Develop Reference

Spring Security 404 error

I want to use spring security for authentification but when I try to access the site, I get the 404 error on all requests. I'm trying to debug this for few days, but nothing work for me.
Here is my web.xml :
<!-- Spring MVC -->
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-database.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
spring-security.xml:
<context:component-scan base-package="com.example.users.service"/>
<http auto-config="true" use-expressions="true" authentication-manager-ref="authManager">
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<csrf />
</http>
<authentication-manager id="authManager">
<authentication-provider user-service-ref="myUserDetailsService" />
</authentication-manager>
spring-database.xml:
<tx:annotation-driven transaction-manager="transactionManager"/>
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost:3306/test" />
<property name="username" value="root" />
<property name="password" value="12345678" />
</bean>
<bean id="sessionFactory"
class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQL5Dialect</prop>
<prop key="hibernate.format_sql">true</prop>
<prop key="hibernate.show_sql">true</prop>
</props>
</property>
<property name="packagesToScan" value="com.example.users.model"/>
</bean>
<bean id="transactionManager"
class="org.springframework.orm.hibernate4.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory"/>
</bean>
and mvc-dispatcher-servlet.xml:
<context:component-scan base-package="com.example.*" />
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/pages/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
Any help would be greatly appreciated.
Thanks.

We don't know what version of Spring Security you are using, but if you have 4.X.X then this url won't work: /j_spring_security_check. They have changed it to /login.
Here is the docs.
I think this config should do the trick:
<http auto-config="true" use-expressions="true" authentication-manager-ref="authManager">
<form-login
login-page="/login"
default-target-url="/welcome"
always-use-default-target="true"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"/>
<access-denied-handler error-page="/403" />
<intercept-url pattern="/**" access="isAuthenticated()"/>
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/login" access="permitAll"/>
<logout logout-success-url="/login?logout" />
<csrf />
</http>

Assuming Dmitriy might have solved this by now, I am answering on the hopes that it may be useful for others who stumble upon on this issue.
I cannot find the spring mvc dispatcher servlet config xml.
We dont need to add component scan specially in the spring security xml configuration if its already taken care in the spring configuration.
The intercept-url pattern="/j_spring_security_check" access="permitAll" may not be required. Spring security is intelligent, it will only apply security for the url pattern mentioned. All other urls are free to access.
Depending on Spring security version, /j_spring_security_check or /login url should be used in the form action. Former is used in Spring 3.x and latter is used in Spring 4.x
login-page attribute in form-login must match a url in the spring mvc application through controller mapping or xml mapping.
Finally, important thing is, if you mess up a single config in spring security xml, spring will let you run the app but it will always result in 404. So make sure you have all urls mapped to controller mapping, all pages are resolvable in the spring mvc application.
For example, if the access-denied-handler error-page="/403" element cannot find /403 mapping then it will result in 404 error though the user is authenticated and authorized successfully.
if you debug the spring security framework how all the filters are working, you can see how your application is behaving.
<i><debug/></i> element in spring security can help.
Please let me know if this helps.

spring security logout success url redirecting to http from https

Our application is protected by siteminder web agent and is on https.
Our application is running on weblogic and is on http.
When the user access protected URL, the siteminder login page(https) is displayed and the user enters his credentials here.
But after successful authentication, the user was redirected to http URL and page cannot be displayed or unable to connect message was displayed.
I fixed this issue by adding redirectHttp10Compatible="false" attribute to my view resolver.
Now, upon logout, the application is redirecting to logout success URL over http rather than https.
redirectHttp10Compatible="false" attribute is still in the same place.
Any help in this regard is very helpful and highly appreciated.
Thanks a lot in advance.
The below are the config files(edited, removed irrelevant lines) :
<-- DISPATCHER SERVLET -->
<context:component-scan base-package="xxx.xxx.controllers"/>
<mvc:annotation-driven />
<mvc:default-servlet-handler/>
<bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<property name="maxUploadSize" value="100000000"/>
</bean>
<bean id="jspViewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:viewClass="org.springframework.web.servlet.view.JstlView"
p:prefix="/WEB-INF/jsp/"
p:suffix=".jsp"
p:redirectHttp10Compatible="false"
/>
<-- SPRING SECURITY XML FILE -->
<http pattern="/login/login.action" security="none"/>
<http pattern="/login/logout.action" security="none"/>
<http pattern="/WEB-INF/jsp/Login.jsp" security="none"/>
<http pattern="/WEB-INF/jsp/Logout.jsp" security="none"/>
<http auto-config="false" entry-point-ref="http403EntryPoint" use-expressions="true">
<form-login login-page="/login/login.action"
default-target-url="/home.action"
authentication-failure-url="/login/login.action?loginFailed=true"
always-use-default-target="true"/>
<custom-filter ref="siteMinderAgent" position="PRE_AUTH_FILTER"/>
<logout logout-success-url="/login/logout.action"
invalidate-session="true" />
</http>
<beans:bean id="siteMinderAgent"
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<beans:property name="principalRequestHeader" value="SM_USER"/>
<beans:property name="authenticationManager" ref="appAuthenticationManager" />
</beans:bean>
<beans:bean id="preauthAuthProvider"
class="com.xxx.security.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="http403EntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<authentication-manager alias="appAuthenticationManager">
<authentication-provider ref="preauthAuthProvider"/>
</authentication-manager>

