Thread: Skip login with RequestMethod.GET

  1. #1 Skip login with RequestMethod.GET

    Hi all.

    I have a serious problem with my security settings.

    My application has a security module which consists of 5 tables:

    - User: Users of the application
    - Role: application profiles
    - MenuOption: Options menu of the application
    - UserRole: the profiles assigned to application users
    - RoleMenuOption: menu options assigned to the application profiles

    As you can see, the module can even create new roles, which may have whatever permissions you want to assign.

    My problem is this:

    1. I start my application, and it shows me the login page. OK.
    2. On my login page, I write a URL in the address toolbar of my browser. OK.
    3. If this request is served with a GET method in my @Controller, the application doesn't ask me for a user and password. Just by putting the URL in your browser toolbar you skip the login! ERROR.

    For example:

    @RequestMapping(value = "/productForm.html", method = RequestMethod.GET)
    public @ModelAttribute("bean") MyBean viewProduct(Model model) {

    ...
    }

    If I put the address "http://host:port/myapp/product/productForm.html?id=282312" in the address toolbar of my browser without having logged in, it allows me to enter the productForm page.

    This is wrong. I searched several resources, sites, etc. for a solution, and have not yet found it.

    My file security-roles.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security" 
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans 
                 http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                 http://www.springframework.org/schema/security 
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">


            <http auto-config="true" access-denied-page="/error.jsp">
                <intercept-url pattern="/images/**" filters="none" />
                <intercept-url pattern="/scripts/**" filters="none" />
                <intercept-url pattern="/styles/**" filters="none" />
            
                <form-login login-page="/login.jsp" 
                    login-processing-url="/j_security_check" 
                    authentication-failure-url="/login.jsp?error=true" />    
            
                <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />
            </http>     
            
             <authentication-manager alias="authenticationManager">
                <authentication-provider ref="daoAuthenticationProvider">
                    <password-encoder ref="passwordEncoder"/>
                </authentication-provider>
            </authentication-manager>
              
             <beans:bean id="daoAuthenticationProvider" class="com.myapp.security.MyAuthenticatorProvider">
                <beans:property name="userDao" ref="userDao"/>
                <beans:property name="roleDao" ref="roleDao"/>
                <beans:property name="parametroDao" ref="parametroDao"/>
            </beans:bean>
            
            <beans:bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
                <beans:property name="key" value="anonymous"/>
              </beans:bean>
            
            <beans:bean id="myFilter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
                <beans:property name="securityMetadataSource" ref="securityMetadataSource" />
                <beans:property name="authenticationManager" ref="authenticationManager" />
                <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
            </beans:bean>

            <beans:bean  class="org.springframework.security.access.vote.ConsensusBased">
                    <beans:property name="allowIfAllAbstainDecisions" value="true" />
                    <beans:property name="decisionVoters">
                        <beans:list>
                           <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                           <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                        </beans:list>
                    </beans:property>
            </beans:bean>

            <beans:bean id="accessDecisionManager"
                class="com.myapp.security.MyAccessDecisionManager" />

            <beans:bean id="securityMetadataSource" class="com.myapp.security.MySecureResourceFilter" 
                  init-method="initilize" >          
                  <beans:property name="opcionMenuDao" ref="opcionMenuDao" />  
            </beans:bean>

    </beans:beans>
    What happened? What am I doing wrong?

    I understand that the bean "myFilter" should prevent anyone from entering any page in the application if this person is not logged in. But they are entering.

    Thanks in advance for any help regarding this issue.

    Susan

  2. #2

    Code:
            
    <http auto-config="true" access-denied-page="/error.jsp">
    <intercept-url pattern="/images/**" access="permitAll()" />
    <intercept-url pattern="/scripts/**" access="permitAll()" />
    <intercept-url pattern="/styles/**"  access="permitAll()" /> 
    <intercept-url pattern="/yourloginPage/**"  access="permitAll()" />
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    
    .....
    If you want a given URL to require that the user be authenticated, you need to say so. Or a better practice would be to deny access to everything and then explicitly allow access to unauthenticated users where appropriate.
    Andrew Thompson

  3. #3

    Thanks arthomps.

    Some time ago, I tried the following:

    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

    The results were the same: I can enter the page with the GET method without logging in.

    When I tried your suggestion, I got the following error:

    SEVERE: Exception sending context initialized event to listener instance of class com.pe.pgn.clubpgn.webapp.listener.StartupListener
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [permitAll(), isAuthenticated()]

    Any ideas?

    Susan

  4. #4

    Your version of Spring is different from mine. My comment is based on 3.1. Consult the docs for the version you're using. At a high level, you just need to tell Spring Security that it needs to require that the user be authenticated before they access a page.
    Andrew Thompson
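Editor's note, as an added example that is not part of the thread and not the poster's file: the configuration below rewrites the `<http>` block from security-roles.xml for the Spring Security 3.0 schema that file declares, placing the setting that lets the GET through beside the corrected one. Two things in the posted file explain the behaviour. First, the only `<intercept-url>` rules are the three `filters="none"` entries, so there is no rule at all for `/product/productForm.html`; a `FilterSecurityInterceptor` whose metadata source returns no attributes for a URL treats that URL as public unless `rejectPublicInvocations` is set to true (its default is false), which is exactly why the hand-wired `myFilter` also waves the request through when `MySecureResourceFilter` has no entry for it. Second, the `permitAll` / `isAuthenticated()` expressions from reply #2 are only understood when the `<http>` element carries `use-expressions="true"`; without it the 3.0 namespace builds a plain `RoleVoter`-style interceptor and fails at startup with the "Unsupported configuration attributes" message quoted in reply #3. Bean ids (`myFilter`, `securityMetadataSource`, `accessDecisionManager`, `authenticationManager`) are the ones from the thread; the beans schema version and the `/login.jsp` pattern are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the original security-roles.xml). Spring Security 3.0 namespace.
     Assumptions: spring-beans-3.0.xsd, login page lives at /login.jsp. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
             http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
             http://www.springframework.org/schema/security
             http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- WEAK (as posted, kept here commented out for comparison):
         the namespace-built FilterSecurityInterceptor knows only three patterns,
         all of them filters="none". Every other URL has no configuration
         attributes and is treated as public, so GET /product/productForm.html
         is served to an anonymous browser.
    <http auto-config="true" access-denied-page="/error.jsp">
        <intercept-url pattern="/images/**"  filters="none" />
        <intercept-url pattern="/scripts/**" filters="none" />
        <intercept-url pattern="/styles/**"  filters="none" />
    </http>
    -->

    <!-- CORRECTED: deny by default, open only what an anonymous user needs.
         use-expressions="true" is what makes permitAll / isAuthenticated()
         legal on the 3.0 schema; leaving it out produces the
         "Unsupported configuration attributes: [permitAll(), isAuthenticated()]"
         startup failure from reply #3. In 3.0 the expression is spelled
         permitAll (no parentheses). -->
    <http auto-config="true" use-expressions="true" access-denied-page="/error.jsp">
        <intercept-url pattern="/images/**"  filters="none" />
        <intercept-url pattern="/scripts/**" filters="none" />
        <intercept-url pattern="/styles/**"  filters="none" />
        <!-- the login page itself must stay reachable, or every visit redirects in a loop -->
        <intercept-url pattern="/login.jsp"  access="permitAll" />
        <!-- catch-all goes LAST: rules are matched in declaration order, first match wins -->
        <intercept-url pattern="/**"         access="isAuthenticated()" />

        <form-login login-page="/login.jsp"
                    login-processing-url="/j_security_check"
                    authentication-failure-url="/login.jsp?error=true" />

        <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />
    </http>

    <!-- The hand-wired interceptor that consults the database-driven menu options.
         rejectPublicInvocations="true" turns a URL for which MySecureResourceFilter
         returns no attributes into an error instead of a free pass (the default,
         false, is what let the unmapped productForm URL through). -->
    <beans:bean id="myFilter"
                class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <beans:property name="securityMetadataSource" ref="securityMetadataSource" />
        <beans:property name="authenticationManager"  ref="authenticationManager" />
        <beans:property name="accessDecisionManager"  ref="accessDecisionManager" />
        <beans:property name="rejectPublicInvocations" value="true" />
    </beans:bean>

    <!-- authentication-manager, daoAuthenticationProvider, accessDecisionManager and
         securityMetadataSource are unchanged from the original security-roles.xml. -->
</beans:beans>
```

To check the fix without a browser session, request the URL from the original post with no cookies (`curl -i 'http://host:port/myapp/product/productForm.html?id=282312'`): with the catch-all rule in place the response must be a 302 to `/login.jsp` rather than a 200 carrying the product form. Keep the custom `MyAccessDecisionManager` in mind as well: if it abstains or grants when the metadata source returns nothing, the `/**` rule on the namespace interceptor is what actually stops the request, so test with that bean both present and removed.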
