Background
I have a Spring application with OAuth2 security.
I can easily obtain an OAuth Bearer token with the following request:
POST {{...}}/oauth/token
?grant_type=password
&client_id={{client_id}}
&username={{username}}
&password={{password}}
This returns a 200 OK request with my access_token in the response.
Problem
My problem is that one of my clients doesn't like the idea of sending plain text passwords in the query as a query parameter and they want to get the OAuth Bearer token using Basic Autentication.
However I can't make it work the following way:
POST {{...}}/oauth/token
Authorization: Basic base64encoded(username:password)
Content-Type: application/x-www-form-urlencoded
Request Body:
{
"grant_type": "password",
"client_id": {{client_id}}
}
It returns 401 Unauthorized, and
{
"error": "unauthorized",
"error_description": "Bad credentials"
}
My applicationContext.xml file looks like this:
<beans>
...
<!-- Definition of the Authentication Service -->
<security:http
pattern="/oauth/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:anonymous enabled="false"/>
<security:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
<security:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler"/>
</security:http>
<!-- Protected resources -->
<security:http
pattern="/v3/**"
create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager">
<security:anonymous enabled="false"/>
<security:intercept-url pattern="/v3/**" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler"/>
</security:http>
<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="typeName" value="Basic"/>
</bean>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint"/>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager"/>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
<bean class="org.springframework.security.access.vote.RoleVoter"/>
<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</list>
</constructor-arg>
</bean>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientDetailsUserService"/>
</security:authentication-manager>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails"/>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="myAuthProvider"/>
</security:authentication-manager>
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="accessTokenValiditySeconds" value="86400"/>
<property name="tokenStore" ref="tokenStore"/>
<property name="supportRefreshToken" value="true"/>
<property name="clientDetailsService" ref="clientDetails"/>
</bean>
<bean id="oAuth2RequestFactory" class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg ref="clientDetails"/>
</bean>
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:authorization-code/>
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:password/>
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter" token-services-ref="tokenServices"/>
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="web-console"
authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT"
scope="read,write,trust"
access-token-validity="86400"
refresh-token-validity="86400"/>
</oauth:client-details-service>
...
</beans>
Question
Ideally I should be able to call the /oauth/token endpoint with Authorization Basic xxxxxxxxxxxxxxx header, and I would be able to obtain the OAuth bearer token.
Related
I am attempting a very basic implementation of the Spring OAuth2 library; however, when I send a request off to the server I receive the following error:
{
"error": "invalid_client",
"error_description": "Bad client credentials"
}
When doing further debugging, I notice that for some reason the clientId is being passed in as the username within the resource owner flow.
I have included my XML configuration and am curious if anyone could tell me if anything seems inherently wrong or if anyone has any suggestions.
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetailsService" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test/client" />
<property name="typeName" value="Basic" />
</bean>
<security:http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="authenticationManager">
<security:intercept-url pattern="/oauth/token" access="isAuthenticated()" />
<security:anonymous enabled="false" />
<security:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters -->
<security:custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<authorization-server client-details-service-ref="clientDetailsService"
xmlns="http://www.springframework.org/schema/security/oauth2" token-services-ref="tokenServices" >
<authorization-code />
<implicit />
<refresh-token />
<client-credentials />
<password authentication-manager-ref="authenticationManager" />
</authorization-server>
<oauth:resource-server id="resourceFilter" token-services-ref="tokenServices" authentication-manager-ref="authenticationManager" />
<security:authentication-manager id="authenticationManager">
<security:authentication-provider>
<security:user-service id="userDetailsService">
<security:user name="user" password="password" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<client-details-service id="clientDetailsService"
xmlns="http://www.springframework.org/schema/security/oauth2">
<oauth:client client-id="my-trusted-client"
authorized-grant-types="password,authorization_code,refresh_token,implicit"
scope="read,write,trust" resource-ids="oauth2-resource"
access-token-validity="60" authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT"
redirect-uri="http://anywhere" />
<oauth:client client-id="my-client-with-registered-redirect"
authorized-grant-types="authorization_code" scope="read,trust"
resource-ids="oauth2-resource" authorities="ROLE_CLIENT"
redirect-uri="http://anywhere?key=value" />
<oauth:client client-id="my-client-with-secret" secret="secret"
authorized-grant-types="password,client_credentials" scope="read"
resource-ids="oauth2-resource" access-token-validity="60"
authorities="ROLE_CLIENT" />
</client-details-service>
Bellow is also the request that I am sending to the server, it is encoded as 'x-www-form-urlencoded'
grant_type:password
client_id:my-client-with-secret
client_secret:secret
username:user
password:password
scope:read write
The problem arises from here:
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
I am passing the user authentication manager rather than a client details authentication manager. Had to create an additional bean that is of type ClientDetailsAuthenticationManager and pass that within the ref.
