Mention worthy: I am following a tutorial about Securing GWT apps with Spring Security.
I don't get this. I can't seem to get permitAll
to work as I need it to.
This is my current configuration:
<http auto-config="true">
<intercept-url pattern="/**" access="permitAll" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
</http>
If I'm accessing my site on //localhost:8080
the site gets not entirely loaded because the request
//localhost:8080/app/xsrf
is 403 Forbidden
for some reason. The way I configured Spring Security should not be the problem here if I understood it correctly.
I does not work if I simply add
<intercept-url pattern="/**" access="permitAll" />
to <http ..>
what does work is adding this:
<http pattern="/app/xsrf" security="none"/>
I would like to understand why because this is not how I wan to configure Spring Security.. adding every single URL that is supposed to be permitted.
An additional problem I am facing is that for whatever reason (perhaps the same) I cannot access //localhost:8080/login
. Which means If I submit my login to /login
I am getting 403 Forbidden
.
Now, one would think that adding <http pattern="/login" security="none"/>
would help here but no. If I add that to my configuration I am getting 404 Not Found
on this particular URL.
This starts to drive me insane as I am stuck here for so many days I don't dare to tell you. Your help shall be appreciated and rewarded.
Entire applicationContext-service.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<!-- Imports -->
<beans:import resource="applicationContext-jooq.xml"/>
<!-- /////////////////////////////////////////////////////////////// -->
<!-- // BEGIN Spring Security -->
<http pattern="/app/xsrf" security="none"/>
<!-- <http pattern="/login" security="none"/> -->
<http auto-config="true">
<intercept-url pattern="/**" access="permitAll" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
</http>
<beans:bean id="authenticationListener"
class="com.mz.server.web.auth.CustomAuthenticationListener"/>
<beans:bean id="authenticationProvider"
class="com.mz.server.web.auth.CustomAuthenticationProvider"/>
<beans:bean id="userDetailsService"
class="com.mz.server.web.service.CustomUserDetailsService"/>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="authenticationProvider"/>
</authentication-manager>
<!-- // END Spring Security -->
<!-- /////////////////////////////////////////////////////////////// -->
<!-- // BEGIN Services -->
<beans:bean id="loginService" class="com.mz.server.web.service.LoginService">
<beans:constructor-arg ref="dslContext" />
</beans:bean>
<!-- // END Services -->
</beans:beans>
Edit:
Reduced applicationContext-service.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<!-- Imports -->
<beans:import resource="applicationContext-jooq.xml"/>
<!-- //////////////////////////////////////////////////////////////////////////////// -->
<!-- // BEGIN Spring Security -->
<global-method-security pre-post-annotations="enabled"/>
<http auto-config="true">
<intercept-url pattern="/**" access="permitAll" />
</http>
<!-- // END Spring Security-->
</beans:beans>
This is the web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>GWT Application | mz</display-name>
<welcome-file-list> <!-- Default page to serve -->
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<!-- //////////////////////////////////////////////////////////////////////////////// -->
<!-- // BEGIN Filters -->
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- // END FILTERS -->
<!-- //////////////////////////////////////////////////////////////////////////////// -->
<!-- // BEGIN Listeners -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>com.mz.server.web.ServerConfig</listener-class>
</listener>
<!-- // END Listeners -->
<!-- //////////////////////////////////////////////////////////////////////////////// -->
<!-- // BEGIN Servlets -->
<servlet>
<servlet-name>login</servlet-name>
<servlet-class>com.mz.server.web.servlet.LoginServletImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>login</servlet-name>
<url-pattern>/app/login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>xsrf</servlet-name>
<servlet-class>com.google.gwt.user.server.rpc.XsrfTokenServiceServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>xsrf</servlet-name>
<url-pattern>/app/xsrf</url-pattern>
</servlet-mapping>
<servlet> <!-- Dispatcher Servlet for REST API for Mobile Devices -->
<servlet-name>mobile-restapi</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mobile-restapi</servlet-name>
<url-pattern>/app/restapi/*</url-pattern>
</servlet-mapping>
<!-- // END Servlets -->
<!-- //////////////////////////////////////////////////////////////////////////////// -->
<!-- // BEGIN Context Parameter -->
<context-param>
<param-name>
gwt.xsrf.session_cookie_name
</param-name>
<param-value>
mzsid
</param-value>
</context-param>
<context-param>
<param-name>
contextConfigLocation
</param-name>
<param-value>
classpath:/**/spring-config.xml
classpath*:applicationContext-service.xml
</param-value>
</context-param>
<!-- // END Context Parameter -->
<!-- //////////////////////////////////////////////////////////////////////////////// -->
</web-app>
Spring Security's anonymous authentication just gives you a more convenient way to configure your access-control attributes. Calls to servlet API calls such as getCallerPrincipal , for example, will still return null even though there is actually an anonymous authentication object in the SecurityContextHolder .
anyRequest(). authenticated() is that any request must be authenticated otherwise my Spring app will return a 401 response.
Setting up an <intercept-url> element with access=”permitAll” will configure the authorization so that all requests are allowed on that particular path: <intercept-url pattern="/login*" access="permitAll" /> Or, via Java configuration: http.authorizeRequests().antMatchers("/login*").permitAll();
It appears that the error was in web.xml. Instead of <url-pattern>/*</url-pattern>
(as stated in the tutorial I was following) it should be /**
:
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<!-- It appears that this should say '/**' and not '/*' as stated in many
tutorials
(e.g. http://websystique.com/spring-security/spring-security-4-hello-world-annotation-xml-example/). -->
<url-pattern>/**</url-pattern>
</filter-mapping>
Interestingly is that I'm now getting the following "INFO":
INFO: Suspicious url pattern: "/**" in context [] - see section SRV.11.2 of the Servlet specification
All I can say is that this is starting to feel personal ..
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With