In my Spring Security I have an issue. When I access url's like /admin, /client or even /admin/addUser.jsp it returns me to a login page (as it necessary) but when I access the url like /addUser (which mapped to Spring MVC controller) it returns me a page in any case even if user is not authenticated. What configuration I need to add/remove/modify in order to Security performs everything well.
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<security:http auto-config="true" use-expressions="true"> <!--access-decision-manager-ref="accessDecisionManager"-->
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/admin*/**" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/client*/**" access="hasRole('ROLE_USER')"/>
<security:form-login login-page="/login" default-target-url="/index" authentication-failure-url="/loginFail"
authentication-success-handler-ref="redirectRoleStrategy"/>
<security:logout logout-success-url="/logout" invalidate-session="true"/>
<security:access-denied-handler error-page="/403"/>
</security:http>
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider"/>
</list>
</property>
</bean>
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsService"/>
</security:authentication-manager>
<bean id="redirectRoleStrategy" class="com.payment.system.util.RoleBasedAuthenticationSuccessHandler">
<property name="roleUrlMap">
<map>
<entry key="ROLE_ADMIN" value="/admin"/>
<entry key="ROLE_USER" value="/client"/>
</map>
</property>
</bean>
</beans>
P.S.: By the way, my IDEA strikes-through me a <property name="providers"> line reporting me that this property is deprecated. To what property I should replace this?
Thank you!
Just add
<security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
after all yours intercept-url tags (I mean it must be the last one)
For PS question: as explained in javadoc just use use constructor injection (via constructor-arg tag).
When you will add the configuration suggested by Maksym it will solve your authentication problem. But it will NOT solve your authorization problem. A user with the role ROLE_USER will be able to access to /addUser.
Two solutions:
1) Move all URLs that should be accessed by admin under to /admin**. This solution may be complicated.
2) Replace configuration suggested my Maxim by the following configuration:
<security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
Please not that in this case the user with the role ROLE_USER will be able to access only to URLs /client*/**
Please tell me if you need any additional help.
Best regards,
Michael
P.S. I recommend to define all beans via namespace as explained here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html
It should eliminate warnings.
Related
I want to use spring security for authentification but when I try to access the site, I get the 404 error on all requests. I'm trying to debug this for few days, but nothing work for me.
Here is my web.xml :
<!-- Spring MVC -->
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-database.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
spring-security.xml:
<context:component-scan base-package="com.example.users.service"/>
<http auto-config="true" use-expressions="true" authentication-manager-ref="authManager">
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<csrf />
</http>
<authentication-manager id="authManager">
<authentication-provider user-service-ref="myUserDetailsService" />
</authentication-manager>
spring-database.xml:
<tx:annotation-driven transaction-manager="transactionManager"/>
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost:3306/test" />
<property name="username" value="root" />
<property name="password" value="12345678" />
</bean>
<bean id="sessionFactory"
class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQL5Dialect</prop>
<prop key="hibernate.format_sql">true</prop>
<prop key="hibernate.show_sql">true</prop>
</props>
</property>
<property name="packagesToScan" value="com.example.users.model"/>
</bean>
<bean id="transactionManager"
class="org.springframework.orm.hibernate4.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory"/>
</bean>
and mvc-dispatcher-servlet.xml:
<context:component-scan base-package="com.example.*" />
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/pages/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
Any help would be greatly appreciated.
Thanks.
We don't know what version of Spring Security you are using, but if you have 4.X.X then this url won't work: /j_spring_security_check. They have changed it to /login.
Here is the docs.
I think this config should do the trick:
<http auto-config="true" use-expressions="true" authentication-manager-ref="authManager">
<form-login
login-page="/login"
default-target-url="/welcome"
always-use-default-target="true"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"/>
<access-denied-handler error-page="/403" />
<intercept-url pattern="/**" access="isAuthenticated()"/>
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/login" access="permitAll"/>
<logout logout-success-url="/login?logout" />
<csrf />
</http>
Assuming Dmitriy might have solved this by now, I am answering on the hopes that it may be useful for others who stumble upon on this issue.
I cannot find the spring mvc dispatcher servlet config xml.
We dont need to add component scan specially in the spring security xml configuration if its already taken care in the spring configuration.
The intercept-url pattern="/j_spring_security_check" access="permitAll" may not be required. Spring security is intelligent, it will only apply security for the url pattern mentioned. All other urls are free to access.
