Search in sources :

Example 1 with FilterInvocationSecurityMetadataSource

use of org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource in project spring-security by spring-projects.

the class AbstractInterceptUrlConfigurer method configure.

@Override
public void configure(H http) throws Exception {
    FilterInvocationSecurityMetadataSource metadataSource = createMetadataSource(http);
    if (metadataSource == null) {
        return;
    }
    FilterSecurityInterceptor securityInterceptor = createFilterSecurityInterceptor(http, metadataSource, http.getSharedObject(AuthenticationManager.class));
    if (filterSecurityInterceptorOncePerRequest != null) {
        securityInterceptor.setObserveOncePerRequest(filterSecurityInterceptorOncePerRequest);
    }
    securityInterceptor = postProcess(securityInterceptor);
    http.addFilter(securityInterceptor);
    http.setSharedObject(FilterSecurityInterceptor.class, securityInterceptor);
}
Also used : AuthenticationManager(org.springframework.security.authentication.AuthenticationManager) FilterSecurityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor) FilterInvocationSecurityMetadataSource(org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource)

Example 2 with FilterInvocationSecurityMetadataSource

use of org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource in project spring-security by spring-projects.

the class DefaultFilterChainValidator method checkLoginPageIsntProtected.

/*
	 * Checks for the common error of having a login page URL protected by the security
	 * interceptor
	 */
private void checkLoginPageIsntProtected(FilterChainProxy fcp, List<Filter> filterStack) {
    ExceptionTranslationFilter etf = getFilter(ExceptionTranslationFilter.class, filterStack);
    if (etf == null || !(etf.getAuthenticationEntryPoint() instanceof LoginUrlAuthenticationEntryPoint)) {
        return;
    }
    String loginPage = ((LoginUrlAuthenticationEntryPoint) etf.getAuthenticationEntryPoint()).getLoginFormUrl();
    logger.info("Checking whether login URL '" + loginPage + "' is accessible with your configuration");
    FilterInvocation loginRequest = new FilterInvocation(loginPage, "POST");
    List<Filter> filters = null;
    try {
        filters = fcp.getFilters(loginPage);
    } catch (Exception e) {
        // May happen legitimately if a filter-chain request matcher requires more
        // request data than that provided
        // by the dummy request used when creating the filter invocation.
        logger.info("Failed to obtain filter chain information for the login page. Unable to complete check.");
    }
    if (filters == null || filters.isEmpty()) {
        logger.debug("Filter chain is empty for the login page");
        return;
    }
    if (getFilter(DefaultLoginPageGeneratingFilter.class, filters) != null) {
        logger.debug("Default generated login page is in use");
        return;
    }
    FilterSecurityInterceptor fsi = getFilter(FilterSecurityInterceptor.class, filters);
    FilterInvocationSecurityMetadataSource fids = fsi.getSecurityMetadataSource();
    Collection<ConfigAttribute> attributes = fids.getAttributes(loginRequest);
    if (attributes == null) {
        logger.debug("No access attributes defined for login page URL");
        if (fsi.isRejectPublicInvocations()) {
            logger.warn("FilterSecurityInterceptor is configured to reject public invocations." + " Your login page may not be accessible.");
        }
        return;
    }
    AnonymousAuthenticationFilter anonPF = getFilter(AnonymousAuthenticationFilter.class, filters);
    if (anonPF == null) {
        logger.warn("The login page is being protected by the filter chain, but you don't appear to have" + " anonymous authentication enabled. This is almost certainly an error.");
        return;
    }
    // Simulate an anonymous access with the supplied attributes.
    AnonymousAuthenticationToken token = new AnonymousAuthenticationToken("key", anonPF.getPrincipal(), anonPF.getAuthorities());
    try {
        fsi.getAccessDecisionManager().decide(token, loginRequest, attributes);
    } catch (AccessDeniedException e) {
        logger.warn("Anonymous access to the login page doesn't appear to be enabled. This is almost certainly " + "an error. Please check your configuration allows unauthenticated access to the configured " + "login page. (Simulated access was rejected: " + e + ")");
    } catch (Exception e) {
        // May happen legitimately if a filter-chain request matcher requires more
        // request data than that provided
        // by the dummy request used when creating the filter invocation. See SEC-1878
        logger.info("Unable to check access to the login page to determine if anonymous access is allowed. This might be an error, but can happen under normal circumstances.", e);
    }
}
Also used : DefaultLoginPageGeneratingFilter(org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter) AccessDeniedException(org.springframework.security.access.AccessDeniedException) ConfigAttribute(org.springframework.security.access.ConfigAttribute) FilterSecurityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor) ExceptionTranslationFilter(org.springframework.security.web.access.ExceptionTranslationFilter) AnonymousAuthenticationToken(org.springframework.security.authentication.AnonymousAuthenticationToken) LoginUrlAuthenticationEntryPoint(org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint) FilterInvocationSecurityMetadataSource(org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource) AccessDeniedException(org.springframework.security.access.AccessDeniedException) SecurityContextPersistenceFilter(org.springframework.security.web.context.SecurityContextPersistenceFilter) DefaultLoginPageGeneratingFilter(org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter) SessionManagementFilter(org.springframework.security.web.session.SessionManagementFilter) Filter(javax.servlet.Filter) JaasApiIntegrationFilter(org.springframework.security.web.jaasapi.JaasApiIntegrationFilter) AnonymousAuthenticationFilter(org.springframework.security.web.authentication.AnonymousAuthenticationFilter) BasicAuthenticationFilter(org.springframework.security.web.authentication.www.BasicAuthenticationFilter) SecurityContextHolderAwareRequestFilter(org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter) ExceptionTranslationFilter(org.springframework.security.web.access.ExceptionTranslationFilter) UsernamePasswordAuthenticationFilter(org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter) AnonymousAuthenticationFilter(org.springframework.security.web.authentication.AnonymousAuthenticationFilter) FilterInvocation(org.springframework.security.web.FilterInvocation)

