I have a login page in spring boot and now I want that page to show only specific links.
Furthermore, my ADMIN User is created during startup, being done with my import.sql
INSERT INTO benutzer(id, created_at, anzeigename, benutzername, dienstnummer, passwort) VALUES (nextval('benutzer_idbenutzer_seq'), now(), 'ADMIN', 'ADMIN', '', 'xxx');
INSERT INTO rolle(id, created_at, bezeichnung) VALUES (nextval('benutzer_idbenutzer_seq'), now(), 'ADMIN');
This is a part of my SecurityConfig class which extends WebSecurityConfigurerAdapter
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(
"/",
"/registration**",
"/js/**",
"/css/**",
"/img/**",
"/webjars/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutSuccessHandler(customLogoutSuccessHandler)
.permitAll()
.and()
.sessionManagement().maximumSessions(1).sessionRegistry(sessionRegistry());
}
And this is my html
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<div sec:authorize="hasRole('ADMIN')">
Should only be shown to ADMIN Users
</div>
Maybe someone knows what I am missing?
Thank you very much!
everything that you wrote sames to be fine, check if there is some missed annotation or if the admin was created at the right way.
here is a small example that works fine on my machine:
#Configuration
public class SecurityConfigurationCompany extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/").permitAll()
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.antMatchers("/profiles").permitAll()
.antMatchers("/dislike").hasAuthority("USER")
.antMatchers("/addParticipant/**").hasAuthority("ADMIN")
.anyRequest().fullyAuthenticated()
.and()
.formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
.and()
.logout().logoutSuccessUrl("/");
}
}
hopefully that was helpful you tell me if it doesnt work
I was able to solve my problem now.
One problem was that my ADMIN user was registered with its username ( username was created in my user table ) but not with its user_role.
After having solved this problem, I had to put the following thing in my html file in order to show specific things:
<div sec:authorize="hasAuthority('ADMIN')">
Related
I'm not sure if I can achieve this by simply configuration or I need to override LogoutAction for it.
I've configured multiple organisation and each organisation has there own site which I want to navigate to my custom url for different site instead of default url on logout from liferay.
[EDITED]
I want to navigate on different url for each site, not a common url.
Thanks
For this you can use default.logout.page.path property (in portal-ext.properties file)
default.logout.page.path=
#default.logout.page.path=/web/guest/logout
I think you can achieve this by overriding LogoutPostAction through a hook.
Define your LogoutPostAction class in portal.properties of your hook:
logout.events.post=com.my.action.MyLogoutPostAction
Here is a sample code for the class to redirect to your desired page:
public class MyLogoutPostAction extends Action {
#Override
public void run(HttpServletRequest request, HttpServletResponse response)
throws ActionException {
try {
doRun(request, response);
}
catch (Exception e) {
throw new ActionException(e);
}
}
protected void doRun(HttpServletRequest request, HttpServletResponse response)
throws Exception {
long groupId = PortalUtil.getScopeGroupId(httpReq);
// code to fetch the Group
// ....
// ....
//
String postLogoutURL = "create your own URL";
// if required: add a parameter
postLogoutURL = HttpUtil.setParameter(postLogoutURL, "my_param", "my_param_value");
// redirect to that URL
response.sendRedirect(postLogoutURL);
}
}
The only thing that can be a road block with this approach would be if Liferay has lost context of the current group from which the user was logged-out. I have not tested the code.
I’d like to use the liferay notification feature following the tutorial http://www.codeyouneed.com/liferay-custom-notifications/. And as many people before, I succeeded in increasing the number of notifications, but the notification message is not displayed.
I tried to check by adding log-output whether the methods (getBody, getLink, …) of the UserNotificationHandler are called, and they are not called at all, not even the constructor of the UserNotificationHandler is called.
So I conclude that my notification is written to the database, but my UserNotificationHandler class is not found.
In my project, I have put the
user-notification-definitions into
project/src/main/resources.
