Spring custom Authorization not working using #PreAuthorize - spring-mvc

I am trying to implement custom #PreAuthorize method in my spring (3.2.2) mvc app. But whenever I click on the link which is supposed to take me to the controller method where the #PreAuthorize is implemented it gives me this error :
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:948)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:827)
javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:812)
javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
root cause
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:339)
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:198)
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:60)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:631)
com.nav.qanda.admin.question.controller.AdminQuestionController$$EnhancerByCGLIB$$5bcda356_2.handleRequest(<generated>)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)
org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:219)
org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:745)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:686)
org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:936)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:827)
javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:812)
javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
This is my app-servlet.xml
<security:global-method-security pre-post-annotations="enabled">
<security:expression-handler ref="expressionHandler" />
</security:global-method-security>
<bean id="expressionHandler" class="com.nav.panda.security.PandaMethodSecurityExpressionHandler" />
and these are the java files overriding
public class PandaMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler{
#Override
protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
MethodInvocation invocation){
PandaMethodSecurityExpressionRoot root = new PandaMethodSecurityExpressionRoot(authentication);
root.setThis(invocation.getThis());
return root;
}
public class PandaMethodSecurityExpressionRoot implements MethodSecurityExpressionOperations {
private Object filterObject;
private Object returnObject;
private Object target;
public boolean adminOnly() {
System.out.println("Checking admin authority");
return true;
// return this.hasAuthority("ADMIN");
} ... other methods
And the controller looks like this :
#RequestMapping(value = "/createPandaPage", method = RequestMethod.GET)
#PreAuthorize("adminOnly()")
public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
return new ModelAndView("admin/createPanda");
}
web.xml :
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The login in my application will populate a User object (which has the users authority filled from a db read) from my application. How do I pass this User Object to check for authority ? And, what else would I need to do to get this working ?

The request which leads to this method being called need to pass through the Spring Security filter chain, otherwise there will be no security context available when the permissions are checked.
Without seeing the rest of the stacktrace, I can't say 100%, but it looks like that's what's happening here, given the exception you are seeing (you should find similar issues if you search for the error message).
So you need to make sure all the requests you want secured are handled by the security filter chain, and also that your filter chain is properly configured (which it should be automatically if you're using the namespace).

Related

CORS filter issue for AuthEntryPoint

I've implemented CORS for my Spring MVC application. The following is in my Web.xml:
<filter>
<filter-name>simpleCORSFilter</filter-name>
<filter-class>com.tcs.filters.SimpleCORSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>simpleCORSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
After consulting CORS with spring-boot and angularjs not working , I implemented a SimpleCORSFilter.java class
And now I implemented the following in a Spring-security.xml file:
<http
use-expressions="true" auto-config="false" create-session="stateless"
disable-url-rewriting="true" entry-point-ref="entryPoint"
authentication-manager-ref="authenticationManager">
<bean id="entryPoint" class="com.tcs.web.EntryPoint" />
But when it is executing it's not calling the class below for either the "wrong/incorrect"-password case or the correct-password case.
So, CORS configuration is blocking the call to this, but if I remove CORS, it is calling UnauthorizedEntryPoint.
Could you let know how to properly call this?
public class EntryPoint implements AuthenticationEntryPoint{
#Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException{
// here some custom code about user like values etc
String userid = request.getParameter("userId")
response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
"Unauthorized: Authentication token was either missing or invalid.");
}
}

Which method is called just before the session gets invalidated in spring-mvc life cycle?

I'm trying to timeout an HttpSession in Spring-mvc.
When the session gets timed out I have to release the resources that were used.
For that I need to call some other methods in the application.
myService.releaseResources(id,name);
myService is an autowired object for the service class.
When the session gets timed out the sessionDestroyed method is called.
But in this method myService method value is null.
I want to know where should I call the above code.
Thanks in advance.
You need to implement HttpSessionListener.
public class SessionListener implements HttpSessionListener {
#Override
public void sessionCreated(HttpSessionEvent sessionEvent) {
// TODO Auto-generated method stub
}
#Override
public void sessionDestroyed(HttpSessionEvent sessionEvent) {
// TODO Auto-generated method stub
}
}
Add its entry to web.xml
<listener>
<listener-class>
yourpacakage.SessionListener
</listener-class>
</listener>
Then call your desired code inside sessionDestroyed method.And as far as service is concerned you can get the service object by accessing current applicationContext.
ServletContext ctx = event.getSession().getServletContext();
WebApplicationContext springContext=WebApplicationContextUtils.getWebApplicationContext(ctx);
springContext.getBean("yourService");
If you want to handle things local to a particular session bean, you can use #Predestroy to annotate your releaseResources method. That will inform Spring that you want that method to be invoked when the session ends.
Note that your MyService bean will have to be annotated to be session scoped.

