Consider the following Spring Security related piece of Spring XML context:
<authentication-manager erase-credentials="true">
<authentication-provider>
<user-service>
<user disabled="${auth.admin.enabled}" name="${auth.admin.user}"
password="*****"/>
</user-service>
</authentication-provider>
</authentication-manager>
This snippet was supposed to keep admin user enabled based on the property value. But XML validation is not passing for this snippet, because disabled attribute of user tag is declared with type xs:boolean, which means SpEL syntax is not allowed there.
Is there a way to achieve my purpose (user, enabled by a property) without refusing from Spring XML context?
No; the schema would need to be changed to accept a union of xsd:string and xsd:boolean. You might want to open an Improvement JIRA issue.
Related
I'm trying to setup a simple project with Spring security to enable Username / pwd login.
After pointing some breakpoint in the UsernamePasswordAuthenticationFilter I noticed that getAuthenticationManager has 0 providers
this.getAuthenticationManager()
However I did add this in the security-context.xml
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
It looks like the authenticationManager does get rightly autowired but for some reason the authentication-provider is not injected.
Did I forget to enable something somewhere?
By default SpringSecurity uses org.springframework.security.authentication.ProviderManager which initially should have at least one configured provider unless parent is set. Otherwise you will get IllegalArgumentException at initialization phase. Therefore you definitely should be able to find an authentication provider either in the authentication manager returned from the filter or in one of its parents (as long as there is no harmful code that removes providers intentionally of course).
We were facing this issue when upgrading from Spring security 3 to version 4.
We had a AuthenticationManager definied as follows
<authentication-manager alias="authenticationManager">
<authentication-provider ref="rememberMeAuthenticationProvider"/>
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
As it turned out using only an alias attribute the definied AuthenticationManager was not used by Spring.
We needed to define an id attribute to make it work.
<authentication-manager id="authenticationManager">
...
</authentication-manager>
When no id is specified Spring sets the id to "org.springframework.security.authenticationManager" during the beans parsing in the org.springframework.security.config.authentication.AuthenticationManagerBeanDefinitionParser.parse overriding the globally registered AuthenticationManager. This somehow seems to mess up the specified providers.
Hi I'm very new to Spring Security and OAUTH2 can any one help .... I'm using the example provided in this example http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html
What I'm trying to do is create 2 web applications where one app(mainApp) stores all the protected resources and does not know about the users and it needs to make a rest call to another app to get the details
Currently in my security config
<authentication-manager id="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<user-service>
<user name="abcd" password="1234" authorities="ROLE_APP" />
</user-service>
</authentication-provider>
</authentication-manager>
In my case, I want to let our custom API which is in another app do the authentication, then return a custom UserDetails object containing the roles and other attributes
Have you tried to follow https://spring.io/guides/tutorials/spring-security-and-angular-js/#_sso_with_oauth2_angular_js_and_spring_security_part_v? I think the guide is quite interesting and offers a wide perspective of implementing OAuth2 and other security methods. Is there any reason because you need to use OAuth2? I mean, you can maybe start using Basic Authorization or token based approaches before to start with OAuth2 (which maybe is so complicated if you have no much experience).
I need to customize my authentication process in such manner:
Client sends request (REST API) with a "special" URL param
Server calls third-party service passing a param and receiving user name
Server lookups database by name and this is authenticated principal.
I split my server side (2+3) on two parts - custom filter for (2), that obtains user name - and a custom userdetailservice for(3) that builds principal by looking up name in database.
But I cannot build my security.xml correctly - every time it seems that it doesn't process filter at all. I think the problem is in the first (http) node, but I cannot understand what position should I set up for filter. Here is my config:
<http use-expressions="true" auto-config="true" authentication-manager-ref="authenticationManager">
<intercept-url pattern="/*" access="isAuthenticated" />
<custom-filter ref="casServiceTicketFilter" position="FIRST"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="wliAuthenticationService"/>
</authentication-manager>
<b:bean id="casServiceTicketFilter" class="org.WLICASAuthenticationFilter">
<b:property name="casTicketValidateURL" value="${cas.ticket.validate.url}"/>
<b:property name="authenticationManager" ref="authenticationManager"/>
</b:bean>
<b:bean id="wliAuthenticationService" class="org.WLIUserDetailService"/>
PS- Please don't tell me that Spring has CAS support out-of-the-box. It's a bit various configuration so I need to create my own implementation of service ticket validator
Your custom authentication filter shouldn't be first in the filter chain. It needs to come after the SecurityContextPersistenceFilter. Use
<custom-filter ref="casServiceTicketFilter" after="SECURITY_CONTEXT_FILTER"/>
instead.
If you enable debug logging, you should be able to see clearly what order the filters are called in for each request and whether yours is invoked.
I am trying to implement a salt source as part of my security in Spring security 3. I want to salt the username, but in order to use this as shown below, which domain do I need to implement in order to take advantage of spring security's default implementations???
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="sha-256">
<salt-source user-property="username" />
</password-encoder>
</authentication-provider>
</authentication-manager>
I guess with domain you're referring to the Security Namespace. The location of the Spring Security Namespace Configuration is: http://www.springframework.org/schema/security/spring-security.xsd (don't specify the version to resolve against the latest one). Have a look at the documentation: Spring Security Namespace Configuration
I have this on my app-security.xml, and I want to do some tasks if the user was logged in LDAP, other tasks if the user was logged in DB, etc.
<ldap-server url="ldap://192.168.0.55:389/dc=fluxit,dc=com,dc=ar"
manager-dn="uid=admin,ou=system"
manager-password="infra123"
/>
<authentication-manager>
<authentication-provider user-service-ref='databaseAuthManager'>
<password-encoder ref="encoder" />
</authentication-provider>
<authentication-provider>
<password-encoder ref="encoder" />
<user-service id="textFileAuthManager" properties="classpath:auth/users.properties" />
</authentication-provider>
<ldap-authentication-provider
user-search-filter="(uid={0})" user-search-base="ou=users"
group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
group-role-attribute="cn" role-prefix="ROLE_">
</ldap-authentication-provider>
</authentication-manager>
Can I do that in Spring? I've been Googling for a while and didn't find the answer.
Thank you so much!
I think the difficulty with your requirement is that the authentication manager doesn't retain the information which particular authentication provider was the one that actually authenticated the request. If you had that piece of information, you could easily write a custom AuthenticationSuccessHandler to implement some behavior that depends on the authentication method that succeeded.
If you really need this functionality, here is one possible solution I could come up with: Implement a custom ProviderManager, that would wrap the authentication object with a decorator that saves a reference to the successful authentication provider. Since the implementation of ProviderManager doesn't offer extension points you could use for this, you would basically need to copy the whole class to make the required enhancements. Then you would have to rewrite the whole <authentication-manager> part of your configuration without using the security namespace, because it doesn't allow you to replace the default AuthenticationManager implementation.
This is neither too elegant nor very easy solution, so there might be some better ways to do it.