parent
6f2359ccae
commit
4ef2a7984f
|
@ -94,7 +94,7 @@
|
|||
<tbody>
|
||||
<row>
|
||||
<entry valign="middle">spring-security-core</entry>
|
||||
<entry>Core authentication and access-contol classes and interfaces.
|
||||
<entry>Core authentication and access-control classes and interfaces.
|
||||
Remoting support and basic provisioning APIs.</entry>
|
||||
<entry>Required by any application which uses Spring Security.
|
||||
Supports standalone applications, remote clients, method
|
||||
|
@ -174,7 +174,7 @@
|
|||
The <filename>core</filename> package and sub packages contain the basic classes and
|
||||
interfaces which are used throughout the framework and the other two main packages
|
||||
within the core jar are <filename>authentication</filename> and
|
||||
<filename>access</filename>. The <filename>access</filename> package containst
|
||||
<filename>access</filename>. The <filename>access</filename> package contains
|
||||
access-control/authorization code such as the
|
||||
<interfacename>AccessDecisionManager</interfacename> and related voter-based
|
||||
implementations, the interception and method security infrastructure, annotation
|
||||
|
|
|
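Review bot: the "containst" fix is correct, but the surrounding context sentence still runs two independent clauses together: "...interfaces which are used throughout the framework and the other two main packages within the core jar are authentication and access". Suggest ending the first clause after "framework" and starting a new sentence with "The other two main packages within the core jar are ...", and writing "sub packages" as "sub-packages" while the paragraph is being touched.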
@ -199,7 +199,7 @@ Our existing configuration means that all we need to do is create a *login.html*
|
|||
|
||||
IMPORTANT: Do not display details about why authentication failed. For example, we do not want to display that the user does not exist as this will tell an attacker that they should try a different username.
|
||||
|
||||
TIP: We use Thymeleaf to automatically add the CSRF token to our form. If we were not using Thymleaf or Spring MVCs taglib we could also manually add the CSRF token using `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`.
|
||||
TIP: We use Thymeleaf to automatically add the CSRF token to our form. If we were not using Thymeleaf or Spring MVCs taglib we could also manually add the CSRF token using `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`.
|
||||
|
||||
Start up the server and try visiting http://localhost:8080/sample/ to see the updates to our configuration. We now see our login page, but it does not look very pretty. The issue is that we have not granted access to the css files.
|
||||
|
||||
|
|
|
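Review bot: the TIP line still carries a second error that the Thymeleaf spelling fix leaves in place on both the removed and the added line: "Spring MVCs taglib" is missing the possessive apostrophe and should read "Spring MVC's taglib". Since this line is already being rewritten, fix both in the same hunk.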
@ -66,7 +66,7 @@ in order to utilize the _sec:authentication_ and _sec:authorize_ attributes.
|
|||
<3> Displays the authorities of the currently authenticated principal.
|
||||
<4> The logout form.
|
||||
|
||||
TIP: Thymeleaf will automatically add the CSRF token to our logout form. If we were not using Thymleaf or Spring MVCs taglib we could also manually add the CSRF token using `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`.
|
||||
TIP: Thymeleaf will automatically add the CSRF token to our logout form. If we were not using Thymeleaf or Spring MVCs taglib we could also manually add the CSRF token using `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`.
|
||||
|
||||
==== Update the _secured_ page
|
||||
|
||||
|
|
|
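Review bot: same residual issue as the equivalent TIP in the login-form section: "If we were not using Thymeleaf or Spring MVCs taglib" should read "Spring MVC's taglib". The added line corrects the product name but leaves the missing apostrophe.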
@ -378,7 +378,7 @@ The first option is to include the actual CSRF token in the body of the request.
|
|||
By placing the CSRF token in the body, the body will be read before authorization is performed.
|
||||
This means that anyone can place temporary files on your server.
|
||||
However, only authorized users will be able to submit a File that is processed by your application.
|
||||
In general, this is the recommended approach because the temporary file uplaod should have a negligible impact on most servers.
|
||||
In general, this is the recommended approach because the temporary file upload should have a negligible impact on most servers.
|
||||
|
||||
[[csrf-considerations-multipart-url]]
|
||||
==== Include CSRF Token in URL
|
||||
|
|
|
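Review bot: the "uplaod" correction is fine; the unchanged context line above it has a dangling modifier worth fixing in the same pass: "By placing the CSRF token in the body, the body will be read before authorization is performed" attaches "By placing" to "the body". Suggest "If the CSRF token is placed in the body, the body is read before authorization is performed." That keeps the following caveat ("anyone can place temporary files on your server") reading as the direct consequence it is meant to be.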
@ -130,7 +130,7 @@ Next we will discuss various ways of including the CSRF token in a form as a hid
|
|||
Spring Security's CSRF support provides integration with Spring's https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/reactive/result/view/RequestDataValueProcessor.html[RequestDataValueProcessor] via its https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessor.html[CsrfRequestDataValueProcessor].
|
||||
In order for `CsrfRequestDataValueProcessor` to work, the `Mono<CsrfToken>` must be subscribed to and the `CsrfToken` must be <<webflux-csrf-include-subscribe,exposed as an attribute>> that matches https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessor.html#DEFAULT_CSRF_ATTR_NAME[DEFAULT_CSRF_ATTR_NAME].
|
||||
|
||||
Fortunately, Thymleaf https://www.thymeleaf.org/doc/tutorials/2.1/thymeleafspring.html#integration-with-requestdatavalueprocessor[provides support] to take care of all the boilerplate for you by integrating with `RequestDataValueProcessor` to ensure that forms that have an unsafe HTTP method (i.e. post) will automatically include the actual CSRF token.
|
||||
Fortunately, Thymeleaf https://www.thymeleaf.org/doc/tutorials/2.1/thymeleafspring.html#integration-with-requestdatavalueprocessor[provides support] to take care of all the boilerplate for you by integrating with `RequestDataValueProcessor` to ensure that forms that have an unsafe HTTP method (i.e. post) will automatically include the actual CSRF token.
|
||||
|
||||
[[webflux-csrf-include-form-attr]]
|
||||
===== CsrfToken Request Attribute
|
||||
|
|
|
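Review bot: on the corrected line, "forms that have an unsafe HTTP method (i.e. post)" uses "i.e." where "e.g." is meant, since POST is one example of an unsafe method rather than the definition of the set, and the method name should be upper-cased as "POST" to match how the rest of the reference writes HTTP methods. Suggest "(e.g. POST)".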
@ -77,9 +77,9 @@ It should also be compatible with applications using Spring 2.5.x.
|
|||
==== I'm new to Spring Security and I need to build an application that supports CAS single sign-on over HTTPS, while allowing Basic authentication locally for certain URLs, authenticating against multiple back end user information sources (LDAP and JDBC). I've copied some configuration files I found but it doesn't work.
|
||||
What could be wrong?
|
||||
|
||||
Or subsititute an alternative complex scenario...
|
||||
Or substitute an alternative complex scenario...
|
||||
|
||||
Realistically, you need an understanding of the technolgies you are intending to use before you can successfully build applications with them.
|
||||
Realistically, you need an understanding of the technologies you are intending to use before you can successfully build applications with them.
|
||||
Security is complicated.
|
||||
Setting up a simple configuration using a login form and some hard-coded users using Spring Security's namespace is reasonably straightforward.
|
||||
Moving to using a backed JDBC database is also easy enough.
|
||||
|
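Review bot: the two spelling fixes are correct, but the context line "Moving to using a backed JDBC database is also easy enough." still reads wrong; "backed" appears to be a dropped word and the sentence likely intends "a JDBC-backed user database" (or "a JDBC back end"). Suggest rewording that line as well, and hyphenating "back end user information sources" as "back-end" in the heading for consistency.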
@ -131,7 +131,7 @@ If you are using hashed passwords, make sure the value stored in your database i
|
|||
[[appendix-faq-login-loop]]
|
||||
==== My application goes into an "endless loop" when I try to login, what's going on?
|
||||
|
||||
A common user problem with infinite loop and redirecting to the login page is caused by accidently configuring the login page as a "secured" resource.
|
||||
A common user problem with infinite loop and redirecting to the login page is caused by accidentally configuring the login page as a "secured" resource.
|
||||
Make sure your configuration allows anonymous access to the login page, either by excluding it from the security filter chain or marking it as requiring ROLE_ANONYMOUS.
|
||||
|
||||
If your AccessDecisionManager includes an AuthenticatedVoter, you can use the attribute "IS_AUTHENTICATED_ANONYMOUSLY". This is automatically available if you are using the standard namespace configuration setup.
|
||||
|
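Review bot: besides "accidently", the corrected line has an article problem: "A common user problem with infinite loop and redirecting to the login page is caused by..." reads better as "A common cause of an infinite redirect loop to the login page is accidentally configuring the login page as a "secured" resource." The heading's "when I try to login" should also be "when I try to log in" (verb, not noun).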
@ -387,7 +387,7 @@ Any which are marked as "optional" in the Spring Security POM files will have to
|
|||
[[appendix-faq-apacheds-deps]]
|
||||
==== What dependencies are needed to run an embedded ApacheDS LDAP server?
|
||||
|
||||
If you are using Maven, you need to add the folowing to your pom dependencies:
|
||||
If you are using Maven, you need to add the following to your pom dependencies:
|
||||
|
||||
[source]
|
||||
----
|
||||
|
|
|
@ -517,11 +517,11 @@ Select the `AllowFromStrategy` to use when using the ALLOW-FROM policy.
|
|||
|
||||
** `static` Use a single static ALLOW-FROM value.
|
||||
The value can be set through the <<nsa-frame-options-value,value>> attribute.
|
||||
** `regexp` Use a regelur expression to validate incoming requests and if they are allowed.
|
||||
** `regexp` Use a regular expression to validate incoming requests and if they are allowed.
|
||||
The regular expression can be set through the <<nsa-frame-options-value,value>> attribute.
|
||||
The request parameter used to retrieve the value to validate can be specified using the <<nsa-frame-options-from-parameter,from-parameter>>.
|
||||
** `whitelist` A comma-seperated list containing the allowed domains.
|
||||
The comma-seperated list can be set through the <<nsa-frame-options-value,value>> attribute.
|
||||
** `whitelist` A comma-separated list containing the allowed domains.
|
||||
The comma-separated list can be set through the <<nsa-frame-options-value,value>> attribute.
|
||||
The request parameter used to retrieve the value to validate can be specified using the <<nsa-frame-options-from-parameter,from-parameter>>.
|
||||
|
||||
|
||||
|
|
|
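Review bot: the `regexp` bullet is still awkward after the spelling fix: "Use a regular expression to validate incoming requests and if they are allowed" should read something like "Use a regular expression to decide whether incoming requests are allowed". The `whitelist` bullet's two lines are fine as corrected.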
@ -235,7 +235,7 @@ With the configuration above, the flow of logout would be:
|
|||
* The logout success page, `/cas-logout.jsp`, should instruct the user to click a link pointing to `/logout/cas` in order to logout out of all applications.
|
||||
* When the user clicks the link, the user is redirected to the CAS single logout URL (https://localhost:9443/cas/logout).
|
||||
* On the CAS Server side, the CAS single logout URL then submits single logout requests to all the CAS Services.
|
||||
On the CAS Service side, JASIG's `SingleSignOutFilter` processes the logout request by invaliditing the original session.
|
||||
On the CAS Service side, JASIG's `SingleSignOutFilter` processes the logout request by invalidating the original session.
|
||||
|
||||
|
||||
|
||||
|
|
|
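Review bot: the "invaliditing" fix is correct, but the first bullet in the context has a duplicated word: "in order to logout out of all applications" should be "in order to log out of all applications". Worth fixing in the same hunk since the list is already being edited.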
@ -76,7 +76,7 @@ protected void configure(HttpSecurity http) throws Exception {
|
|||
|
||||
<b:bean id="digestEntryPoint"
|
||||
class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint"
|
||||
p:realmName="My App Relam"
|
||||
p:realmName="My App Realm"
|
||||
p:key="3028472b-da34-4501-bfd8-a355c42bdf92"
|
||||
/>
|
||||
|
||||
|
|
|
@ -82,7 +82,7 @@ public UserDetailsService users() {
|
|||
.password("password")
|
||||
.roles("USER")
|
||||
.build();
|
||||
UserDetails user = users
|
||||
UserDetails admin = users
|
||||
.username("admin")
|
||||
.password("password")
|
||||
.roles("USER", "ADMIN")
|
||||
|
|
|
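Review bot: this is a real bug fix rather than a typo: the second builder chain (`.username("admin")` ... `.roles("USER", "ADMIN")`) was being assigned to a local named `user`, which duplicates the first user's variable and would not compile as written. Renaming it to `admin` is right; please confirm that the lines just below the hunk, where both accounts are registered, reference `admin` rather than `user` so the sample stays consistent.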
@ -16,7 +16,7 @@ The interceptor uses a `MethodSecurityMetadataSource` instance to obtain the con
|
|||
Other implementations will be used to handle annotation-based configuration.
|
||||
|
||||
==== Explicit MethodSecurityInterceptor Configuration
|
||||
You can of course configure a `MethodSecurityIterceptor` directly in your application context for use with one of Spring AOP's proxying mechanisms:
|
||||
You can of course configure a `MethodSecurityInterceptor` directly in your application context for use with one of Spring AOP's proxying mechanisms:
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
|
|
|
@ -155,7 +155,7 @@ Next we will discuss various ways of including the CSRF token in a form as a hid
|
|||
===== Automatic CSRF Token Inclusion
|
||||
|
||||
Spring Security's CSRF support provides integration with Spring's https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/support/RequestDataValueProcessor.html[RequestDataValueProcessor] via its https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/servlet/support/csrf/CsrfRequestDataValueProcessor.html[CsrfRequestDataValueProcessor].
|
||||
This means that if you leverage https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#mvc-view-jsp-formtaglib[Spring’s form tag library], https://www.thymeleaf.org/doc/tutorials/2.1/thymeleafspring.html#integration-with-requestdatavalueprocessor[Thymleaf], or any other view technology that integrates with `RequestDataValueProcessor`, then forms that have an unsafe HTTP method (i.e. post) will automatically include the actual CSRF token.
|
||||
This means that if you leverage https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#mvc-view-jsp-formtaglib[Spring’s form tag library], https://www.thymeleaf.org/doc/tutorials/2.1/thymeleafspring.html#integration-with-requestdatavalueprocessor[Thymeleaf], or any other view technology that integrates with `RequestDataValueProcessor`, then forms that have an unsafe HTTP method (i.e. post) will automatically include the actual CSRF token.
|
||||
|
||||
[[servlet-csrf-include-form-tag]]
|
||||
===== csrfInput Tag
|
||||
|
|
|
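Review bot: the corrected line keeps "forms that have an unsafe HTTP method (i.e. post)"; "i.e." should be "e.g." since POST is only one of the unsafe methods (PUT and DELETE also qualify), and the method should be written "POST" in upper case as elsewhere in the reference.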
@ -30,7 +30,7 @@ This content will only be visible to users who have the "supervisor" authority i
|
|||
</sec:authorize>
|
||||
----
|
||||
|
||||
When used in conjuction with Spring Security's PermissionEvaluator, the tag can also be used to check permissions.
|
||||
When used in conjunction with Spring Security's PermissionEvaluator, the tag can also be used to check permissions.
|
||||
For example:
|
||||
|
||||
[source,xml]
|
||||
|
|
|
@ -5,7 +5,7 @@ If your application is designed for English-speaking users, you don't need to do
|
|||
If you need to support other locales, everything you need to know is contained in this section.
|
||||
|
||||
All exception messages can be localized, including messages related to authentication failures and access being denied (authorization failures).
|
||||
Exceptions and logging messages that are focused on developers or system deployers (including incorrect attributes, interface contract violations, using incorrect constructors, startup time validation, debug-level logging) are not localized and instead are hard-coded in English within Spring Security's code.
|
||||
Exceptions and logging messages that are focused on developers or system deplopers (including incorrect attributes, interface contract violations, using incorrect constructors, startup time validation, debug-level logging) are not localized and instead are hard-coded in English within Spring Security's code.
|
||||
|
||||
Shipping in the `spring-security-core-xx.jar` you will find an `org.springframework.security` package that in turn contains a `messages.properties` file, as well as localized versions for some common languages.
|
||||
This should be referred to by your `ApplicationContext`, as Spring Security classes implement Spring's `MessageSourceAware` interface and expect the message resolver to be dependency injected at application context startup time.
|
||||
|
|
|
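Review bot: this hunk introduces a typo instead of fixing one. The removed line reads "developers or system deployers" and the added line reads "developers or system deplopers". "Deployers" is the correct spelling; revert this hunk or correct the added line before merging.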
@ -221,7 +221,7 @@ import org.springframework.security.core.annotation.AuthenticationPrincipal;
|
|||
@RequestMapping("/messages/inbox")
|
||||
public ModelAndView findMessagesForUser(@AuthenticationPrincipal(expression = "customUser") CustomUser customUser) {
|
||||
|
||||
// .. find messags for this user and return them ...
|
||||
// .. find messages for this user and return them ...
|
||||
}
|
||||
----
|
||||
|
||||
|
@ -356,7 +356,7 @@ Will output HTML that is similar to the following:
|
|||
|
||||
Spring Security provides `CsrfTokenArgumentResolver` which can automatically resolve the current `CsrfToken` for Spring MVC arguments.
|
||||
By using <<jc-hello-wsca,@EnableWebSecurity>> you will automatically have this added to your Spring MVC configuration.
|
||||
If you use XML based configuraiton, you must add this yourself.
|
||||
If you use XML based configuration, you must add this yourself.
|
||||
|
||||
Once `CsrfTokenArgumentResolver` is properly configured, you can expose the `CsrfToken` to your static HTML based application.
|
||||
|
||||
|
|
|
@ -96,7 +96,7 @@ Typically this would involve a redirect to the welcome page.
|
|||
|
||||
[[servletapi-start-runnable]]
|
||||
==== AsyncContext.start(Runnable)
|
||||
The https://docs.oracle.com/javaee/6/api/javax/servlet/AsyncContext.html#start%28java.lang.Runnable%29[AsynchContext.start(Runnable)] method that ensures your credentials will be propagated to the new Thread.
|
||||
The https://docs.oracle.com/javaee/6/api/javax/servlet/AsyncContext.html#start%28java.lang.Runnable%29[AsyncContext.start(Runnable)] method that ensures your credentials will be propagated to the new Thread.
|
||||
Using Spring Security's concurrency support, Spring Security overrides the AsyncContext.start(Runnable) to ensure that the current SecurityContext is used when processing the Runnable.
|
||||
For example, the following would output the current user's Authentication:
|
||||
|
||||
|
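Review bot: the "AsynchContext" correction is right, but the sentence it sits in has no main verb: "The AsyncContext.start(Runnable) method that ensures your credentials will be propagated to the new Thread." Drop "that" so it reads "The AsyncContext.start(Runnable) method ensures your credentials will be propagated to the new Thread."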
@ -182,10 +182,10 @@ new Thread("AsyncThread") {
|
|||
----
|
||||
|
||||
The issue is that this Thread is not known to Spring Security, so the SecurityContext is not propagated to it.
|
||||
This means when we commit the HttpServletResponse there is no SecuriytContext.
|
||||
This means when we commit the HttpServletResponse there is no SecurityContext.
|
||||
When Spring Security automatically saved the SecurityContext on committing the HttpServletResponse it would lose our logged in user.
|
||||
|
||||
Since version 3.2, Spring Security is smart enough to no longer automatically save the SecurityContext on commiting the HttpServletResponse as soon as HttpServletRequest.startAsync() is invoked.
|
||||
Since version 3.2, Spring Security is smart enough to no longer automatically save the SecurityContext on committing the HttpServletResponse as soon as HttpServletRequest.startAsync() is invoked.
|
||||
|
||||
[[servletapi-31]]
|
||||
=== Servlet 3.1+ Integration
|
||||
|
|