1

I wrote here because I cannot find a clear answer to my problem:

My project is using Spring MVC and Spring Security. I well installed both for a web application (of course using Java). I can access with post and get method, but only after the user has been connected via the usual form of Spring Security.

From now, the user do a request on an address like this:

../../get.request?request=getListCommand

where get.request is a mapping from Spring MVC. This access is enable only after the user has been authenticated!

What I need to do: Add the possibility to access directly to this request, without has been authenticated previously, using an address like this one for example:

http://123.123.123.123:123/get.request?request=getListCommand&j_password=myPassword&j_username=myName

or

same thing with the post protocol and the params given (request=getListCommand, j_password=myPassword, j_username=myName)

Of course the authentication will have to be done previously the request is performed and the result sent back.

I searched on many website or directly on the Spring security website. They talk about filterchaining, own user name authentication, RMI; but I don't really found a full example doing what I presented above.

Thanks for anyone than can help me that way.

ps: I use all default or the most simple configuration for Spring security (no fengshui' style :-))

Here is my securit context xml file

<http realm="NexCap Up"
        auto-config="true"
        access-denied-page="/www/jsp/authentication/accessDenied.jsp"
        create-session="always"
        disable-url-rewriting="true">          
            <port-mappings>
                <port-mapping http="8084" https="8443"/>
            </port-mappings>        

            <intercept-url pattern="/www/jsp/authentication/connexion.jsp"                    
                access='IS_AUTHENTICATED_ANONYMOUSLY' requires-channel="https"/>

            <intercept-url pattern="/www/jsp/authentication/connexionFailed.jsp" 
                access='IS_AUTHENTICATED_ANONYMOUSLY'  />

            <intercept-url pattern="/www/jsp/authentication/applicationExit.jsp" 
                access='IS_AUTHENTICATED_ANONYMOUSLY'  /> 


          <intercept-url 
                pattern="/get.Request" 
                method="GET"
                access="ROLE_REMOTE" />

             <intercept-url 
                pattern="/post.Request"  
                method="POST"
                access="ROLE_REMOTE" />

            <intercept-url pattern="/**" 
                access="ROLE_REMOTE,ROLE_SCRIPT"  />
       <form-login 
            authentication-failure-url="/www/jsp/authentication/connexionFailed.jsp"
            login-page="/www/jsp/authentication/connexion.jsp"
            default-target-url="/www/jsp/index.jsp"
            always-use-default-target="true"/>

        <logout
            logout-success-url="/www/jsp/authentication/applicationExit.jsp"
            invalidate-session="true"/>

        <session-management
            invalid-session-url="/www/jsp/authentication/invalidSession.jsp"
            session-authentication-error-url = "/www/jsp/authentication/authentificationError.jsp"
            session-fixation-protection="none">

            <!-- Sessions concurrentes -->
            <concurrency-control 
                error-if-maximum-exceeded="false"
                expired-url="/www/jsp/authentication/sessionExpired.jsp"
                max-sessions="1" />

        </session-management>

    </http>

And the part of the web.xml file about the spring security

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Security</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>


<filter>
  <display-name>springSecurityFilterChain</display-name>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
  </filter-class>


<filter-mapping>
   <filter-name>springSecurityFilterChain</filter-name>
   <url-pattern>/*</url-pattern>


<context-param>
   <param-name>contextConfigLocation</param-name>
   <param-value>
       /WEB-INF/spring/secu-config.xml
   </param-value>

user954156
  • 468
  • 2
  • 6
  • 17
  • Putting your password in the URL is a terrible idea because many web servers will write URLS to access logs. – ams Oct 11 '12 at 12:48
  • It's not a public network, but for an intranet. – user954156 Oct 11 '12 at 14:45
  • even though its an on intranet its not secure someone could be standing next to a person who is logged in and see their password in the url, a lot of people use the same password for different systems, so you are really making your users insecure. At the very least you should push the username and password into the http headers. also users will cut and paste urls over im and email which can inadvertently cause problems. Do you want some high ranking manager using your app getting mad because he emailed a link and gave away his username/password – ams Oct 11 '12 at 19:38

1 Answers1

0

Assuming that there is a applicationContext-security.xml in your WEB-INF.
It would be great if you can post your applicationContext-security.xml
And also that you have almost default configuration for spring security.

I would recommend following.

First change your url to /public/get.request?request=getListCommand

Then add following snippet to applicationContext-security.xml

<http use-expressions="true">
 <intercept-url pattern="/public/**" access="permitAll" />
 <!-- You can add n number of filters here-->
</http>

What it will do is bypass security for all the paths under /public/. Reason for changing URL is that you might not want your whole application to be public.

Below is Example of my XML.
Please also note that my authentication provider is custom so dont be confused with that. All you need is to look at my <http> section and you will get an idea how to implement in your application.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled">
        <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
        <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </global-method-security>

    <http use-expressions="true">
        <intercept-url pattern="/favicon.ico" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll"/>
        <intercept-url pattern="/login.jsp*" access="permitAll"/>
        <intercept-url pattern="/Admin/**" access="hasAnyRole('ROLE_SUPER_USER')"/>
        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" />
        <http-basic/>
        <logout logout-success-url="/login.jsp"/>
        <remember-me user-service-ref="loginService" />
        <!-- Uncomment to limit the number of sessions a user can have -->
     </http>

    <authentication-manager>
        <authentication-provider user-service-ref="loginService">
         <password-encoder hash="md5"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="loginService" class="com.indyaah.service.LoginService">
    </beans:bean>
    <beans:bean id="authService" class="com.indyaah.service.AuthService" />
</beans:beans>

As you can see I allow login.jsp and my static content (images/js/css/etc.) to be accessed anonymously meaning without logging in.

Hope this help.

Let me know if you need further help in understanding.

Anuj Patel
  • 17,261
  • 3
  • 30
  • 57
  • I read what you said, if I right understood, you explained me how to enable user to access some part of my web site without login. It's not totaly fault, but I want them to be login not by a classic html form, but directly given their log information in the address (It's not my choice, I have to do like that). I added my config xml files above, in case that can help – user954156 Oct 11 '12 at 14:58