Restricted URL Access

Hi,
I have a problem with Spring Web Flow.
For security reasons I need users to be able to navigate only by following the declared flows, and not to be able to call a specific page directly.
Now, with the following configuration:

Code:
<?xml version="1.0" encoding="UTF-8"?>
<flow xmlns="http://www.springframework.org/schema/webflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/webflow
        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd"
    start-state="page1" parent="parent">

    <view-state id="page1" view="/WEB-INF/views/secure/page1.xhtml">
        <transition on="goPage2" to="page2"/>
    </view-state>

    <view-state id="page2" view="/WEB-INF/views/secure/page2.xhtml">
    </view-state>

    <end-state id="end"/>

</flow>
a user can go to this URL: https://localhost:8443/myApp/app/secure/page2 and access page2 directly, without passing through page1.
How can I force the user's navigation to follow the flow rules and block any other access?

Sorry for my bad English. Thanks and regards.

#2
Fix your mappings... Basically the URL you posted goes nowhere and you probably have something in your configuration (a default handler) which maps to all URLs which lead to nowhere. You should remove such a beast.


#3
Hi Marten!

First of all, thanks for your help.

I've checked my configuration and I think the problem may be caused by this tag in the web-mvc-config.xml file:

Code:
<bean class="org.springframework.web.servlet.view.UrlBasedViewResolver">
    <property name="viewClass" value="org.springframework.faces.mvc.JsfView" />
    <property name="prefix" value="/WEB-INF/views/" />
    <property name="suffix" value=".xhtml" />
</bean>
I've tried to remove it, but now I have navigation problems; it's all very slow and I receive a lot of errors in the console like this:

Servlet.service() for servlet appServlet threw exception: java.lang.OutOfMemoryError: Java heap space

I'm using the PrimeFaces framework for the front-end layer; have you got any suggestions about the configuration?

Thanks!

Originally posted by Marten Deinum
Fix your mappings... Basically the URL you posted goes nowhere and you probably have something in your configuration (a default handler) which maps to all URLs which lead to nowhere. You should remove such a beast.


#4
No, that isn't the problem; you need the view resolver to resolve view names to actual files to render.

There is (probably) something in your HandlerMapping which is the default handler, or you have configured something mapped at / or /* as a catch-all.


#5
Hi Marten,

This is my project configuration:

web-context-config.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- enable annotation -->
    <context:annotation-config />

    <!-- package root -->
    <context:component-scan base-package="it.myproject" />

    <import resource="web-db-config.xml" />
    <import resource="web-security-config.xml" />
    <import resource="web-mvc-config.xml" />

</beans>
web-webflow-config.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:webflow="http://www.springframework.org/schema/webflow-config" xmlns:faces="http://www.springframework.org/schema/faces"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/webflow-config http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.3.xsd
        http://www.springframework.org/schema/faces http://www.springframework.org/schema/faces/spring-faces-2.2.xsd">

    <!-- Executes flows: the central entry point into the Spring Web Flow system -->
    <webflow:flow-executor id="flowExecutor">
        <webflow:flow-execution-listeners>
            <webflow:listener ref="facesContextListener" />
        </webflow:flow-execution-listeners>
    </webflow:flow-executor>

    <!-- The registry of executable flow definitions -->
    <webflow:flow-registry id="flowRegistry" flow-builder-services="flowBuilderServices" base-path="/WEB-INF/flows">
        <webflow:flow-location-pattern value="/**/*.xml" />
    </webflow:flow-registry>

    <faces:flow-builder-services id="flowBuilderServices" development="true" />

    <!-- A listener that maintains one FacesContext instance per Web Flow request. -->
    <bean id="facesContextListener" class="org.springframework.faces.webflow.FlowFacesContextLifecycleListener" />

    <!-- A listener to apply Spring Security authorities.
         Note: declared here but not listed under flow-execution-listeners above, so it is never invoked. -->
    <bean id="securityListener" class="org.springframework.webflow.security.SecurityFlowExecutionListener" />

</beans>
web-mvc-config.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:faces="http://www.springframework.org/schema/faces"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
        http://www.springframework.org/schema/faces http://www.springframework.org/schema/faces/spring-faces-2.2.xsd">

    <!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->

    <import resource="web-webflow-config.xml" />

    <!-- Enables the Spring MVC @Controller programming model -->
    <mvc:annotation-driven />

    <!-- Handles HTTP GET requests for /resources/** by serving static resources.
         Note: location="/" resolves them against the webapp root, not ${webappRoot}/resources. -->
    <mvc:resources location="/" mapping="/resources/**" />

    <!-- Enable processing of JSF 2 resource requests. For example: /ch18/app/javax.faces.resource/jsf.js?ln=javax.faces -->
    <faces:resources />

    <!-- Maps request paths to flows in the flowRegistry -->
    <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping">
        <property name="order" value="1" />
        <property name="flowRegistry" ref="flowRegistry" />
        <property name="defaultHandler">
            <!-- If no flow match, map path to a view to render; e.g. the "/login" path would map to the view named "login" -->
            <bean class="org.springframework.web.servlet.mvc.UrlFilenameViewController" />
        </property>

        <property name="interceptors">
            <list>
                <!-- define any interceptors here like openSessionViewInterceptor or localeChangeInterceptor -->
            </list>
        </property>
    </bean>

    <!-- Resolves views selected for rendering by @Controllers to .xhtml resources in the /WEB-INF/ directory -->
    <bean class="org.springframework.web.servlet.view.UrlBasedViewResolver">
        <property name="viewClass" value="org.springframework.faces.mvc.JsfView" />
        <property name="prefix" value="/WEB-INF/views/" />
        <property name="suffix" value=".xhtml" />
    </bean>

    <!-- Dispatches requests mapped to flows to FlowHandler implementations -->
    <bean class="org.springframework.faces.webflow.JsfFlowHandlerAdapter">
        <property name="flowExecutor" ref="flowExecutor" />
    </bean>

    <!-- Message Source -->
    <bean class="org.springframework.context.support.ReloadableResourceBundleMessageSource" id="messageSource"
        p:basenames="WEB-INF/messages/messages,WEB-INF/messages/application" p:fallbackToSystemLocale="false" />

</beans>
web.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
  <display-name>myproject_webLayer</display-name>

  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <context-param>
    <param-name>primefaces.THEME</param-name>
    <param-value>myprojectStyle</param-value>
  </context-param>

  <context-param>
    <param-name>locatorFactorySelector</param-name>
    <param-value>beanRefFactory.xml</param-value>
  </context-param>
  <context-param>
    <param-name>parentContextKey</param-name>
    <param-value>ear.context</param-value>
  </context-param>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/config/web-context-config.xml</param-value>
  </context-param>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
  </listener>

  <context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    <param-value>.xhtml</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Development</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.FACELETS_REFRESH_PERIOD</param-name>
    <param-value>1</param-value>
  </context-param>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <!-- Note: this is the same file the root context (ContextLoaderListener) loads above,
         so every bean it defines (security, MVC, web flow) is created a second time here. -->
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/config/web-context-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- LogBack filter -->
  <filter>
    <filter-name>MDCInsertingServletFilter</filter-name>
    <filter-class>ch.qos.logback.classic.helpers.MDCInsertingServletFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>MDCInsertingServletFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Spring Security -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>
faces-config.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file is not required if you don't need any extra configuration. -->
<faces-config version="2.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd">

    <!-- This descriptor activates the JSF 2.0 Servlet -->

    <application>
        <el-resolver>org.springframework.web.jsf.el.SpringBeanFacesELResolver</el-resolver>
    </application>

</faces-config>



#6
web-security-config.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:security="http://www.springframework.org/schema/security" xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- LDAP server configuration (values replaced with "-" for the post) -->
    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="url" value="-" />
        <property name="base" value="-" />
        <property name="userDn" value="-" />
        <property name="password" value="-" />
        <property name="pooled" value="false" />
    </bean>

    <security:global-method-security pre-post-annotations="enabled" />

    <security:http use-expressions="true" disable-url-rewriting="true" auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">

        <!-- Session Management Entries -->
        <security:session-management session-authentication-strategy-ref="sas"/>

        <!-- URL restriction entries.
             Note: clients can never request /WEB-INF/** directly (the container does not serve it),
             so the two /WEB-INF/views/... patterns below never match a request. -->
        <security:intercept-url pattern="/app/secure/**" requires-channel="https" access="isAuthenticated()" />
        <security:intercept-url pattern="/WEB-INF/views/secure/**" requires-channel="https" access="isAuthenticated()" />
        <security:intercept-url pattern="/app/public/**" requires-channel="https" access="permitAll" />
        <security:intercept-url pattern="/WEB-INF/views/public/**" requires-channel="https" access="permitAll" />

        <!-- SSL Config -->
        <security:port-mappings>
            <security:port-mapping http="8080" https="8443"/>
        </security:port-mappings>

    </security:http>

    <bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/app/public/main"/>
    </bean>

    <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="ldapAuthProvider" />
    </security:authentication-manager>

    <!-- Logger -->
    <bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener" />
    <!-- ldap -->
    <bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <constructor-arg ref="contextSource" />
                <property name="userDnPatterns">
                    <list>
                        <value>cn={0},ou=people</value>
                    </list>
                </property>
                <property name="userSearch" ref="userSearch" />
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <constructor-arg ref="contextSource" />
                <constructor-arg value="ou=people" />
                <property name="groupRoleAttribute" value="ou" />
                <property name="searchSubtree" value="true" />
            </bean>
        </constructor-arg>
    </bean>

    <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="" />
        <constructor-arg index="1" value="(uid={0})" />
        <constructor-arg index="2" ref="contextSource" />
    </bean>

</beans>
What could the problem be?

Thanks and regards.


#7
As stated before:

Originally posted by mdeinum
you probably have something in your configuration (a default handler)
Now, in your configuration (you even have a comment in there stating it):

Code:
<bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping">
    <property name="order" value="1" />
    <property name="flowRegistry" ref="flowRegistry" />
    <property name="defaultHandler">
        <!-- If no flow match, map path to a view to render; e.g. the "/login" path would map to the view named "login" -->
        <bean class="org.springframework.web.servlet.mvc.UrlFilenameViewController" />
    </property>
</bean>
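Added example (not code from the thread or from the Spring Web Flow project): the FlowHandlerMapping from web-mvc-config.xml with the default handler removed, which is the change #7 is asking for, plus the flow-executor from web-webflow-config.xml with the securityListener that post #5 declares but never registers. Bean ids and file names are the thread's own; the flow id derivation in the comment assumes the DispatcherServlet mapping /app/* shown in web.xml.

```xml
<!-- web-mvc-config.xml: FlowHandlerMapping with no defaultHandler.
     DispatcherServlet is mapped at /app/*, so a request for /app/secure/page2
     asks the flowRegistry for a flow with id "secure/page2". Unless a flow is
     registered under exactly that id, this mapping now returns no handler and
     the DispatcherServlet answers 404, instead of UrlFilenameViewController
     turning the path into the view name "secure/page2" and rendering
     /WEB-INF/views/secure/page2.xhtml straight from the URL. -->
<bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping">
    <property name="order" value="1" />
    <property name="flowRegistry" ref="flowRegistry" />
</bean>

<!-- web-webflow-config.xml: register the SecurityFlowExecutionListener.
     Declaring the securityListener bean alone does nothing; only listeners
     listed here are called, so <secured> rules in a flow definition are only
     enforced once it appears in this list. -->
<webflow:flow-executor id="flowExecutor">
    <webflow:flow-execution-listeners>
        <webflow:listener ref="facesContextListener" />
        <webflow:listener ref="securityListener" />
    </webflow:flow-execution-listeners>
</webflow:flow-executor>
```

One check after the change: mvc:annotation-driven registers its own handler mapping at order 0, ahead of this one, so any @RequestMapping controller under /secure/** would still answer a direct request; confirm none is mapped there.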