We have Spring MVC application. We are trying to integrate the Spring security in it.
We have written our custom authentication provider which will do the work of authentication.
Below is the code for my custom authentication provider.
public class CustomAuthenticationProvider extends DaoAuthenticationProvider {
#Autowired
private AuthenticationService authenticationService;
#Override
public Authentication authenticate(Authentication authentication) {
CustomAuthenticationToken auth = (CustomAuthenticationToken) authentication;
String username = String.valueOf(auth.getPrincipal());
String password = String.valueOf(auth.getCredentials());
try {
Users user = new User();
user.setUsername(username);
user.setPassword(PasswordUtil.encrypt(password));
user = authenticationService.validateLogin(user);
return auth;
} catch (Exception e) {
throw new BadCredentialsException("Username/Password does not match for " + username);
}
}
#Override
public boolean supports(Class<? extends Object> authentication) {
return (CustomAuthenticationToken.class.isAssignableFrom(authentication));
}
}
Here i am getting NullpointerException on the following line
user = authenticationService.validateLogin(user);
The authenticationService is not getting autowired in the custom authentication provider. While the same service authenticationService is autowired in the same way in my MVC controller.
Is this because authentication provider is a Spring security component?
Below is a my web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/myApp-security.xml
</param-value>
</context-param>
<servlet>
<servlet-name>myApp</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/myApp-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>myApp</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
Edit 1 :-
I have added the following lines in my spring security configuration file.
<beans:bean id="customAuthenticationProvider" class="com.myApp.security.provider.CustomAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
Please help how to autowire my service classes in the Spring security components?
Are you using the <debug/> element? If so, try removing to see if it fixes your problem as SEC-1885 prevents #Autowired from working when using <debug/>.
Perhaps autowiring postprocessor is not enabled in the root application context (but enabled in the DispatcherServlet's context as a side effect of <mvc:annotation-driven> or <context:component-scan>).
You can enable it by adding <context:annotation-config> to myApp-security.xml.
I experienced this issue and came to the conclusion that while autowiring was taking place, the spring security was operating with a completely different instance of the classes. To solve this I imported the security configuration into the spring mvc configuration as below.
This allowed Spring security to share the context with my spring mvc.
<import resource="myapp-security.xml" />
I faced the same issue and fixed it.
The solution is even if u have #Autowired annotation set for Service class.
#Autowired
private AuthenticationService authenticationService;
Removed the bean definition in your dispatcher-servlet.xml and it will work.
<!--
<beans:bean id="customAuthenticationProvider" class="com.myApp.security.provider.CustomAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
-->
and add it in security context file
if you are using Spring MVC then you have to add both spring-security.xml and dispatcher-servlet.xml in contextConfigLocation.
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml
/WEB-INF/dispatcher-servlet.xml
</param-value>
</context-param>
you need to define your CustomAuthenticationProvider as a spring bean (in applicationContext.xml generally or applicationContext-security.xml if you have one)
You should use
You cannot use because your myApp-security.xml is creating another ApplicationContext which doesnt see all the autowiring from your context created by myApp-servlet.xml
Related
I am learning Spring MVC (with Thymeleaf) while porting over a JBoss Seam website to Spring MVC.
I am trying to replace a HTTPServlet (doPost to /myservlet) with a Spring Controller with the following code:
#RequestMapping(value="/myservlet", method = RequestMethod.POST)
public String executeAction(HttpServletRequest request, HttpServletResponse response) throws IOException {
StringBuilder buffer = new StringBuilder();
BufferedReader reader = request.getReader();
String line;
while((line = reader.readLine()) != null) {
buffer.append(line);
}
String payload = buffer.toString();
System.out.println("payload: " + payload);
return "/index";
}
This method needs to read the XML Payload (String) sent via a HTTP Post to this endpoint.
When the external client (.NET - which will be used in the live environment) invokes this I get the following log messages:
[org.springframework.web.servlet.PageNotFound] (default task-3) Request method 'POST' not supported
[org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver] (default task-3) Handler execution resulted in exception: Request method 'POST' not supported
I have also tried this as a HTTPServlet but with the same problem. Can someone please advise as to what I am doing wrong?