They look like:
<?xml version="1.0"?>
<!DOCTYPE user-notification-definitions PUBLIC "-//Liferay//DTD User Notification Definitions 6.2.0//EN" "http://www.liferay.com/dtd/liferay-user-notification-definitions_6_2_0.dtd">
<user-notification-definitions>
<definition>
<notification-type>${com.myproject.portal.notifications.UserNotificationHandler.PORTLET_ID}</notification-type>
<description>receive-a-notification-when-triggered</description>
<delivery-type>
<name>email</name>
<type>${com.liferay.portal.model.UserNotificationDeliveryConstants.TYPE_EMAIL}</type>
<default>true</default>
<modifiable>true</modifiable>
</delivery-type>
<delivery-type>
<name>website</name>
<type>${com.liferay.portal.model.UserNotificationDeliveryConstants.TYPE_WEBSITE}</type>
<default>true</default>
<modifiable>true</modifiable>
</delivery-type>
</definition>
</user-notification-definitions>
The liferay-portlet.xml is in
project/src/main/webapp/WEB-INF.
And the UserNotificationHandler in
project/src/main/java/com/myproject/portal/notifications
in the package com.myproject.portal.notifications.
I wrote something like that into the liferay-portlet.xml:
<portlet-name>example</portlet-name>
<icon>/icon.png</icon>
<user-notification-definitions>
user-notification-definitions.xml
</user-notification-definitions>
<user-notification-handler-class>
com.myproject.portal.notifications.UserNotificationHandler
</user-notification-handler-class>
</portlet>
This is my UserNotificationHandlerClass (so far, I am just trying to get it work before adding the actual content):
package com.myproject.portal.notifications;
import ...//all necessary imports
public class UserNotificationHandler extends
BaseUserNotificationHandler {
public static final String PORTLET_ID = "example_WAR_myprojectportlet";
private static final Logger log = Logger.getLogger(UserNotificationHandler.class);
public UserNotificationHandler() {
log.info("UserNotificationHandler - Constructor");
setPortletId(UserNotificationHandler.PORTLET_ID);
}
#Override
protected String getBody(UserNotificationEvent userNotificationEvent,
ServiceContext serviceContext) throws Exception {
log.info("in getBody");
return "";
}
#Override
protected String getLink(UserNotificationEvent userNotificationEvent,
ServiceContext serviceContext) throws Exception {
log.info("in getLink");
return "";
}
protected String getBodyTemplate() throws Exception {
log.info("in getBodyTemplate");
return "";
}
}
I trigger the notification in my portlet like this:
ServiceContext serviceContext = ServiceContextFactory.getInstance(request);
JSONObject payloadJSON = JSONFactoryUtil.createJSONObject();
payloadJSON.put("userId", userId);
payloadJSON.put("yourCustomEntityId", 12345);
payloadJSON.put("additionalData", "success");
UserNotificationEventLocalServiceUtil.addUserNotificationEvent(userId,
UserNotificationHandler.PORTLET_ID,
(new Date()).getTime(),
userId,
payloadJSON.toString(),
false,
serviceContext);
What is the problem here?
Do you literally have public static final String PORTLET_ID = "myportlet"; in your code? If so, note the extra information in the tutorial that you link:
NB Important Information: The com.example.notifications.ExampleUserNotificationHandler.PORTLET_ID string that you use as your notification type has to match an actual portlet ID. It doesn’t actually need to be YOUR portlet ID but that would be the right thing to have there. The reason being that Notifications display portlet uses it to display a small portlet icon next to your notification to help the user identify the source of the notification. Providing a bad Portlet ID or something like null leads to a hard-to-trace NullPointerException in the JSP. Took me an hour to track it down.
Most likely the portlet ID looks rather like "example_WAR_myportlet", this indicates that it's deployed in a plugin named example.war and the portlet id (in portlet.xml) is myportlet. Try if it works then - Liferay might need to find the portlet in order to find, instanciate and use its NotificationHandler. (Note: This is currently a guess - I didn't try the full code posted)
In your liferay-portlet.xml you wrote
<user-notification-handler-class>
UserNotificationHandler
</user-notification-handler-class>
It should be:
<user-notification-handler-class>
com.myproject.portal.notifications.UserNotificationHandler
</user-notification-handler-class>
You should also check if this part is good
<user-notification-definitions>
user-notification-definitions.xml
</user-notification-definitions>
"user-notification-definitions.xml" file should be on WEB-INF/classes in the final WAR
How can we remove the rememberme part from files generated with jhipster ? Do you have some documentation about this part ? I looked into code but it doesn't seem to be done easily, or on wihch template should I see ?
