
Protect Spring web MVC app with Spring security and error pages in a web.xml

Idea: I want to protect every page of a Spring web MVC app with HTTP basic authentication, but in case of a 40* or 500 server error I want to redirect via an error-page to /welcome (of course the user has to be authenticated, or he will see the basic authentication dialog).

Problem: Every time I try to access the site, the basic authentication dialog pops up as expected. But when I cancel the dialog (press Cancel), I land on the protected welcome page [and see all important/secured information] - no basic authentication dialog!

Sample controller:

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class WelcomeController
{
    // Welcome is a protected site! Mapped for both "/" and "/welcome".
    @RequestMapping(value = {"/", "/welcome"}, method = RequestMethod.GET)
    public ModelAndView welcome()
    {
        return new ModelAndView("welcome");
    }
}

Security configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity security) throws Exception
    {
        // HTTP Basic for every request, every request must be authenticated,
        // CSRF protection stays enabled.
        security.httpBasic().and().authorizeRequests().anyRequest().authenticated().and().csrf();
    }
}

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
    ... Snipped ...
    <servlet-mapping>
        <servlet-name>testapp</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <error-page>
        <error-code>400</error-code>
        <location>/welcome</location>
    </error-page>
    <error-page>
        <error-code>401</error-code>
        <location>/welcome</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/welcome</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/welcome</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/welcome</location>
    </error-page>
</web-app>
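One thing worth checking in a setup like this is the dispatcher types the security filter is mapped for. A web.xml <filter-mapping> without a <dispatcher> element applies to REQUEST dispatches only, while the container serves an <error-page> location through a forward of type ERROR. A filter mapped that way therefore never runs for the forward to /welcome that the 401 triggers, and the page is rendered without the security check. Whether that is the cause in the poster's deployment cannot be seen from the snipped web.xml. The class below is an added example, not code from the question or the answer; the class name, the javax.servlet API and Spring Security's standard bean name springSecurityFilterChain are assumptions. It registers the filter programmatically for REQUEST, ERROR and ASYNC dispatches, so the forwarded /welcome gets the same authentication check as a direct request.

```java
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;

/**
 * Added example (not the poster's code): registers the Spring Security
 * filter so that it also runs on ERROR (and ASYNC) dispatches.
 *
 * A web.xml <filter-mapping> with no <dispatcher> element is equivalent to
 * DispatcherType.REQUEST only. The web.xml equivalent of the mapping done
 * below is:
 *
 *   <filter-mapping>
 *     <filter-name>springSecurityFilterChain</filter-name>
 *     <url-pattern>/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>ERROR</dispatcher>
 *     <dispatcher>ASYNC</dispatcher>
 *   </filter-mapping>
 *
 * AbstractSecurityWebApplicationInitializer from spring-security-config
 * registers the filter with exactly these three dispatcher types by default;
 * the explicit registration here only makes the setting visible.
 */
public class SecurityFilterInitializer implements WebApplicationInitializer {

    // Bean name Spring Security gives its FilterChainProxy (assumed default).
    private static final String FILTER_NAME = "springSecurityFilterChain";

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        FilterRegistration.Dynamic registration = servletContext.addFilter(
                FILTER_NAME, new DelegatingFilterProxy(FILTER_NAME));

        if (registration == null) {
            // A filter with this name is already declared (e.g. in web.xml);
            // the dispatcher types must then be fixed in that declaration.
            return;
        }

        // isMatchAfter=false: run ahead of filters declared in web.xml.
        registration.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC),
                false,
                "/*");
    }
}
```

If the web.xml declares metadata-complete="true", Servlet 3 initializers are not scanned and the <dispatcher> elements have to be added to the web.xml mapping itself. Even with the filter active on error dispatches, mapping 401 and 403 to an authenticated page is self-defeating: the error page then requires the very credentials the client has just declined to send, so the only sensible targets for those codes are public, static pages, or no mapping at all.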

I also had to implement the same setup for a customer. Additionally we had a web application firewall in front of our application server.

I still don't know how Tomcat ignored the authentication check of Spring. The important part is not to mess around with the 401, 402 and 403 HTTP codes (I removed their handlers from the web.xml).

I ended up with a generic error page. It's debatable whether you should handle 500 errors yourself. If your system throws a 500 error, you might be unable to handle it, because your system just threw the 500 error and you will run into another 500 error during the error processing --> use simple models and views, static HTML pages, or redirect to an error handler servlet.

Spring security:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity security) throws Exception
    {
        // HTTP Basic for every request, every request must be authenticated,
        // CSRF protection stays enabled.
        security.httpBasic().and().authorizeRequests().anyRequest().authenticated().and().csrf();
    }
}

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">
        <!-- Snipped -->
    <error-page>
        <error-code>404</error-code>
        <location>/error</location>
    </error-page>
</web-app>

404 error action:

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class ErrorController
{
    // Target of the 404 <error-page> mapping in web.xml.
    @RequestMapping(value = "/error", method = RequestMethod.GET)
    public ModelAndView addresses()
    {
        return new ModelAndView("error"); // Or redirect to /welcome
    }
}
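As an added example that is not part of the answer: an error action along the lines described above, kept deliberately simple (no session access, no exception details in the model) and with two details a production setup needs. It answers with the original status code instead of 200, so clients, a WAF in front of the application server and monitoring still see the failure, and it accepts POST as well as GET, because a container error dispatch keeps the original request method and a GET-only mapping would raise a 405 while the 404 is being handled, which is exactly the error-inside-error-processing case the answer warns about. The names (ErrorController, the "error" view, the model keys) are assumptions, as is the javax.servlet API matching the Servlet 3.1 web.xml on the page.

```java
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

/**
 * Added example (not the answer's code): a generic error action that keeps
 * the original HTTP status instead of answering 200 with a real page.
 *
 * Assumes the web.xml maps <error-page> locations (e.g. 404, 500) to /error
 * and that a plain "error" view exists which renders only the model values
 * set below (no stack traces, no session data).
 */
@Controller
public class ErrorController {

    // Attribute names the container sets on an ERROR dispatch (Servlet spec):
    // "javax.servlet.error.status_code" and "javax.servlet.error.request_uri".
    private static final String STATUS_ATTR = RequestDispatcher.ERROR_STATUS_CODE;
    private static final String URI_ATTR = RequestDispatcher.ERROR_REQUEST_URI;

    // Error dispatches keep the original method, so POST must be accepted too.
    @RequestMapping(value = "/error", method = { RequestMethod.GET, RequestMethod.POST })
    public ModelAndView error(HttpServletRequest request, HttpServletResponse response) {
        Integer status = (Integer) request.getAttribute(STATUS_ATTR);
        String originalUri = (String) request.getAttribute(URI_ATTR);

        if (status == null) {
            // Direct request to /error, not an error dispatch: treat as not found.
            status = HttpServletResponse.SC_NOT_FOUND;
        }

        // Preserve the real status; a 200 here would hide the failure from
        // the client, the WAF and any monitoring.
        response.setStatus(status);

        ModelAndView mav = new ModelAndView("error");
        mav.addObject("status", status);
        mav.addObject("message", messageFor(status));
        // The path is attacker-controlled input. The view must HTML-encode it
        // (e.g. JSTL <c:out>), otherwise this is a reflected XSS sink.
        mav.addObject("path", originalUri != null ? originalUri : request.getRequestURI());
        return mav;
    }

    /** Generic wording per status class; no exception details are exposed. */
    static String messageFor(int status) {
        if (status == HttpServletResponse.SC_NOT_FOUND) {
            return "The requested page does not exist.";
        }
        if (status >= 500) {
            return "The server could not process the request.";
        }
        return "The request could not be processed.";
    }
}
```

With the security configuration from the answer (`anyRequest().authenticated()`), a direct unauthenticated GET /error is still challenged with HTTP Basic, which is fine because the page carries nothing worth protecting; if that is undesirable, `antMatchers("/error").permitAll()` before `anyRequest()` makes it public. What should not be done is what the question tried: pointing 401 or 403 at a page that itself requires authentication.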

The technical post webpages of this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.