Depending on Spring security version, /j_spring_security_check or /login url should be used in the form action. Former is used in Spring 3.x and latter is used in Spring 4.x
login-page attribute in form-login must match a url in the spring mvc application through controller mapping or xml mapping.
Finally, important thing is, if you mess up a single config in spring security xml, spring will let you run the app but it will always result in 404. So make sure you have all urls mapped to controller mapping, all pages are resolvable in the spring mvc application.
For example, if the access-denied-handler error-page="/403" element cannot find /403 mapping then it will result in 404 error though the user is authenticated and authorized successfully.
if you debug the spring security framework how all the filters are working, you can see how your application is behaving.
<i><debug/></i> element in spring security can help.
Please let me know if this helps.
Our application is protected by siteminder web agent and is on https.
Our application is running on weblogic and is on http.
When the user access protected URL, the siteminder login page(https) is displayed and the user enters his credentials here.
But after successful authentication, the user was redirected to http URL and page cannot be displayed or unable to connect message was displayed.
I fixed this issue by adding redirectHttp10Compatible="false" attribute to my view resolver.
Now, upon logout, the application is redirecting to logout success URL over http rather than https.
redirectHttp10Compatible="false" attribute is still in the same place.
Any help in this regard is very helpful and highly appreciated.
Thanks a lot in advance.
The below are the config files(edited, removed irrelevant lines) :
<-- DISPATCHER SERVLET -->
<context:component-scan base-package="xxx.xxx.controllers"/>
<mvc:annotation-driven />
<mvc:default-servlet-handler/>
<bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<property name="maxUploadSize" value="100000000"/>
</bean>
<bean id="jspViewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:viewClass="org.springframework.web.servlet.view.JstlView"
p:prefix="/WEB-INF/jsp/"
p:suffix=".jsp"
p:redirectHttp10Compatible="false"
/>
<-- SPRING SECURITY XML FILE -->
<http pattern="/login/login.action" security="none"/>
<http pattern="/login/logout.action" security="none"/>
<http pattern="/WEB-INF/jsp/Login.jsp" security="none"/>
<http pattern="/WEB-INF/jsp/Logout.jsp" security="none"/>
<http auto-config="false" entry-point-ref="http403EntryPoint" use-expressions="true">
<form-login login-page="/login/login.action"
default-target-url="/home.action"
authentication-failure-url="/login/login.action?loginFailed=true"
always-use-default-target="true"/>
<custom-filter ref="siteMinderAgent" position="PRE_AUTH_FILTER"/>
<logout logout-success-url="/login/logout.action"
invalidate-session="true" />
</http>
<beans:bean id="siteMinderAgent"
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<beans:property name="principalRequestHeader" value="SM_USER"/>
<beans:property name="authenticationManager" ref="appAuthenticationManager" />
</beans:bean>
<beans:bean id="preauthAuthProvider"
class="com.xxx.security.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="http403EntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<authentication-manager alias="appAuthenticationManager">
<authentication-provider ref="preauthAuthProvider"/>
</authentication-manager>
In my spring mvc project the login page is served as a direct url host/context/login.jsp.
My web.xml states dispatcher-servlet url pattern as:
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern> / </url-pattern>
</servlet-mapping>
Also my mvc-dispatcher-servlet.xml is below:
<context:component-scan base-package="com.company" />
<mvc:resources location="/, /assets/"
mapping="/assets/**" />
<mvc:annotation-driven/>
<context:property-placeholder location="classpath*:METAINF/spring/application.properties" />
<bean id="jspViewResolver" class="org.springframework.web.servlet.view.UrlBasedViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
<security:http use-expressions="true">
<security:form-login login-page="/login.jsp" login-processing-url="/j_spring_security_check" authentication-failure-url="/login.jsp?login_error=iup"/>
<security:http-basic />
<security:logout />
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/WEB-INF/jsp/**" access="hasRole('ROLE_ADMIN')" />
</security:http>
Also I have a jsp file login.jsp just above the WEB-INF folder for direct access.
On my local machine when I do localhost:8080/context/login.jsp everyting runs fine and login.jsp is rendered but on server machine the call is intercepted by DispatcherServlet and it tries to find a corresponding url mapping(which is not present). What could possibly be making it happen. The logs for catalina.out at server machine are as:
-DispatcherServlet with name 'mvc-dispatcher' processing GET request for [/context/login.jsp]
-command not found
-Looking up handler method for path /login.jsp
-command not found
-Did not find handler method for [/login.jsp]
-command not found
-No mapping found for HTTP request with URI [/context/login.jsp] in DispatcherServlet with name 'mvc-dispatcher'
I'm currently working on a Spring MVC project and have some issue with using "<MVC:resource "tag of SpringMVC to load static resource. So I downloaded the springMVC showcase project and did some change on it to check this tag.