The web.xml contents are:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<!-- Send unauthorised request to the 404 page -->
<error-page>
<error-code>403</error-code>
<location>/404.html</location>
</error-page>
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/appServlet/servlet-context.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
</web-app>
The xml payload:
<Jobs>
<Job Action="Post">
<AdvertiserName>Advertiser1</AdvertiserName>
<AdvertiserType ValueID="15897">15897</AdvertiserType>
<SenderReference>01111111</SenderReference>
<DisplayReference>DISPLAYREF_635346301296069467_4445_Test89
</DisplayReference>
<Classification ValueID="6211">1002915</Classification>
<SubClassification></SubClassification>
<Position><![CDATA[CASE MANAGER]]></Position>
<Description><![CDATA[ The Case Manager role is the vital link between all parties within the mortgage application process. ...]]></Description>
<Country ValueID="246">United Kingdom</Country>
<Location ValueID="12096">Yorkshire</Location>
<Area ValueID="107646">Bradford</Area>
<PostalCode>BD1 1EE</PostalCode>
<ApplicationURL>http://removed.com/Application.aspx?uPjAaXJ9HmZ04+4i/bqmFAz
</ApplicationURL>
<Language ValueID="120036">2057</Language>
<ContactName>Joe Bloggs</ContactName>
<EmploymentType ValueID="2163">2163</EmploymentType>
<StartDate></StartDate>
<Duration></Duration>
<WorkHours ValueID="2190">2190</WorkHours>
<SalaryCurrency ValueID="1078">1007000</SalaryCurrency>
<SalaryMinimum>16200.00</SalaryMinimum>
<SalaryMaximum>16200.00</SalaryMaximum>
<SalaryPeriod ValueID="2178">1007600</SalaryPeriod>
<JobType>APPLICATION</JobType>
</Job>
</Jobs>
In case anyone else has this issue, the problem is related to the method signature and CSRF.
I got around this by following geoand's advice (thanks) by changing the method signature to add #RequestBody String payload
And by disabling CSRF for the specific URL (/myservlet) but leaving it enabled for the other URL's using the following in the spring security config:
<http auto-config="true" use-expressions="true" pattern="/myservlet" >
<csrf disabled="true"/>
</http>
<http auto-config="true" use-expressions="true" >
<access-denied-handler error-page="/403" />
<form-login login-page="/login.html" authentication-failure-url="/login-error.html" authentication-success-handler-ref="customAuthenticationSuccessHandler" />
<logout logout-success-url="/index" />
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/advertiser/**" access="hasRole('ROLE_ADVERTISER')" />
<csrf disabled="false"/>
</http>
Thank you all for your replies/comments.
Kaz
I removed crsf
.and().csrf().and().exceptionHandling().accessDeniedPage("/Access_Denied");
I changed as
and().exceptionHandling().accessDeniedPage("/Access_Denied");//this Work
We are using Tomcat 7.0.54.
The web.xml:
<context-param>
<param-name>log4jContextName</param-name>
<param-value>SabaLog4jContext</param-value>
</context-param>
There is sample servlet which starts on load
<servlet>
<servlet-name>startUp</servlet-name>
<servlet-class>foo.StartupServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
The StartupServlet simple as:
public class StartupServlet extends HttpServlet {
#Override
public void init() throws ServletException {
getServletContext().setAttribute("test", "ATest");
super.init();
}
}
The log4j2 can not access the test attribute with ${web:attr.test} and I got the warning as:
INFO: org.apache.logging.log4j.web.WebLookup unable to resolve key 'test'
It seems that Log4j2 works fine but the problem is that it starts before my Startup. I tried to use a servletContextListener class but no luck.
I also tried to disable Log4jAutoInitialization in web.xml and manually start set them as below.
<listener>
<listener-class>org.apache.logging.log4j.web.Log4jServletContextListener</listener-class>
</listener>
<filter>
<filter-name>log4jServletFilter</filter-name>
<filter-class>org.apache.logging.log4j.web.Log4jServletFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>log4jServletFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
But no luck:(
The log4j2.xml is as below:
<property name="baseFolder">${web:rootDir}/../logs/${web:test}</property>
So how can setup my web.xml so that my code execute before Log4j context.
The web.xml also contains spring Listeners as:
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
First, make sure Tomcat is configured to provide the functionality of a servlet 3.0 container in your web.xml file:
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
You'll want the 3.0 functionality so you can specify the order in which the servlets are loaded. Then you'll want to have your own ServletContainerInitializer to initialize the ServletContext attributes. Here's an snippet of one of mine:
/* Initializer that is configured, via web.xml, to initialize before Log4j2's initializer. This gives us the
* opportunity to set some servlet context attributes that Log4j2 will use when it eventually initializes.
*/
public class BitColdHardCashContainerInitializer implements ServletContainerInitializer {
#Override
public void onStartup(final Set<Class<?>> classes, final ServletContext servletContext) throws ServletException {
if (servletContext.getMajorVersion() > 2) {
servletContext.log("BitColdHardCashContainerInitializer starting up in Servlet 3.0+ environment.");
}
// Set the webapp.name attribute so that Log4j2 may use it to create a path for log files.
servletContext.setAttribute("webapp.name", servletContext.getContextPath().replaceAll("/", "").trim());
Next, you want your ServerContainerInitializer to run before Log4j2's. In your web.xml, give your servlet a name:
<absolute-ordering>
<name>BitColdHardCash</name>
<others/>
</absolute-ordering>
This needs to be be specified before the <servlet> element.