I am adding spring security oauth2 to my spring boot application. I have followed a few of the examples on the web and in github from the spring team (had to make some mods for my use case), but I am still not able to return an oauth2 access token from the /oauth/token endpoint. I have been working on this for several days and started off trying to do it in JavaConfig, but then switched to xml config and was able to make some progress. I should note the only config I am doing in xml is the security config and related security beans, all other config is done via JavaConfig.
I am able to successfully authenticate my user (using username & password) using Basic auth, but when it comes to the next step to generate and return the bearer token, this is not happening. Note, I am using a database for storing my user credentials and to store my access tokens (once they get created).
I am making a POST request using grant_type=password with a client id and client secret.
I am under the impression spring oauth2 would handle creating the access token for me and returning it, but maybe this isn't correct or my xml config maybe wrong? Many thanks for any assistance!
Here is my security config xml below:
<http pattern="/oauth/token"
create-session="stateless"
authentication-manager-ref="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/**" method="GET" access="ROLE_DENY" />
<intercept-url pattern="/**" method="PUT" access="ROLE_DENY" />
<intercept-url pattern="/**" method="DELETE" access="ROLE_DENY" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters>
<custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" /-->
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http pattern="/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<!-- authentication-manager-ref="authenticationManager"
access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security"-->
<anonymous enabled="false" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<!-- property name="realmName" value="f2rRealm" /-->
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="f2r/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security" >
<!-- authentication-provider user-service-ref="clientDetailsUserService" /-->
<authentication-provider ref="authenticationProvider" />
</authentication-manager>
<bean id="clientDetails" class="com.f2r.security.oauth2.F2RJdbcClientDetailsService" >
<constructor-arg ref="dataSource" />
<property name="clientId" value="f2r" />
<property name="clientSecret" value="f2rsecret" />
<property name="passwordEncoder" ref="passwordEncoder" />
</bean>
<!-- bean id="clientDetailsService"
class="com.f2r.security.oauth2.F2RJdbcClientDetailsService">
<constructor-arg ref="dataSource" />
<property name="clientDetails" ref="clientDetails" />
<property name="passwordEncoder" ref="passwordEncoder" />
</bean-->
<bean id="clientDetailsUserService"
class="com.f2r.security.oauth2.F2RClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
<property name="passwordEncoder" ref="passwordEncoder" />
</bean>
<authentication-manager id="userAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<!-- authentication-provider ref="customUserAuthenticationProvider" /-->
<authentication-provider ref="authenticationProvider" />
</authentication-manager>
<!-- bean id="customUserAuthenticationProvider" class="com.f2r.security.F2RAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean-->
<bean id="authenticationProvider" class="com.f2r.security.F2RAuthenticationProvider">
<!-- property name="userDetailsService" ref="userDetailsService" /-->
<property name="userDetailsService" ref="clientDetailsUserService" />
</bean>
<bean id="userDetailsService" class="com.f2r.security.F2RUserDetailsService" />
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
<property name="tokenStore" ref="tokenStore" />
<property name="clientDetailsService" ref="clientDetails" />
<property name="requestFactory" ref="requestFactory" />
</bean>
<bean id="requestFactory"
class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg ref="clientDetails" />
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
token-endpoint-url="/oauth/token"
authorization-endpoint-url="/oauth/authorize" >
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<!-- oauth:password authentication-manager-ref="userAuthenticationManager" /-->
<oauth:password />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
token-services-ref="tokenServices" />
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore" >
<constructor-arg ref="dataSource"/>
</bean>
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<mvc:annotation-driven />
<mvc:default-servlet-handler />
<sec:global-method-security
pre-post-annotations="enabled" proxy-target-class="true">
<!--you could also wire in the expression handler up at the layer of the
http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
i have a web application in spring which uses spring security. After successful deploy login page come. after login it again redirect to login page.
