Spring security: show error 403 page instead of login form page for non-authenticated users - authentication

I've set up basic Spring authentication. When a user comes to the page and enters a secured URL, the login form is rendered, but I want to show an error 403 page (or any other page I choose) instead.
If I understand correctly, I can't use access-denied-handler because the user is not authenticated at all.
How do I show any page other than the login form page to a non-authenticated user when he accesses a secured URL?

When you are using form-login, the default AuthenticationEntryPoint redirects to the login page.
You can override this by injecting a custom entry point using the entry-point-ref attribute.
You can use the code for Http403ForbiddenEntryPoint as a guideline (or use that directly if all you want is a response code sent to the client).
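As an added illustration of this answer (example code, not from the original answer and not part of Spring Security itself), here is a custom AuthenticationEntryPoint that answers an unauthenticated request to a secured URL with HTTP 403 and a page of your choosing instead of the login form. The class name and the page path are assumptions; it follows the same set-status-then-forward pattern that Spring's own AccessDeniedHandlerImpl uses, and targets the XML-configuration era of Spring Security used in this thread (javax.servlet namespace).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Hypothetical entry point: invoked by Spring Security when an unauthenticated
 * user requests a secured URL. Instead of the form-login default (redirect to
 * the login page) it sets HTTP 403 and renders an application-chosen page.
 */
public class ForbiddenPageEntryPoint implements AuthenticationEntryPoint {

    /** Context-relative path of the page to render, e.g. /WEB-INF/views/403.jsp. */
    private final String errorPage;

    public ForbiddenPageEntryPoint(String errorPage) {
        if (errorPage == null || !errorPage.startsWith("/")) {
            throw new IllegalArgumentException("errorPage must be a context-relative path");
        }
        this.errorPage = errorPage;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        // Set the status first, then forward (not redirect): the client receives
        // the 403 code together with the page body, and the original URL stays
        // in the address bar, so nothing about the secured area is leaked via
        // a redirect target.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.getRequestDispatcher(errorPage).forward(request, response);
    }
}
```

Wire it in with the entry-point-ref attribute the answer mentions, for example `<http entry-point-ref="forbiddenEntryPoint" ...>` plus a bean such as `<beans:bean id="forbiddenEntryPoint" class="com.example.ForbiddenPageEntryPoint"><beans:constructor-arg value="/WEB-INF/views/403.jsp"/></beans:bean>` (package and path are placeholders). Keep the `<form-login>` element so that a POST to the login-processing URL still authenticates users who do know the login page. Two things to check: this entry point only runs for users with no authentication at all; an authenticated user who lacks the required role is handled by access-denied-handler (or access-denied-page), not by the entry point. And if all you need is the status code with no page body, the bundled Http403ForbiddenEntryPoint does that without any custom class.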

Add the below tag in your security context file:
access-denied-page="<name of the page>"
Add this in the http tag like below:
<http auto-config="true" access-denied-page="/authenticationfailed.jsp">

Related

expo-auth-session, how to get redirected to the app, when not using a local redirectUri

I'm trying to make an authentication functionality in my app, so that when I press the login button a web browser opens, I get to verify my account, and then I get a token in the URL. The problem is that in order for me to get redirected to my app, I need to make the redirect_uri like so: AuthSession.makeRedirectUri( 'gecond://' )
but the website from where I'm getting my authentication doesn't allow this type of redirect_uri (this is the URI that's being used: "https://preprod.autenticacao.gov.pt/oauth/askauthorization?redirect_uri=exp%3A%2F%2F192.168.2.26%3A19000&client_id=123456789&response_type=token&state=UOgf2pE6S0"),
it only allows a specific redirect_uri (like so: "https://preprod.autenticacao.gov.pt/oauth/askauthorization?redirect_uri='https://preprod.autenticacao.gov.pt/OAuth/Authorized'&client_id=123456789&response_type=token&state=UOgf2pE6S0"), but when I use this URI, I do manage to get an access token in the URL of the page, but I'm not redirected back to my app.
I'm fairly new to this type of topic, so I might be missing a few steps.
I'm quite sure you misread the documentation. The reply URL is where you add your application's page where the user is redirected after login.
The URL you used is the example URL from the documentation.
Please check the official documentation.

Symfony2 - FOS UserBundle - Original request redirection

I'm using FOS UserBundle and I have defined a custom AuthenticationSuccessHandler to show a different home page depending on the roles, but I think it should be called only if the user originally requested the login page, shouldn't it?
On login success I'd like to be redirected to the original request.
As described in the docs, it seems to be the default behavior, but in my case, it still uses my authentication handler.
Can someone help me to redirect the user to his original request?
For the record, here is how I registered my authentication success handler service:
services:
    security.success_handler:
        class: Glide\SecurityBundle\[...]\AuthenticationSuccessHandler
        public: false
        arguments: ['@router', '@security.context']
Yes, the default behavior is to redirect the user to the page they originally requested. However, since you are overriding the default authentication handler, you need to handle redirecting them to that page yourself.
I recommend you look at Symfony's authentication handler and mimic its process for figuring out the user's original request.

Redirect on successful Login using servicestack

I've recently decided to migrate over to using servicestack authentication. From what I can tell, to have a redirect after a successful login of an oauth provider, you add the url to the appSettings of your web.config, i.e. oauth.GoogleOpenId.RedirectUrl.
My question is, is there any way to make this more dynamic, so that if a user gets redirected to the log-on page when trying to access an authorized page, say their profile page, then once they log on successfully they get routed to their profile page instead of what's configured in the web.config? Forms authentication did this by using a 'returnUrl' query parameter.
Any help would be appreciated.
The expected behavior is: accessing a protected page redirects to a /login page (overridable with HtmlRedirect on AuthFeature or the Authenticate attribute), and on successful login you should automatically be redirected to the previously attempted protected page.
To do this you want to specify the redirect url in the continue or ReturnUrl FormData POST variable or QueryString when attempting to authenticate with the /auth service.

j_security_check is not available if user is already logged in

Apache tomcat version: 6.0.20
If the user is already logged in, and he tries to log in again from the login page, a "j_security_check is not available" error is encountered. Is this normal behaviour, or do I have to do something?
Actually I have different user roles for accessing different pages, and when access to a page is denied to a particular user, I want to redirect him to the login page, where he can log in with the corresponding credentials.
This behavior is normal: the servlet spec only lays out the procedure for container-managed authentication (i.e. login) when the user requests a protected resource and the user has not already provided credentials. All other scenarios are left undefined, including yours.
If you want to capture "forbidden" conditions, you can use <error-page> mappings in your WEB-INF/web.xml to send the user anywhere you want, including a login page. Just remember that the container will only accept a login after the above conditions are true, so you may have to log the user out first (by terminating the user's session).
What I might recommend is a "forbidden" page that says "You don't have access to this resource. If you'd like to log in as a different user to access it, please click [HERE]" where [HERE] is a link to a servlet that terminates the user's session and then redirects to the resource the user was trying to access. This will cause the container to request authentication (i.e. present the login form), verify the credentials, and send the user to the desired resource.
If you are using a container (and webapp) along with version 3.0 of the servlet specification, there is a new HttpServletRequest.login() method that can be used to programmatically log a user into your webapp. You might be able to use that instead of terminating the session and doing all those redirects... instead, you could collect the username and password yourself and then ask the container to do the login for you.
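The "[HERE]" servlet from this answer, as an added example (not code from the original answer): it ends the current session and redirects to the resource the user originally requested, so the container's FORM login is triggered again for that resource. The servlet name, its mapping and the `target` parameter name are assumptions; the forbidden page can build the link from the standard `javax.servlet.error.request_uri` attribute that is set on <error-page> targets. Because the redirect target comes from the request, the servlet only accepts paths inside its own context, so the link cannot be turned into an open redirect to another site.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical servlet (map it to e.g. /relogin in web.xml) that the
 * "forbidden" page links to as ?target=<original request URI>.
 * It terminates the session and sends the browser back to the original
 * resource; the container then presents the login form for that resource.
 */
public class ReloginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = safeTarget(req.getContextPath(), req.getParameter("target"));

        HttpSession session = req.getSession(false);
        if (session != null) {
            // Drop the authenticated principal. The container will ask for
            // credentials again the next time a protected resource is requested.
            session.invalidate();
        }
        resp.sendRedirect(target);
    }

    /**
     * Accept only context-relative paths inside this web application; anything
     * else falls back to the application root. This is what keeps the servlet
     * from being used to bounce a user to an arbitrary external site.
     */
    static String safeTarget(String contextPath, String target) {
        String home = contextPath + "/";
        if (target == null || target.isEmpty()) {
            return home;
        }
        // "//host" and "/\host" are treated as scheme-relative URLs by browsers,
        // "://" catches absolute URLs, CR/LF would allow header injection.
        if (target.startsWith("//") || target.startsWith("/\\")
                || target.contains("://") || target.contains("\r") || target.contains("\n")) {
            return home;
        }
        if (!target.startsWith(home)) {
            return home;
        }
        return target;
    }
}
```

On a Servlet 3.0 container the `session.invalidate()` step can be replaced by `req.logout()`, which removes the principal without discarding the rest of the session; with Tomcat 6.0.20 (Servlet 2.5) invalidating the session is the available option.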

How do I know which page was requested before login on a JSF 2 page

I'm developing a web application with GlassFish 3.1 and JSF 2.0 / EJB 3.1. Some of my pages are secured. The secured URL parts are defined in the web.xml as URL patterns. These pages are secured through a security realm which redirects to a login page, also defined in the web.xml as login.xhtml. On the login.xhtml my input fields for username and password are connected to a session-scoped backing bean which executes:
ExternalContext ec = getExternalContext();
HttpServletRequest request = getHttpServletRequest(ec);
request.login(username, password);
The EJB container is responsible for redirecting all incoming requests to secured areas with an invalid session to this page.
But suppose, for example, the user has bookmarked the page index.xhtml and requests this page. First he has to log in via login.xhtml. He authenticates himself by typing his username+password and clicking the submit button.
The problem is: how to determine the target address, in this case index.html?
The method request.getRequestURI() shows login.xhtml and not index.html. I can redirect always to index.xhtml, but what if the user has typed in xyz.xhtml? Is there any way?
Thanks
Adem
The original request information is stored in the request object with the following keys:
"javax.servlet.forward.request_uri"
"javax.servlet.forward.query_string"
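As an added example of using those two keys from the session-scoped backing bean described in the question (example code, not from the original question or answer): the forward attributes are only present while the container has forwarded to login.xhtml, i.e. during rendering of the login page, not on the later POST that submits the form. So the bean captures them when login.xhtml renders, calls request.login() on submit, and then redirects to the captured address. The bean name, the preRenderView hook and the fallback page are assumptions; it assumes the container forwards (rather than redirects) to the login page, which is how FORM authentication normally presents it.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.ComponentSystemEvent;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical session-scoped login bean for login.xhtml. */
@ManagedBean
@SessionScoped
public class LoginBean implements Serializable {

    private String username;
    private String password;
    /** Original request, e.g. /app/xyz.xhtml?id=1, captured while login.xhtml renders. */
    private String originalUri;

    /** Bind on login.xhtml with <f:event type="preRenderView" listener="#{loginBean.captureOriginalRequest}"/>. */
    public void captureOriginalRequest(ComponentSystemEvent event) {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        Object uri = ec.getRequestMap().get("javax.servlet.forward.request_uri");
        Object qs = ec.getRequestMap().get("javax.servlet.forward.query_string");
        if (uri != null) {
            originalUri = (qs == null) ? uri.toString() : uri + "?" + qs;
        }
    }

    /** Action of the submit button. */
    public String login() throws IOException {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();
        try {
            request.login(username, password);
        } catch (ServletException e) {
            // Wrong credentials: stay on login.xhtml with a generic message,
            // without echoing the container's exception text to the user.
            FacesContext.getCurrentInstance().addMessage(null,
                    new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;
        }
        password = null; // the secret is no longer needed in session state
        ec.redirect(resolveTarget(ec.getRequestContextPath()));
        return null;
    }

    /**
     * Use the captured address if there is one and it lies inside this
     * application; otherwise fall back to index.xhtml. The check keeps a
     * stale or tampered value from redirecting to another site.
     */
    String resolveTarget(String contextPath) {
        String home = contextPath + "/index.xhtml";
        String t = originalUri;
        originalUri = null; // one-shot: do not reuse it for a later login
        if (t == null || t.startsWith("//") || t.contains("://")
                || !t.startsWith(contextPath + "/")) {
            return home;
        }
        return t;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

If the container redirects to the login page instead of forwarding, the two attributes are absent, originalUri stays null, and the bean falls back to index.xhtml, which is the behaviour the question already had.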