Hi All,
I want any user to be able to submit their name to a volunteer form but only administrators to be able to view any other URL. Unfortunately I don't seem to be able to get this correct. My resources.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
...
I'm looking for a (hopefully straightforward) way to add CSRF protection to an application built on Spring WebFlow 2.
An approach that migrates well to Spring WebFlow 3 (when released) is preferred.
...
Hi, this is a question I've seen here but the solution posted didn't resolve my issue. Again I'm dealing with JSF 2.0 and I have 2 pages: login.xhtml and index.xhtml. I'm also using SpringSecurity for auth purposes. index.xhtml renders OK but login doesn't (page source shows JSF tags un-parsed). I already deactivated SpringSecurity to che...
Greetings all,
my application uses Spring Framework, Spring Security 3.0.2.
We use Apache Tomcat as the app server.
The problem is that with each new request to the application
a new jsessionid is generated and a new session is created, so the user is logged out.
And that's weird. Why generate a new jsessionid, and how do I stop that?
I reviewed the code...
I have a pretty standard project with Spring Security.
I have a login form and I need to add 'Remember me' checkbox there. How can I do that?
I can provide some code if necessary.
...
Greetings all,
I'm using Spring Security 3.0.2. All the application pages are secured;
to see them you must be authenticated.
I'm using the HTTPS protocol.
I have a strange problem: after a successful login
and getting to the requested page, when I try to open any link to other pages in the application the session is invalidated or lost or what happened...
Hi!
I would like to implement Spring ACL for my object fields.
Does anyone have an idea what I have to implement for it?
For example, I have a Purchase object.
I would like admin_role to have read on all the fields, and secretary_role to have read only on the username and address fields.
...
Greetings all,
I am deploying an app using Spring Framework on Apache Tomcat.
When running the application from Tomcat directly, there's no jsessionid appended to any URL at all,
but after mapping the application to the domain and trying to run it,
I got a jsessionid appended to each URL in the application. I tried the spring security ...
Hi!
I am developing a Spring Security application in JSF.
The login form is fine.
However, when I try to retrieve the authentication object in later code, I always get the authentication principal as anonymous.
I try to fetch it like this:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
...
Hi!
I created a class that implements the FilterInvocationSecurityMetadataSource interface.
I implemented it like this:
public List<ConfigAttribute> getAttributes(Object object) {
FilterInvocation fi = (FilterInvocation) object;
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
Long c...
I'm trying to find a way to skip the login form when a user clicks on an "activate account" link that he has received by email. This link contains a single-use random token that can serve as an authentication method.
By this token I can retrieve the user details and activate its account, but I am yet to find a way to sign-in programmati...
I want to set custom post-login destinations based on user roles in my application. For example:
If a form login isn't prompted by an attempt to access a protected resource, I want to show different pages, based on different roles.
By using target-url I can't do this.
How can I do this using Spring Security?
...
Hello,
I've been working on this task for too long to abandon the idea of using Spring Security to achieve it, but I wish that the community will provide some support that will help reduce the regret that I have for choosing Spring Security. Enough ranting and now let's get to the point.
I'm trying to create an ACL by using JDBCMu...
I'm using Acegi/Spring Security in Grails and when I use annotations like @Secured(['ROLE_ADMIN']) it denies my login even though the user is part of ROLE_ADMIN.
In looking through the login it seems that it's getting an IS_AUTHENTICATED_FULLY role also, but I have never added that to a page so I'm not sure how to bypass that. I re...
Hi all,
I'm currently implementing/configuring the LDAP authentication of a Java web application using Spring Security 3.0. I'm using Microsoft AD LDS as the LDAP server and chose Spring's BindAuthenticator.
I found out that the authentication only works if the authenticated user is a member of the partition's Readers role. The BindAuth...
What is best practise in Spring when creating a new user with custom attributes...to extend org.springframework.security.core.userdetails.User or to create the User in the UserDetailsService (this is the approach taken in the IceFaces tutorial).
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundExcept...
Is there a way to implement a control statement with Spring Security taglibs?
Currently we can only check if a user has a role...
<security:authorize access="hasRole('ROLE_ADMIN')">
// display something
</security:authorize>
How about else?
...
At present the JSP pages have normal authorize tags to conditionally render links and information etc. The website is on the intranet, and we're using Spring Security 2.0.4.
I've now got a business user who wants to allow all roles to access everything for the first few weeks, then gradually add the security back in as feedback is gather...
When logging in I want to read the URL, and based on the combination of subdomain, username and password the user should be authorized.
For example, if the URL is abc.xyz.com
I somehow need the request object to get the subdomain and authorize the user using the subdomain and username.
...
The reference document says URLs are matched in the same order as declared, but one declared last is being matched before some of the ones declared earlier.
Here is my declaration:
<intercept-url pattern="/static/**" filters="none" />
<intercept-url pattern="/login.jsp*" filters="none" />
<intercept-url pattern="/logout.jsp*" filter...