This is my securityContext.xml
<!-- enable method-level security via annotation -->
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="disabled"/>
<!-- secure the web layer -->
<sec:http pattern="/login.jsp" security="none" />
<sec:http pattern="/js/**" security="none" />
<sec:http pattern="/scripts/**" security="none" />
<sec:http pattern="/favicon.ico" security="none" />
<sec:http pattern="/styles/**" security="none" />
<sec:http pattern="/images/**" security="none" />
<sec:http pattern="/qlogin.jsp" security="none" />
<sec:http pattern="/qloginWait/**" security="none" />
<sec:http pattern="/contract/ServiceContractPDFView.jsp" security="none" />
<sec:http pattern="/admin/unsubscribe_sbpqm_newsletter.jsp" security="none" />
<sec:http pattern="/admin/subscription_thankyou.jsp" security="none" />
<sec:http pattern="/admin/related_analysts.jsp" security="none" />
<sec:http entry-point-ref="myAuthenticationEntryPoint" use-expressions="true">
<sec:session-management session-fixation-protection="newSession">
</sec:session-management>
<sec:csrf disabled="true"/>
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
<sec:custom-filter after="FORM_LOGIN_FILTER" ref="rememberMeProcessingFilter"/>
<sec:custom-filter after="REMEMBER_ME_FILTER" ref="logoutFilter"/>
<sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>
<!-- <sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnFilter"/> -->
</sec:http>
<!--name of my authenticationManager is authenticationManager-->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="myUserDetailsService" />
</sec:authentication-manager>
<bean id="customizedFormLoginFilter" class="com.prop.test.security.CustomAuthenticationProcessingFilter" >
<!--Here it is the custom authenticationManager, login magic goes here -->
<property name="authenticationManager" ref="myAuthenticationManager"/>
<property name="rememberMeServices" ref="rememberMeServices" />
<property name="allowSessionCreation" value="true" />
<property name="authenticationFailureHandler" ref="failureHandler"/>
<property name="authenticationSuccessHandler" ref="successHandler"/>
</bean>
<bean id="myAuthenticationManager" class="com.prop.test.security.CustomAuthenticationManager" />
<bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<!--My authentication entry point, can be replaced easily if we are doing custom commence of invalid auths.-->
<bean id="myAuthenticationEntryPoint"
class="com.prop.test.security.CustomAuthenticationEntryPoint" >
<constructor-arg value="/j_spring_security_check"/>
</bean>
<bean id="successHandler" class="com.prop.test.security.CustomSavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/indexCustomer.jsp"/>
</bean>
<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
<!-- Override RememberMeProcessingFilter to allow application of other business logic (update login count when user returns to the site -->
<bean id="rememberMeProcessingFilter" class="com.prop.test.security.CustomRememberMeProcessingFilter">
<constructor-arg ref="authenticationManager"/>
<constructor-arg ref="rememberMeServices"/>
</bean>
<bean id="signleSignOnService" class="com.prop.sage.sso.dynamo.SsoDbStorage">
</bean>
<bean id="singleSignOnFilter"
class="com.prop.test.spring.SingleSignOnFilter">
<property name="signleSignOnService" ref="signleSignOnService"/>
<!--<property name="authenticationProviderFacade" ref="authenticationProviderFacade"/>-->
<property name="userService" ref="propUserServiceImpl"/>
<property name="ssoUserUrl">
<value>/sso</value>
</property>
<!-- Code Review Starts -->
<property name="ssoTargetUrl">
<value>/search/ServiceContractSearch.do</value>
</property>
<!-- Code Review Ends -->
<property name="ssoFailureUrl">
<value>/login.jsp</value>
</property>
<property name="order" value="123456"/>
</bean>
<!-- Remember me Authentication Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens -->
<bean id="myUserDetailsService" class="com.prop.test.security.CustomUserDetailsService" > </bean>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<constructor-arg value="springRocks"/>
<constructor-arg ref="myUserDetailsService"/>
<constructor-arg ref="jdbcTokenRepository"/>
</bean>
<!-- Uses a database table to maintain a set of persistent login data -->
<bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<property name="createTableOnStartup" value="false" />
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<constructor-arg value="springRocks"/>
</bean>
<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" >
<property name="invalidateHttpSession" value="true" />
</bean>
<bean id="mySecurityContextHandler" class="com.prop.test.security.CustomSecurityContextLogoutHandler"/>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/login.jsp" />
<constructor-arg>
<list>
<ref bean="mySecurityContextHandler" />
<ref bean="rememberMeServices" />
<ref bean="securityContextLogoutHandler" />
</list>
</constructor-arg>
</bean>
<bean id="authenticationLoggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<bean id="_sessionFixationProtectionFilter" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true" />
</bean>
Logs in logger file -
org.springframework.security.access.event.LoggerListener - Security authorization failed due to: org.springframework.security.access.AccessDeniedException: Access is denied; authenticated principal: org.springframework.security.authentication.AnonymousAuthenticationToken#90579aae: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#2eb76: RemoteIpAddress: 127.0.0.1; SessionId: 6C81F0D37667C08742208FC0B8BA3E86; Granted Authorities: ROLE_ANONYMOUS; secure object: FilterInvocation: URL: /j_spring_security_check; configuration attributes: [hasRole('ROLE_USER')]
According to your config, only ROLE_USER has access to all pages /**
And you tried to login as anonymousUser whose granted authority is ROLE_ANONYMOUS
Hence you can't go forward with anonymousUser and access is denied.
