Spring Security Headers included, still getting 'Header Not Set' vulnerability warning - spring

I want to get rid of Header related vulnerability warnings. (Missing X-Frame Header, Missing Content Type Header)
I went through the Spring doc and made the required changes. But still getting those warnings (I'm using Owasap Zap security tool to validate vulnerability warnings)
Security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<security:http create-session="never" entry-point-ref="http403EntryPoint" >
<security:headers>
<security:content-type-options/>
<security:frame-options/>
</security:headers>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="_" password="_" authorities="_" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
</bean>
</beans>
I've added the required dependencies in the pom file.
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version 4.1.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version 4.1.0.RELEASE</version>
</dependency>

I was missing the required servlet filter in the web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
This filter invokes a Spring bean (springSecurityFilterChain) which is an internal infrastructure bean created by the namespace to handle web security.

Related

Spring security blocking access to GWT services

I am a Spring security newbie am am having an issue when I am pairing it up with GWT. Namely, my calls to the services in GWT are marked as 403 forbidden.
POST http://127.0.0.1:8888/grapl/adminService 403 (Forbidden)
Here is my spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- This is where we configure Spring-Security -->
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:intercept-url pattern="/grapl/auth/**" access="isAuthenticated()"/>
<security:intercept-url pattern="/grapl/adminService/**" access="isAuthenticated()"/>
</security:http>
<b:bean id="graplAuthentication" class="com.lilly.rim.security.GraplAuthentication"/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="graplAuthentication" />
</security:authentication-manager>
</b:beans>
Web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml, /WEB-INF/applicationContext.xml</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Servlets -->
<servlet>
<servlet-name>AdminServiceServlet</servlet-name>
<servlet-class>com.foo.rim.server.AdminServiceImpl</servlet-class>
</servlet>
<servlet>
<servlet-name>LoaderServiceServlet</servlet-name>
<servlet-class>com.foo.rim.server.LoaderServiceImpl</servlet-class>
</servlet>
<servlet>
<servlet-name>authServlet</servlet-name>
<servlet-class>com.foo.rim.server.AuthServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>authServlet</servlet-name>
<url-pattern>/grapl/auth</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AdminServiceServlet</servlet-name>
<url-pattern>/grapl/adminService</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>LoaderServiceServlet</servlet-name>
<url-pattern>/grapl/loaderService</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<welcome-file-list>
<welcome-file>grapl.html</welcome-file>
</welcome-file-list>
</web-app>
Login and authentication is fine. I am redirected to my gwt frontend. My backend for the Spring authentication is a custom provider. All the configuration is done in the spring-security.xml.
Do the GWT servlets need a Spring annotation? Any example I have seen seems like it should all work via the configuration.
I needed to disable the csrf check.
<security:http ...
<security:csrf disabled="true" />
</security:http>

Spring Security: No bean named 'springSecurityFilterChain' is defined

I just equipped a simple Spring test project with basic authentication functionality. When the server is loaded I get the well-known error
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined.
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Activate Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
servlet-context.xml contains the security related configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven />
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by #Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
<sec:http auto-config='true'>
<sec:intercept-url pattern="/**" access="ROLE_USER" />
</sec:http>
<sec:authentication-manager>
<sec:authentication-provider>
<sec:user-service>
<sec:user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<sec:user name="bob" password="bobspassword" authorities="ROLE_USER" />
</sec:user-service>
</sec:authentication-provider>
</sec:authentication-manager>
<context:component-scan base-package="myproject" />
</beans:beans>
What am I missing?
Additionally to M. Deinum's comment I found out that I could just add the path of my servlet-context to the contextConfigLocation:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml /WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</context-param>
This solved the problem for me.

Spring security authentication Filter Exception

I'm trying to integrate spring security to my application after configuration i'm blocked in this error
I'm trying to implement Spring 3 Security in a project, but I can not get rid of the following error:
GRAVE: Servlet.service() for servlet [Faces Servlet] in context with path [/Gelt]
threw exception [L''exécution du filtre (Filter) a lancé une exception] with root
cause java.lang.NoSuchMethodError: org.springframework.security.access.intercept.AbstractSecurityInterceptor.finallyInvocation(Lorg/springframework/security/access/intercept/InterceptorStatusToken;)V
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:120)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.1.xsd">
<http use-expressions="true">
<intercept-url pattern="/pages/centres.jsf" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/pages/services.jsf" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/pages/medecins.jsf" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/pages/fiches.jsf" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/pages/users.jsf" access="hasRole('ROLE_ADMIN')" />
<!--
<access-denied-handler error-page="/403.jsf" />-->
<!-- access denied page
<access-denied-handler error-page="/403.jsf" />-->
<form-login />
<logout logout-success-url="/index.jsf" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT username , password , idrole FROM user U where U.username=?"
authorities-by-username-query="SELECT U.username as username, R.role as role FROM user U, role R WHERE U.idrole=R.idrole and U.username=?"
/>
</authentication-provider>
</authentication-manager>
<beans:bean id="LoginBean" name="LoginBean" class="com.mdsoft.gelt.bean.LoginBean" scope="prototype">
<beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
</beans:bean>
pom.xml
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.1.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.1.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.1.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.webflow</groupId>
<artifactId>spring-faces</artifactId>
<version>2.3.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.1.1.RELEASE</version>
<type>jar</type>
</dependency>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns
/javaee/web-app_2_5.xsd"
id="WebApp_ID"
version="2.5">
<display-name>GELT</display-name>
<!-- Spring Security Facelets Tag Library -->
<context-param>
<param-name>javax.faces.FACELETS_LIBRARIES</param-name>
<param-value>/WEB-INF/springsecurity.taglib.xml</param-value>
</context-param>
<!-- Spring Context Configuration' s Path definition -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- The Bootstrap listener to start up and shut down Spring's root WebApplicationContext. It is registered to Servlet Container -->
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener
</listener-class>
</listener>
<!-- Project Stage Level -->
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<!-- Welcome Page -->
<welcome-file-list>
<welcome-file>/index.jsf</welcome-file>
</welcome-file-list>
<!-- JSF Servlet is defined to container -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Mapping with servlet and url for the http requests. -->
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
please help me
thanks for your helps
regards
You typically see such errors when your code is compiled against one version of a library but another version of the library is on the classpath at runtime.
If we look at the method in question we can see it does not exist in v3.1.1 of Spring Security
http://docs.spring.io/autorepo/docs/spring-security/3.1.1.RELEASE/apidocs/org/springframework/security/access/intercept/AbstractSecurityInterceptor.html
but was present in v3.1.5
http://docs.spring.io/autorepo/docs/spring-security/3.1.5.RELEASE/apidocs/org/springframework/security/access/intercept/AbstractSecurityInterceptor.html
I note the mismatch in your POM between spring-security-core (3.1.1) and the web and config modules (3.1.5). So we can guess that you code is compiled against 3.1.1 (look at the Maven dependency hierarchy) to confirm but that 3.1.5 is being used at runtime (look in WEB-INF/lib folder of your deployed web app to confirm 3.1.5 is present - this is being pull in as a transitive dependency of web and config modules).
Suggested fix is then to update your POM to point core module to 3.1.5.
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.1.5.RELEASE</version>
<type>jar</type>
</dependency>