Spring Security authentication decision

In my Spring Security I have an issue. When I access url's like /admin, /client or even /admin/addUser.jsp it returns me to a login page (as it necessary) but when I access the url like /addUser (which mapped to Spring MVC controller) it returns me a page in any case even if user is not authenticated. What configuration I need to add/remove/modify in order to Security performs everything well.
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<security:http auto-config="true" use-expressions="true"> <!--access-decision-manager-ref="accessDecisionManager"-->
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/admin*/**" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/client*/**" access="hasRole('ROLE_USER')"/>
<security:form-login login-page="/login" default-target-url="/index" authentication-failure-url="/loginFail"
authentication-success-handler-ref="redirectRoleStrategy"/>
<security:logout logout-success-url="/logout" invalidate-session="true"/>
<security:access-denied-handler error-page="/403"/>
</security:http>
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider"/>
</list>
</property>
</bean>
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsService"/>
</security:authentication-manager>
<bean id="redirectRoleStrategy" class="com.payment.system.util.RoleBasedAuthenticationSuccessHandler">
<property name="roleUrlMap">
<map>
<entry key="ROLE_ADMIN" value="/admin"/>
<entry key="ROLE_USER" value="/client"/>
</map>
</property>
</bean>
</beans>
P.S.: By the way, my IDEA strikes-through me a <property name="providers"> line reporting me that this property is deprecated. To what property I should replace this?
Thank you!

Just add
<security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
after all yours intercept-url tags (I mean it must be the last one)
For PS question: as explained in javadoc just use use constructor injection (via constructor-arg tag).

When you will add the configuration suggested by Maksym it will solve your authentication problem. But it will NOT solve your authorization problem. A user with the role ROLE_USER will be able to access to /addUser.
Two solutions:
1) Move all URLs that should be accessed by admin under to /admin**. This solution may be complicated.
2) Replace configuration suggested my Maxim by the following configuration:
<security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
Please not that in this case the user with the role ROLE_USER will be able to access only to URLs /client*/**
Please tell me if you need any additional help.
Best regards,
Michael
P.S. I recommend to define all beans via namespace as explained here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html
It should eliminate warnings.

spring webmvc mapping the jsp (without controllers)

I am trying to get my hands on Spring 3 web-mvc. I have a simple page link (you know.. <a href="xyz"> thing.
Somehow spring mvc doesn't like that.. eer.. well, my spring config is not working how i would like it to be.
I tried with DefaultRequestToViewNameTranslator but that didn't help. I think its something to do with what "Handler" spring dispatcher servlet chooses.. but I am not able to grasp those things yet. Log output did not help much either.
Can someone help?
Here is web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/applicationContext.xml</param-value>
</context-param>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Reads request input using UTF-8 encoding -->
<filter>
<filter-name>characterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>characterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Handles all requests into the application -->
<servlet>
<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring/appServlet/servlet-context.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
And spring config:
<!-- Scans the classpath of this application for #Components to deploy as beans -->
<context:component-scan base-package="com.mycompany.mvc" />
<!-- Configures the #Controller programming model -->
<mvc:annotation-driven />
<!-- Forwards requests to the "/" resource to the "welcome" view -->
<mvc:view-controller path="/" view-name="index"/>
<!-- Configures Handler Interceptors -->
<mvc:interceptors>
<!-- Changes the locale when a 'locale' request parameter is sent; e.g. /?locale=de -->
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor" />
</mvc:interceptors>
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources/ directory -->
<mvc:resources mapping="/css/**" location="/css/" />
<mvc:resources mapping="/js/**" location="/js/" />
<mvc:resources mapping="/images/**" location="/images/" />
<!-- Saves a locale change using a cookie -->
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver" />
<!-- Application Message Bundle -->
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="/WEB-INF/messages/messages" />
<property name="cacheSeconds" value="0" />
</bean>
<!-- Automatic resolution of the view names.. Convention over configuration -->
<bean id="viewNameTranslator" class="org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator"/>
<!-- Resolves view names to protected .jsp resources within the /WEB-INF/views directory -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/content/"/>
<property name="suffix" value=".jsp"/>
</bean>
And jsp where link is defined:
<li>flot integration</li>
And the log file output:
DEBUG o.s.web.servlet.DispatcherServlet:693 - DispatcherServlet with name 'Spring MVC Dispatcher Servlet' processing GET request for [/demo/flot]
WARN o.s.web.servlet.PageNotFound:947 - No mapping found for HTTP request with URI [/demo/flot] in DispatcherServlet with name 'Spring MVC Dispatcher Servlet'
DEBUG o.s.web.servlet.DispatcherServlet:674 - Successfully completed request

