How can I configure OSIV in Spring, not Spring boot? - spring

Spring boot knows that 'true' value is entered by default if OSIV is not configured.
So, is OSIV true by default in Spring mvc projects? is it false? Also, how can I set it up?
Below is what it looks like when I configure OSIV in my spring boot project in application.yml.
jpa:
open-in-view: true
And next, this is how it looks when I configure jpa in my spring project in context.xml.
<bean id ="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="jpaProperties">
<props>
<prop key="jpa.open-in-view">true</prop> //I thought to set it up like this, but it doesn't work, and I couldn't find any official documentation for the setup.
</props>
</property>
</bean>

in my web.xml setting bellow
<filter>
<filter-name>OpenEntityManagerInViewFilter</filter-name>
<filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>OpenEntityManagerInViewFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Related

Spring Session changed the cookie value causing HTTP 302 on succeeding requests

Migrating from servlet container HTTP session to spring session has caused HTTP 302 after successful login. I've got an HTTP 200 on first request after login, but succeeding requests seem redirected to login page again. Cannot debug on succeeding requests as it seems not able to reach through the servlet where I put some breakpoint.
Right now, we are using spring session 1.3.5 version. And have noticed that in spring's SessionRepositoryFilter, it replaced the original request cookies (e.g. servlet container) to the value from spring session. I am not sure if this is the root cause of the issue. If it is, can someone suggest how to resolve it? Or is it related to some sort of missing configuration?
Here's the current setup based on the guide from spring session: here
Spring session XML configuration:
<context:annotation-config/>
<bean class="org.springframework.session.hazelcast.config.annotation.web.http.HazelcastHttpSessionConfiguration"/>
<bean id="hazelcastInstance" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="com.xxx.xxx.xxx.xxx.CustomHazelcastProvider.getInstance"/>
</bean>
<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
<property name="cookieName" value="JSESSIONID"/>
<property name="cookiePath" value="/"/>
<property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>
Reference of spring XML configuration in web.xml:
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:application-context.xml</param-value>
</context-param>
Registration of spring session repository filter in web.xml. As describe in the guide, I placed it as the first entry of the filter chain.
<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/rs/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
I have been working on it for days now and don't know yet how to fix it. Will appreciate any help or suggestion that you can advise.
Thank you in advance.
I resolved the issue using spring session HeaderHttpSessionStrategy.
Steps I've made:
In my spring session XML configuration, I removed the entry related to cookie serializer to change the cookie name.
<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
<property name="cookieName" value="JSESSIONID"/>
<property name="cookiePath" value="/"/>
<property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>
By default, spring session uses CookieHttpSessionStrategy. Added below entry in spring session XML configuration.
<bean id="httpSessionStrategy" class="org.springframework.session.web.http.HeaderHttpSessionStrategy"/>
Then on every request, I am passing x-auth-token in the http request header.
After the said change, the application works as expected. Able to login without an issue.
Hope this solution will help others who have encountered the same issue.

Does Spring Session require the use of Spring Security?

Does spring session internally require the use of spring security?
Right now, we have an existing application which uses HTTP session from servlet container (e.g. WebLogic). Due to some issues on session replication and for future plans to use another servlet container, we decided to look for existing framework that would make the HTTP session container independent.
The team decided to look at Spring Session in combination with Hazelcast as described in official documentation. We use spring session version 1.3.5.RELEASE.
For hazelcast configuration, we use this session configuration.
<context:annotation-config/>
<bean class="org.springframework.session.hazelcast.config.annotation.web.http.HazelcastHttpSessionConfiguration"/>
<bean id="hazelcastInstance" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="xxx.xxx.xxx.cache.CustomHazelcastProvider.getInstance"/>
</bean>
<bean class="org.springframework.session.web.http.SessionEventHttpSessionListenerAdapter">
<constructor-arg>
<list>
<bean class="xxx.xxx.xxx.util.CustomHttpSessionListener"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
<property name="cookieName" value="JSESSIONID"/>
<property name="cookiePath" value="/"/>
<property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>
In web.xml, we put this filter chain.
<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CustomServletRequestFilter</filter-name>
<filter-class>xxx.xxx.xxx.servlet.filter.CustomServletRequestFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CustomServletRequestFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
And added spring configuration below in web.xml
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:application-context.xml</param-value>
</context-param>
In the same web.xml, we use form-based authentication.
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myrealm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginerror.html</form-error-page>
</form-login-config>
</login-config>
In addition, we are using the default cookie based HTTP strategy.
After deploying the said changes in weblogic, we are able to get a successful login. Able to check the session ID coming from spring session. However, the next hop or succeeding REST calls, it always returns HTTP 302. It gets redirected to login page.
Does spring session require the use of spring security? Is there some configuration that we need to add to resolve this issue?
Will appreciate any help or suggestion to resolve this issue.
Thank you.