Example 3 with FilterInvocationSecurityMetadataSource

use of org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource in project spring-security by spring-projects.

the class DefaultFilterChainValidatorTests method validateCustomMetadataSource.

// SEC-1957
@Test
public void validateCustomMetadataSource() {
    FilterInvocationSecurityMetadataSource customMetaDataSource = mock(FilterInvocationSecurityMetadataSource.class);
    fsi.setSecurityMetadataSource(customMetaDataSource);
    validator.validate(fcp);
    verify(customMetaDataSource).getAttributes(any());
}
Also used : DefaultFilterInvocationSecurityMetadataSource(org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource) FilterInvocationSecurityMetadataSource(org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource) Test(org.junit.Test)

Aggregations

FilterInvocationSecurityMetadataSource (org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource)3 FilterSecurityInterceptor (org.springframework.security.web.access.intercept.FilterSecurityInterceptor)2 Filter (javax.servlet.Filter)1 Test (org.junit.Test)1 AccessDeniedException (org.springframework.security.access.AccessDeniedException)1 ConfigAttribute (org.springframework.security.access.ConfigAttribute)1 AnonymousAuthenticationToken (org.springframework.security.authentication.AnonymousAuthenticationToken)1 AuthenticationManager (org.springframework.security.authentication.AuthenticationManager)1 FilterInvocation (org.springframework.security.web.FilterInvocation)1 ExceptionTranslationFilter (org.springframework.security.web.access.ExceptionTranslationFilter)1 DefaultFilterInvocationSecurityMetadataSource (org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource)1 AnonymousAuthenticationFilter (org.springframework.security.web.authentication.AnonymousAuthenticationFilter)1 LoginUrlAuthenticationEntryPoint (org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint)1 UsernamePasswordAuthenticationFilter (org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter)1 DefaultLoginPageGeneratingFilter (org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter)1 BasicAuthenticationFilter (org.springframework.security.web.authentication.www.BasicAuthenticationFilter)1 SecurityContextPersistenceFilter (org.springframework.security.web.context.SecurityContextPersistenceFilter)1 JaasApiIntegrationFilter (org.springframework.security.web.jaasapi.JaasApiIntegrationFilter)1 SecurityContextHolderAwareRequestFilter (org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter)1 SessionManagementFilter (org.springframework.security.web.session.SessionManagementFilter)1