Controller should handle user's request and in your case no controller which mapped to this URL. When controller found, it performs some logic and returns view name which will be used to represent server's response. So, view name translator called only after controller and only for deduce full path to particular JSP file.
Try to add
<mvc:view-controller path="demo/flot" view-name="demo/flot"/>
(Also, you probably may try to omit view-name attribute, but I don't sure.)

Currently.. following worked..
Though the property /** might be an issue for me later when I add the controllers too.
But I can customize the .jsp file url
<bean id="handlerMapping"
class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<props>
<prop key="/**">urlFilenameViewController</prop>
</props>
</property>
</bean>
<bean id="urlFilenameViewController" class="org.springframework.web.servlet.mvc.UrlFilenameViewController" />

Using spring-webmvc 3.0.6.RELEASE this worked for me:
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven />
<view-controller path="secure/*" view-name="secure/index"/>
<view-controller path="secure/extreme/*" view-name="secure/extreme/index"/>
<!-- Resolves views selected for rendering by #Controllers to .jsp resources
in the /WEB-INF/views directory -->
<beans:bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
Beans annotated with #Controller and #RequestMapping are called on the appropriate url, any url like secure/* and secure/extreme/* is handled by WEB-INF/views/secure/index.jsp and WEB-INF/views/secure/extreme/index.jsp respectively

I am using spring web 3.2.1 and I have only internal resolver and annotations based config. The jsp files view are accessible by default without using controller i.e not coded in any controller at return value of the mapped controller method. I guess there is some implicit rule.

Putting
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="/WEB-INF/messages/messages" />
<property name="cacheSeconds" value="0" />
</bean>
in application-context.xml resolved the issue for me. The view which does not have a controller(request mapping) will not load if we put these things in servlet.xml. I tried putting these things in application-context.xml and it worked for me. Thanks!!!

After version 3.1 there is WebMvcConfigurerAdapter, so you can put the mapping in configuration like this:
#Configuration
#EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/").setViewName("/index");
}
}

Spring MVC 3 Locale changing using a link not working

Edit: My Spring framework version 3.0.5
A small issue here, The language is not changing when I click the language changer link.
The language files (messages_xx.properties) are in the classpath i18n directory. The files are:
i18n/messages_en.properties
i18n/messages_ar.properties
Spring Configuration
<!-- Component scanner. This is used to automatically find Spring annotations like #Service and #Repository -->
<context:component-scan base-package="com.keype" />
<!-- Annotation driven programming model -->
<mvc:annotation-driven />
<context:annotation-config />
<mvc:resources mapping="/static/**" location="/static/" />
<!-- Session Object Configuration -->
<bean id="session" class="com.keype.system.Session" scope="session">
<aop:scoped-proxy />
</bean>
<!-- The View Resolver -->
<bean id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:prefix="/WEB-INF/jsp/"
p:suffix=".jsp"
/>
<!-- i18n Configuration. Default language is english. Change language using ?language=en -->
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang" />
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.SessionLocaleResolver">
<property name="defaultLocale" value="en" />
</bean>
<!-- Message text files. This is set UTF-8 to display Arabic UTF correctly. -->
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="classpath:i18n/messages" />
<property name="defaultEncoding" value="UTF-8"/>
</bean>
A section from the JSP Code
<spring:message code="header.arabic" /> |
<spring:message code="header.english" />
The issue is, when I click the above link to change the language, the locale changing functionality is not working. I tested by changing the "defaultLocate" to "ar" and I'm getting Arabic text.
What could possibly be wrong here? There is nothing in the tomcat log also.

You have to register the localeChangeInterceptor among the MVC interceptors for Spring-MVC to consider it. Add the interceptor to the configuration:
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"></property>
</bean>
</mvc:interceptors>

<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor"
p:paramName="lang" />
</mvc:interceptors>
<bean id="localeResolver"
class="org.springframework.web.servlet.i18n.CookieLocaleResolver">
<property name="defaultLocale" value="en" />
</bean>

Another thing that can help others:
In my case, I MUST add in the applicationContext.xml. Putting it in the spring-servlet (ref. dispatcher), not worked at all.

You need to register the LocaleChangeInterceptor inside the mvc interceptors tag as below,
E.g.
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="siteLanguage" />
</bean>
</mvc:interceptors>
I was getting the same error and it worked using this code :-)