Spring security XML configuration not protecting URLs - spring

I have gone through a lot of questions similar to this but I couldn't find any solution.
I am using Spring-3.0.5RELEASE and Spring-security-3.1.2RELEASE.
Actually I am adding spring security to already exixsting application.
There are no errors in creating bean or filters but the urls are not protected.
spring-security.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http auto-config="true" use-expressions="true">
<!-- <intercept-url pattern="/" access="permitAll" /> -->
<security:intercept-url pattern="/index" access="permitAll" />
<security:intercept-url pattern="/admin"
access="hasRole('Admin')" />
<security:intercept-url pattern="/dashboard" access="hasRole('Admin')
or hasRole('User')" />
<security:intercept-url pattern="/setup" access="hasRole('User')" />
<!-- access denied page -->
<security:access-denied-handler error-page="/logout" />
<security:form-login
login-processing-url="/loginAuth"
login-page="/index"
default-target-url="/dashboard"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/index"/>
<!-- enable csrf protection -->
<!-- <csrf/> -->
<http-basic />
</security:http>
<!-- Select users and user_roles from database -->
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select customerId, passcode from Users where customerId=?"
authorities-by-username-query=
"select customerId, roleName from Role where customerId=?" />
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
There is a warning here saying: Referenced bean 'dataSource' not found. I am not sure whether this may cause the problem.
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>sample</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/config/sample-servlet.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>sample</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/config/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>
sample-servlet.xml
<context:property-placeholder location="classpath:resources/database.properties" />
<context:component-scan base-package="com.as.spark" />
<tx:annotation-driven transaction-manager="hibernateTransactionManager"/>
<bean id="jspViewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass"
value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
</bean>
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${database.driver}" />
<property name="url" value="${database.url}" />
<property name="username" value="${database.user}" />
<property name="password" value="${database.password}" />
</bean>
<bean id="sessionFactory"
class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="annotatedClasses">
<list>
<value>com.as.spark.model.Users</value>
<value>com.as.spark.model.Role</value>
</list>
</property>
<property name="hibernateProperties">
<!-- properties -->
</property>
</bean>
<bean id="hibernateTransactionManager"
class="org.springframework.orm.hibernate3.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
</beans>
I don't want to shift to java configuration because that requires a higher version of spring.
All the pages /home, /dashboard, /admin are open to all users.
How do I check whether the filter is applied? How to protect the URL?

Related

Configuring DelegatingFilterProxy using spring security

I am trying custom filter with oauth authentication using spring security DelegatingFilterProxy below is my configuration
Web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<!-- The definition of the Root Spring Container shared by all Servlets
and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>/index.html</welcome-file>
</welcome-file-list>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
servlet-context.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing
infrastructure -->
<!-- Enables the Spring MVC #Controller programming model -->
<!-- <mvc:resources mapping="/" location="/index.html" /> -->
<mvc:resources mapping="/js/**" location="/assets/js/" />
<mvc:resources mapping="/css/**" location="/assets/css/" />
<mvc:resources mapping="/templates/**" location="/assets/templates/" />
<mvc:resources mapping="/lib/**" location="/assets/lib/" />
<mvc:resources mapping="/lib/css/**" location="/assets/lib/css/" />
<mvc:resources mapping="/lib/js/**" location="/assets/lib/js/" />
<mvc:resources mapping="/lib/fonts/**" location="/assets/lib/fonts/" />
<mvc:resources mapping="/img/**" location="/assets/img/" />
<mvc:annotation-driven />
<mvc:default-servlet-handler />
<sec:http pattern="/template/**" security="none"></sec:http>
<sec:http pattern="/css/**" security="none"></sec:http>
<sec:http pattern="/js/**" security="none"></sec:http>
<sec:http pattern="/lib/**" security="none"></sec:http>
<sec:http pattern="/lib/css/**" security="none"></sec:http>
<sec:http pattern="/lib/js/**" security="none"></sec:http>
<sec:http pattern="/lib/fonts/**" security="none"></sec:http>
<sec:http pattern="/img/**" security="none"></sec:http>
<sec:http entry-point-ref="oAuth2AuthenticationEntryPoint">
<sec:anonymous enabled="false"></sec:anonymous>
<sec:custom-filter ref="oAuth2Filter" after="SECURITY_CONTEXT_FILTER"></sec:custom-filter>
<sec:intercept-url pattern="/**" access="ROLE_USER"></sec:intercept-url>
</sec:http>
<sec:authentication-manager alias="upmAuthenticationManager"></sec:authentication-manager>
<!-- Configure to plugin JSON as request and response in method handler -->
<bean
class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter">
<property name="messageConverters">
<list>
<ref bean="jsonMessageConverter" />
</list>
</property>
</bean>
<bean id="oAuth2AuthenticationEntryPoint" class="com.upm.oAuth.OAuthAuthenticationEntryPoint">
<constructor-arg value="/index.html"></constructor-arg>
</bean>
<bean id="oAuthEnd" name="oAuthEnd" class="com.upm.oAuth.OAuthEndServlet">
<property name="oAuth2Filter" ref="oAuth2Filter" />
</bean>
<bean id="oAuth2Filter" class="com.upm.oAuth.OAuth2Filter">
<property name="clientID" value="xxx" />
<property name="clientSecret" value="xxx" />
<property name="serviceURL" value="https://" />
</bean>
<bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>classpath:database.properties</value>
</property>
</bean>
<!-- Configure bean to convert JSON to POJO and vice versa -->
<bean id="jsonMessageConverter"
class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
</bean>
The application got deployed successfully and when trying to access the below URL. I am getting the Exception
http://localhost:8082/contex-path/index.html or
http://localhost:8082/contex-path
Exception
INFO: Starting ProtocolHandler ["http-bio-8082"]
Exception in thread "http-bio-8082-exec-1" java.lang.StackOverflowError
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:246)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
Could anyone please help me on the issue?

