How to exclude URL in web.xml with # in the url-pattern - web.xml

<!-- Security constraint to require the users to login using Google authentication -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Public Link
I want to exclude this URL with a # in it, but it is not working. The first filter always gets executed. How do I do this?
<!-- Security constraint for public link -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<url-pattern>/#/optout/</url-pattern>
</web-resource-collection>
</security-constraint>

Related

Error creating bean Spring with name while deploying My Application on Wildfly 14

Hi, I am migrating my Spring application from JBoss 6 to WildFly 14.
I'm using Spring version 3.
The application was deployed with no issue on JBoss 6. When I tried to deploy it on WildFly 14 I got this exception:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'applicationSessionListener' defined in "/C:/Produits/LDEV-BACK/wildfly-14.0.1.Final-EXA/bin/content/muses-web.war/WEB-INF/classes/fr/bdf/muses/manager/ApplicationSessionListener.class": Initialization of bean failed; nested exception is java.lang.IllegalStateException: UT010041: The servlet context has already been initialized, you can only call this method from a ServletContainerInitializer or a ServletContextListener:
Is it possible to deploy a Spring 3 application on WildFly 14? If yes, can someone please guide me to resolve this.
Here is my web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<servlet>
<servlet-name>myApp</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<welcome-file-list>
<welcome-file>catalogue-archive.jsp</welcome-file>
</welcome-file-list>
<servlet-mapping>
<servlet-name>myApp</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<error-page>
<error-code>403</error-code>
<location>/erreur/403.jsp</location>
</error-page>
<error-page>
<error-code>405</error-code>
<location>/erreur/405.jsp</location>
</error-page>
<error-page>
<error-code>408</error-code>
<location>/erreur/408.jsp</location>
</error-page>
<error-page>
<location>/erreur/default.jsp</location>
</error-page>
<security-constraint>
<display-name>MYAPP USERS</display-name>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<url-pattern>/css/*</url-pattern>
<url-pattern>/lib/*</url-pattern>
<url-pattern>/img/*</url-pattern>
<url-pattern>/wro/*</url-pattern>
<url-pattern>/erreur/*</url-pattern>
<url-pattern>/login-page.jsp</url-pattern>
<url-pattern>/logout.jsp</url-pattern>
<url-pattern>/auth.html</url-pattern>
<url-pattern>/auth/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>MYAPP USERS</display-name>
<web-resource-collection>
<web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method-omission>OPTIONS</http-method-omission>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>MYAPP admin</display-name>
<web-resource-collection>
<web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
<url-pattern>/admin-MYAPP/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>superviseur</role-name>
<role-name>FU1UA1416</role-name>
<role-name>FU_UA1416</role-name>
<role-name>FU1UA2113</role-name>
<role-name>FU_UA2113</role-name>
<role-name>FU1UA1482</role-name>
<role-name>FU_UA1482</role-name>
<role-name>FU1UA2504</role-name>
<role-name>FU_UA2504</role-name>
<role-name>FU1UA2109</role-name>
<role-name>FU_UA2109</role-name>
<role-name>AU_MYAPP_RSP</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>MYAPP debug</display-name>
<web-resource-collection>
<web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
<url-pattern>/debug-MYAPP/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>superviseur</role-name>
<role-name>FU_UA2109</role-name>
<role-name>FU_UA2113</role-name>
<role-name>FU1UA2113</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>*</role-name>
</security-role>
<security-role>
<role-name>FU1UA2113</role-name>
</security-role>
<security-role>
<role-name>FU1UA1416</role-name>
</security-role>
<security-role>
<role-name>FU_UA2109</role-name>
</security-role>
<security-role>
<role-name>FU1UA2109</role-name>
</security-role>
<security-role>
<role-name>FU_UA2113</role-name>
</security-role>
<security-role>
<role-name>FU_UA1416</role-name>
</security-role>
<security-role>
<role-name>FU1UA1482</role-name>
</security-role>
<security-role>
<role-name>FU_UA1482</role-name>
</security-role>
<security-role>
<role-name>FU1UA2504</role-name>
</security-role>
<security-role>
<role-name>FU_UA2504</role-name>
</security-role>
<security-role>
<role-name>AU_MYAPP_RSP</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ldapm</realm-name>
<form-login-config>
<form-login-page>/loginController.html</form-login-page>
<form-error-page>/erreur/auth.jsp</form-error-page>
</form-login-config>
</login-config>
<mime-mapping>
<extension>woff</extension>
<mime-type>application/font-woff</mime-type>
</mime-mapping>
<mime-mapping>
<extension>tff</extension>
<mime-type>application/font-tff</mime-type>
</mime-mapping>
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter
</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>WebResourceOptimizer</filter-name>
<filter-class>ro.isdc.wro.http.WroFilter</filter-class>
</filter>
<!-- <filter> <filter-name>WebResourceOptimizer</filter-name> <filter-class>ro.isdc.wro.http.WroFilter</filter-class>
<init-param> <param-name>configuration</param-name> <param-value>${muses.wro4j.profile}</param-value>
</init-param> <init-param> <param-name>gzipResources</param-name> <param-value>FALSE</param-value>
</init-param> <init-param> <param-name>cacheUpdatePeriod</param-name> <param-value>60</param-value>
</init-param> <init-param> <param-name>modelUpdatePeriod</param-name> <param-value>600</param-value>
</init-param> <init-param> <param-name>jmxEnabled</param-name> <param-value>false</param-value>
</init-param> <init-param> <param-name>disableCache</param-name> <param-value>true</param-value>
</init-param> </filter> -->
<filter-mapping>
<filter-name>WebResourceOptimizer</filter-name>
<url-pattern>/wro/*</url-pattern>
</filter-mapping>
</web-app>
Here is my myApp-servlet.xml file:
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:jee="http://www.springframework.org/schema/jee"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-3.0.xsd">
<import resource="classpath*:/data-access-config.xml" />
<context:component-scan base-package="fr.sg.myApp"/>
<mvc:resources mapping="/**" location="/" />
<mvc:annotation-driven />
<bean id="sessionListener" class="fr.sg.myApp.manager.ApplicationSessionListener"></bean>
<mvc:interceptors>
<bean class="fr.sg.myApp.manager.CurrentUserInterceptor"></bean>
</mvc:interceptors>
<bean id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
<property name="prefix" value="/"/>
<property name="suffix" value=".jsp"/>
<property name="order" value="0"/>
</bean>
</beans>
And here is my Spring bean:
import java.util.Date;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.stereotype.Component;
import org.springframework.web.context.WebApplicationContext;

@Component
public class ApplicationSessionListener implements HttpSessionListener,
        ApplicationContextAware {

    private static int totalActiveSessions;

    @Autowired
    private ReportService reportService; // project class, not shown in the question

    public static int getTotalActiveSession() {
        return totalActiveSessions;
    }

    @Override
    public void sessionCreated(HttpSessionEvent arg0) {
        totalActiveSessions++;
        HttpSession session = arg0.getSession();
        Date now = new Date(session.getCreationTime());
        reportService.createSession(session.getId(), now);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent arg0) {
        totalActiveSessions--;
        HttpSession session = arg0.getSession();
        Date now = new Date(session.getLastAccessedTime());
        reportService.updateSession(session.getId(), now);
    }

    @Override
    public void setApplicationContext(ApplicationContext applicationContext)
            throws BeansException {
        if (applicationContext instanceof WebApplicationContext) {
            // Registers this bean as a session listener when the bean is created.
            // The UT010041 exception quoted above is raised by this call, because
            // the servlet context has already been initialized at that point.
            ((WebApplicationContext) applicationContext).getServletContext()
                    .addListener(this);
        } else {
            // Either throw an exception or fail gracefully, up to you
            throw new RuntimeException(
                    "Must be inside a web application context");
        }
    }
}

Spring security error while creating bean expected single matching bean but found 2

I am trying to implement Spring Security with my RESTEasy web services in a Spring application. I tried some basic authentication and it works perfectly. As the next step I tried to create custom filters. My security-context.xml is:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- SPRING SECURITY SETUP -->
<beans:bean id="userDao" class="com.cheasyy.cofinding.dao.UserDAO">
</beans:bean>
<beans:bean id="passwordEncoder"
class="org.springframework.security.crypto.password.StandardPasswordEncoder">
<beans:constructor-arg value="ThisIsASecretSoChangeMe" />
</beans:bean>
<security:authentication-manager id="authenticationManager">
<security:authentication-provider
user-service-ref="userDao">
<security:password-encoder ref="passwordEncoder"></security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<security:http realm="Protected API" use-expressions="true"
auto-config="false" create-session="stateless" entry-point-ref="unauthorizedEntryPoint"
authentication-manager-ref="authenticationManager">
<security:custom-filter ref="authenticationTokenProcessingFilter"
position="FORM_LOGIN_FILTER" />
<security:intercept-url pattern="/loginService/authenticate"
access="permitAll" />
<security:intercept-url method="GET"
pattern="/profileService/**" access="hasRole('user')" />
<security:intercept-url method="PUT"
pattern="/profileService/**" access="hasRole('admin')" />
<security:intercept-url method="POST"
pattern="/profileService/**" access="hasRole('admin')" />
<security:intercept-url method="DELETE"
pattern="/profileService/**" access="hasRole('admin')" />
</security:http>
<beans:bean id="unauthorizedEntryPoint"
class="com.cheasyy.cofinding.util.UnauthorizedEntryPoint" />
<beans:bean
class="com.cheasyy.cofinding.util.AuthenticationTokenProcessingFilter"
id="authenticationTokenProcessingFilter">
<beans:constructor-arg ref="userDao" />
</beans:bean>
</beans:beans>
My web.xml is
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- Context Param -->
<context-param>
<param-name>resteasy.servlet.mapping.prefix</param-name>
<param-value>/</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/appServlet/servlet-context.xml
/WEB-INF/spring/appServlet/security-context.xml
</param-value>
</context-param>
<!-- Enables Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/profileService/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
</listener>
<!-- This SpringContextLoader absolutely has to come after the RESTEasy
configuration -->
<listener>
<listener-class>org.jboss.resteasy.plugins.spring.SpringContextLoaderListener</listener-class>
</listener>
<!-- Servlets -->
<servlet>
<servlet-name>Resteasy</servlet-name>
<servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
</servlet>
<servlet>
<servlet-name>SpringMVC</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value> /WEB-INF/spring/appServlet/servlet-context.xml </param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Error pages -->
<error-page>
<error-code>400</error-code>
<location>/400</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/404</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/500</location>
</error-page>
<!-- ALL NEW SERVICE PATHS MUST BE SPECIFIED HERE. WHENEVER A NEW SERVICE
IS INTRODUCED INTO THE API IT MUST BE ADDED INTO THE RESTEASY SERVLET-MAPPING -->
<servlet-mapping>
<servlet-name>Resteasy</servlet-name>
<url-pattern>/deal/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SpringMVC</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
My LoginLogoutServiceImpl is
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Service;

// BaseService, TokenTransfer and TokenUtils are the project's own classes (not shown).
@Service
@Path("/loginService")
public class LoginLogoutServiceImpl extends BaseService {

    @Autowired
    private UserDetailsService userService;

    @Autowired
    @org.springframework.beans.factory.annotation.Qualifier("authenticationManager")
    private AuthenticationManager authManager;

    /**
     * Authenticates a user and creates an authentication token.
     *
     * @param username
     *            The name of the user.
     * @param password
     *            The password of the user.
     * @return A transfer containing the authentication token.
     */
    @Path("authenticate")
    @POST
    @Produces(MediaType.APPLICATION_JSON)
    public TokenTransfer authenticate(@FormParam("username") String username,
            @FormParam("password") String password) {
        UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
                username, password);
        Authentication authentication = this.authManager
                .authenticate(authenticationToken);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        /*
         * Reload user as password of authentication principal will be null
         * after authorization and password is needed for token generation
         */
        UserDetails userDetails = this.userService.loadUserByUsername(username);
        return new TokenTransfer(TokenUtils.createToken(userDetails));
    }
}
When I run the application it gives an error like:
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [org.springframework.security.core.userdetails.UserDetailsService] is defined: expected single matching bean but found 2: [loginLogoutBusinessServiceImpl, userDao]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:800)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:707)
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:478)
... 25 more
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [org.springframework.security.core.userdetails.UserDetailsService] is defined: expected single matching bean but found 2: [loginLogoutBusinessServiceImpl, userDao]
Looking at the error, it seems there are two beans, loginLogoutBusinessServiceImpl and userDao, both implementing the interface UserDetailsService.
Either two different classes (both Spring managed) implement UserDetailsService, or a single class implements it but is configured twice as two different beans with Spring.
So Spring is not able to decide which one needs to be injected.
Use the @Qualifier annotation in LoginLogoutServiceImpl to tell Spring which one needs to be injected.
Ex:
@Autowired
@Qualifier("loginLogoutBusinessServiceImpl") or @Qualifier("userDao")
private UserDetailsService userService;

Java EE container authentication on Jboss using Spring Security

I'm trying to implement client authentication on JBoss EAP 6.2 with Spring Security in order to protect my REST API (with no login page), but I've got stuck.
Trying to send an authentication request with Ajax:
$.ajax({
    type : "POST",
    url : '/client-web/j_security_check',
    data : {
        j_username : user,
        j_password : pass
    }
}).done(function(data) {
    // '<div>' creates a new element; 'div' would select every existing div on the page
    $('div#result').append($('<div>').text('Login ' + user + ' OK'));
}).fail(function(data) {
    console.log(data);
    $('div#result').append($('<div>').text('Login ' + user + ' FAIL'));
});
I received '404 Not Found' as the response. I've also tried to access j_spring_security_check but the result was the same.
Sending a request to one of my /rest/ methods always returned '403 Forbidden', even if I sent the username and password fields in the Ajax request or provided an "Authorization" : "Basic *XXXX*" header.
So now I cannot work out what I should do to authenticate my user against my application, and how to check the authentication on subsequent requests.
I'm new to Spring Security and to security in general, as well as to Java EE technologies, and I spent two whole days trying to make it work, but with no luck. So that's why I'm here asking you guys for help. I would appreciate any useful advice or a link to appropriate resources.
Here are the contents of the configuration files I messed with:
root-context.xml:
<http entry-point-ref="preAuthEntryPoint"
authentication-manager-ref="authenticationManager" auto-config="false"
realm="ApplicationRealm">
<intercept-url pattern="/rest/**" access="ROLE_CUSTOMER" />
<!-- <form-login /> -->
<http-basic />
<logout />
<jee mappable-roles="customer" />
</http>
<beans:bean name="preAuthEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
</beans:bean>
<authentication-manager alias="authenticationManager"
id="authenticationManager">
<sec:authentication-provider
ref="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider" />
</authentication-manager>
<beans:bean
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"
id="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService">
</beans:bean>
</beans:property>
</beans:bean>
web.xml:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>clientServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/clientServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>clientServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>/resources/home.html</welcome-file>
</welcome-file-list>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>All Content</web-resource-name>
<url-pattern>/rest/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE_CUSTOMER</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>ROLE_CUSTOMER</role-name>
</security-role>
jboss-web.xml has only one node: <security-domain>mySecurity</security-domain>
And in the JBoss standalone.xml config file there is a <security-domain>:
<security-domain name="mySecurity" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/myDs"/>
<module-option name="principalsQuery" value="select u.password from users u where u.username=?"/>
<module-option name="rolesQuery" value="select r.name as rolename, 'Roles' as rolegroup from users u inner join users_roles ur on (ur.users_id = u.id) inner join roles r on (ur.roles_id = r.id) where u.username=?"/>
</login-module>
</authentication>
</security-domain>

How to enable jax-rs 2 mvc

I am struggling with Jersey MVC, but nothing works for me in Tomcat 7. I searched Google but I have not found anything that works for me. My JSP pages are placed in the WEB-INF/protected/ directory. This is my code:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<session-config>
<session-timeout>
5
</session-timeout>
</session-config>
<filter>
<filter-name>REST Service</filter-name>
<filter-class>org.glassfish.jersey.servlet.ServletContainer</filter-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>com.onlinebook.servey.services.resources</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.provider.scanning.recursive</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.mvc.templateBasePath.jsp</param-name>
<param-value>/WEB-INF/protected/</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.provider.classnames</param-name>
<param-value>org.glassfish.jersey.server.mvc.jsp.JspMvcFeature</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.tracing</param-name>
<param-value>ALL</param-value>
</init-param>
<init-param>
<param-name>jersey.config.servlet.filter.staticContentRegex</param-name>
<param-value>(/index.jsp)|(/(content|(WEB-INF/jsp))/.*)</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>REST Service</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.jboss.weld.environment.servlet.Listener</listener-class>
</listener>
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/onlineBookDS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<security-constraint>
<display-name>Admin</display-name>
<web-resource-collection>
<web-resource-name>tomcat datasourcerealm administration</web-resource-name>
<description/>
<url-pattern>/protected/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>admin</role-name>
</auth-constraint>
<!-- <user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>-->
</security-constraint>
<security-constraint>
<display-name>User</display-name>
<web-resource-collection>
<web-resource-name>Online Book administration</web-resource-name>
<description/>
<url-pattern>/protected/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>user</role-name>
</auth-constraint>
<!-- <user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>-->
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbc-realm</realm-name>
<form-login-config>
<form-login-page>/signin.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>admin</role-name>
</security-role>
<security-role>
<description/>
<role-name>user</role-name>
</security-role>
<error-page>
<error-code>403</error-code>
<location>/access_denied.jsp</location>
</error-page>
</web-app>
And my REST service:
import java.io.IOException;
import javax.inject.Inject;
import javax.servlet.ServletException;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import org.glassfish.jersey.server.mvc.Viewable;

// AccessCodeBean and UserDataBean are the project's own CDI beans (not shown).
@Path("userdata")
public class UserDataRestService {
    @Inject
    private AccessCodeBean accessCodeBean;
    @Inject
    UserDataBean userDataBean;

    public UserDataRestService() {
    }

    @GET
    public Viewable redirectTo() throws ServletException, IOException {
        // Resolved against jersey.config.server.mvc.templateBasePath.jsp from web.xml
        return new Viewable("accessCodeEntry");
    }
}

Getting Error 403 Forbidden

I am using the Apache Tomcat 8.0.0-RC3 server and the Spring dispatcher servlet. I am getting 403 Forbidden while using the HTTP PUT method, but the HTTP GET method is working properly. I am trying to solve this with a security constraint, but it is giving me a 409 Conflict error because I am using the Spring dispatcher servlet, and it is not working. But it is working perfectly on Tomcat 7. Please help me to get rid of this. This is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.5" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>abc</display-name>
<description>ABC Web application</description>
<!-- Enable escaping of form submission contents -->
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:META-INF/spring/applicationContext*.xml</param-value>
</context-param>
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>HttpMethodFilter</filter-name>
<filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
</filter>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
<filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpMethodFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Handles Spring requests -->
<servlet>
<servlet-name>ABC</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>WEB-INF/spring/webmvc-config.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<persistence-unit-ref>
<persistence-unit-ref-name>persistence/persistenceUnit</persistence-unit-ref-name>
<persistence-unit-name>persistenceUnit</persistence-unit-name>
</persistence-unit-ref>
<servlet-mapping>
<servlet-name>ABC</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>10</session-timeout>
</session-config>
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/uncaughtException</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/resourceNotFound</location>
</error-page>
</web-app>
factory.js
angular.module('cnitch').factory('configFactory', ['$http',
function ($http) {
var urlBase = '/ABC/api/mode';
var urlrootmode = '/ABC/api/mode/host/all/tranx/all';
var configFactory = {};
configFactory.getConfig = function (id) {
return $http.get(urlBase + "/" + id);
};
configFactory.getConfigs = function () {
return $http.get(urlBase);
};
configFactory.getConfignew = function () {
return $http.get(urlrootmode);
};
configFactory.insertConfig = function (configString) {
return $http.post(urlBase, configString);
};
configFactory.updateConfig = function (id, configString) {
return $http.put(urlBase + '/' + id, configString);
};
configFactory.updateConfignew = function (id, configString) {
return $http.put(urlBase, configString);
};
configFactory.deleteConfig = function (id) {
return $http.delete(urlBase + '/' + id);
};
return configFactory;
}
]);
ApplicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans" xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- HTTP security configurations -->
<http auto-config="true" use-expressions="true">
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
<logout logout-url="/resources/j_spring_security_logout" />
<!-- Configure these elements to secure URIs in your application -->
<intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/main/**" access="permitAll" />
<intercept-url pattern="/api/**" access="permitAll" />
<intercept-url pattern="/**" access="permitAll" />
</http>
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<!-- SHA-256 values can be produced using 'echo -n your_desired_password |
sha256sum' (using normal *nix environments) -->
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from users where username=?" authorities-by-username-query="select u.username, ur.authority from users u, user_roles ur where u.user_id = ur.user_id and u.username =? " />
</authentication-provider>
</authentication-manager>
</beans:beans>
You should probably confirm the default web.xml located in $TOMCAT_HOME/conf/web.xml.
Make sure the PUT method is removed from the following:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>TRACE</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
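Two of the threads on this page come down to how a container picks and combines <security-constraint> elements: the opening question (why a url-pattern containing # never excludes anything) and the Tomcat 403 answer just above (an empty <auth-constraint/> on PUT denies it to everyone). The following is an added example, not code from any question or answer here. It models the Servlet specification's url-pattern matching (exact match, then longest path prefix, then extension, then the default pattern) and its constraint-combination rules, then runs them over a constructed web.xml that joins the two situations. The sample web.xml, the URLs and the helper names are assumptions for the demo; features such as deny-uncovered-http-methods and welcome-file handling are deliberately left out.

```python
"""Model how a servlet container selects <security-constraint> elements.

Added example (not from this page's questions or answers). Implements the
Servlet spec url-pattern precedence and constraint combination: an empty
<auth-constraint/> denies everyone, a constraint without <auth-constraint>
permits unauthenticated access, otherwise role names are unioned.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET


def request_path(url):
    """Path as the server sees it: the browser never sends the '#fragment'."""
    return urlsplit(url).path or "/"


def _local(tag):
    """Strip the XML namespace so the javaee and jakartaee namespaces both work."""
    return tag.rsplit("}", 1)[-1]


def parse_constraints(web_xml):
    """Return one dict per <security-constraint> found in a web.xml string."""
    out = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        c = {"patterns": [], "methods": set(), "omitted": set(),
             "roles": None, "confidential": False}
        for el in sc.iter():
            name, text = _local(el.tag), (el.text or "").strip()
            if name == "url-pattern":
                c["patterns"].append(text)
            elif name == "http-method":
                c["methods"].add(text.upper())
            elif name == "http-method-omission":
                c["omitted"].add(text.upper())
            elif name == "auth-constraint":
                c["roles"] = set()          # present; may stay empty (= deny all)
            elif name == "role-name":
                c["roles"].add(text)
            elif name == "transport-guarantee":
                c["confidential"] = text.upper() == "CONFIDENTIAL"
        out.append(c)
    return out


def match_rank(pattern, path):
    """Rank a match so that a higher tuple wins; None means no match."""
    if pattern == path:
        return (3, len(pattern))            # exact match
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]
        if prefix == "" or path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))         # longest path prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                       # extension match
    if pattern == "/":
        return (0, 0)                       # default pattern
    return None


def _covers(c, method):
    """Does this constraint's web-resource-collection apply to the method?"""
    if c["methods"]:
        return method in c["methods"]
    return method not in c["omitted"]


def evaluate(constraints, url, method="GET"):
    """Decide access for one request from the best-matching constraints."""
    path, method = request_path(url), method.upper()
    ranked = []
    for c in constraints:
        ranks = [r for r in (match_rank(p, path) for p in c["patterns"]) if r]
        if ranks:
            ranked.append((max(ranks), c))
    best = max((r for r, _ in ranked), default=None)
    matched = [c for r, c in ranked if r == best and _covers(c, method)]
    tls = any(c["confidential"] for c in matched)
    if any(c["roles"] == set() for c in matched):
        return {"path": path, "access": "denied", "roles": set(), "tls": tls}
    if not matched or any(c["roles"] is None for c in matched):
        return {"path": path, "access": "permit", "roles": set(), "tls": tls}
    roles = set().union(*(c["roles"] for c in matched))
    return {"path": path, "access": "role", "roles": roles, "tls": tls}


# Constructed web.xml for the demo: the '/*' + '*' constraint and the
# '/#/optout/' pattern from the question, plus the empty <auth-constraint/>
# on PUT/DELETE described in the Tomcat 403 answer.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
 <security-constraint>
  <web-resource-collection><web-resource-name>Protected</web-resource-name>
   <url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>Public</web-resource-name>
   <url-pattern>/#/optout/</url-pattern><url-pattern>/css/*</url-pattern></web-resource-collection>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>restricted methods</web-resource-name>
   <url-pattern>/*</url-pattern><http-method>PUT</http-method><http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
 </security-constraint>
</web-app>"""

if __name__ == "__main__":
    constraints = parse_constraints(SAMPLE_WEB_XML)
    for url, method in [("https://app.example/#/optout/", "GET"), ("/css/site.css", "GET"),
                        ("/api/config", "GET"), ("/api/config", "PUT")]:
        print(method, url, "->", evaluate(constraints, url, method))
```

Running it shows the two points concretely: the request for https://app.example/#/optout/ reaches the server as the path /, so only the /* constraint applies and the /#/optout/ pattern is never consulted, while /css/site.css is public because the longer /css/* prefix outranks /*. PUT /api/config is denied outright because the constraint with the empty <auth-constraint/> combines with the /* constraint at the same precedence and overrides it.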
