Newbie to Spring Security. I had gone through some tutorials and implemented Spring Security. I have a few pages which I secured via login.
Here is my spring-security.xml file
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/person*/*"
            access="hasRole('ROLE_ADMIN')" />
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="admin" password="password"
                    authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
From my index.jsp, when I try to access the persons URL, it's asking for authentication. And I have a logout URL inside the persons JSP page:
<a href="<c:url value="logout" />" > Logout</a>
Controller
@RequestMapping(value = "/logout", method = RequestMethod.GET)
public ModelAndView logoutPage(HttpServletRequest request, HttpServletResponse response) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    return new ModelAndView("redirect:/");
}
It's working fine, except for a few things. When I try to go to /person/add, it's directly going to the page instead of asking for authentication. Why, and how do I resolve it? Do I need to mention all URLs in intercept URLs (what if I have many)?
Well the main thing is, I'm trying to configure SSL as well for my application.
I installed this tutorial.
Configured in web.xml
Now I have the following in spring-security.xml
<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/**" requires-channel="https" />
    <security:intercept-url pattern="/person*/*" access="hasRole('ROLE_ADMIN')" />
</security:http>
The SSL is working. But login is not working. When I go to the persons URL, it's showing the page without asking for authentication. Why?
I tried adding access=hasRole('ROLE_USER'), then Tomcat is showing Access denied when I give correct credentials.
How to solve it? I want to enable SSL for all URLs.
I'm using Spring 4.2.2.RELEASE and Spring Security 4.0.2.RELEASE
First, try to rewrite your security:intercept-url as follows:
<security:intercept-url pattern="/person*" access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/person/**" access="hasRole('ROLE_ADMIN')" />
Regarding SSL, the tutorial is very nice and it should work out of the box. Maybe the problem is again with the intercepting URLs; try my suggestion.
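The two suggested rules combined with the HTTPS requirement from the question, as an added example that is not part of the original answer. Spring Security checks intercept-url rules in the order they are declared and applies the first one that matches, so the /person rules go before the /** catch-all; the permitAll on /** is an assumption that everything outside /person is meant to be public.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http auto-config="true" use-expressions="true">
        <!-- Rules are checked top to bottom and the first match applies,
             so the protected paths come before the catch-all. -->
        <security:intercept-url pattern="/person/**"
            access="hasRole('ROLE_ADMIN')" requires-channel="https" />
        <security:intercept-url pattern="/person*"
            access="hasRole('ROLE_ADMIN')" requires-channel="https" />

        <!-- Assumption: everything outside /person is public. This rule
             forces HTTPS for all remaining URLs without asking for a role.
             A role placed on /** and listed first would be applied to
             every URL, including the /person pages. -->
        <security:intercept-url pattern="/**"
            access="permitAll" requires-channel="https" />
    </security:http>

    <!-- Unchanged from the question: single in-memory user. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="admin" password="password"
                    authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

To check the result, request /person/add without a session and confirm it redirects to the login page, then request any page over plain HTTP and confirm it redirects to HTTPS.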