
Thread: Deny GET requests for Login URL

  1. #1

    Hello Everyone,

    I am new to Spring Security and have not had much experience with it, and was hoping someone could help me with an issue I have with regards to stopping users logging in using GET.

    I have read the docs and am still confused with how my Spring Security is behaving with regards to my app. I have configured the security XML by placing a "denyAll on all GET requests" for my login URL, however I am still able to login using GET.

    Here is the configuration

    Code:
     <security:http auto-config="false" use-expressions="true" entry-point-ref="formEntryPoint">
            <security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter"/>
            <security:custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
            
            <security:intercept-url pattern="/loginWithDetails" access="denyAll" requires-channel="https" method="GET"/>
            <security:intercept-url pattern="/loginWithDetails" access="permitAll" requires-channel="https" method="POST"/>
            
            <security:intercept-url pattern="/" access="permitAll" requires-channel="https" />
                    
            <security:intercept-url pattern="/loginNoJS" access="permitAll" requires-channel="https" />
            <security:intercept-url pattern="/loginFailed" access="permitAll" requires-channel="https" />
            
            <security:intercept-url pattern="/activate" access="hasRole('ROLE_STAFF')" requires-channel="https" />
            
            <security:intercept-url pattern="/resources/**/*" access="permitAll" requires-channel="any" />
            
            <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_STAFF')" requires-channel="https"/>
            
            <security:session-management session-authentication-strategy-ref="fixationProtection"/>
        </security:http>
    So I thought I could simply add a denyAll to GET requests on /loginWithDetails
    and add permitAll to POST requests on /loginWithDetails

    But I can still login with a GET request using login details in the query string.

    Can anyone help?

    Regards
    Darren.

  2. #2

    Hi Darren,

    Spring Security 3.1 blocks login with the GET method by default. If you check the UsernamePasswordAuthenticationFilter.attemptAuthentication() method (lines 72-74) you will see that that is the very first check being made.

    From the config you have provided I can see that you replaced the FORM_LOGIN_FILTER with a custom bean, but did not provide its config. If you replaced the default filter, which is UsernamePasswordAuthenticationFilter, with your custom implementation, you have to make this check yourself.

    Also keep in mind that security interceptors are not applied to login requests, as the request processing ends in the filter defined at the FORM_LOGIN_FILTER position, where the user is either authenticated and redirected to the original URL or refused and redirected to the access denied URL.

    Hope this helps.

    Regards,
    Michal

  3. #3

    Hi Michal,

    Hey, many thanks for the reply and sorry for not getting back sooner! The custom bean in fact forwarded the request to another URL after its own successful authentication. So by the time Spring Security checked the request URL for the GET method I mentioned, the URL had changed! So it could not apply denyAll because /loginWithDetails no longer existed at that point.

    The whole security setup in this app I'm working on has not been done properly by the looks of it, so I'll just take this as how not to do Spring Security! Thanks very much! :-)
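    The following is an added example (not Darren's bean and not code from Michal's reply) of what a replacement for the custom FORM_LOGIN_FILTER bean has to do itself once it no longer extends UsernamePasswordAuthenticationFilter: reject anything but POST before reading credentials or forwarding anywhere. The class and package names, the parameter names j_username/j_password and the processing URL /loginWithDetails are assumptions taken from the config in the first post; the authenticationManager and success/failure handler wiring that the bean definition must still supply is not shown.

```java
// Added example: a hypothetical replacement for the "authenticationProcessingFilter"
// bean in the thread. Class, package and parameter names are assumptions.
package example.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

public class PostOnlyLoginFilter extends AbstractAuthenticationProcessingFilter {

    public PostOnlyLoginFilter() {
        // Same URL the intercept-url rules in the first post refer to.
        super("/loginWithDetails");
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        // The check Michal describes. It has to be the very first thing this
        // method does: once the filter forwards or redirects, the intercept-url
        // rules for /loginWithDetails are never consulted (Darren's finding),
        // so a GET carrying credentials in the query string would otherwise
        // be accepted. Throwing here sends the request to the configured
        // failure handler instead of authenticating it.
        if (!"POST".equals(request.getMethod())) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }

        // Only after the method check do we look at the submitted credentials.
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        if (username == null) {
            username = "";
        }
        if (password == null) {
            password = "";
        }

        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username.trim(), password);
        // Attach remote address / session id details as the stock filter does.
        token.setDetails(authenticationDetailsSource.buildDetails(request));

        // The AuthenticationManager must be injected on the bean definition;
        // afterPropertiesSet() fails at startup if it is missing.
        return getAuthenticationManager().authenticate(token);
    }
}
```

    Because the rejection is an AuthenticationException, the base class routes it through unsuccessfulAuthentication() to the failure handler, so a GET to /loginWithDetails ends up at the same failure URL as a bad password rather than being silently treated as a login. The denyAll/permitAll method-specific intercept-url entries from the first post are then redundant for this URL, since the filter never lets the request reach the interceptor.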
