I have a Spring MVC Web app that I'd like to show a simple Welcome Page (index.html). On that page, I just to have a 2 href links: one to bring me to the Login Page that is then implemented using Spring Security (2.5.6) and Hibernate 3 and the other to a Registration Page for new users.
However, the problem is that Spring Security automatically loads my login page each time and does NOT load the index.html page where I have coded the 2 links to forward me to either login or registration. I am brought to the login page which works fine. However, I never get to show the initial index.html page of my web application.
Can anyone shed light on how to prevent Spring Security from overriding the 'Welcome Page' with it's Login Page.
Many thanks.
Here is my Spring Security set up in web.xml:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/spring-beans.xml
WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
There's nothing wrong with your web.xml file, you need to show us your WEB-INF/spring-security.xml file.
If you keep getting directed to the login page, chances are you mess up the intercept-url pattern that causes your welcome page to be caught by Spring Security for further authentication before displaying it.
This is an example of the intercept-url tags that you will find in your WEB-INF/spring-security.xml file:-
<http auto-config="true" access-denied-page="/accessDenied.jsp">
<intercept-url pattern="/login.jsp*" filters="none"/>
<intercept-url pattern="/admin/searchUsers.do" access="ROLE_ADMIN" />
<intercept-url pattern="/**.do" access="ROLE_USER,ROLE_ADMIN" />
<form-login authentication-failure-url="/login.jsp?login_error=1" default-target-url="/home.do"/>
<logout logout-success-url="/home.do"/>
</http>
use
<form-login login-page="/login.jsp" />
Controller should handle user's request and in your case no controller which mapped to this URL. When controller found, it performs some logic and returns view name which will be used to represent server's response. So, view name translator called only after controller and only for deduce full path to particular JSP file.
<mvc:view-controller path="/" view-name="index"/>
Try to add
Related
We are developing a web application with Spring MVC and rest based conrollers. we have already implemented Authentication using spring security. Now this product should run with a valid license. This implementation is done and before webapp starts up we have this check to see whether product is licensed or not. If not user can upload license file and they can start use the product.
Once they start using the product, say after few days license might expire (of course, starting of server will catch this, but if there is no server re-start then they can happily use ever after expiry). So I want to have check on each request, whether the product is licensed (just like isAuthenticated()) or not. If not authenticated, i can redirect to License upload page.
Any ideas / pointers are appreciated.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<beans:bean id="mySuccessHandler" class="com.cavirin.security.MySavedRequestAwareAuthenticationSuccessHandler" />
<authentication-manager alias="authenticationManager">
<authentication-provider ref="localAuthenticationProvider" />
</authentication-manager>
<http auto-config="true" use-expressions="true">
<request-cache ref="authenticationRequestCache" />
<form-login login-page="/"
authentication-success-handler-ref="successHandler"
authentication-failure-url="/rest/login/reAuthenticate" />
<intercept-url pattern="/rest/**" access="isAuthenticated()" />
</http>
<beans:bean id="successHandler"
class="com.cavirin.security.MySavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/rest/login/checkUser" />
</beans:bean>
To check on every request you could just add a filter to your app. But that would be very annoying for users who were half-way through doing something when they get redirected to the license page. It also seems quite inefficient. As an alternative, you could add an AuthenticationProvider which just checks when someone logs in and denies authentication otherwise.
I've been configuring XPM (Tridion 2012 UI Update) on a JSP development site. It's an all-in-one package, with Content Manager, Databases and Staging on the same server for development purposes.
I've made the following configurations:
Defined Staging Web App (called JSPStaging and set to a host header of jspstaging.project.dev), which receives content and places this content in its own folder from the HTTPUpload Web App, which is defined in the Publication Target in the CME
I've added the Java Session Preview Webservice (called cd_preview_webservice)
Currently my sites are being run by Tomcat 7, and IIS 7.5 is used for routing requests to port 8080 (Tomcat) which handles jspstaging.project.dev.
I know this is hardly an ideal situation, but I have to make do.
The problem at hand:
I've currently successfully implemented XPM (or at least, the dashboard, the ability to edit components and save those)
However, as soon as you want to update the page, it sometimes refreshes and it sometimes returns an error:
The remote server returned an error: (404) Not Found.
This is an (orange) Tridion Message. I'm not entirely sure the 404 error described above is the same as the one documented on the SDL Live Content.
This is the error in the Event Viewer on the server:
Unable to update the changes using OData Service. The remote server returned an error: (404) Not Found. Component: Tridion.SiteEdit.FastTrackPublishing Errorcode: 1003 User: NT AUTHORITY\NETWORK SERVICE
As such, I'm following this downright amazing blogpost Albert Romkes wrote, and at point 2 in his article he mentions navigating to odata.svc. I cannot seem to find the file anywhere on my staging or session preview web apps. I've installed .NET applications of Tridion before, and while the .NET app on the installation media (among other files) has an acces_token and a odata.svc file, I noticed that the JAVA install of the webservice of session preview does not have these files. However, later in the install guide you need those files to set up publishing.