Unable to display page on spring custom login page

I'm having problems trying to create a custom login page for Spring web application.
The default login form works normally.
But when I add
**<form-login login-page="/login" />**
the app runs without errors but "unable to display page" shows up.
Have you got any ideas?
Thanks
Here is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>testweb</display-name>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
- Loads the root application context of this web app at startup.
-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--
- Location of the XML file that defines the root application context
- Applied by ContextLoaderListener.
-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
<!-- Processes application requests -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
Here is my spring config file
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
">
<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
<!-- Scans within the base package of the application for #Components to configure as beans -->
<!-- #Controller, #Service, #Configuration, etc. -->
<context:component-scan base-package="myPACKAGE" />
<!-- Enables the Spring MVC #Controller programming model -->
<mvc:annotation-driven />
<!-- Resolve logical view names to .jsp resources in the /WEB-INF/views directory -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
</bean>
</beans>
Here is my spring security file
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
">
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER" />
**<form-login login-page="/login" />**
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="myuser" password="mypwd" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
The custom login page is login.jsp inside WEB-INF/views/login.jsp
You need to give access for anonymous users to the login page. Add following snippet to your http element
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
EDIT. Order is matter. It must be inserted before this line:
<intercept-url pattern="/*" access="ROLE_USER" />
your login - what is it? HTML? JSP? you need to write the URI of your login page (e.g. /login.html), and not just /login.
try to put your login page in a sub-dir (e.g. /login) that enables anonymous users to see it:
< http pattern="/login/**" security="none" />
and then
<security:form-login
login-page="/login/login.jsp"
...
You said you are using spring so I will assume you are using spring-mvc, have you added
<!-- selects a static view for rendering without the need for an explicit controller -->
<mvc:view-controller path="/login" view-name="login"/>
to your webmvc configuration.
Also to change the login page mapping you can add
<definition extends="default" name="/login">
<put-attribute name="body" value="/WEB-INF/views/login.jspx"/>
</definition>
This should do I guess.
<intercept-url pattern="/login.htm" access="permitAll()"/>
<form-login login-page="/login.htm"
authentication-failure-url = "/positionViewer/login.htm?login_error=1" />

Spring Security Method Level Security Annotations NOT working

I am making a simple web application using Struts 2 + Spring Security 3. And I want to use Pre-Post Annotations for Method Level Security.
But the Annotations are not working.
Here is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>MyCustomSpringSecurity</display-name>
<context-param>
<param-name>contextConfiguration</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
This is my struts.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.1//EN" "http://struts.apache.org/dtds/struts-2.1.dtd">
<struts>
<package name="default" extends="struts-default">
<action name="firstPage" class="code.action.MyAction" method="showPage">
<result name="success">/firstPage.jsp</result>
</action>
</package>
</struts>
This is my applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security pre-post-annotations="enabled" >
</global-method-security>
<beans:bean id="myAction" class="code.action.MyAction">
<intercept-methods>
<protect access="ROLE_ADMIN" method="showPage"/>
</intercept-methods>
</beans:bean>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/firstPage" access="hasRole('ROLE_USER')" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="user" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Finally This is MyAction.java
package code.action;
import org.springframework.security.access.prepost.PreAuthorize;
public class MyAction {
#PreAuthorize("hasRole('ROLE_ADMIN')")
public String showPage(){
System.out.println("in showPage");
return "success";
}
}
You can clearly see that I am assigning role to user is ROLE_USER but I want it to be ROLE_ADMIN when accessing that method, so logically there should be error of 403 Access Denied when running this code. But it is able to access that method and shows next page.
So I think the annotations are not working.
Any body knows whats going on ?
In order for Spring annotations to be meaningful in a Struts 2 action you must use the Struts 2 Spring Plugin. This will use Spring to instantiate Struts 2 objects, allowing annotation processing, injection, etc.
We cannot directly use Spring annotations like this.
There is another plugin Struts 2 - Spring Plugin for the same purpose. You can download the jar file from the link and include it in your project.

Resources