Unable to connect Orbeon Remote Server using Orbeon-Auth + Tomcat 8 - basic-authentication

I want to connect to the Orbeon Remote Server, which runs on Tomcat 8, using the orbeon-auth application provided by Orbeon.
I have created the users and roles in the remote server's
tomcat-users.xml.
I have the default realm in server.xml.
I added the properties below in properties-local.xml.
<!-- Security Settings -->
<property as="xs:string" name="oxf.fr.authentication.method" value="container" />
<property as="xs:string" name="oxf.fr.authentication.container.roles" value="orbeon-service" />
<property as="xs:anyURI" processor-name="oxf:page-flow" name="authorizer" value="/orbeon-auth" />
<property as="xs:string" name="oxf.http.state" value="none" />
<property as="xs:string" name="oxf.http.forward-headers" value="Cookie" />
<property as="xs:string" name="oxf.http.forward-cookies" value="JSESSIONID iPlanetDirectoryPro" />
<property as="xs:integer" name="oxf.http.so-timeout" value="0" />
<property as="xs:boolean" name="oxf.http.exceptions" value="true" />
<property as="xs:string" processor-name="oxf:page-flow" name="page-public-methods" value="GET HEAD POST PUT DELETE" />
<property as="xs:string" processor-name="oxf:page-flow" name="service-public-methods" value="GET HEAD POST PUT DELETE" />
<property as="xs:anyURI" name="oxf.url-rewriting.service.base-uri" value="http://localhost:8080/forms" />
<property as="xs:anyURI" name="oxf.fr.persistence.exist.uri" value="http://localhost:8080/forms/fr/service/exist" />
<property as="xs:anyURI" name="oxf.fr.persistence.exist.exist-uri" value="http://localhost:8080/forms/exist/rest/db/orbeon/fr" />
And my web.xml contains BASIC authentication with role-based configuration.
<security-constraint>
<display-name>No Restriction</display-name>
<web-resource-collection>
<url-pattern>/fr/service/*</url-pattern>
<url-pattern>/fr/style/*</url-pattern>
<url-pattern>/fr/login</url-pattern>
<url-pattern>/xforms-server</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<display-name>With Restriction</display-name>
<web-resource-collection>
<web-resource-name>Portal</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>orbeon-service</role-name>
</auth-constraint>
</security-constraint>
But, with all these configurations, when I try to give the orbeon-admin credentials in the local server, it is unable to authenticate and instead produces this log.
xf:submission for submission id: fr-default-submission, error code received when submitting instance: 401
PageFlowControllerProcessor - unauthorized {controller: "oxf:/apps/fr/page-flow.xml", method: "GET", path: "/fr/service/persistence/form", status-code: "401"}
Can anyone please help me fix this issue?

Related

Wildfly 22.0.1 Fails to deploy EAR with a MariaDB datasource

I have installed Wildfly 22.0.1.
I added a MariaDB connector and a datasource in the standalone.xml:
<datasource jndi-name="java:jboss/datasources/BeckDS" pool-name="BeckDB">
<connection-url>jdbc:mariadb://localhost/tube</connection-url>
<driver-class>org.mariadb.jdbc.Driver</driver-class>
<driver>mariadb</driver>
<security>
<user-name>username</user-name>
<password>redacted</password>
</security>
<validation>
<valid-connection-checker
class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
<validate-on-match>true</validate-on-match>
<background-validation>false</background-validation>
<exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
</validation>
</datasource>
which connects just fine when I test it in the HAL Management Console.
The problem occurs when I try deploying my EAR with the following persistence.xml file in the EJB jar file:
<persistence version="2.2"
xmlns="http://java.sun.com/xml/ns/persistence"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_2_2.xsd">
<persistence-unit name="BeckPU">
<provider>org.hibernate.jpa.HibernatePersistenceProvider</provider>
<jta-data-source>java:jboss/datasources/BeckDS</jta-data-source>
<properties>
<property name="hibernate.dialect" value="org.hibernate.dialect.MariaDB53Dialect"/>
<property name="hibernate.show_sql" value="true" />
<property name="hibernate.connection.maxIdleTime" value="60"/>
<property name="hibernate.archive.autodetection" value="class, hbm"/>
<property name="hibernate.dbcp.maxActive" value="8" />
<property name="hibernate.dbcp.maxIdle" value="8" />
<property name="hibernate.dbcp.maxWait" value="-1" />
<property name="hibernate.dbcp.whenExhaustedAction" value="1" />
<property name="hibernate.dbcp.testOnBorrow" value="true" />
<property name="hibernate.dbcp.testOnReturn" value="true" />
<property name="hibernate.dbcp.validationQuery" value="SELECT 1" />
</properties>
</persistence-unit>
</persistence>
The following error is reported on deployment:
WFLYSRV0027: Starting deployment of "beck-ear.ear" (runtime-name: "beck-ear.ear")
WFLYSRV0207: Starting subdeployment (runtime-name: "beck-war.war")
WFLYSRV0207: Starting subdeployment (runtime-name: "beck-ejbs.jar")
WFLYJPA0002: Read persistence.xml for BeckPU
JIPIORMV53020253: Second level cache enabled for beck-ear.ear/beck-ejbs.jar#BeckPU
WFLYJPA0010: Starting Persistence Unit (phase 1 of 2) Service 'beck-ear.ear/beck-ejbs.jar#BeckPU'
HHH000204: Processing PersistenceUnitInfo [
name: BeckPU
...]
Operation ("full-replace-deployment") failed - address: ([]) - failure description: {
"WFLYCTL0412: Required services that are not installed:" => [
"jboss.deployment.subunit.\"beck-ear.ear\".\"beck-ejbs.jar\".deploymentCompleteService",
"jboss.persistenceunit.\"beck-ear.ear/beck-ejbs.jar#BeckPU\""
],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.subunit.\"beck-ear.ear\".\"beck-war.war\".component.\"jakarta.servlet.jsp.jstl.tlv.ScriptFreeTLV\".START is missing [jboss.persistenceunit.\"beck-ear.ear/beck-ejbs.jar#BeckPU\"]",
"jboss.deployment.unit.\"beck-ear.ear\".deploymentCompleteService is missing [jboss.deployment.subunit.\"beck-ear.ear\".\"beck-ejbs.jar\".deploymentCompleteService]",
"jboss.deployment.subunit.\"beck-ear.ear\".\"beck-war.war\".component.\"jakarta.servlet.jsp.jstl.tlv.PermittedTaglibsTLV\".START is missing [jboss.persistence unit.\"beck-ear.ear/beck-ejbs.jar#BeckPU\"]"
]
}
As always, many thanks for any help offered.
Dobbo

Spring security application can not redirect to CAS server login page

I am using Spring Security 3.x, and I need to integrate with a JA-SIG CAS server. I can log in to the CAS server through https://localhost:8443/cas/login, but after integrating with Spring Security, I cannot redirect my login page to the CAS login URL, and my previous account doesn't work; Spring Security always tells me there is a login error. I have googled many times and don't know why. Any help will be appreciated. Here is part of my Spring Security configuration:
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<!-- The service here must be a URL monitored by CasAuthenticationFilter -->
<property name="service" value="http://localhost:8082/dna/j_spring_cas_security_check" />
<property name="sendRenew" value="false" />
</bean>
<!-- hook up cas entry point -->
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<constructor-arg ref="casEntryPoint" />
</bean>
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="authenticationUserDetailsService">
<bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<constructor-arg ref="myUserDetailsService" />
</bean>
</property>
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<!-- Configure the CAS server prefix -->
<constructor-arg index="0" value="https://localhost:8443/cas-server-webapp-5.0.8/" />
</bean>
</property>
<property name="key" value="casAuthProviderKey" />
</bean>
<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="https://localhost:8443/cas-server-webapp-5.0.8/login" />
<property name="serviceProperties" ref="serviceProperties" />
</bean>
<bean id="singleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="https://localhost:8443/cas-server-webapp-5.0.8/cas/logout" />
<constructor-arg>
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</constructor-arg>
<property name="filterProcessesUrl" value="/j_spring_cas_security_logout" />
</bean>
<!-- Currently there is no need to reject ajax requests -->
<bean id="authEntryPoint" class="com.gooalgene.common.authority.AjaxAwareLoginUrlAuthenticationEntryPoint" c:loginFormUrl="/login" />
<bean id="authenticationSuccessHandler" class="com.gooalgene.common.handler.AuthenticationSuccessHandlerImpl">
<property name="defaultTargetUrl" value="/dna/index" />
</bean>
<sec:http auto-config='false' use-expressions="true" entry-point-ref="casEntryPoint">
<sec:intercept-url pattern="/managerPage" access="hasRole('ROLE_ADMIN')" />
<sec:intercept-url pattern="/**" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')" />
<sec:form-login authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler"/>
<sec:access-denied-handler error-page="/403" />
<sec:custom-filter ref="casFilter" position="CAS_FILTER" />
<sec:custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
<sec:custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
</sec:http>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="casAuthenticationProvider" />
</sec:authentication-manager>
And my spring mvc default welcome page is /login.
Here is my debug console log:
INFO [com.gooalgene.common.handler.AuthenticationFailureHandlerImpl]
- 登录失败,异常信息:No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

LDAP - AD Username Password configuration for context-source

I am using Spring Security to authenticate against Active Directory using the LDAP protocol. The following code works well for authentication and for setting up LDAP templates too (springSecurity.xml):
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:ldap="http://www.springframework.org/schema/ldap"
xsi:schemaLocation="
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/ldap
http://www.springframework.org/schema/ldap/spring-ldap.xsd">
<http use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/authenticated" access="isAuthenticated()" />
<form-login login-page="/login" default-target-url="/authenticated"
authentication-failure-url="/login?error=true" />
<logout />
</http>
<beans:bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<beans:property name="location">
<beans:value>classpath:/ldap.properties</beans:value>
</beans:property>
<beans:property name="systemPropertiesMode">
<beans:value>2</beans:value> <!-- OVERRIDE is 2 -->
</beans:property>
</beans:bean>
<beans:bean id="adAuthenticationProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="${sample.ldap.domain}" />
<beans:constructor-arg value="${sample.ldap.url}" />
<beans:property name="useAuthenticationRequestCredentials"
value="true" />
<beans:property name="convertSubErrorCodesToExceptions"
value="true" />
</beans:bean>
<authentication-manager>
<authentication-provider ref="adAuthenticationProvider" />
</authentication-manager>
<!-- Ldap after authentication -->
<context:property-placeholder location="classpath:/ldap.properties"
system-properties-mode="OVERRIDE" />
<context:annotation-config />
<ldap:context-source id="contextSource"
password="${sample.ldap.password}"
url="${sample.ldap.url}"
username="${sample.ldap.userDn}"
base="${sample.ldap.base}"
referral="follow" />
<ldap:ldap-template id="ldapTemplate"
context-source-ref="contextSource" />
<ldap:repositories base-package="com.domain" />
<beans:bean class="com.service.UserService">
<beans:property name="directoryType" value="${sample.ldap.directory.type}" />
</beans:bean>
<!-- Required to make sure BaseLdapName is populated in UserService -->
<beans:bean
class="org.springframework.ldap.core.support.BaseLdapPathBeanPostProcessor" />
</beans:beans>
Authentication works fine while fetching j_username and j_password from login.jsp. To set up the LDAP template I am using the username and password attributes defined in the properties file, but I wish to use the same username and password from Spring Security. Please guide me on how to bind the username and password attribute properties in ldap:context-source id="contextSource" to the Spring Security credentials.
The code is a little messy; any input for improvement is welcome.
As specified in the Configuration chapter of the reference documentation, you can use the Spring Security authentication for the ContextSource by specifying a custom authentication-source-ref in the configuration element of the ContextSource. In your case you would use a SpringSecurityAuthenticationSource, shipped with Spring Security.
<ldap:context-source id="contextSource"
url="${sample.ldap.url}"
base="${sample.ldap.base}"
referral="follow"
authentication-source-ref="authenticationSource"/>
<bean id="authenticationSource"
class="org.springframework.security.ldap.authentication.SpringSecurityAuthenticationSource" />

How to change spring security oauth2 default token endpoint?

We have a Spring Security OAuth2 based application. Everything is working fine, but I have failed to change the default token endpoint from "/oauth/token" to "/external/oauth/token".
My spring-servlet.xml:
<http pattern="/external/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
use-expressions="true" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/external/oauth/token" access="isFullyAuthenticated()" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<oauth:authorization-server client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler" token-endpoint-url="/external/oauth/token">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
But the result when I access this endpoint is
{
error: "unauthorized"
error_description: "An Authentication object was not found in the SecurityContext"
}
Am I missing anything? Please suggest.
With version 2.0.5.RELEASE or above of spring-security-oauth2:
In one line in Java-based configuration, tested and works fine; somehow it overrides the RequestMapping value of the TokenEndpoint class.
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // remap the default token endpoint to the custom path
        endpoints
            .pathMapping("/oauth/token", "<your custom endpoint>");
    }
}
Just struggled with this for a few days, but have it working now on latest Spring Oauth2 1.0.5.RELEASE. I'm not 100% sure my solution is the classiest (Step 4 in particular), but it works and I'm able to move forward.
In my case, I wanted to remove the /oauth prefix from the urls to end up with just /token and /authorize. The solution for me was mostly xml config, with two hacks to override endpoint request mappings.
1 - In app context xml, add authorization-endpoint-url and token-endpoint-url attribs to your <oauth:authorization-server> element.
Mine:
<oauth:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler" authorization-endpoint-url="/authorize" token-endpoint-url="/token">
2 - In app context xml, adjust the security endpoints accordingly. There should be two, which respectively manage security on the token and auth urls. You need to update the pattern property on the <http> and <intercept-url> tags.
Mine:
<http pattern="/token/**" create-session="stateless" authentication-manager-ref="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/token/**" access="IS_AUTHENTICATED_FULLY" />
...
<http pattern="/authorize/**" access-denied-page="/login.jsp?authorization_error=true" disable-url-rewriting="true" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/authorize/**" access="IS_AUTHENTICATED_FULLY" />
3 - (If you chose to employ the optional clientCreds filter.) In app context xml, you should already have wired in the clientCredentialsTokenEndpointFilter bean as a <custom-filter> within your <http> element. So, within the filter's bean, add a filterProcessesUrl property.
Mine:
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
<property name="filterProcessesUrl" value="/token" />
</bean>
4 - The last step is to override the request mapping urls of the actual internal endpoint controllers. The spring oauth2 lib comes with two classes: AuthorizationEndpoint and TokenEndpoint. Each uses @RequestMapping-type annotations to bind the url (as we all do for our projects' app controllers). For me, it was a hair-pulling effort to attempt to override the value of the request mappings in any way other than to (sadly) recreate the spring class package in my src folder, copy the AuthorizationEndpoint and TokenEndpoint classes verbatim into said folder, and edit the inline @RequestMapping annotation values.
Anyway, that does the trick. Would love to hear of a more graceful way to override the endpoint controller request mapping values.
Thanks.
Final, working app context:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:sec="http://www.springframework.org/schema/security" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>
<!-- Declare OAuth2 services white-list. (This is the top of the config.) -->
<oauth:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler" authorization-endpoint-url="/authorize" token-endpoint-url="/token">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<!-- <oauth:password /> -->
</oauth:authorization-server>
<bean id="userApprovalHandler" class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
<!-- This bean bridges client auth service and user tokens... kind of an out of place requirement. -->
<property name="tokenServices" ref="tokenServices" />
</bean>
<!-- This starts the far back-end config for client token management. -->
<sec:authentication-manager id="clientAuthenticationManager">
<sec:authentication-provider user-service-ref="clientDetailsUserService" />
</sec:authentication-manager>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetailsService" />
</bean>
<bean id="clientDetailsService" class="com.mycompany.oauth.spring.security.oauth2.IntegratedOauth2ClientDetailsService">
<!-- This bean is what wires OAuth2 into the persistence stack for client details stored in the oauth_client table. -->
</bean>
<!-- OAuth is layered on to spring security which is centered around users which requires a user auth manager. -->
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetailsService" />
</bean>
<bean id="tokenStore" class="com.mycompany.oauth.spring.security.oauth2.IntegratedOAuth2TokenStore">
<!-- This bean is what wires OAuth2 tokens into my company's application stack. -->
<constructor-arg ref="dataSource" />
</bean>
<!-- **************************************************************************************** -->
<!-- Finally, sew OAuth into spring security with some http tags... -->
<!-- **************************************************************************************** -->
<!-- The OAuth2 endpoint for direct token requests (i.e. for client_credentials flow). -->
<http pattern="/token/**" create-session="stateless" authentication-manager-ref="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/token/**" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
<property name="filterProcessesUrl" value="/token" />
</bean>
<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="myrealm" />
</bean>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<!-- The OAuth2 endpoint for user-approved authorization (i.e. for "authorization" flow involving user login/approve). -->
<http pattern="/authorize/**" access-denied-page="/login.jsp?authorization_error=true" disable-url-rewriting="true" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/authorize/**" access="IS_AUTHENTICATED_FULLY" />
<form-login authentication-failure-url="/login.jsp?authentication_error=true" default-target-url="http://www.mycompany.com/" login-page="/login.jsp" login-processing-url="/login.do" />
<http-basic />
<anonymous />
</http>
</beans>
To customize the token endpoint URL, do the following steps.
1) Write your own class that extends the ClientCredentialsTokenEndpointFilter class and call the ClientCredentialsTokenEndpointFilter constructor with the "/external/oauth/token" value.
super("/external/oauth/token");
2) Plug your new customized filter into the security configuration.
Replace
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
with
<custom-filter ref="your customized filter" after="BASIC_AUTH_FILTER" />
3) Create your own class for the new mapping (/external/oauth/token) and extend TokenEndpoint.
4) Change the http and intercept-url elements' pattern attribute value to "/external/oauth/token".
You are making this harder than it should be; it's actually very simple!
(Notice I'm using "oauth2:" instead of "oauth:" as the XML tag prefix.)
Go to your security-context.xml
Find "oauth2:authorization-server" in the above file.
<oauth2:authorization-server
client-details-service-ref="someService"
request-validator-ref="someScopeRequestValidator"
token-services-ref="someTokenServices" >
Just add token-endpoint-url="/oauth/whatever_you_like"
<oauth2:authorization-server
client-details-service-ref="someService"
request-validator-ref="someScopeRequestValidator"
token-services-ref="someTokenServices"
token-endpoint-url="/oauth/whatever_you_like" >

Shiro with Spring MVC Wildcard permissions not working

I have a couple of permissions:
inventory:po:view
inventory:po:create
inventory:po:update
In the JSP, below works:
<shiro:hasPermission name="inventory:po:create">
<li><a href='<c:url value="/inventory/document/viewDocument?doctype=2" />'>Purchase Order</a></li>
</shiro:hasPermission>
However, below doesn't.
<shiro:hasPermission name="inventory:po:*">
</shiro:hasPermission>
Shiro version is 1.2.1. I also tried using the subject.isPermitted() call, and that doesn't work either.
I'm sure this is supposed to be pretty straightforward, but is there anything I am missing in the configuration to enable wildcard support? Please advise.
Shiro Configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
<!-- Security Manager -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="jdbcRealm" />
<property name="cacheManager" ref="cacheManager"/>
</bean>
<!-- Caching -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManager" ref="ehCacheManager" />
</bean>
<bean id="ehCacheManager"
class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
<bean id="sessionDAO"
class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO" />
<bean id="sessionManager"
class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<property name="sessionDAO" ref="sessionDAO" />
</bean>
<!-- JDBC Realm Settings -->
<bean id="jdbcRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
<property name="name" value="jdbcRealm" />
<property name="dataSource" ref="dataSource" />
<property name="authenticationQuery"
value="SELECT password FROM system_user_accounts WHERE username=? and status=10" />
<property name="userRolesQuery"
value="SELECT role_code FROM system_roles r, system_user_accounts u, system_user_roles ur WHERE u.user_id=ur.user_id AND r.role_id=ur.role_id AND u.username=?" />
<property name="permissionsQuery"
value="SELECT code FROM system_roles r, system_permissions p, system_role_permission rp WHERE r.role_id=rp.role_id AND p.permission_id=rp.permission_id AND r.role_code=?" />
<property name="permissionsLookupEnabled" value="true"></property>
<property name="cachingEnabled" value="true" />
</bean>
<!-- Spring Integration -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- Enable Shiro Annotations for Spring-configured beans. Only run after
the lifecycleBeanProcessor has run: -->
<bean id="annotationProxy"
class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor" />
<bean id="authorizationAttributeSourceAdvisor"
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
<!-- Secure Spring remoting: Ensure any Spring Remoting method invocations
can be associated with a Subject for security checks. -->
<bean id="secureRemoteInvocationExecutor"
class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
<property name="securityManager" ref="securityManager" />
</bean>
<!-- Passthrough for Login page -->
<bean id="passThruLogin" class="org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter">
<property name="loginUrl" value="/login" />
</bean>
<!-- Shiro filter -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/login" />
<property name="successUrl" value="/dashboard" />
<property name="unauthorizedUrl" value="/error" />
<property name="filters">
<map>
<entry key="authc" value-ref="passThruLogin" />
</map>
</property>
<property name="filterChainDefinitions">
<value>
<!-- !!! Order matters !!! -->
/authenticate = anon
/login = anon
/logout = anon
/error = anon
/static/** = anon
/** = authc
</value>
</property>
</bean>
The "*" isn't a wildcard in Shiro's permission checking; on the contrary, it means "requires all values".
You should assert a wildcard right of your own (read is usually a good default wildcard permission) and be explicit in the permission check.
On the contrary, '*' means 'GRANT the user all rights', which is what got you confused, imho.
From the Check Permissions part of Shiro's documentation about permissions:
if ( SecurityUtils.getSubject().isPermitted("printer:print") ) {
//print the document
}
Therefore, this is an incorrect check. What if the current user does not have the ability to print to any printer, but they do have the ability to print to say, the lp7200 and epsoncolor printers. Then the 2nd example above would never allow them to print to the lp7200 printer even though they have been granted that ability!
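To see why the check in the question fails, here is a Python re-implementation of the implication rules of Shiro's WildcardPermission, written as an added example for this page (it is neither Shiro's source nor the question's code; the granted permission strings are the three from the question). It also shows the grant-side behaviour the answer describes: a granted "inventory:po:*", or a shorter "inventory:po", implies any action.

```python
"""Shiro-style wildcard permission implication, re-implemented in Python.

Mirrors the rules of org.apache.shiro.authz.permission.WildcardPermission:
  - parts are separated by ':' and sub-parts within a part by ','
  - '*' in a GRANTED part matches anything at that position
  - a granted permission with fewer parts than the checked one implies it
    (missing trailing parts behave like '*')
  - a granted permission with MORE parts implies the checked one only if
    every extra part is '*'
A check passes when ANY granted permission implies the checked one, so a
checked "inventory:po:*" needs a grant that covers every action at once.
"""
from typing import List, Set

PART_DIVIDER = ":"
SUBPART_DIVIDER = ","
WILDCARD = "*"


def parse(permission: str) -> List[Set[str]]:
    """Split 'inventory:po:view,create' into [{'inventory'}, {'po'}, {'view', 'create'}]."""
    text = permission.strip().lower()  # Shiro is case-insensitive by default
    if not text:
        raise ValueError("permission string cannot be empty")
    parts: List[Set[str]] = []
    for raw in text.split(PART_DIVIDER):
        sub = {s.strip() for s in raw.split(SUBPART_DIVIDER) if s.strip()}
        if not sub:
            raise ValueError(f"permission {permission!r} has an empty part")
        parts.append(sub)
    return parts


def implies(granted: str, checked: str) -> bool:
    """True if the GRANTED permission string implies the CHECKED one."""
    mine = parse(granted)
    other = parse(checked)
    i = 0
    for other_part in other:
        # Granted has fewer parts: everything past them is implied.
        if len(mine) - 1 < i:
            return True
        my_part = mine[i]
        # A granted part must be '*' or contain every requested sub-part.
        if WILDCARD not in my_part and not my_part.issuperset(other_part):
            return False
        i += 1
    # Granted has more parts than checked: the extras must all be wildcards.
    return all(WILDCARD in part for part in mine[i:])


def is_permitted(granted: List[str], checked: str) -> bool:
    """Subject-level check: any granted permission implying the checked one."""
    return any(implies(g, checked) for g in granted)


# Constructed sample: the permissions listed in the question.
USER_PERMISSIONS = ["inventory:po:view", "inventory:po:create", "inventory:po:update"]

if __name__ == "__main__":
    for check in ["inventory:po:create", "inventory:po:*", "inventory:po"]:
        print(f"{check:22} -> {is_permitted(USER_PERMISSIONS, check)}")
```

Holding the three explicit actions does not satisfy a check for "inventory:po:*", while a single grant of "inventory:po:*" satisfies checks for each action.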