Create a web-fragment.xml file:
<web-fragment xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-fragment_3_0.xsd"
version="3.0" metadata-complete="true">
<name>BitColdHardCash</name>
<distributable />
<ordering>
<before>
<others />
</before>
</ordering>
</web-fragment>
This tells Tomcat to initialize your ServletContainerInitializer first, before anything else, including Log4j2's. This goes in the META-INF directory.
That should do it. One more thing to check would be your catalina.properties file. You are using a version of Tomcat that fixes a bug regarding the calling of ServletContextInitializers. I'm not sure if the bug was in Tomcat source code or in the default supplied catalina.properties file. In the event you are using a catalina.properties file that pre-dates the fix, just crack it open an ensure that log4j*.jar is not included in the list of files specified for the tomcat.util.scan.DefaultJarScanner.jarsToSkip property.
In case I want to read bean definitions from spring-application-context.xml, I would do this in web.xml file.
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
In case I want to read bean definitions through Java Configuration Class (AnnotationConfigWebApplicationContext), I would do this in web.xml
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</init-param>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
org.package.MyConfigAnnotatedClass
</param-value>
</init-param>
</servlet>
How do I use both in my application. like reading beans from both configuration xml file and annotated class.
Is there a way to load spring beans in xml file while we are using AppConfigAnnotatedClass to instantiate/use rest of the beans.
This didnt work
Xml file defines bean as
<bean name="mybean" class="org.somepackage.MyBean"/>
Java Class Imports Resources as
#ImportResource(value = {"classpath:some-other-context.xml"})
#Configuration
public class MyConfigAnnotatedClass {
#Inject
MyBean mybean;
}
But mybean value is always null which ofcourse will give nullpointerexception when calling method on mybean.
You can annotate your #Configuration class with
#ImportResource(value = {"classpath:some-other-context.xml"})
#Configuration
public class MyConfigAnnotatedClass {
...
}
to have it import <beans> type xml contexts.
You can do the same thing the other way around. Your #Configuration class is also a #Component. If you have a <component-scan> that includes its package, all its declared beans will be added to the context. Alternatively, you can do
<bean name="myAdditionalConfig" class="org.somepackage.MyConfigAnnotatedClass" />
Note that package cannot be used as a name in the package structure.
I have a very basic setup which I am trying to get working.
web.xml
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/site/*</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/mvc-dispatcher-servlet.xml</param-value>
</context-param>
mvc-dispatcher-servlet.xml
<context:component-scan base-package="com.blabla.controller" />
<bean id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:prefix="/WEB-INF/pages/" p:suffix=".jsp"
p:viewClass="org.springframework.web.servlet.view.JstlView" />
In the controller
#Controller
#RequestMapping(value = "/site")
public class SearchController {
#RequestMapping(value = "welcome", method = RequestMethod.GET)
public String test() {
return "test";
}
This is the problem that I have:
I would like to write /site/* as url-pattern in my web.xml, but when I do that I get
WARNING: No mapping found for HTTP request with URI [/site/welcome] in DispatcherServlet with name 'mvc-dispatcher'
When I write /site/welcome in full, everything works, but I dont want this because I dont want to add every page manually to the web.xml
And when I write "/*" as url-pattern i get the error message:
WARNING: No mapping found for HTTP request with URI [/WEB-INF/pages/test.jsp] in DispatcherServlet with name 'mvc-dispatcher'
which I guess makes sense because the the location of the jsp is included in the pattern.
So how do you do it: how can you be sufficiently vague in your url pattern without the problems I just had?
I'd like to have some init params in my web.xml and retrieve them later in the application, I know I can do this when I have a normal servlet. However with resteasy I configure HttpServletDispatcher to be my default servlet so I'm not quite sure how I can access this from my rest resource. This might be completely simple or I might need to use a different approach, either way it would be good to know what you guys think. Following is my web.xml,
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>RestEasy sample Web Application</display-name>
<!-- <context-param>
<param-name>resteasy.scan</param-name>
<param-value>true</param-value>
</context-param> -->
<listener>
<listener-class>
org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap
</listener-class>
</listener>
<servlet>
<servlet-name>Resteasy</servlet-name>
<servlet-class>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>com.pravin.sample.YoWorldApplication</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Resteasy</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
My question is how do I set something in the init-param and then retrieve it later in a restful resource. Any hints would be appreciated. Thanks guys!
Use the #Context annotation to inject whatever you want into your method:
#GET
public Response getWhatever(#Context ServletContext servletContext) {
String myParm = servletContext.getInitParameter("parmName");
}
With #Context you can inject HttpHeaders, UriInfo, Request, HttpServletRequest, HttpServletResponse, ServletConvig, ServletContext, SecurityContext.
Or anything else if you use this code:
public class MyApplication extends Application {
public MyApplication(#Context Dispatcher dispatcher) {
MyClass myInstance = new MyClass();
dispatcher.getDefautlContextObjects().
put(MyClass.class, myInstance);
}
}
#GET
public Response getWhatever(#Context MyClass myInstance) {
myInstance.doWhatever();
}