Spring oauth2 ver 2.0.7, 404 error on endpoint /oauth/token

I got problem when try to integrate our web app with Spring oauth2
the end point /oauth/token is mapped for both GET and POST method
o.s.s.o.p.e.FrameworkEndpointHandlerMapping- Mapped "{[/oauth/token],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.util.Map<java.lang.String, java.lang.String>) throws org.springframework.web.HttpRequestMethodNotSupportedException
o.s.s.o.p.e.FrameworkEndpointHandlerMapping- Mapped "{[/oauth/token],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken(java.security.Principal,java.util.Map<java.lang.String, java.lang.String>) throws org.springframework.web.HttpRequestMethodNotSupportedException
when access: https://192.168.70.19:8072/oauth/token?grant_type=password&client_id=7CA42EA39288EC73212716FC6A51B8A2&username=admin&password=switch
**server return:**Bad client credentials
its ok, however when I add the client_secret
https://192.168.70.19:8072/oauth/token?grant_type=password&client_id=7CA42EA39288EC73212716FC6A51B8A2&client_secret=client_secret&username=admin&password=switch
server return 404 error (as I know this should happen when the API is not mapped only)
Some of my configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetClass"
value="org.springframework.security.core.context.SecurityContextHolder" />
<property name="targetMethod" value="setStrategyName" />
<property name="arguments">
<list>
<value>MODE_INHERITABLETHREADLOCAL</value>
</list>
</property>
</bean>
<bean id="authenticationEntryPoint"
class="com.alu.ov.ngnms.appserver.login.AuthenticationEntryPoint">
<constructor-arg name="loginUrl" value="/login.html" />
</bean>
<bean name="customUserDetailsAuthenticationProvider" class="com.alu.ov.ngnms.appserver.login.CustomUserDetailsAuthenticationProvider">
<property name="aaaServerRepository" ref="AAAServerRepository"></property>
</bean>
<security:authentication-manager alias="authenticationManager"
erase-credentials="false">
<security:authentication-provider ref="customUserDetailsAuthenticationProvider" />
</security:authentication-manager>
<bean id="checkTokenEndPoint"
class="org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint">
<constructor-arg name="resourceServerTokenServices" ref="tokenServices"/>
</bean>
<bean id="customAccessDeniedHandler"
class="com.alu.ov.ngnms.appserver.login.CustomAccessDeniedHandler"></bean>
<security:http pattern="/oauth/token" create-session="stateless" entry-point-ref="authenticationEntryPoint" authentication-manager-ref="clientAuthenticationManager">
<security:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<security:anonymous enabled="false" />
<security:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:access-denied-handler ref="customAccessDeniedHandler" />
</security:http>
<security:http use-expressions="true" entry-point-ref="authenticationEntryPoint" create-session="never">
<!-- for all users (login & non-login) -->
<security:intercept-url pattern="/favicon.ico" access="permitAll" />
<security:intercept-url pattern="/bower_components/**" access="permitAll"/>
<security:intercept-url pattern="/locales/**" access="permitAll"/>
<security:intercept-url pattern="/ov_components/**" access="permitAll"/>
<security:intercept-url pattern="/scripts/**" access="permitAll"/>
<security:intercept-url pattern="/styles/**" access="permitAll"/>
<security:intercept-url pattern="/template/**" access="permitAll" />
<security:intercept-url pattern="/webstart/classes/**" access="permitAll" />
<security:intercept-url pattern="/assets/**" access="permitAll" />
<!-- only for non-login users -->
<security:intercept-url pattern="/login.html" access="!isAuthenticated()" />
<security:intercept-url pattern="/upgrade.html" access="!isAuthenticated()" />
<security:intercept-url pattern="/api/login" access="!isAuthenticated()" />
<!-- for all login users -->
<!-- only for admin user & no-license OV -->
<security:intercept-url pattern="/noLicense.html" access="hasAnyRole('ROLE_ADMIN_NO_LICENSE')" />
<security:intercept-url pattern="/**" access="isAuthenticated() and !hasRole('ROLE_ADMIN_NO_LICENSE')" />
<security:access-denied-handler ref="customAccessDeniedHandler"/>
<!-- Add filter to extract access token from request and perform authentication -->
<security:custom-filter ref="customOAuth2AuthenProcessingFilter" before="PRE_AUTH_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>
<security:global-method-security authentication-manager-ref="authenticationManager" pre-post-annotations="enabled"
secured-annotations="enabled">
</security:global-method-security>
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password authentication-manager-ref="authenticationManager"/>
</oauth:authorization-server>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientDetailsUserService" />
</security:authentication-manager>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices" >