Thanks
Have you tried removing the RememberMe configuration in SecurityConfiguration.java (See commented out code below), and then removed the RememberMe section from login.html? For example:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
// .and()
// .rememberMe()
// .rememberMeServices(rememberMeServices)
// .key(env.getProperty("jhipster.security.rememberme.key"))
.and()
.formLogin() here
I have a check box and on post it always shows false (unchecked) state -:
Here is the simple code -:
public ActionResult Index3()
{
var checkBoxTest = new CheckBoxTest() {Istrue = true};
return View(checkBoxTest);
}
[HttpPost]
public ActionResult Index3(CheckBoxTest checkBoxTest)
{
return View(checkBoxTest);
}
Model -:
public class CheckBoxTest
{
public bool Istrue { get; set; }
}
View -:
#using(Html.BeginForm())
{
<div>
Check Box Test:
#Html.CheckBoxFor(model=>model.Istrue,new{#disabled="disabled"})
</div>
<div>
<input type="submit" value="Submit"/>
</div>
}
Whenever I post it on server, checkbox always shows unselected state-
But if I remove -"new{#disabled="disabled"})" from attributes it works fine.
Most of the people I saw on internet have used the same technique for disabling check box - how in their case , it is working ? or may be I am making any mistake ...
If you really want to submit the value back to server in this case, you can add a hidden variable like this:
#Html.HiddenFor(model=>model.Istrue)
Simon Svensson's comment is correct and Ankit Vijay's answer provides a good work-around.
Another work-around, if you don't care that disabled check box is not submitted, is to add two lines to your HttpPost ActionResult as follows:
[HttpPost]
public ActionResult Index3(CheckBoxTest checkBoxTest)
{
ModelState.Remove("Istrue");
checkBoxTest.Istrue = true;
return View(checkBoxTest);
}
Even though the checkbox won't be checked during the post, it will be checked when the form is redisplayed.
See Rick Strahl's Web Log for a thorough explanation of why the ModelState.Remove line is needed.
I'm facing a little issue with Spring Security 3.0.x (3.0.2 in particular at the moment). The whole application I'm working on is working perfectly except when someone who doesn't have the authorities tries to log on.
When it occurs, the users is redirected to the "welcome" page, since his username/password are valid, and he receive a cute white page with this : "Error 403: Access is denied"
So, I've been looking on the net trying to find how this behavior can be handled. So far I've come to the conclusion, please correct me if I'm wrong, that it is managed by the ExceptionTranslationFilter. But I don't quite understand how to make any good use of this information.
I've tryied to edit my SecurityContext.xml to add a access-denied-handler tag to my http tag, but it doesn't work. Do I need to add more than this tag to make it work? Is there any other possibilities to make my application more user-friendly?
Edit : I would like to redirect to a page, let's says 403.html, for example.
Sincerly,
Thanks
I still don't get why you had to implement your own access handler... I have currently faced same task:
<security:access-denied-handler error-page="/accessDenied"/> - works like charm.
Don't forget to specify handler in your Controller:
#RequestMapping(value = "/accessDenied")
public String accessDenied() {
return "accessDenied"; // logical view name
}
Update for Spring Boot(2014 Oct):
#Configuration
#EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.exceptionHandling().accessDeniedHandler(customHandler) OR .accessDeniedPage("/somePage.html").and
.formLogin()
.failureHandler(ajaxAuthenticationFailureHandler)}
Nowadays we don't really return views for such task since angular js kicks in so you can use your failure/success handler and return tailored JSON responses. For us it was sufficient to use failure handler but you get to choose where you want your control to kick in. We generally don't use view resolvers as there are UI tiles frameworks(such as angular partials) able to construct pieces into single page for you. Html pieces are stored on the server and served simply as static resources.