the attributes 'j_username' and 'j_password' were shown as a plain text under Form Data in the request header

I am facing one of a security issue that Chrome dev tools were showing these attributes 'j_username' and 'j_password' as a plain text under Form Data in the request header.
It is an old application, in which we are using acegi-security 0.8.2 with Spring framework.
Workaround in our project: 1. in web.xml, we have mentioned the filter ChannelProcessingFilter as a separate filter,
<filter>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.util.FilterChainProxy
</param-value>
</init-param>
</filter>
<filter>
<filter-name>Acegi Channel Processing Filter</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>
net.sf.acegisecurity.securechannel.ChannelProcessingFilter</param-value>
</init-param>
</filter>
2..In applicationContext.xml, we have defined the ChannelProcessingFilter,
<bean id="channelProcessingFilter" class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter">
<property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property>
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/login.htm*=REQUIRES_SECURE_CHANNEL
/j_acegi_security_check*=REQUIRES_SECURE_CHANNEL
/admin/**=REQUIRES_SECURE_CHANNEL
/**=REQUIRES_INSECURE_CHANNEL
</value>
</property>
</bean>
<bean id="channelDecisionManager" class="net.sf.acegisecurity.securechannel.ChannelDecisionManagerImpl">
<property name="channelProcessors">
<list>
<ref bean="secureChannelProcessor"/>
<ref bean="insecureChannelProcessor"/>
</list>
</property>
</bean>
<bean id="secureChannelProcessor" class="net.sf.acegisecurity.securechannel.SecureChannelProcessor"/>
<bean id="insecureChannelProcessor" class="net.sf.acegisecurity.securechannel.InsecureChannelProcessor"/>
3.To only deliver the login page over HTTPS, we have enabled the SSL/TSL support by generating keystore and enabled the Connector port="8443" in conf/server.xml in the tomcat server
The problem here am facing is, on clicking the j_acegi_security_check request, in Chrome dev tools was showing these attributes 'j_username' and 'j_password' as a plain text under Form Data in the request header.
Am I missing anything here? Kindly help me on encrypt this password or disable this attribute as how it is implemented in the banking applications

securing controller added to jasig cas 3.5.2

I have been tasked with adding password change functionality to our CAS Server, but am new to CAS as well as Spring. I have successfully added a multi action controller to the overlay, but I am at a loss as to how to secure the views and require the user to be authenticated before viewing the pages. As of now, this is what I have added to the CAS overlay project:
web.xml
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/pm/change/*</url-pattern>
</filter-mapping>
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/pm/change/*</url-pattern>
</servlet-mapping>
cas-servlet.xml
<property name="mappings">
<props>
...
<prop key="/pm/change/*">passwordChangeController</prop>
</props>
</property>
<bean id="passwordChangeController" class="...PasswordChangeController"
p:passwordChangeView="default/ui/pmPasswordChangeView"
p:passwordChangeSuccessView="default/ui/pmPasswordChangeSuccessView"
/>
I believe I am missing mappings in securityContext.xml, but everything I have tried there has ended in endless redirect loops, or simply access denied messages in all cases.
Any advice would be much appreciated.
Thank you

Dispatcher servlet is not able to map my request.I am using spring 2

I have a simple spring application. The basic implementation is, my app will accept the url's .I have a configuration for dispatcher servlet in web.xml. From there the request is handed over to url handler mapping which maps the url to a controller which is configured in application-web.xml. Normal scenarios it works fine
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:application-web.xml</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
application-context.xml
<bean id="urlMapping"
class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<props>
<!-- Integration: URL Mapping for Page controllers START -->
<!-- DEFAULT URL MAPPING -->
<prop key="/*">pasController</prop>
</props>
</property>
</bean>
But for one particular url I am facing issue.
localhost:7001//..................../etc1/passwd
For the above mentioned url, dispatcher servlet is not able to map it to the controller, so because of this request stuck in weblogic level and thread will be stuck.I mean during the mapping process it is getting stuck, container is not able to know what to do.It is not even reaching the application context level.
How to overgo through this situation?Is there any way to play with the above kind of url's. I tried with both spring 2 ang spring3 web mvc jars.

Resources