<property name="tokenStore" ref="mongoDBTokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetails" />
<!-- Access token & Refresh token will be expired in 1 year 1 second after being granted -->
<property name="accessTokenValiditySeconds" value="31536001"></property>
<property name="refreshTokenValiditySeconds" value="31536001"></property>
</bean>
<bean id="ovTokenExtractor" class="com.alu.ov.ngnms.appserver.login.OVTokenExtractor"></bean>
<bean id="oauth2AuthenticationManager" class="org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager">
<property name="tokenServices" ref="tokenServices"></property>
</bean>
<bean id="customOAuth2AuthenProcessingFilter" class="org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint"></property>
<property name="authenticationManager" ref="oauth2AuthenticationManager"></property>
<property name="tokenExtractor" ref="ovTokenExtractor"></property>
</bean>
<bean id="clientDetails" class="com.alu.ov.ngnms.appserver.token.CustomClientDetailsService"/>
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<mvc:annotation-driven />
<mvc:default-servlet-handler />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
</beans>
--------EDIT 1--------
added web.xml:
<servlet>
<servlet-name>atmoSpring</servlet-name>
<servlet-class>org.atmosphere.cpr.MeteorServlet</servlet-class>
<init-param>
<!-- When MeteorServlet is used, this is the parameter that will be looked
and all requests will be delegated to this servlet, Of course, since we are
using, Spring MVC, we delegate to DispatcherServlet -->
<param-name>org.atmosphere.servlet</param-name>
<param-value>org.springframework.web.servlet.DispatcherServlet</param-value>
</init-param>
<!-- Bunch of Atmosphere specific properties -->
<init-param>
<param-name>org.atmosphere.cpr.broadcasterClass</param-name>
<param-value>org.atmosphere.cpr.DefaultBroadcaster</param-value>
</init-param>
<!-- Set Atmosphere to use the container native Comet support. -->
<init-param>
<param-name>org.atmosphere.useNative</param-name>
<param-value>true</param-value>
</init-param>
<!-- Force Atmosphere to use stream when writing bytes. -->
<init-param>
<param-name>org.atmosphere.useStream</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.cpr.AtmosphereInterceptor</param-name>
<param-value>org.atmosphere.interceptor.SSEAtmosphereInterceptor</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.interceptor.SSEAtmosphereInterceptor.contentType</param-name>
<param-value>text/event-stream</param-value>
</init-param>
<!-- Use this interceptor to prevent firewall/proxies from canceling the
connection after a specific idle time -->
<init-param>
<param-name>org.atmosphere.cpr.AtmosphereInterceptor</param-name>
<param-value>org.atmosphere.interceptor.HeartbeatInterceptor</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.interceptor.HeartbeatInterceptor.heartbeatFrequencyInSeconds</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.useWebSocketAndServlet3</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.cpr.AtmosphereInterceptor.disableDefaults</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.cpr.broadcasterCacheClass</param-name>
<param-value>org.atmosphere.cache.UUIDBroadcasterCache</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.cpr.broadcaster.shareableThreadPool</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.cpr.sessionSupport</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<async-supported>true</async-supported>
</servlet>
<servlet-mapping>
<servlet-name>atmoSpring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/webContext.xml</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ASYNC</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<filter>
<filter-name>cacheControlFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>cacheControlFilterChain</filter-name>
<url-pattern>/api/*</url-pattern>
</filter-mapping>
<!-- Session Listener for Webstart -->
<listener>
<listener-class>com.alu.ov.ngnms.appserver.controller.SessionListener</listener-class>
</listener>
You can't define the Authorization Server endpoints in a ContextLoaderListener. I don't really know how that MeteorServlet works, but you have to get the configuration into the DispatcherServlet so it can handle the "/oauth/token" requests (the handler is created by the <authorization-server/> declaration).
I also got 404 on /servlet/oauth/token requests. In my case I had the DispatcherServlet mapped to /servlet/*, instead of /* in the web.xml file. I had to update the AuthorizationServerConfigurerAdapter to use a prefix, so that both the authorization filter and the request mapping handler adapter can handle the oauth requests (ie: /servlet/oauth/token for me)
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.prefix("/servlet").authenticationManager(authenticationManager);
}
It was also important to set the DispatcherWebApplicationContextSuffix in the AbstractSecurityWebApplicationInitializer to reference the Dispatcher servlet name from web.xml file.

