAuthenticated()" requires-channel="https" />
</http>
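Both answers above come down to the same mechanism: Spring Security's URL interceptor walks the intercept-url rules in order, the first pattern that matches decides, and with the XML namespace a request that matches no rule at all is let through, which is exactly the symptom in the question. The following is an added example, not Spring's code and not from either answerer: a small Python model of that evaluation, with Ant-style patterns (`/url1/**`) and `path-type="regex"` patterns, and the access expressions used on this page (`permitAll`, `isAuthenticated()`, `hasRole`, `hasAnyRole`). The rule sets and requests are constructed from the answers; the anonymous/authenticated principals are assumptions for illustration.

```python
"""Model of how <intercept-url> rules are evaluated (added example, not Spring's code)."""
import re
from typing import Optional

Principal = Optional[dict]  # None = anonymous request; otherwise {"roles": set()}


def ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern into an anchored regex.

    '/**' matches any number of trailing segments (including none),
    '*' matches within one segment, '?' matches a single character.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def evaluate(expression: str, principal: Principal) -> bool:
    """Evaluate the subset of access expressions seen on this page.

    Anything not understood raises, so a typo cannot silently grant access.
    """
    expr = expression.strip()
    if expr == "permitAll":
        return True
    if expr == "denyAll":
        return False
    if expr == "isAuthenticated()":
        return principal is not None
    m = re.fullmatch(r"hasRole\('([^']+)'\)", expr)
    if m:
        return principal is not None and m.group(1) in principal["roles"]
    m = re.fullmatch(r"hasAnyRole\((.*)\)", expr)
    if m:
        wanted = {r.strip().strip("'") for r in m.group(1).split(",")}
        return principal is not None and bool(wanted & principal["roles"])
    raise ValueError(f"unsupported access expression: {expression!r}")


def decide(rules, path: str, principal: Principal = None, path_type: str = "ant"):
    """Return (allowed, matched_pattern). First matching rule wins.

    With no matching rule the request is allowed and matched_pattern is None:
    the interceptor has nothing to enforce, so no login is demanded.
    """
    for pattern, access in rules:
        regex = pattern if path_type == "regex" else ant_to_regex(pattern)
        if re.fullmatch(regex, path):
            return evaluate(access, principal), pattern
    return True, None


# Constructed rule sets taken from the answers above.
QUESTIONER_RULES = []  # the question's <http> has no intercept-url at all
ANSWER_RULES = [("/securedUrl", "isAuthenticated()"), ("/login", "permitAll")]
WILDCARD_RULES = [
    ("/url1/**", "hasAnyRole('ROLE_ADMIN', 'ROLE_USER')"),
    ("/url2/**", "isAuthenticated()"),
    ("/resources/**", "permitAll"),
    ("/**", "permitAll"),
]
# Same rules with the catch-all moved first: it now shadows every other rule.
MISORDERED_RULES = [("/**", "permitAll")] + WILDCARD_RULES[:3]
REGEX_RULES = [("/admin/.*", "hasRole('ROLE_ADMIN')"), ("/.*", "isAuthenticated()")]

ANON: Principal = None
USER: Principal = {"roles": {"ROLE_USER"}}

if __name__ == "__main__":
    print("no rules, anonymous /anything:", decide(QUESTIONER_RULES, "/anything", ANON))
    print("answer rules, anonymous /securedUrl:", decide(ANSWER_RULES, "/securedUrl", ANON))
    print("answer rules, anonymous /other:", decide(ANSWER_RULES, "/other", ANON))
    print("wildcards, anonymous /url1/x:", decide(WILDCARD_RULES, "/url1/x", ANON))
    print("misordered, anonymous /url1/x:", decide(MISORDERED_RULES, "/url1/x", ANON))
    print("regex, user /admin/panel:", decide(REGEX_RULES, "/admin/panel", USER, "regex"))
```

Two things the model makes visible that the snippets alone do not: the accepted answer's two rules only protect `/securedUrl`, so every other path in the application stays open exactly as before (the "OTHER TIPS" `/.*` or `/**` catch-all closes that gap), and a catch-all `permitAll` rule is only safe as the last entry, since the first match wins.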