When I follow the JSP site part and fill in the fields on the Session Preview Tab of the Publication Target, I cannot navigate to this odata url on the server itself, which is now
http://localhost:8080/cd_preview_webservice/cdws/odata.svc/
The Tridion Logging does not say something is wrong, for staging AND for session preview web app, as well as the Tomcat logs. They even say OData is working just fine, as far as I can tell...
If I cannot navigate to the url posted above, does this mean something is wrong, or that the 404 error is because of that?
EDIT
my web.xml of staging:
<?xml version="1.0" encoding="UTF-8"?>
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
Content Delivery Web service
<jsp-config>
<taglib>
<taglib-uri>cd_tags</taglib-uri>
<taglib-location>/WEB-INF/lib/cd_tags.tld</taglib-location>
</taglib>
</jsp-config>
<listener>
<listener-class>
com.tridion.storage.persistence.session.SessionManagementContextListener
</listener-class>
</listener>
<!--
OData and linking Web service
-->
<servlet>
<servlet-name>Content Delivery Web service</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.resourceConfigClass</param-name>
<param-value>com.sun.jersey.api.core.ClassNamesResourceConfig</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.property.classnames</param-name>
<param-value>com.tridion.webservices.odata.ODataWebservice;com.tridion.webservices.linking.LinkingService;com.tridion.webservices.odata.JAXBContextResolver</param-value>
</init-param>
</servlet>
<filter>
<filter-name>Ambient Data Framework</filter-name>
<filter-class>com.tridion.ambientdata.web.AmbientDataServletFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Ambient Data Framework</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet-mapping>
<servlet-name>Content Delivery Web service</servlet-name>
<url-pattern>/cdws/*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>Page Content Filter</filter-name>
<filter-class>com.tridion.preview.web.PageContentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Page Content Filter</filter-name>
<url-pattern>/cdws/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>com.tridion.webservices.odata.ODataContextListener</listener-class>
</listener>
<filter>
<filter-name>Binary Content Filter</filter-name>
<filter-class>com.tridion.preview.web.BinaryContentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Binary Content Filter</filter-name>
<url-pattern>/Images/*</url-pattern>
</filter-mapping>
You mentioned that you've added the cd_preview_webservice, however, the error message dictates that it's not working. On the Java side, you won't see the odata.svc file as this url is handled by one of the classes within the jars, so don't worry about that.
In your Tomcat console, does it show that the app has been deployed/started without error?
Also the URL that you mention "/cd_preview_webservice/cdws/odata.svc/" has a "/cdws/" in it. This seems a bit irregular. Typically the url is "/cd_preview_webservice/odata.svc". What is does your web.xml look like?
What is the best way to protect our Spring MVC application from CSRF and XSS.
Is there native Spring MVC support for this?
In Spring:
Forms ( globally):
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
Forms ( locally):
<spring:htmlEscape defaultHtmlEscape="true" />
You can use Spring Security 3.2.0.RELEASE and enable csrf support with this configuration
<http>
<!-- ... -->
<csrf />
</http>
Here is a blog about it.
http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html
another one.
http://web.securityinnovation.com/appsec-weekly/blog/bid/79007/How-to-Prevent-Cross-Site-Request-Forgery-CSRF-in-SpringMVC
For token generation esapi can be used.
https://code.google.com/p/owasp-esapi-java/
In my application I'm using spring MVC(3.0.5) architecture along with BIRT reporting framework.
I'm trying to serve all requests including the static resources like css, js, html and image files using the spring DispatcherServlet.
For this purpose I added the following entries to my web.xml
<servlet>
<servlet-name>springapp</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
...............
...............
<servlet-mapping>
<servlet-name>springapp</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
This will direct all request to the DispatcherServlet and in my context file I added
<mvc:resources mapping="/css/**" location="/css/" />
<mvc:resources mapping="/docs/**" location="/docs/" />
<mvc:resources mapping="/images/**" location="/images/" />
<mvc:resources mapping="/js/**" location="/js/" />
<mvc:resources mapping="/themes/**" location="/themes/" />
so that these resources will be loaded from the file system.
These configurations are working fine. But I'm facing issues with my BIRT reporting engine now.
The BIRT reporting engine uses some jsp files located in a folder called webcontent which is located at the root of the application. Since we are directing all request to DispatcherServlet even the request for these jsp pages are going to the spring servlet. As I understand from some posts the jsp files are normally handled by org.apache.jasper.servlet.JspServlet which is registered in the Apache Tomcat's web.xml file and it has a servlet mapping as follows
<!-- The mapping for the JSP servlet -->
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jspx</url-pattern>
</servlet-mapping>
What are the changes that I should make in my servlet mapping to work in this environment? I need the jsp files to be handled by the default jsp servlet not by the spring servlet. How can I achieve this?
