I'm trying to extend a Spring MVC class which is the ConcurrentSessionControlAuthenticationStrategy and override the getMaximumSessionsForThisUser method with my own implementation.
How do I register or communicate to Spring to use my implementation of its method rather than its own?
For XML configuration, see Spring Security Reference:
21.2 SessionAuthenticationStrategy
SessionAuthenticationStrategy is used by both SessionManagementFilter and AbstractAuthenticationProcessingFilter, so if you are using a customized form-login class, for example, you will need to inject it into both of these. In this case, a typical configuration, combining the namespace and custom beans might look like this:
<http>
    <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
    <session-management session-authentication-strategy-ref="sas"/>
</http>
<beans:bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />
    ...
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
For Java configuration, see SessionManagementConfigurer#sessionAuthenticationStrategy:
public SessionManagementConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)
Allows explicitly specifying the SessionAuthenticationStrategy. The default is to use SessionFixationProtectionStrategy. If restricting the maximum number of sessions is configured, then CompositeSessionAuthenticationStrategy delegating to ConcurrentSessionControlAuthenticationStrategy, SessionFixationProtectionStrategy (the default) OR SessionAuthenticationStrategy the supplied sessionAuthenticationStrategy, RegisterSessionAuthenticationStrategy. NOTE: Supplying a custom SessionAuthenticationStrategy will override the default provided SessionFixationProtectionStrategy.
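A subclass wired so that session fixation protection is kept, as an added example that is not part of the original answer or of Spring Security itself. It assumes Spring Security 3.2 or later; the class name, the ROLE_ADMIN check and the limits 1 and 3 are hypothetical.

```java
import java.util.Arrays;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

/** Hypothetical subclass: the session limit depends on the user's authorities. */
public class RoleAwareSessionControlStrategy extends ConcurrentSessionControlAuthenticationStrategy {

    public RoleAwareSessionControlStrategy(SessionRegistry sessionRegistry) {
        super(sessionRegistry);
    }

    @Override
    protected int getMaximumSessionsForThisUser(Authentication authentication) {
        // Assumed policy: privileged accounts get one session, everyone else three.
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if ("ROLE_ADMIN".equals(authority.getAuthority())) {
                return 1;
            }
        }
        return 3;
    }

    /**
     * Builds the strategy to hand to sessionAuthenticationStrategy(...) or to
     * register as the "sas" bean. Supplying only the subclass would replace the
     * default SessionFixationProtectionStrategy, so it is composed back in here.
     */
    public static SessionAuthenticationStrategy withFixationProtection(SessionRegistry registry) {
        RoleAwareSessionControlStrategy concurrency = new RoleAwareSessionControlStrategy(registry);
        // Reject the new login instead of expiring the least recently used session.
        concurrency.setExceptionIfMaximumExceeded(true);
        return new CompositeSessionAuthenticationStrategy(
                Arrays.<SessionAuthenticationStrategy>asList(
                        concurrency,                              // 1. enforce the per-user limit
                        new SessionFixationProtectionStrategy(),  // 2. change the session at login
                        new RegisterSessionAuthenticationStrategy(registry))); // 3. record it
    }
}
```

The concurrency and registration strategies must share the same SessionRegistry instance, and with a custom form-login filter the composite has to be injected into that filter as well as into session management, as the quoted reference states.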
<beans:bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
    <beans:property name="messageConverters">
        <beans:list>
            <beans:bean class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter" />
        </beans:list>
    </beans:property>
</beans:bean>
What is the exact meaning of the above code? Can anybody explain this?
AnnotationMethodHandlerAdapter is deprecated and is replaced by RequestMappingHandlerAdapter.
These classes (as your configuration) are used to extend the HTTP request/response processing.
The class MappingJacksonHttpMessageConverter is a Jackson JSON framework converter which supports JSON to Java bean conversion and vice versa.
Using this configuration, you don't have to convert JSON to Java or Java to JSON. You can accept a Java POJO in your controller method and return a Java POJO from the controller method. Conversion is handled by Spring using the mentioned converter class.
This way you can use the annotations provided by Jackson on your POJO to control the output.
I am trying to configure Spring's LocalValidatorFactoryBean to set my custom TraversableResolver.
I do the following in my applicationContext.xml:
<bean id="customTraversableResolver" class="com.package.core.resolver.SimpleTraversableResolver" />
<bean id="validator"
      class="org.springframework.validation.beanvalidation.LocalValidatorFactoryBean">
    <property name="traversableResolver" ref="customTraversableResolver" />
</bean>
But at runtime, @Valid beans in the controller are validated with the default traversable resolver (from Hibernate Validator).
So, how do I configure the default bean validation configuration in Spring?
Have you tried adding validation.xml and adding the traversable resolver configuration in there? Btw, what do you want to achieve with your custom resolver?
While you’re using Spring MVC, you must register your validator in this way:
<mvc:annotation-driven validator="validator" />
If you want method-level validation, then define bean:
<!-- Enable method-level validation on annotated methods via JSR-303 -->
<bean class="org.springframework.validation.beanvalidation.MethodValidationPostProcessor"
      p:validatorFactory-ref="validator" />
Then you don’t need validator.xml anymore.
Note: This works with Spring 3.2.x and Hibernate Validator 4.x.
I am having issues while trying to inject a custom permission evaluator in Spring Security:
My front-end code looks like this:
<sec:accesscontrollist hasPermission="VIEW_HEADER,VIEW_ANYTHING" domainObject="${userWebsiteLocationContext}" >
    <b>This is a TEST</b>
</sec:accesscontrollist>
and I am trying the following within my Spring Security config:
...
...
<security:global-method-security>
    <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
<bean id="permissionEvaluator" class="org.atd.storefront.security.impl.DefaultPermissionsEvaluator" >
</bean>
<bean id="defaultExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" >
    <property name="permissionEvaluator" ref="permissionEvaluator" ></property>
</bean>
My custom permission evaluator simply returns false, but the text is always displayed. I've also tried the solution at https://jira.springsource.org/browse/SEC-1749 and tried to use the custom-defined decision manager bean: access-decision-manager-ref="webAccessDecisionManager", to no avail.
I don't get any exceptions; the hasPermission of my custom PermissionEvaluator just isn't called.
It should be enough to register an implementation of PermissionEvaluator for the accesscontrollist tag to pick it up and use it.
My advice would be to set a breakpoint in the doStartTag() method of the org.springframework.security.taglibs.authz.AccessControlListTag method and inspect which PermissionEvaluator it's really using.
I'm trying to secure my Spring 3.1 web app with Spring Security 3.1, and I need to use Active Directory for user authentication.
However, I can't seem to find the complete configuration steps. I tried different bits of suggestions but they didn't work for me.
What are the complete steps of configuration to enable a Spring 3.1 web app to use Spring Security 3.1 with Active Directory?
<beans:bean id="adAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <beans:constructor-arg value="[your domain]" />
    <beans:constructor-arg value="ldap://[your AD server]:389" />
    <beans:property name="userDetailsContextMapper">
        <beans:bean class="[your user-details context mapper]" />
    </beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="adAuthProvider" />
</authentication-manager>
If you need to provide custom logic for mapping user and authorities from the AD entry, you can implement your own UserDetailsContextMapper implementation and specify it in the userDetailsContextMapper property on the adAuthProvider bean.
I have a service,
<bean id="myservicie" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="service" ref="aService"/>
    <property name="serviceInterface" value="com.statestr.oms.fx.ws.service.IService"/>
</bean>
inside this aService,
@Secured({"ROLE_USER"})
private void mythod(),
but it's not working.
However, if I move this method to another bean, say, mybean, the security annotation will work.
I've enabled both in the configuration like below. Can anyone help? Thanks.
<global-method-security secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
    <protect-pointcut expression="execution(* *..com.statestr.oms.service.impl.*Mybean*.*(..))" access="ROLE_USER"/>
    <protect-pointcut expression="execution(* *..com.statestr.oms.service.impl.*Service*.*(..))" access="ROLE_USER"/>
</global-method-security>
I guess it is because your application uses Spring Proxy AOP. And this AOP Style has no influence if the method is invoked directly (from the same bean). And I think that is what you do, because the method you mentioned is a private method.
So what you can do is:
use AspectJ (I strongly recommend it),
put the @Secured annotation on a method that is invoked from outside of the bean.
Anyway, your configuration looks a bit strange: why do you use @Secured AND <protect-pointcut... for the same class? One of them should be enough.
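The proxy behaviour this answer describes, shown with a plain JDK dynamic proxy so it runs without Spring (an added example, not part of the original thread). OrderService, its method names and the boolean role check are hypothetical stand-ins for the secured bean and the security interceptor.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class SelfInvocationDemo {

    interface OrderService {
        String exported();   // entry point with no access rule
        String sensitive();  // stands in for the @Secured method
    }

    static class OrderServiceImpl implements OrderService {
        public String exported() {
            // Direct call on 'this': it never passes through the proxy, so the
            // check below is skipped. A private method is in the same position,
            // because it can only ever be called this way.
            return sensitive();
        }
        public String sensitive() { return "sensitive data"; }
    }

    /** Wraps the target the way proxy-based AOP does; the handler plays the interceptor. */
    static OrderService secure(final OrderService target, final boolean callerHasRole) {
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
                if (method.getName().equals("sensitive") && !callerHasRole) {
                    throw new SecurityException("Access denied: ROLE_USER required");
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();
                }
            }
        };
        return (OrderService) Proxy.newProxyInstance(
                OrderService.class.getClassLoader(), new Class<?>[] { OrderService.class }, handler);
    }

    public static void main(String[] args) {
        OrderService service = secure(new OrderServiceImpl(), false); // caller lacks the role
        try {
            service.sensitive(); // external call: intercepted and rejected
        } catch (SecurityException e) {
            System.out.println("external call blocked: " + e.getMessage());
        }
        // Same caller, same missing role, but the sensitive method runs anyway.
        System.out.println("via exported(): " + service.exported());
    }
}
```

When reviewing proxy-based method security, check that every rule sits on a method reached through the proxy from another bean; a rule that is only reached by an internal call enforces nothing.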