Securing REST API using Spring-security #PreAuthorize annotation and OAuth2

I'm struggling with some spring-security OAuth2 configuration.
I'm using:
Spring.version: 4.0.5.RELEASE
Spring security version: 3.2.5.RELEASE
Spring security oauth version: 2.0.2.RELEASE
Jersey version: 1.18.1
I want to secure my REST API using the PreAuthorize annotation of Spring security where I define the role that is authorized to access the method:
#Transactional
#POST
#PreAuthorize("hasRole('ROLE_ADMIN')")
#Consumes(MediaType.APPLICATION_JSON)
#Produces(MediaType.APPLICATION_JSON)
public Response create(User user) throws BusinessException {
LOG.info("POST Request: Creation of a new user with username [{}]", user.getUsername());
UserValidator.validateUser(user);
User createdUser = userDao.create(user);
return Response.ok(createdUser).build();
}
When I call the API method with a valid bearer token for a user with role "ROLE_ADMIN", I get following exception:
09-Sep-2014 16:13:40.977 SEVERE [http-nio-8080-exec-6] com.sun.jersey.spi.container.ContainerResponse.mapMappableContainerException The RuntimeException could not be mapped to a response, re-throwing to the HTTP container
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AbstractAccessDecisionManager.checkAllowIfAllAbstainDecisions(AbstractAccessDecisionManager.java:70)
at org.springframework.security.access.vote.UnanimousBased.decide(UnanimousBased.java:107)
at ...
When using postman, I see the following error description:
{
"error": "unauthorized",
"error_description": "Full authentication is required to access this resource"
}
This is my security config:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">
<context:property-placeholder location="classpath:main.properties"/>
<sec:global-method-security pre-post-annotations="enabled" />
<oauth:expression-handler id="oauthExpressionHandler" />
<!-- Definition of the Authentication Service -->
<sec:http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager">
<sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
<sec:anonymous enabled="false"/>
<sec:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
<!-- include this only if you need to authenticate clients via request parameters -->
<sec:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
<sec:access-denied-handler ref="oauthAccessDeniedHandler"/>
</sec:http>
<!-- Protected resources -->
<sec:http auto-config="true"
entry-point-ref="oauthAuthenticationEntryPoint"/>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="dstest" />
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="dstest/client"/>
<property name="typeName" value="Basic"/>
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager"/>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
<bean class="org.springframework.security.access.vote.RoleVoter"/>
<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</list>
</constructor-arg>
</bean>
<!-- Authentication in config file -->
<sec:authentication-manager id="clientAuthenticationManager">
<sec:authentication-provider user-service-ref="clientDetailsUserService"/>
</sec:authentication-manager>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider>
<sec:jdbc-user-service data-source-ref="securityDataSource"/>
</sec:authentication-provider>
</sec:authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails"/>
</bean>
<!-- Token Store -->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
<constructor-arg ref="securityDataSource" />
</bean>
<bean id="oAuth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg ref="clientDetails"/>
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore"/>
<property name="supportRefreshToken" value="true"/>
<property name="clientDetailsService" ref="clientDetails"/>
<!-- VIV -->
<property name="accessTokenValiditySeconds" value="10"/>
</bean>
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
<property name="tokenStore" ref="tokenStore"/>
<property name="requestFactory" ref="oAuth2RequestFactory"/>
</bean>
<!-- Token management -->
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler" token-endpoint-url="/oauth/token">
<oauth:authorization-code/>
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:client-credentials/>
<oauth:password/>
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
resource-id="dstest"
token-services-ref="tokenServices"/>
<!-- Client Definition -->
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="healthdata-client"
authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"
redirect-uri="/web"
scope="read,write,trust"
access-token-validity="300"
refresh-token-validity="6000"/>
</oauth:client-details-service>
</beans>
And this is my web.xml configuration:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<display-name>Spring MVC Application BASIC AUTH</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:applicationContext.xml
/WEB-INF/rest-dispatcher-servlet.xml
/WEB-INF/security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>rest-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>rest-dispatcher</servlet-name>
<url-pattern>/oauth/token</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Spring servlets</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>be.spring.security.api</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>be.spring;org.codehaus.jackson.jaxrs</param-value>
</init-param>
<!-- optional: JSON support apart from jaxb -->
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Spring servlets</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
I found the solution to my problem. Web security services are configured using the element and I had to alter my protected resource definition from:
<sec:http auto-config="true"
entry-point-ref="oauthAuthenticationEntryPoint"/>
to:
<sec:http auto-config="true">
<sec:custom-filter ref="resourceServerFilter"
before="PRE_AUTH_FILTER"/>
<sec:access-denied-handler
ref="oauthAccessDeniedHandler"/>
</sec:http>
The resourceServerFilter must be referenced in order to be picked up by the security mechanism and the before attribute had to be set to "PRE_AUTH_FILTER".
Also the access-denied-handler is needed if you want proper error handling in a JSON format in the case you can't access the service.