Spring beans injection into jax-ws services

So I already learnt that integration of spring and jax-ws is not an easy thing.
I want to inject a spring bean into jax-ws service, but for some reason I get an exception during the deployment:
Exception while loading the app : java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: java.lang.IllegalArgumentException: javax.servlet.ServletException: com.sun.enterprise.container.common.spi.util.InjectionException: Error creating managed object for class: class org.springframework.web.context.ContextLoaderListener|#]
this is my jax-ws configuration:
<wss:binding url="/ws/users">
<wss:service>
<ws:service bean="#usersWs"/>
</wss:service>
</wss:binding>
<bean id="usersWs" class="love.service.endpoint.implementations.UserServiceImpl" />
And this is my service:
#WebService
public class UserServiceImpl implements UserService{
#EJB
private DBManager dbmanager;
#Override
#WebMethod
public boolean addUser(String name, String password, String email) {
return false;
}
#Override
#WebMethod
public boolean isUsernameAvailable(String username) {
return dbmanager.isLoginAvailable(username);
}
#Override
#WebMethod
public boolean isEmailAvailable(String email) {
return dbmanager.isEmailAvailable(email);
}
}
and finally my bean configuration:
<bean id="dbmanager" class="love.commons.database.DBManager" scope="request">
<aop:scoped-proxy/>
</bean>
I also tried injecting the bean into some controllers and then it works perfectly well.
If I replace #EJB with #Autowired, the application starts, but the service still doesn't work. When I tried sending a message to it, my only response was the following:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope">
<faultcode>S:Server</faultcode>
<faultstring>Error creating bean with name 'scopedTarget.dbmanager': Scope 'request' is not active for the current thread; consider defining a scoped proxy for this bean if you intend to refer to it from a singleton; nested exception is java.lang.IllegalStateException: No thread-bound request found: Are you referring to request attributes outside of an actual web request, or processing a request outside of the originally receiving thread? If you are actually operating within a web request and still receive this message, your code is probably running outside of DispatcherServlet/DispatcherPortlet: In this case, use RequestContextListener or RequestContextFilter to expose the current request.</faultstring>
</S:Fault>
</S:Body>
</S:Envelope>

web.xml error-page location redirect is not going through my filter definitions

In my web.xml I've done the following error-page mappings, but when they are invoked those invoked requests are not passing through the filter definitions specified in web.xml file.
<error-page>
<error-code>403</error-code>
<location>/error.vm?id=403</location>
</error-page>
<error-page>
<error-code>400</error-code>
<location>/error.vm?id=400</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error.vm?id=404</location>
</error-page>
<error-page>
<exception-type>javax.servlet.ServletException</exception-type>
<location>/servlet-exception.vm</location>
</error-page>
My application is using spring-mvc and I want to handle the handler not found condition from spring mvc. My application is an multi tenant application where some filters are responsible for setting some information related to the schema.
The requests are reaching in my error.vm controller but since they are passing through the filter I'm not able to determine the theme and SecurityContext etc.
How to solve this problem?
Thank you.
Instead of using web.xml's error pages you could use a servlet filter. The servlet filter could be used to catch all exceptions, or just a particular exception such as org.springframework.web.portlet.NoHandlerFoundException. (Is that what you mean by "handler not found" exception?)
The filter would look something like this:
package com.example;
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.web.portlet.NoHandlerFoundException;
public class ErrorHandlingFilter implements Filter {
public void init(FilterConfig config) throws ServletException { }
public void destroy() { }
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) resp;
try {
chain.doFilter(request, response);
} catch (NoHandlerFoundException e) {
// Or you could catch Exception, Error, Throwable...
// You probably want to add exception logging code here.
// Putting the exception into request scope so it can be used by the error handling page
request.setAttribute("exception", e);
// You probably want to add exception logging code here.
request.getRequestDispatcher("/WEB-INF/view/servlet-exception.vm").forward(request, response);
}
}
}
Then, set this up in web.xml with the help of Spring's DelegatingFilterProxy:
<filter>
<filter-name>errorHandlingFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>errorHandlingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
And then finally, turn the filter into a spring bean inside your spring context xml:
<bean id="errorHandlingFilter" class="com.example.ErrorHandlingFilter" />
You might have to experiment with the order of the filter in the filter chain so that failed requests still go through the other filters you mentioned. If you're having trouble with that, a variation would be to do an HTTP redirect instead of a forward, like this:
try {
chain.doFilter(request, response);
} catch (NoHandlerFoundException e) {
request.getSession().setAttribute("exception", e);
response.sendRedirect("/servlet-exception.vm");
}
That would force the browser to request your error handling page as a new http request, which might make it easier to ensure it goes through all of the right filters first. If you need the original exception object, then you could put it in the session instead of the request.
maybe
<filter-mapping>
<filter-name>SomeFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>ERROR</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>

