j_spring_security_check results in 405

[tobias.balling]

Hi there,

for having a backend which is offering api's for web (inculding sessions) and mobile apps (stateless) i played a bit with the new multiple http filters and patterns feature.

Weird thing ist that if I set my pattern to (standard) /** my login for the webapp and stuff works as expected. But once i change that to a custom pattern (/web/**) i get a Http 405 post not supported.

Thing is that I could figure out that the submit form is doing exaclty the same thing. But one alternative gives this 405.

i'll add the security.xml here and also add the github link
@security.xml (not working... removing the /web/ from the pattern makes it)

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    <!-- HTTP security configurations -->
    <http use-expressions="true" pattern="/web/**">
        <form-login login-processing-url="/web/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/resources/j_spring_security_logout" />
        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/web/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/web/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/**" access="permitAll" />
    </http>
    
    <http create-session="stateless" use-expressions="true" pattern="/mobile/**">
        <http-basic/>
        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/mobile/api/" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
    </http>
    
    <!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
        <!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
        <authentication-provider>
            <password-encoder hash="sha-256" />
            <user-service>
                <user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN" />
                <user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

@github:
git://github.com/tobiasballing/SpringAndMobileAuthentication.git

thanks for help :/

[Rob Winch]

The login.jspx form is not being submitted to Spring Security because it sends the request to /resources/j_spring_security_check. Instead it should submit to /web/resources/j_spring_security_check (which is what you have configured).

The first <http> element states that it will only be interested in requests that start with /web (i.e. pattern="/web/**". This means that specifying logout of /resources/j_spring_security_logout will not work since it does not start with /web (i.e. it conflicts with patther="/web/**"). Similarly /resources will never match anything since it does not start with /web/. Another thing to note is that /web/** access=isAuthenticated() will match all requests that the first <http> element consumes. Therefore, it will never get to /resources/ (it does not start with /web/ anyway) and it will never get to /** since the pattern /web/** matches everything already.

The second <http> block will only match URLs that start with /mobile/ so the /resources/ URL within it will never match anything (it doesn't start with /mobile).

[tobias.balling]

Hey Rob,

thank you for the response. As you can see I am pretty new and doing a few newby mistakes

But i changed my configs as you described. no it seems to be working for the first shot.

But one more question.

Do you think that this solution is the best way having a Spring Application for a WebApp and a Mobile App? Is there maybe already an approach doing that? And do you see some more security issues in my config?

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    <!-- HTTP security configurations -->
    <http use-expressions="true" pattern="/web/**">
        <form-login login-processing-url="/web/resources/j_spring_security_check" login-page="/web/login" authentication-failure-url="/web/login?login_error=t" />
        <logout logout-url="/web/resources/j_spring_security_logout" />
        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/web/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/web/login" access="permitAll" />
        <intercept-url pattern="/web/logout" access="permitAll" />
        <intercept-url pattern="/web/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
    </http>
    
    <http create-session="stateless" use-expressions="true" pattern="/mobile/**">
        <http-basic/>
        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/mobile/api/" access="isAuthenticated()" />
    </http>
    
    <http security="none" pattern="/**" />
        
    
    <!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
        <!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
        <authentication-provider>
            <password-encoder hash="sha-256" />
            <user-service>
                <user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN" />
                <user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Thank you. I will keep this repo open for people searching for a config providing access to a native mobile App and a Web App. Maybe we can configure a solution for this approach together.

Thank you very much
Tobi

[tobias.balling]

One more thing to add is that I would probably need some custom entry point for the mobile App request so that they wont be challanged to login if they are not. Anybody an idea?

[Rob Winch]

Do you think that this solution is the best way having a Spring Application for a WebApp and a Mobile App? Is there maybe already an approach doing that? And do you see some more security issues in my config?

There is no way of knowing without understanding your entire solution and testing it thoroughly.

[tobias.balling]

Tanks again Rob

Ok, am tryin to give a short intro.

I want to develop a Spring MVC WebApp which is secured using Spring Security. To rapid prototype I am using roo.

Now I try to establish (on any way) a Spring Server which gives the user session secured access for the web as well as stateless access for iphones. Therefore I thought to have seperated Web Controllers which are not secured using sessions, but giving native iphone apps the possibility to access functions sending their credentials using stateless auth could be the easiest way to do that.

Thats the general requirement and i would be completly open for any idea.

In the App i put to

github under git://github.com/tobiasballing/SpringAndMobileAuthentication.git

I tried to create two kind of controllers.

1. for the web, accesiable via pattern /web/... (e.g.) foo.com/web/users/
2. Controllers for the mobile app (/mobile/users/) with the onliest difference that those are secured by http basic and stateless

What i tried is doing exactly that giving the previous posted security.xml file

If you are saying that this is not how mobile devices should access a Spring Backend secured by Spring Security im pretty thankful for any suggestion.

Thank you