Does Spring Session require the use of Spring Security?

Does Spring Session internally require the use of Spring Security?
Right now, we have an existing application which uses the HTTP session from the servlet container (e.g. WebLogic). Due to some issues with session replication, and for future plans to use another servlet container, we decided to look for an existing framework that would make the HTTP session container independent.
The team decided to look at Spring Session in combination with Hazelcast, as described in the official documentation. We use Spring Session version 1.3.5.RELEASE.
For the Hazelcast configuration, we use this session configuration.
<context:annotation-config/>
<bean class="org.springframework.session.hazelcast.config.annotation.web.http.HazelcastHttpSessionConfiguration"/>
<bean id="hazelcastInstance" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
  <property name="staticMethod" value="xxx.xxx.xxx.cache.CustomHazelcastProvider.getInstance"/>
</bean>
<bean class="org.springframework.session.web.http.SessionEventHttpSessionListenerAdapter">
  <constructor-arg>
    <list>
      <bean class="xxx.xxx.xxx.util.CustomHttpSessionListener"/>
    </list>
  </constructor-arg>
</bean>
<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
  <property name="cookieName" value="JSESSIONID"/>
  <property name="cookiePath" value="/"/>
  <property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>
In web.xml, we put this filter chain.
<filter>
  <filter-name>springSessionRepositoryFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSessionRepositoryFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
  <filter-name>CustomServletRequestFilter</filter-name>
  <filter-class>xxx.xxx.xxx.servlet.filter.CustomServletRequestFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CustomServletRequestFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
And we added the Spring configuration below in web.xml.
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>classpath*:application-context.xml</param-value>
</context-param>
In the same web.xml, we use form-based authentication.
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/loginerror.html</form-error-page>
  </form-login-config>
</login-config>
In addition, we are using the default cookie-based HTTP strategy.
After deploying the said changes in WebLogic, we get a successful login, and we are able to see the session ID coming from Spring Session. However, on the next hop or on succeeding REST calls, it always returns HTTP 302 and gets redirected to the login page.
Does Spring Session require the use of Spring Security? Is there some configuration that we need to add to resolve this issue?
I will appreciate any help or suggestion to resolve this issue.
Thank you.
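The DefaultCookieSerializer bean in the configuration above sets a domainNamePattern, which decides whether the session cookie is host-only or shared across every host under a parent domain. The script below is an added example, not code from the question or from Spring Session: it re-implements the serializer's rule (whole-string match of the pattern against the request's server name, capture group 1 becomes the cookie's Domain attribute, no match means no Domain attribute) so the effective cookie scope can be checked for a set of host names before deployment. The host names are constructed samples.

```python
import re
from typing import Optional

# Pattern copied from the question's DefaultCookieSerializer bean.
# Note: Python's \w also matches non-ASCII letters; Java's \w is ASCII-only by default.
DOMAIN_NAME_PATTERN = re.compile(r"^.+?\.(\w+\.[a-z]+)$")


def resolve_cookie_domain(server_name: str,
                          pattern: "re.Pattern[str]" = DOMAIN_NAME_PATTERN) -> Optional[str]:
    """Return the Domain attribute Spring Session would put on the session cookie.

    DefaultCookieSerializer runs domainNamePattern against the request's server
    name with Matcher.matches() (a whole-string match) and, if it matches, uses
    capture group 1 as the Domain; if it does not match, no Domain attribute is
    written and the cookie stays host-only. This is a re-implementation for
    illustration, not Spring Session's code.
    """
    match = pattern.fullmatch(server_name)
    return match.group(1) if match else None


def cookie_scope_report(server_name: str) -> dict:
    """Summarise which hosts will receive the session cookie issued for this host."""
    domain = resolve_cookie_domain(server_name)
    return {
        "server_name": server_name,
        "domain_attribute": domain,
        # With a Domain attribute the browser sends the cookie to every host under
        # that domain, and any of those hosts can overwrite it; a host-only cookie
        # goes back only to the exact host that set it.
        "shared_with_subdomains": domain is not None,
    }


if __name__ == "__main__":
    # Constructed sample host names.
    for host in ["app.example.com", "a.b.example.com", "example.com", "localhost", "10.0.0.5"]:
        print(cookie_scope_report(host))
```

With this pattern, "app.example.com" and "a.b.example.com" both issue a cookie scoped to "example.com", while a bare "example.com", "localhost" or an IP address gets a host-only cookie; whether sharing the session cookie with every sibling subdomain is acceptable is a decision to make explicitly rather than by accident of the regex.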

Related

How can I configure OSIV in Spring, not Spring boot?

Spring Boot uses the value 'true' by default if OSIV is not configured.
So, is OSIV true by default in Spring MVC projects? Is it false? Also, how can I set it up?
Below is what it looks like when I configure OSIV in my Spring Boot project in application.yml.
jpa:
  open-in-view: true
And next, this is how it looks when I configure jpa in my spring project in context.xml.
<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
  <property name="jpaProperties">
    <props>
      <!-- I thought to set it up like this, but it doesn't work, and I couldn't find any official documentation for the setup. -->
      <prop key="jpa.open-in-view">true</prop>
    </props>
  </property>
</bean>
In my web.xml, the setting is below.
<filter>
  <filter-name>OpenEntityManagerInViewFilter</filter-name>
  <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>OpenEntityManagerInViewFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Spring Session changed the cookie value causing HTTP 302 on succeeding requests

Migrating from the servlet container HTTP session to Spring Session has caused HTTP 302 after a successful login. I get an HTTP 200 on the first request after login, but succeeding requests seem to be redirected to the login page again. I cannot debug the succeeding requests, as they do not seem to reach the servlet where I put a breakpoint.
Right now, we are using Spring Session version 1.3.5. I have noticed that Spring's SessionRepositoryFilter replaces the original request cookies (e.g. the servlet container's) with the value from Spring Session. I am not sure if this is the root cause of the issue. If it is, can someone suggest how to resolve it? Or is it related to some sort of missing configuration?
Here's the current setup based on the guide from Spring Session: here
Spring Session XML configuration:
<context:annotation-config/>
<bean class="org.springframework.session.hazelcast.config.annotation.web.http.HazelcastHttpSessionConfiguration"/>
<bean id="hazelcastInstance" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
  <property name="staticMethod" value="com.xxx.xxx.xxx.xxx.CustomHazelcastProvider.getInstance"/>
</bean>
<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
  <property name="cookieName" value="JSESSIONID"/>
  <property name="cookiePath" value="/"/>
  <property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>
Reference to the Spring XML configuration in web.xml:
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>classpath*:application-context.xml</param-value>
</context-param>
Registration of the Spring Session repository filter in web.xml. As described in the guide, I placed it as the first entry of the filter chain.
<filter>
  <filter-name>springSessionRepositoryFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSessionRepositoryFilter</filter-name>
  <url-pattern>/rs/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>
I have been working on it for days now and don't know yet how to fix it. I will appreciate any help or suggestion that you can give.
Thank you in advance.
I resolved the issue using Spring Session's HeaderHttpSessionStrategy.
Steps I've made:
In my Spring Session XML configuration, I removed the cookie serializer entry that changed the cookie name.
<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
  <property name="cookieName" value="JSESSIONID"/>
  <property name="cookiePath" value="/"/>
  <property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>
By default, Spring Session uses CookieHttpSessionStrategy. I added the entry below to the Spring Session XML configuration.
<bean id="httpSessionStrategy" class="org.springframework.session.web.http.HeaderHttpSessionStrategy"/>
Then on every request, I pass x-auth-token in the HTTP request header.
After the said change, the application works as expected. I am able to log in without an issue.
Hope this solution will help others who have encountered the same issue.
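To make the mechanism behind this answer concrete, here is an added example (not code from the answer or from Spring Session) that models how HeaderHttpSessionStrategy moves the session id: the server hands the id back in the x-auth-token response header, the client must echo it on every later request, an unknown token is never adopted as a session id, and invalidation writes an empty header. The in-memory repository and the "alice" principal are constructed stand-ins for the Hazelcast-backed repository and a real login.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Header name used by Spring Session's HeaderHttpSessionStrategy by default.
HEADER_NAME = "x-auth-token"


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    headers: Dict[str, str] = field(default_factory=dict)


class HeaderSessionStrategy:
    """Toy counterpart of HeaderHttpSessionStrategy: the session id travels in a header."""

    def get_requested_session_id(self, request: Request) -> Optional[str]:
        # HTTP header names are case-insensitive, so compare case-folded.
        for name, value in request.headers.items():
            if name.lower() == HEADER_NAME:
                return value
        return None

    def on_new_session(self, session_id: str, response: Response) -> None:
        response.headers[HEADER_NAME] = session_id

    def on_invalidate_session(self, response: Response) -> None:
        # Spring Session writes an empty header value when the session is invalidated.
        response.headers[HEADER_NAME] = ""


class SessionRepository:
    """In-memory stand-in (constructed for this example) for the Hazelcast-backed repository."""

    def __init__(self) -> None:
        self._store: Dict[str, dict] = {}

    def create(self) -> str:
        session_id = secrets.token_urlsafe(32)  # unguessable; Spring Session uses a random UUID
        self._store[session_id] = {}
        return session_id

    def get(self, session_id: str) -> Optional[dict]:
        return self._store.get(session_id)

    def delete(self, session_id: str) -> None:
        self._store.pop(session_id, None)


def resolve_session(request: Request, response: Response,
                    repo: SessionRepository, strategy: HeaderSessionStrategy) -> Tuple[dict, str]:
    """What SessionRepositoryFilter does per request: look the id up, otherwise mint a new one."""
    requested = strategy.get_requested_session_id(request)
    session = repo.get(requested) if requested else None
    if session is None:
        # An unknown token is never adopted as the new id; adopting it would allow fixation.
        session_id = repo.create()
        session = repo.get(session_id)
        strategy.on_new_session(session_id, response)
        return session, session_id
    return session, requested


def run_flow() -> Dict[str, bool]:
    """Login, token reuse, forged token and logout, each checked for the expected outcome."""
    repo, strategy = SessionRepository(), HeaderSessionStrategy()

    first_response = Response()
    session, sid = resolve_session(Request(), first_response, repo, strategy)
    session["user"] = "alice"                      # constructed sample principal
    token = first_response.headers[HEADER_NAME]    # the client must store and echo this

    again, sid_again = resolve_session(Request({"X-Auth-Token": token}), Response(), repo, strategy)

    _, sid_forged = resolve_session(Request({HEADER_NAME: "forged-token"}), Response(), repo, strategy)

    logout_response = Response()
    repo.delete(sid)
    strategy.on_invalidate_session(logout_response)
    _, sid_after = resolve_session(Request({HEADER_NAME: token}), Response(), repo, strategy)

    return {
        "resumed_same_session": sid_again == sid and again.get("user") == "alice",
        "forged_token_adopted": sid_forged == "forged-token",
        "logout_clears_header": logout_response.headers[HEADER_NAME] == "",
        "old_token_valid_after_logout": sid_after == sid,
    }


if __name__ == "__main__":
    print(run_flow())
```

Because the token now lives in a header rather than a cookie, the browser will not attach it automatically: every client (including the REST callers mentioned in the question) has to store it and send it explicitly, and it should only ever be sent over TLS, since the header is the whole session credential.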

The attributes 'j_username' and 'j_password' were shown as plain text under Form Data in the request header

I am facing a security issue: Chrome dev tools show the attributes 'j_username' and 'j_password' as plain text under Form Data in the request header.
It is an old application, in which we are using acegi-security 0.8.2 with the Spring framework.
Workaround in our project:
1. In web.xml, we have declared the ChannelProcessingFilter as a separate filter:
<filter>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>Acegi Channel Processing Filter</filter-name>
  <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.securechannel.ChannelProcessingFilter</param-value>
  </init-param>
</filter>
2. In applicationContext.xml, we have defined the ChannelProcessingFilter:
<bean id="channelProcessingFilter" class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter">
  <property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property>
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /login.htm*=REQUIRES_SECURE_CHANNEL
      /j_acegi_security_check*=REQUIRES_SECURE_CHANNEL
      /admin/**=REQUIRES_SECURE_CHANNEL
      /**=REQUIRES_INSECURE_CHANNEL
    </value>
  </property>
</bean>
<bean id="channelDecisionManager" class="net.sf.acegisecurity.securechannel.ChannelDecisionManagerImpl">
  <property name="channelProcessors">
    <list>
      <ref bean="secureChannelProcessor"/>
      <ref bean="insecureChannelProcessor"/>
    </list>
  </property>
</bean>
<bean id="secureChannelProcessor" class="net.sf.acegisecurity.securechannel.SecureChannelProcessor"/>
<bean id="insecureChannelProcessor" class="net.sf.acegisecurity.securechannel.InsecureChannelProcessor"/>
3. To deliver only the login page over HTTPS, we have enabled SSL/TLS support by generating a keystore and enabling the Connector port="8443" in conf/server.xml of the Tomcat server.
The problem I am facing is that, on clicking the j_acegi_security_check request in Chrome dev tools, it shows the attributes 'j_username' and 'j_password' as plain text under Form Data in the request header.
Am I missing anything here? Kindly help me encrypt this password or disable this attribute, as is done in banking applications.
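The channel rules in step 2 decide, per URL, whether ChannelProcessingFilter lets a request through or redirects it to the other scheme. The script below is an added example, not code from the question or from Acegi: it re-implements the decision with the question's own four rules (Ant-style matching, lower-casing before comparison, first match wins) and Acegi's default port mapping (80 to 443, 8080 to 8443), so each URL can be checked against what the filter will do with it. The URLs are constructed samples; the port 8443 matches the Tomcat connector from step 3.

```python
import re
from urllib.parse import urlsplit

SECURE = "REQUIRES_SECURE_CHANNEL"
INSECURE = "REQUIRES_INSECURE_CHANNEL"

# Rules copied, in order, from the question's filterInvocationDefinitionSource.
RULES = [
    ("/login.htm*", SECURE),
    ("/j_acegi_security_check*", SECURE),
    ("/admin/**", SECURE),
    ("/**", INSECURE),
]

# Acegi's PortMapperImpl defaults, used when the scheme is switched (http port -> https port).
PORT_MAP = {"80": "443", "8080": "8443"}


def _ant_body(pattern: str) -> str:
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2          # ** spans path segments
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1       # * stays inside one segment
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1        # ? is exactly one character
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Apache Ant path pattern into an anchored regular expression."""
    if pattern.endswith("/**"):
        # "/admin/**" matches "/admin" itself as well as everything below it.
        return re.compile("^" + _ant_body(pattern[:-3]) + "(/.*)?$")
    return re.compile("^" + _ant_body(pattern) + "$")


def channel_attribute(path: str, rules=RULES):
    """First matching rule wins. The path is lower-cased first because the source
    declares CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON."""
    lowered = path.lower()
    for pattern, attribute in rules:
        if ant_to_regex(pattern).match(lowered):
            return attribute
    return None


def _switch_scheme(parts, to_https: bool) -> str:
    mapping = PORT_MAP if to_https else {v: k for k, v in PORT_MAP.items()}
    netloc = parts.hostname
    if parts.port is not None:
        netloc += ":" + mapping.get(str(parts.port), str(parts.port))
    return parts._replace(scheme="https" if to_https else "http", netloc=netloc).geturl()


def channel_filter(url: str, rules=RULES):
    """Return None if ChannelProcessingFilter lets the request through, otherwise the URL
    it redirects to: SecureChannelProcessor upgrades to https, InsecureChannelProcessor
    downgrades to http."""
    parts = urlsplit(url)
    attribute = channel_attribute(parts.path, rules)
    is_https = parts.scheme == "https"
    if attribute == SECURE and not is_https:
        return _switch_scheme(parts, to_https=True)
    if attribute == INSECURE and is_https:
        return _switch_scheme(parts, to_https=False)
    return None


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ["http://localhost:8080/login.htm", "http://localhost:8080/j_acegi_security_check",
              "https://localhost:8443/Admin/users", "https://localhost:8443/home.htm"]:
        print(u, "->", channel_filter(u))
```

Two things the run makes visible. First, the POST to /j_acegi_security_check is forced onto HTTPS, so the credentials are encrypted on the wire; what Chrome's Network panel shows under Form Data is the request body as the browser built it before TLS encryption, which is why it is readable there regardless of the scheme. Second, the last rule (/** = REQUIRES_INSECURE_CHANNEL) actively downgrades every other page to plain HTTP, so the session cookie issued after login then travels unencrypted; serving the whole application over HTTPS (and marking the cookie Secure) removes that exposure, whereas client-side "encryption" of the password field does not.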

Dispatcher servlet is not able to map my request. I am using Spring 2

I have a simple Spring application. The basic implementation is that my app accepts URLs. I have a configuration for the dispatcher servlet in web.xml. From there the request is handed over to the URL handler mapping, which maps the URL to a controller configured in application-web.xml. In normal scenarios it works fine.
<servlet>
  <servlet-name>dispatcher</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <init-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:application-web.xml</param-value>
  </init-param>
  <load-on-startup>2</load-on-startup>
</servlet>
application-context.xml
<bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    <props>
      <!-- Integration: URL Mapping for Page controllers START -->
      <!-- DEFAULT URL MAPPING -->
      <prop key="/*">pasController</prop>
    </props>
  </property>
</bean>
But for one particular URL I am facing an issue.
localhost:7001//..................../etc1/passwd
For the above-mentioned URL, the dispatcher servlet is not able to map it to the controller, so the request gets stuck at the WebLogic level and the thread will be stuck. I mean that during the mapping process it gets stuck; the container does not know what to do. It is not even reaching the application context level.
How do I get through this situation? Is there any way to handle the above kind of URLs? I tried with both the Spring 2 and Spring 3 web MVC jars.
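The URL in the question is not in canonical form: it contains consecutive slashes and a segment made only of dots. A common defensive pattern is to validate the request path at the edge (a gateway, a servlet filter, or a reverse proxy) and answer a malformed path with a 400 before it reaches any servlet mapping. The script below is an added example, not code from the question, Spring or WebLogic: it normalises a path the way RFC 3986 section 5.2.4 (remove_dot_segments) does and reports why a path should be rejected; the sample paths are constructed.

```python
from typing import Dict, List
from urllib.parse import unquote


def normalize_path(path: str) -> str:
    """Resolve "." and ".." segments as RFC 3986 section 5.2.4 (remove_dot_segments) does.

    Empty segments produced by "//" are kept: the RFC does not collapse them, and a
    gateway should flag them rather than silently repair them.
    """
    segments = path.split("/")[1:]  # drop the empty element before the leading "/"
    output: List[str] = []
    for segment in segments:
        if segment == "..":
            if output:
                output.pop()
        elif segment != ".":
            output.append(segment)
    if segments and segments[-1] in (".", ".."):
        output.append("")  # "/a/b/.." normalises to "/a/", not "/a"
    return "/" + "/".join(output)


def inspect_path(raw_path: str) -> Dict[str, object]:
    """Decide whether a request path is clean enough to hand to a servlet mapping.

    Policy: accept only paths that are already in normal form after one round of
    percent-decoding (the decoding a servlet container applies): no dot segments,
    no empty segments, no encoded slash, and no attempt to climb above the root.
    """
    decoded = unquote(raw_path)
    segments = decoded.split("/")[1:]
    findings: List[str] = []

    if not decoded.startswith("/"):
        findings.append("path is not absolute")
    if "%2f" in raw_path.lower():
        findings.append("percent-encoded slash")  # changes segment boundaries after decoding
    if any(segment == "" for segment in segments[:-1]):  # a trailing "/" is fine
        findings.append("empty segment (consecutive slashes)")
    if any(segment in (".", "..") for segment in segments):
        findings.append("dot segment")
    depth = 0
    for segment in segments:
        if segment == "..":
            if depth == 0:
                findings.append("climbs above the root")
                break
            depth -= 1
        elif segment not in ("", "."):
            depth += 1

    return {
        "raw": raw_path,
        "normalized": normalize_path(decoded),
        "findings": findings,
        "allow": not findings,  # reject with 400 when any finding is present
    }


if __name__ == "__main__":
    # Constructed sample paths, including one shaped like the question's URL.
    for p in ["/etc1/passwd", "//..../etc1/passwd", "/a/../../etc/passwd", "/a/%2e%2e/b", "/docs/"]:
        print(inspect_path(p))
```

Rejecting rather than rewriting is deliberate: a rewrite would let two differently spelled paths reach the same handler, which makes access rules keyed on the URL (such as the channel or filter mappings elsewhere on this page) harder to reason about. If the application must tolerate such paths, redirecting to the normalized form is the next safest choice.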

Integrate JSF 2.1 and Spring 3.2

I want to use my Spring beans in my JSF application, letting Spring inject my services/repositories into my JSF managed beans.
I found a lot of solutions on the Internet, but the only one that worked was the following lines of code:
ApplicationContext ctx = FacesContextUtils.getWebApplicationContext(FacesContext.getCurrentInstance());
albumRepository = (AlbumRepository) ctx.getBean("albumRepository");
albumRepository is the Spring bean I'm trying to inject.
The problem is that it's really lame; I don't want to do this in every class, for every injection. I'd like to use annotations, like @Inject.
Searching for an answer on Google, I found that I should integrate JSF and Spring using the following config in faces-config.xml:
<application>
  <el-resolver>org.springframework.web.jsf.el.SpringBeanFacesELResolver</el-resolver>
</application>
Then I should be able to use my Spring beans with the annotation @ManagedProperty(value="#{albumRepository}"). I tried it, but I always get the error "The property albumRepository for the managed bean does not exist".
Searching again on Google, I found out that I could use the Spring annotations to do my injections; the only thing I'd need would be to register the package where my managed beans are located in the applicationContext.xml. I've done it, but Spring just ignores my annotations (@Inject and @Autowired, I tried both).
After all these failures I tried to stop using the JSF annotations (@ManagedBean and @ViewScoped); instead, I used the Spring ones (@Controller and @Scope). Now JSF doesn't even recognize the beans.
What am I doing wrong?
Edit: My ApplicationContext.xml
<context:annotation-config/>
<jpa:repositories base-package="com.ae.repository" />
<context:component-scan base-package="com.ae.client.web, com.ae.service" />
<!-- Data Source -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
  <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
  <property name="url"><value>jdbc:mysql://localhost:3306/academia</value></property>
  <property name="username"><value>root</value></property>
  <property name="password"><value>root</value></property>
</bean>
<bean id="jpaAdapter" class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
  <property name="database" value="MYSQL" />
  <property name="showSql" value="true" />
</bean>
<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
  <property name="dataSource" ref="dataSource" />
  <property name="jpaVendorAdapter" ref="jpaAdapter" />
  <property name="persistenceXmlLocation" value="/META-INF/persistence-web.xml"/>
</bean>
<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
  <property name="entityManagerFactory" ref="entityManagerFactory" />
</bean>
Edit: My web.xml
<!-- Spring -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
  <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<!-- JSF -->
<context-param>
  <param-name>javax.faces.PROJECT_STAGE</param-name>
  <param-value>Development</param-value>
</context-param>
<servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
  <session-timeout>30</session-timeout>
</session-config>
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>server</param-value>
</context-param>
<welcome-file-list>
  <welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
<!-- Primefaces -->
<filter>
  <filter-name>PrimeFaces FileUpload Filter</filter-name>
  <filter-class>org.primefaces.webapp.filter.FileUploadFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>PrimeFaces FileUpload Filter</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
Does your web.xml have a context param like this?
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>classpath:/*Context.xml</param-value>
</context-param>
Also, can you post the Spring listener from your web.xml?
If you want the Spring IoC container to manage all your beans, use one of @Component, @Named or javax.annotation.ManagedBean, and you can inject them using @Autowired or @Inject. Don't forget to use Spring's @Scope for any of those.
See Documentation
If you want to use JSF IOC container as well along with Spring IOC container, you can inject Spring beans into a JSF bean using #ManagedProperty.
See Also:
@Scope("request") not working
How does Spring autowire by name when more than one matching bean is found?