404 Error on /spring_security_login Spring Security 3.2 after migrating from Tomcat 6 to Tomcat 7

It's been now three days that I'm battling to make my application work again.
The pitch : I had an application using Spring Security 3.2 and running well on Tomcat 6.
I want to migrate all my apps on Tomcat 7, so that's why I'm trying that.
BUT : every time I access to the root of my app, I get a 404 error page, with /spring_security_login written in the URL.
For the /spring_security_login written, it seems partially legit, because Spring is set to create the login form on its own. But why the 404 error ?
On Tomcat 6, with the same web.xml and applicationContext-security, the site is running well.
Last but not least, my login is made through the Spring Security ldap provider, so it adds one more level of complexity...
Here is my web.xml :
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>MYAPP</display-name>
<!-- où se trouve la conf spring: -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-security.xml</param-value>
</context-param>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Reads request input using UTF-8 encoding -->
<filter>
<filter-name>characterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>characterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- configuration spring -->
<servlet>
<servlet-name>myapp-webapp</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>myapp-webapp</servlet-name>
<url-pattern>*.do</url-pattern>
<url-pattern>/remoting/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>*.png</url-pattern>
<url-pattern>*.js</url-pattern>
<url-pattern>*.css</url-pattern>
<url-pattern>*.gif</url-pattern>
</servlet-mapping>
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/myapp_database</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
And my applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:s="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<s:global-method-security secured-annotations="disabled">
</s:global-method-security>
<s:http pattern="/styles/**" security="none"/>
<s:http pattern="/js/**" security="none"/>
<s:http pattern="/img/**" security="none"/>
<s:http pattern="/html/**" security="none"/>
<s:http pattern="/remoting/**" security="none"/>
<!-- config ldap activee use-expressions="true" -->
<s:http auto-config="true" create-session="always" access-decision-manager-ref="accessDecisionManager">
<s:intercept-url pattern="/cancelPreviousAction.do" access="P_MYAPP_RW" />
<s:intercept-url pattern="/**" access="P_MYAPP_RO" />
<s:session-management>
<s:concurrency-control max-sessions="1" />
</s:session-management>
<s:form-login />
<s:logout/>
</s:http>
<s:authentication-manager>
<s:authentication-provider ref="ldapProvider"></s:authentication-provider>
</s:authentication-manager>
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="..." />
<property name="userDn" value="..." />
<property name="password" value="..." />
</bean>
<bean id="ldapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userSearch">
<bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="..." />
<constructor-arg index="1" value="..." />
<constructor-arg index="2" ref="..." />
</bean>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource" />
<constructor-arg value="..." />
<property name="rolePrefix" value="" />
<property name="searchSubtree" value="true" />
<property name="convertToUpperCase" value="false" />
</bean>
</constructor-arg>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<bean class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value=""/>
</bean>
</property>
</bean>
</beans>
Anybody has a clue ?