For this post I understood that the second priority in servlet matching is for the url prefix, so my url pattern / for spring servelt is overriding the default jsp servlet mapping, Is this assumption correct? If it is correct then how to overcome this?
Thank you.
The typical mapping of DispatcherServlet is <url-pattern>/</url-pattern>. In this case it still handles all requests except for requests handled by other servlets (in particular, requests to *.jsp), so that it should solve the problem.
I seem to be getting the following error when I try to access a Remote Java class (on Spring/BlazeDS) from the Flex/Cairngorm application. I am going crazy at the moment trying to see what is wrong - any help would be greatly appreciated - thanks Mike.
**Error: C0007E: RemoteObject not found for mycomponentsService
at RemoteObjects/getService()
at com.adobe.cairngorm.business::ServiceLocator/getRemoteObject()
at com.nomura.dashboard.client.business::DashBoardDelegate()**
All my config files are below:
Cairngorm - BusinessDelegate.as
this.service = ServiceLocator.getInstance().getRemoteObject("**mycomponentsService**");
Cairngorm - Services.mxml
mx:RemoteObject id="mycomponentsService"
destination="remotecomponentService"
showBusyCursor="true">
Spring/BlazeDS - application-config.xml
flex:remote-service ref="remotecomponentService"
bean id="remotecomponentService"
class="com.mycompany.dashboard.server.dao.ComponentsDAO"
Spring/BlazeDS - services-config.xml
channel-definition id="myamf" class="mx.messaging.channels.AMFChannel"
endpoint url="http://localhost:8080/dashboard-server/spring/messagebroker/amf"
class="flex.messaging.endpoints.AMFEndpoint"
The web.xml also contains Spring references - see below
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4">
<!-- The front controller of this Spring Web application, responsible for handling all application requests -->
<display-name>dashboard-server</display-name>
<servlet>
<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/*-config.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Map /spring/* requests to the DispatcherServlet -->
<servlet-mapping>
<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
<url-pattern>/spring/*</url-pattern>
</servlet-mapping>
</web-app>
Can we see your web.xml also please? I am surprised to see the word "spring" in the endpoint URL. My endpoints have always looked like
url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"
E.g.: I think your services-config.xml should look more like this.
<channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
<endpoint url="http://{server.name}/dashboard-server/messagebroker/amf"
class="flex.messaging.endpoints.AMFEndpoint"/>
</channel-definition>
I would also suggest not hardcoding the end-point URL so much. Just go with
<channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
<endpoint class="flex.messaging.endpoints.AMFEndpoint"
url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" />
</channel-definition>
Update:
OK, so your web.xml looks OK, as does having the spring in your URL. What I don's see in your Spring configuration file (application-config.xml) is the Spring URL mapping. For example, in my Spring config files, in addition to the the bean definitions, there is a mapping. E.g.:
<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<value>
/histogram/**=bean.HistogramController
/counter/**=bean.CounterController
</value>
</property>
</bean>
<bean id="bean.HistogramController" class="ch.comp.app.HistogramXportController" />
<bean id="bean.CounterController" class="ch.comp.app.CounterXportController" />
(I have one app that is Spring-based, and another that uses BlazeDS, but not both...so I might be missing something. That said, what I'm asking still should be valid. In theory. But take it with a grain of salt.)
Maybe some some super basic debugging is in order. Can you check to see if the calls to your server are returning HTTP 404 or not on theses problem endpoints? A couple ways to do this:
Check the access logs for GET /dashboard-server/spring/messagebroker/amf. What is the HTTP status code for these requests? (Free, easy, no new tools.)
If you are using FireFox as a browser, add the Tamper Data plug in. You don't have to tamper with the data, but it shows you what is being called, what is returned, and all the HTTP headers.
Use a full on Flash/Flex oriented protocol sniffer tool, like Charles Web Debugging Proxy.
It will very helpful to narrow down the problem to know if where these requests are failing on the communications stack.
I have attached web.xml below. In terms of the word "Spring" - I am using the standard BlazrDS/Spring integration WAR file which requires "spring" to be there. The bean id="remotecomponentService" is acutally a Spring bean.
Are you saying even with the BlazeDS/Spring WAR I can use your solution above?
The web.xml also contains Spring references - see below
<web-app version="2.4">
<display-name>dashboard-server</display-name>
<servlet>
<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/*-config.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Map /spring/* requests to the DispatcherServlet -->
<servlet-mapping>
<servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
<url-pattern>/spring/*</url-pattern>
</servlet-mapping>
</web-app>