DigestAuthentication in spring framework xml based auth - spring

Hi I am learning spring security and i want to implement Digest autherntication in my web app. So I have to declare a bean in my security cofig xml. With the filter bean defination i have add a entrypoint in the xml also. My question is what is the significance of this DigestAuthenticationEntryPoinnt.
-----------------------------------------code below----------------------------------------
<bean id="digestEntryPoint" class=
"org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
<property name="realmName" value="Contacts Realm via Digest Authentication"/>
<property name="key" value="acegi"/>
<property name="nonceValiditySeconds" value="10"/>
</bean>

Related

Spring My-batis MapperScannerConfigurer not resolving dat source place holder values

After adding MapperScannerConfigurer bean configuration to the configuration xml to autowire my-batis mappers, getting below datasource bean creation error for placeholder issue. looks like spring unable to resolve the dynamic data source properties from property file. Configuration has PropertySourcesPlaceholderConfigurer defination as well to retrieve the datasource properties(min pool size and max pool size ) from class path file. even though having PropertySourcesPlaceholderConfigurer bean configuration, Integration test failing with below error. Basically it is unable to resolve dynamic properties. Any help is much appreciated..
This is just spring and my-batis based project and I there is no spring boot.
Spring version 5.3
my-batis-spring 2.0.6
java.lang.NumberFormatException: For input string: "${datasource.minpoolsize}"
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<property name="basePackage" value="com.mapper" />
<property name="sqlSessionFactoryBeanName" value="sqlSessionFactory" />
</bean>
<bean id="appProperties"
class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer">
<property name="ignoreUnresolvablePlaceholders" value="true" />
<property name="locations">
<list>
<value>
classpath:configs/application.yaml
</value>
</list>
</property>
</bean>
Instead of configuring MapperScannerConfigurer in the xml, I used #MapperScan on
Spring configuration bean which resolved the issue.

Put a spring bean into the Application scope?

This is related this question:
I need to inject a Spring bean into the Tomcat application's scope at startup:
<beans:bean id="myUrl" class="java.lang.String" >
<beans:constructor-arg type="java.lang.String">
<beans:value>${my.registry.location:some.url}</beans:value>
</beans:constructor-arg>
</beans:bean>
Is there a slick way to do this from the Spring XML configuration or do I need to override some servlet method (ugh)?
I thought I would post this in case it helps someone. Spring has a bean that will do this on initialization for you: ServletContextAttributeExporter.
You use it like this:
<bean id="myBean" class="java.lang.String" >
<constructor-arg type="java.lang.String">
<value>${some.property.value}</value>
</constructor-arg>
</bean>
<bean class="org.springframework.web.context.support.ServletContextAttributeExporter">
<property name="attributes">
<map>
<entry key="myBean" value-ref="myBean" />
</map>
</property>
</bean>
You can then do something like this in your non-Spring aware JSP code (for example):
<div>
Value of my bean is: ${applicationScope.myBean}
</div>

Spring boot unable to create multiple rabbit connection factories

I am trying to connect to and consume from two different clusters of rabbitmq using a spring boot app via xml. It works well when a single rabbit:connection-factory bean is created in the application context. However, when the second one is added, it fails to start the application with the error "Parameter 1 of method rabbitListenerContainerFactory in org.springframework.boot.autoconfigure.amqp.RabbitAnnotationDrivenConfiguration required a single bean, but 2 were found:". How do I go about creating different factories per cluster? Please suggest an alternative way of doing this, if it's not the right approach?
Here is the xml snippet:
<rabbit:connection-factory id="firstConnectionFactory" connection-factory="firstSpringConnectionFactory" />
<rabbit:connection-factory id="secondConnectionFactory" connection-factory="secondSpringConnectionFactory"/>
<bean id="firstSpringConnectionFactory"
class="org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean">
<property name="useSSL" value="${rabbitmq.ssl.enabled}" />
<property name="host" value="${rabbitmq.first.host}"/>
<property name="virtualHost" value="${rabbitmq.vhost}"/>
<property name="port" value="${rabbitmq.cluster.port}"/>
<property name="username" value="${rabbitmq.user}"/>
<property name="password" value="${rabbitmq.first.password}"/>
</bean>
<bean id="secondSpringConnectionFactory"
class="org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean">
<property name="useSSL" value="${rabbitmq.ssl.enabled}" />
<property name="host" value="${rabbitmq.second.host}"/>
<property name="virtualHost" value="${rabbitmq.vhost}"/>
<property name="port" value="${rabbitmq.cluster.port}"/>
<property name="username" value="${rabbitmq.user}"/>
<property name="password" value="${rabbitmq.second.password}"/>
</bean>
And the listener container code:
ConnectionFactory cf = rabbitConnectionFactory;//One of the connnection factories will be injected here from app context
SimpleMessageListenerContainer container = new SimpleMessageListenerContainer();
container.setConnectionFactory(cf);
container.setConcurrentConsumers(count);
container.addQueueNames(queueName);
container.setMessageListener(listener);
container.start();
Since you don't rely on the Spring Boot here and don't use Spring AMQP annotation support I suggest you to exclude RabbitAnnotationDrivenConfiguration from auto-configuration:
#EnableAutoConfiguration(exclude={RabbitAnnotationDrivenConfiguration.class})
spring.autoconfigure.exclude = org.springframework.boot.autoconfigure.amqp.RabbitAnnotationDrivenConfiguration
If you still need #RabbitListener somewhere in other place of your project, you only have a choice to build all the #EnableRabbit infrastructure manually.