Lets play with Embedded Tomcat to achieve similar behavior to web.xml !
#Configuration
#EnableAutoConfiguration
public class ApplicationWebXml extends SpringBootServletInitializer {
private static final Logger LOGGER = LoggerFactory.getLogger(Application.class);
#Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.profiles(addDefaultProfile())
.showBanner(false)
.sources(Application.class);
}
//required for container customizer to work, the numerous tutorials didn't work for me, so I simply tried overriding the default one
#Bean
public EmbeddedServletContainerFactory servletContainer() {
TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory();
return tomcat;
}
#Bean
public EmbeddedServletContainerCustomizer containerCustomizer(
) {
return new EmbeddedServletContainerCustomizer() {
#Override
public void customize(ConfigurableEmbeddedServletContainer container) {
TomcatEmbeddedServletContainerFactory containerFactory = (TomcatEmbeddedServletContainerFactory) container;
containerFactory.setSessionTimeout(1); // just for your interest, remove as necessary
containerFactory.addErrorPages(new ErrorPage(HttpStatus.FORBIDDEN,"/views/accessDenied.html"),
new ErrorPage(HttpStatus.NOT_FOUND,"/views/notFound.html"));
containerFactory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
#Override
public void customize(Connector connector) {
connector.setPort(8082);// just for your interest, remove as necessary
}
});
}
};
}
}
A cleaner way to handle error redirects is to use the <error-page> and <error-code> tags in your web.xml. See below for an example:
<!-- Custom 403 Error Page -->
<!--
NOTE: Security will throw this error when a user has been authenticated successfully
but lacks the permissions to perform the requested action.
-->
<error-page>
<error-code>403</error-code>
<location>/403.jsp</location>
</error-page>
This block of code will redirect to the specified location whenever it encounters the specified error code.
This eliminates the need for authorization code inside your application logic.
I've found how to do this. By implementing the AccessDeniedHandler interface and the corresponding handle method I can, easily, control the way the Http 403 error is handled.
This way, you can add various items in the session and then intercept them on your jsp.
The xml file then looks like this :
<sec:http>
<!-- lots of urls here -->
<sec:access-denied-handler ref="accessDeniedHandler" />
<sec:anonymous/>
</sec:http>
<bean id="accessDeniedHandler" class="foo.bar.CustomAccessDeniedHandler">
<property name="accessDeniedUrl" value="403.html" />
</bean>
The java class :
package foo.bar;
public class CustomAccessDeniedHandler implements org.springframework.security.web.access.AccessDeniedHandler {
private String accessDeniedUrl;
public CustomAccessDeniedHandler() {
}
public CustomAccessDeniedHandler(String accessDeniedUrl) {
this.accessDeniedUrl = accessDeniedUrl;
}
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
response.sendRedirect(accessDeniedUrl);
request.getSession().setAttribute("CustomSessionAttribute", "value here");
}
public String getAccessDeniedUrl() {
return accessDeniedUrl;
}
public void setAccessDeniedUrl(String accessDeniedUrl) {
this.accessDeniedUrl = accessDeniedUrl;
}
}
And a jsp example :
<%# taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<c:if test="${!empty CustomSessionAttribute}">
<br/>
ACCESS IS DENIED
<br/>
</c:if>
<!-- other stuff down here -->
The way to make this work is to define a handler in your entry point:
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
#Override
public void commence(HttpServletRequest request, HttpServletResponse response, org.springframework.security.core.AuthenticationException authException) throws IOException, ServletException {
if (authException != null) {
// you can check for the spefic exception here and redirect like this
response.sendRedirect("403.html");
}
}
}
You can define this as your entry point by setting this as you entry point in the xml config file:
<http entry-point-ref="customAuthenticationEntryPoint">
...
</http>
You have checked the tag in an application and to me it seems to work.
<sec:access-denied-handler error-page="/handle403Url" />
where handle403Url I want to call to handle this error (for example to show an error).
Don't forget that you have to allow this url in the filters so it can be reached by this user authority, so in the start of the flters you have to add something like this:
<sec:intercept-url pattern="/handle403Url" filters="none" />