I though one time that it might be my Tomcat conf that would be the cause, but now when I call the root url of my app, the /spring_security_login appends itself in the url, so I think the redirection inside Spring Seuciryt works well...
NB : When I remove the spring Security filter from the web.xml file, the app works well (except the login/security part needless to say).
Thanks in advance !
In fact the problem was that under Tomcat 6, I had overrided the definition of the default servlet.
After having searched long times and long times, I tried commenting the default servlet definition... and everything worked.
So in web.xml, comment the following lines to have the same :
<!--
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>*.png</url-pattern>
<url-pattern>*.js</url-pattern>
<url-pattern>*.css</url-pattern>
<url-pattern>*.gif</url-pattern>
</servlet-mapping> -->
And it fixed everything.

spring mvc: resources path outside the context root

I have seen the other solution on stackoverflow but it does not help. I am doing the same thing but I don't know why its not working for me.
I am uploading the images in /home/images folder on ubuntu machine and in spring-servlet.xml I have written the following lines
<mvc:resources mapping="/resources/**" location="/resources/" />
<mvc:resources mapping="/images/**" location="file:/home/images/"/>
<mvc:default-servlet-handler/>
Images are getting uploaded at /home/images/ folder but I am not able to access these images
In JSP I have written
<img src="/images/image.jpg"/>
but its not showing this image I don't understand the problem here. Please let me know if anything else is required.
---Update ---
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
<context:annotation-config />
<context:component-scan
base-package="com.mycom.myproject" />
<!-- Enable annotation driven controllers, validation etc... -->
<mvc:annotation-driven />
<mvc:resources mapping="/resources/**" location="/resources/" />
<mvc:resources mapping="/images/**" location="file:/home/images/"/>
<mvc:default-servlet-handler/>
<!-- Declare a datasource that has pooling capabilities -->
<bean id="datasource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
destroy-method="close" p:driverClass="com.mysql.jdbc.Driver"
p:jdbcUrl="jdbc:mysql://localhost/dbtest" p:user="root" p:password="root"
p:acquireIncrement="10" p:idleConnectionTestPeriod="60" p:maxPoolSize="100"
p:maxStatements="50" p:minPoolSize="10" />
<bean id="transactionManager"
class="org.springframework.jdbc.datasource.DataSourceTransactionManager"
p:dataSource-ref="datasource" />
<bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="datasource" />
</bean>
<!-- scan for mappers and will automatically scan the whole classpath for xmls -->
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<property name="sqlSessionFactory" ref="sqlSessionFactory" />
<property name="basePackage" value="com.mycom.myproject.db.mybatis.dao" />
</bean>
<!-- Configure the multipart resolver -->
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<!-- one of the properties available; the maximum file size in bytes -->
<property name="maxUploadSize" value="100000"/>
</bean>
<bean class="org.springframework.web.servlet.view.json.MappingJacksonJsonView"
p:extractValueFromSingleKeyModel="true" />
<bean id="viewResolver"
class="org.springframework.web.servlet.view.UrlBasedViewResolver">
<property name="viewClass"
value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="classpath:project-config" />
</bean>
Web.xml
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
oooook, your dispatcher servlet is mapped to .htm, so you're dispatcher servlet is never gonna be invoked, since it handles those /resources/* requests and calls a ResourceHttpRequestHandler to write the static content.

Resources