
how to block the unauthorized user using Spring Security?

I'm new to Spring Security.

This is my Spring-security-Context.xml file:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
                        http://www.springframework.org/schema/beans 
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security 
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true" path-type="ant">
        <form-login login-page="/jack/login" authentication-failure-url="/jack/login" default-target-url="/jack/home"  />

        <intercept-url pattern="/themes/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/**/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/**/*.jpg" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" /> 
        <intercept-url pattern="/jack/upload-users" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/jack/login" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/logincheck" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/jack/logout" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none"/>
        <intercept-url pattern="/jack/sessionExpire" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/jack/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:logout logout-url="/jack/logout"
            logout-success-url="/jack/login" invalidate-session="true" />
        <session-management invalid-session-url="/jack/logout" >
                <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"  expired-url="/jack/logout"/>               
        </session-management>
        <security:custom-filter ref="expiredSessionFilter" after="REMEMBER_ME_FILTER"/>
    </http>

    <beans:bean id="expiredSessionFilter" class="com.jack.web.filter.ExpiredSessionFilter">
    </beans:bean>

    <!-- Authentication providers -->
    <beans:bean id="customAuthenticationProvider" class="com.jack.security.provider.CustomAuthenticationProvider">
        <!-- <security:custom-authentication-provider />  -->
        <!-- <beans:property name="userDetailsService"  ref="userDetailsService"/>  -->
    </beans:bean>


    <authentication-manager>
        <authentication-provider ref="customAuthenticationProvider" />
    </authentication-manager>

</beans:beans>

Case 1: in web.xml, jack is the Spring context name.

In security-context.xml, jack is the pattern, like /jack/login.

When I give a URL like

localhost:8080/project/jack/login

Spring Security works very well.

Case 2: in web.xml, xxx is the Spring context name.

In security-context.xml, jack is the pattern, like /jack/login.

I didn't change anything in securitycontext.xml.

When I give

localhost:8080/project/xxx/login

Spring Security allows the user to enter my application.

After logout, if the user copies and pastes the home page URL, Spring Security does not redirect the user to the login page.

How can I redirect the user to the Spring login page, or is there any other option I have?

Try using project in the intercept-url pattern, and instead of jack use ** there, and then the rest of the URL you want to restrict.

E.g. instead of /jack/upload-users use /project/**/upload-users.

And also note that IS_AUTHENTICATED_ANONYMOUSLY is used to allow access to a user even if he's not authenticated in the application.

Hope this helps you. Cheers.

Currently you are by default allowing access to all URLs by using

`<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />`

So you need to blacklist every URL you want to protect. Spring Security checks the patterns in the order listed in the configuration. The first matching pattern is applied without any further checking. So if no other pattern matches, pattern="/**" will be applied, granting anyone access.

Better practice would be to deny access by default. This means setting the access for pattern="/**" to the most permissive role you have, or at least requiring authentication (for example using access="isAuthenticated()"). This way you are using a whitelist approach and don't have to worry too much about missing URL patterns.

Update

To comment on the logout problem: you redirect to a custom logout-url. What is behind that URL? The Spring Security logout routine is called via /j_spring_security_logout, which is the default if you don't specify a logout-url; otherwise you should call /j_spring_security_logout in your custom logout routine.
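The first-match ordering this answer describes, and the deny-by-default catch-all it recommends, can be checked without a running Spring container. The following is an added example, not Spring's code and not from the question or either answer: a small Python script that reads the `<intercept-url>` rules from a constructed, trimmed copy of the question's `<http>` block and from a constructed hardened variant, matches a request path against them top-down with an approximation of Spring's AntPathMatcher, and reports which rule decides. The rule lists, the sample paths, the `use-expressions`/`permitAll` variant and the `ant_to_regex` approximation are this example's own assumptions; it shows why `/xxx/home` falls through to `/**` in the original and is caught in the whitelist version.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the rule ORDER from the question's config (the
# real file has more <intercept-url> lines; only the ones that matter are kept).
ORIGINAL_CONFIG = """\
<http xmlns="http://www.springframework.org/schema/security" auto-config="true">
  <intercept-url pattern="/jack/**/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  <intercept-url pattern="/jack/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  <intercept-url pattern="/jack/logout" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  <intercept-url pattern="/jack/**" access="IS_AUTHENTICATED_REMEMBERED"/>
  <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</http>
"""

# Constructed deny-by-default variant of the same rules, as the answer suggests:
# public paths stay explicit and the catch-all "/**" now requires authentication.
# permitAll / isAuthenticated() are expression syntax and need use-expressions="true".
HARDENED_CONFIG = """\
<http xmlns="http://www.springframework.org/schema/security" use-expressions="true">
  <intercept-url pattern="/jack/**/*.png" access="permitAll"/>
  <intercept-url pattern="/jack/login" access="permitAll"/>
  <intercept-url pattern="/jack/logout" access="permitAll"/>
  <intercept-url pattern="/jack/**" access="isAuthenticated()"/>
  <intercept-url pattern="/**" access="isAuthenticated()"/>
</http>
"""

SEC_NS = "{http://www.springframework.org/schema/security}"

# access values under which a request with NO authentication is let through
ANONYMOUS_OK = {"IS_AUTHENTICATED_ANONYMOUSLY", "permitAll"}


def ant_to_regex(pattern):
    """Approximation of Spring's AntPathMatcher: ** spans directories,
    * and ? stay within one path segment. Sufficient for the patterns here."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):      # zero or more directories
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):     # anything, slashes included
            out.append(".*")
            i += 2
        elif pattern[i] == "*":               # anything within one segment
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":               # one character within a segment
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def load_rules(xml_text):
    """Return (pattern, access) pairs in document order; the order is the point."""
    root = ET.fromstring(xml_text)
    return [(el.get("pattern"), el.get("access"))
            for el in root.iter(SEC_NS + "intercept-url")]


def first_match(rules, path):
    """Top-down: the first matching pattern wins, later rules are never consulted."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None


def anonymous_allowed(rules, path):
    """Would an unauthenticated request for `path` get through?  A path matching
    no rule at all is also let through: Spring's FilterSecurityInterceptor skips
    authorization for unmatched paths unless rejectPublicInvocations is enabled
    (it is off by default), which is one more reason to keep a catch-all rule."""
    match = first_match(rules, path)
    return match is None or match[1] in ANONYMOUS_OK


def report(rules, paths):
    """One line per path: the rule that decided and the outcome for an anonymous user."""
    lines = []
    for path in paths:
        match = first_match(rules, path)
        rule = f"{match[0]} ({match[1]})" if match else "<no rule>"
        verdict = "OPEN" if anonymous_allowed(rules, path) else "login required"
        lines.append(f"{path:20} -> {rule:45} {verdict}")
    return lines


if __name__ == "__main__":
    sample_paths = ["/jack/login", "/jack/home", "/jack/img/a.png", "/xxx/home"]
    for name, cfg in (("original", ORIGINAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        print("\n".join(report(load_rules(cfg), sample_paths)))
```

Running it prints, for the original order, `/xxx/home` decided by `/** (IS_AUTHENTICATED_ANONYMOUSLY)` and therefore open, while `/jack/home` is stopped by `/jack/**`; with the hardened list the same `/xxx/home` request is decided by `/** (isAuthenticated())` and requires login. Anything that appears in `report` as OPEN is, by construction, reachable without a session, which is exactly the list to review after a change of context name or URL layout.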