So if you wish you can allow access for anonymousUser as access="hasAnyRole(ROLE_USER,ROLE_ANONYMOUS)"
<sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>
I have an app with uses a Digest authentication. I want to customize the authentication process by checking a custom HTTP header in addition to the Digest method. If the header is present in the request the authentication should proceed as before, if it isn't then the user should be rejected. I tried to do this by defining a custom preauthentication filter, but somehow it doesn't work together with the Digest filter.
<security:http entry-point-ref="digestEntryPoint">
<security:custom-filter ref="customPreauthFilter" position="PRE_AUTH_FILTER"/>
<security:custom-filter ref="digestFilter" before="BASIC_AUTH_FILTER"/>
<security:anonymous enabled="false"/>
</security:http>
<bean id="customPreauthFilter" class="com.myapp.messaging.security.SoundianRequestHeaderAuthenticationFilter">
<property name="authenticationManager" ref="appControlAuthenticationManager" />
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="customUserDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="appControlAuthenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
<security:authentication-provider ref="daoAuthenticationProvider"/>
</security:authentication-manager>
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="customUserDetailsService"/>
</bean>
<!-- Digest authentication -->
<bean id="digestFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
<security:authentication-provider ref="preauthAuthProvider" />
<!-- <security:authentication-provider ref="daoAuthenticationProvider"/>-->
</bean>
<bean id="digestEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
<property name="realmName" value="myvalue"/>
<property name="key" value="acegi"/>
<property name="nonceValiditySeconds" value="10"/>
</bean>
The Preauthentication filter succeeds, but I am still getting 401 results.
If I uncomment
<!-- <security:authentication-provider ref="daoAuthenticationProvider"/>-->
then the preauthentication filter is disregarded.
I am implementing the control of concurrent session by Spring Security.
But when I login in the system by a Chrome with a User and after on the FireFox with the same User, does not display the error message. Also I get no exception in my console.
my web.xml :
<!-- ... -->
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
<!-- .... -->
my security.xml :
<-- .... -->
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:form-login login-page="/login" default-target-url="/home"
authentication-failure-url="/login?logout=true"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler"/>
<security:logout logout-url="/j_spring_security_logout" invalidate-session="true" success-handler-ref="logoutHandler"/>
<security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<security:session-management session-authentication-strategy-ref="concurrentSessionManager" session-authentication-error-url="/login?msg=SessionError"/>
</security:http>
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="sessionAuthenticationStrategy" ref="concurrentSessionManager"/>
</bean>
<!-- Authentication Manager -->
<security:authentication-manager alias="authenticationManager">
<!-- Custom Authentication provider -->
<security:authentication-provider ref="hemisphereAuthenticationProvider"/>
</security:authentication-manager>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<property name="sessionRegistry" ref="sessionRegistry"/>
<property name="expiredUrl" value="/login?msg=SessionError" />
</bean>
<bean id="concurrentSessionManager" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<property name="maximumSessions" value="1"/>
<property name="exceptionIfMaximumExceeded" value="true" />
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<bean id="hemisphereAuthenticationProvider" class="security.HemisphereAuthenticationProvider">
<property name="userDetailsService" ref="userDetailService"/>
</bean>
<bean id="authenticationSuccessHandler" class="security.HemisphereAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/home" />
<property name="alwaysUseDefaultTargetUrl" value="no" />
</bean>
<bean id="authenticationFailureHandler" class="security.HemisphereAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login" />
</bean>
<bean id="logoutHandler" class="security.HemisphereLogoutHandler"/>
what am I doing wrong?
Thanks for your attention!