Autowired dependency not injected in Aspect in Spring MVC

I am not able to #Autowire the Service Layer Instance in Aspect. In Aspect the reference to the #Autowired bean is NULL and it throws NullPointerException. Any help will be much appreciated. I think, I messed up with configuration.
Following is my servlet-context.xml:
<!-- Activates various annotations to be detected in bean classes -->
<context:annotation-config />
<context:spring-configured />
<!-- Scans the classpath of this application for #Components to deploy as beans -->
<context:component-scan base-package="xx.yy" />
<!-- an #AspectJ aspect will be interpreted as an aspect by Spring AOP and beans in the context will be advised accordingly -->
<aop:aspectj-autoproxy />
<beans:bean id="loggingAspect" class="xx.yy.aop.aspects.LoggingAspect" />
<beans:bean id="authenticationAspect" class="xx.yy.aop.aspects.AuthenticationAspect" />
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven />
Following is my Aspect:
#Configurable
#Component
#Aspect
public class AuthenticationAspect {
private static final Logger logger = LoggerFactory.getLogger(AuthenticationAspect.class);
#Autowired
private LoginService loginService;
//....
}
Here is my controller using the #Authentication Annotation defined above:
#Controller
#RequestMapping("/user")
public class UsersController {
#Autowired
private UserService userService;
#Authenticate
#RequestMapping(value="/{userId}/profile", method=RequestMethod.GET)
public String displayUser(WebRequest webRequest, #PathVariable("userId") String userId, Model model) {
User user = userService.findUser(Long.valueOf(userId));
model.addAttribute("user", user);
model.addAttribute("AccordionMenuTab","5");
model.addAttribute("selectedLink","profile");
return "profile";
}
I am getting following exception:
Oct 8, 2011 3:12:48 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet appServlet threw exception
java.lang.NullPointerException
at xx.yy.controller.UsersController.displayUser_aroundBody1$advice(UsersController.java:28)
at xx.yy.controller.UsersController.displayUser(UsersController.java:1)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:662)
See this piece of the documentation:
7.8.3 Configuring AspectJ aspects using Spring IoC
When using AspectJ aspects with Spring applications, it is natural to both want and expect to be able to configure such aspects using Spring. The AspectJ runtime itself is responsible for aspect creation, and the means of configuring the AspectJ created aspects via Spring depends on the AspectJ instantiation model (the 'per-xxx' clause) used by the aspect.
The majority of AspectJ aspects are singleton aspects. Configuration of these aspects is very easy: simply create a bean definition referencing the aspect type as normal, and include the bean attribute 'factory-method="aspectOf"'. This ensures that Spring obtains the aspect instance by asking AspectJ for it rather than trying to create an instance itself. For example:
<bean id="profiler" class="com.xyz.profiler.Profiler"
factory-method="aspectOf" />
For anyone looking for a java based bean configuration, Using java reflections I could archive the same
#Bean
public ExceptionAspectHandler exceptionAspectHandler(){
try
{
//noinspection JavaReflectionMemberAccess
Method method = ExceptionAspectHandler.class.getMethod("aspectOf" );
return (ExceptionAspectHandler) method.invoke(null);
}
catch( IllegalAccessException | InvocationTargetException | NoSuchMethodException e )
{
logger.log( Level.SEVERE, "Error creating bean : ", e );
}
return null;
}
Since the aspectOf() method is not available during compile time we cannot create the bean by just calling the method. That is why XML configuration is able to handle it.
Alternatively simpler approach
#Bean
public ExceptionAspectHandler exceptionAspectHandler()
{
return Aspects.aspectOf( ExceptionAspectHandler.class );
}
This also does work.

Resources