Spring Security 3 - Add information to (role) voters

I am pretty new to Spring security and just going through the reference, doing some examples. One feature that I am strongly missing (and I wonder that hardly anybody else seems to miss it) is to provide custom information to the user why or for what reason access was denied. E.g. I would like to inform the user that he has no access to module A or that he needs to needs to be granted role-access B, etc.
I took at a look at the role interface, but this information seems to get lost:
int vote(Authentication authentication, Object object, List<ConfigAttribute> config);
Spring Security Access Denied logging with missing role
This says, that I have to provide a custom implementation of AccessDecisionManager.
But how could an actual implementation look like which provides specific information if access is denied? And how to hook it into spring security?
For starters simple role-based access would be sufficient. Can anybody provide any examples on this?
Have a look at the AffirmativeBased - DecisionManager. You can enhance it an add some additional information to the AccessDeniedException.
But it seams to be not so easy to get the reasons from the Voters why they dendied the access. (I hope you will find some naming pattern, or you have even to extend the voters).
And this is an example how to configure your custom DecisionManager
<security:http auto-config="true" access-decision-manager-ref="myDecisionManager">
<bean id="myAccessDecisionManager"
class="MyAffirmativeBasedDecisionManager">
<constructor-arg name="decisionVoters">
<list>
<ref bean="roleVoter" />
<ref bean="authenticatedVoter" />
<ref bean="preAdviceVoter" />
</list>
</constructor-arg>
</bean>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />
<bean id="authenticatedVoter"
class="org.springframework.security.access.vote.AuthenticatedVoter" />
<bean id="preAdviceVoter"
class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
<constructor-arg ref="exprPreInvocationAdvice" />
</bean>
<bean
class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice"
id="exprPreInvocationAdvice">
<property name="expressionHandler" ref="methodExprHandler" />
</bean>
<bean id="methodExprHandler"
class="org.springframework.security.access.expression.method.ExtensibleMethodSecurityExpressionHandler">
<property name="methodSecurityExpressionRootFactory">
<bean
class="com.queomedia.infrastructure.security.spring.MethodSecurityExpressionRootFactoryImpl" />
</property>
</bean>

Spring MVC from 2.5 to 3.0

We are migrating our web application from Spring 2.5 to Spring 3.0.5. Looks like all the Controller classes (the classes in org.springframework.web.servlet.mvc package: BaseCommandController, AbstractCommandController, SimpleFormController, etc) have been deprecated. We used those classes heavily in our application. These classes have been replaced by #Controller annotation instead.
I have a few questions regarding Spring 3.0.x Controller configuration...
We used the following XML to create a Controller bean in Spring 2.5. If <context:component-scan> is used instead to create the Controller beans, then how do I wire-in the dependencies? If possible I would like to avoid Auto-Wiring.
<bean id="photosetViewController" class="com.xyz.web.PhotosetViewController"
p:photosetManager-ref="photosetManager"
p:photoManager-ref="photoManager" />
We have created 3 Interceptors. We use SimpleUrlHandlerMapping to map these Interceptors to different request URLs and also to map URLs to Controllers. How do we achieve the same in Spring 3.0.x?
<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="alwaysUseFullPath" value="true" />
<property name="interceptors">
<list>
<ref bean="httpRedirectInterceptor"/>
<ref bean="loginInterceptor"/>
</list>
</property>
<property name="mappings">
<value>
/abc.html=abcLookupController
/photoupload.html=photoUploadController
</value>
</property>
</bean>
<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="alwaysUseFullPath" value="true" />
<property name="interceptors">
<list>
<ref bean="httpRedirectInterceptor"/>
<ref bean="loginInterceptor"/>
<ref bean="userMenuInterceptor" />
</list>
</property>
<property name="mappings">
<value>
/index.html=homepageController
/success.html=simpleController
</value>
</property>
</bean>
In case of SimpleFormControllers we used different methods like initBinder, referenceData, formBackingObject. We also used command objects and validation classes. How do we achieve the same in Spring 3.0.x?
<bean id="photosetAddController" class="com.xyz.web.PhotosetAddController"
p:photosetManager-ref="photosetManager"
p:photosetTypeManager-ref="photosetTypeManager"
p:stateManager-ref="stateManager" >
<property name="validator">
<bean class="com.xyz.form.PhotosetAddValidator" />
</property>
<property name="formView" value="photosetadd" />
<property name="successView" value="redirect:/photoset" />
</bean>
Any pointers are greatly appreciated.
As skaffman noted - your code will work fine without any modifications. I'll answer your questions in short:
You can use #Resource(name="beanName") for name-based injection. But autowiring is also a good option. Either #Autowired, or #javax.inject.Inject. Note that you can use #Qualifier("name") to differentiate between beans with the same interface/base class. You can even use the javax.inject qualifiers (read about all these in the docs)
interceptor mappings can stay the same
There is #InitBinder, which denotes the initBinder method. I can't tell about the other.

Resources