Since my project is a simple one, seems to me the two tags for "conversionservice" is not necessary.
However after I removed this two tag, something wired happend.
If I have both the tag for static resources "<resources mapping="/resources/.." and the "<context:component-scan base-package="org.springframework.samples.mvc" />" tag (in controllers.xml) configged, then I cann't access any uri that anotated on controllers- it returns a 404 not found error. if I comment out the resource mapping tag, then those controllers works fine.
Anyone have ever experience this situation? Any idea how to get around that?
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven conversion-service="conversionService">
<argument-resolvers>
<beans:bean class="org.springframework.samples.mvc.data.custom.CustomArgumentResolver"/>
</argument-resolvers>
</annotation-driven>
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources/ directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by #Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
<!-- Only needed because we install custom converters to support the examples in the org.springframewok.samples.mvc.convert package -->
<beans:bean id="conversionService" class="org.springframework.format.support.FormattingConversionServiceFactoryBean">
<beans:property name="formatters">
<beans:bean class="org.springframework.samples.mvc.convert.MaskFormatAnnotationFormatterFactory" />
</beans:property>
</beans:bean>
<!-- Imports user-defined #Controller beans that process client requests -->
<beans:import resource="controllers.xml" />
</beans:beans>
<context:annotation-config/> just don't work on Spring 3.1.0, but <mvc:annotation-driven/> just works, I referenced this post
I got the same issue and what I did is to remove the "**" in the resource tag.
I had faced similar issue - SO Question
You can either use <mvc:annotation-driven/> or provide handler mapping yourself with order of higher precedence -
<bean id="annotationUrlMapping" class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
<property name="order" value="0" />
</bean>
<bean id="annotationMethodHandlerAdapter" class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"/>
Edit: My Spring framework version 3.0.5
A small issue here, The language is not changing when I click the language changer link.
The language files (messages_xx.properties) are in the classpath i18n directory. The files are:
i18n/messages_en.properties
i18n/messages_ar.properties
Spring Configuration
<!-- Component scanner. This is used to automatically find Spring annotations like #Service and #Repository -->
<context:component-scan base-package="com.keype" />
<!-- Annotation driven programming model -->
<mvc:annotation-driven />
<context:annotation-config />
<mvc:resources mapping="/static/**" location="/static/" />
<!-- Session Object Configuration -->
<bean id="session" class="com.keype.system.Session" scope="session">
<aop:scoped-proxy />
</bean>
<!-- The View Resolver -->
<bean id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:prefix="/WEB-INF/jsp/"
p:suffix=".jsp"
/>
<!-- i18n Configuration. Default language is english. Change language using ?language=en -->
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang" />
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.SessionLocaleResolver">
<property name="defaultLocale" value="en" />
</bean>
<!-- Message text files. This is set UTF-8 to display Arabic UTF correctly. -->
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="classpath:i18n/messages" />
<property name="defaultEncoding" value="UTF-8"/>
</bean>
A section from the JSP Code
<spring:message code="header.arabic" /> |
<spring:message code="header.english" />
The issue is, when I click the above link to change the language, the locale changing functionality is not working. I tested by changing the "defaultLocate" to "ar" and I'm getting Arabic text.
What could possibly be wrong here? There is nothing in the tomcat log also.
You have to register the localeChangeInterceptor among the MVC interceptors for Spring-MVC to consider it. Add the interceptor to the configuration:
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"></property>
</bean>
</mvc:interceptors>
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor"
p:paramName="lang" />
</mvc:interceptors>
<bean id="localeResolver"
class="org.springframework.web.servlet.i18n.CookieLocaleResolver">
<property name="defaultLocale" value="en" />
</bean>
Another thing that can help others:
In my case, I MUST add in the applicationContext.xml. Putting it in the spring-servlet (ref. dispatcher), not worked at all.
You need to register the LocaleChangeInterceptor inside the mvc interceptors tag as below,
E.g.
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="siteLanguage" />
</bean>
</mvc:interceptors>
I was getting the same error and it worked using this code :-)