ignored declarative Security in IBM WebShere application server - spring

I have a spring MVC rest application that is deployed as a war file to IBM WebSphere application server v 8.5, i want to secure some of the rest api in this application, hence, i used the application web.xml and declare the security role i want, then i enabled the application security from the WAS console, but for some reason my security roles are ignored and i can access all rest API that are supposed to be secured, any help is appreciated.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>LBS_System</web-resource-name>
<url-pattern>/LBS/*</url-pattern>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>defaultWIMFileBasedRealm</realm-name>
</login-config>
<security-role>
<role-name>Administrators</role-name>
</security-role>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<resource-ref>
<res-ref-name>jdbc/MoictDB</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
</resource-ref>
<persistence-unit-ref>
<persistence-unit-ref-name>persistence/MoICTAppUnit</persistence-unit-ref-name>
<persistence-unit-name>MoICTAppUnit</persistence-unit-name>
</persistence-unit-ref>
</web-app>

You should not include your context-root (LBS in your case) in the url-pattern. It is relative to your application context-root. The /* pattern protects all urls, but only in your application, not others. So if you just want to protect for example rest api, it is usually mapped to some sub path e.g. /LBS/rest/something, in that case you would put /rest/* in the pattern.
You should not include context-root in any mappings and url patterns in the web.xml, especially that application might be deployed under different context-root and in that case it would be broken.

Related

My welcome-file is returning an empty page in Open Liberty

On Open Liberty 21.0.0.6., instead of presenting my welcome JSF page, my browser returns empty content when I point it to http://<host>:<port>/<ctxRoot>,
web.xml
<web-app id="WebApp_ID" version="4.0"
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd">
<display-name>MyJSF</display-name>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
</web-app>
and a feature set of:
server.xml
<server>
<featureManager>
<feature>jaxrs-2.1</feature>
<feature>cdi-2.0</feature>
<feature>jpa-2.2</feature>
<feature>jdbc-4.3</feature>
<feature>jsf-2.3</feature>
<feature>mpHealth-3.0</feature>
</featureManager>
ADDITIONAL INFO
I also have some other stuff in my app like JPA and JAX-RS.
ROOT CAUSE - JAX-RS application with "/" application path
In my case the problem is that I had a JAX-RS Application configured to use: #ApplicationPath("/") which was colliding with my goal of having the "/" application path serve up the welcome-file.
SOLUTION
Move the JAX-RS app to its own path within the WAR, e.g:
import javax.ws.rs.core.Application;
#ApplicationPath("/api")
public class TestApp extends Application { }
THOUGHTS
This was easy to stumble into by taking an existing simple JAX-RS app using "/" as the app path, and then adding JSF to it. Then I thought I was having trouble with the JSF implementation.

Spring OAuth2 resource classes not getting called

In reference to the below questions asked on StackOverflow, I have included a class
annotated with #Configuration, #EnableResourceServer and #EnableWebSecurity.
The code is building fine but the control is not going in this class which have been annotated the aforementioned way.
Do I need resource server with Spring Security OAuth2?
I checked that Security filters were disabled in my web.xml. Now, I have enabled them. Even though I am not getting the intended result when I hit my request, I think the initial issue is fixed.
That issue got solved but now I am facing another issue:
HTTP Status 500 - Failed to evaluate expression 'ROLE_USER'
root cause: org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'ROLE_USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public?
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>hk-pensions</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:META-INF/spring/*.xml</param-value>
</context-param>
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/dispatcher-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Jetty CORS works fine on Heroku with cometd but fails when cometd returns

I am running a Java app with Jetty-Runner on Heroku (let's call it Website A)
Then I have a Web app running on Website B, connecting to A using Cometd.
Comet connection stays open for 30 seconds and then it returns if no data is received from the server.
I have setup CORS parameters on Jetty's web.xml so that B accesses A with no problem.
Now the problem: if the comet's 30 seconds finishes and the server does not return anything, then the browser throws this error:
XMLHttpRequest cannot load [Website A]/cometd.
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin '[Website B]' is therefore not allowed access.
I am running the same Java Application using Embedded Jetty on another Website (Website C) with the same CORS settings and everything works fine. In particular, when comet connection returns after 30 seconds, the response has all the headers including the 'Access-Control-Allow-Origin'. But, on Website A, after comet returns, the response do not have the headers.
So, to me, the problem is caused by Jetty-Runner not returning a response after 30 seconds, versus embedded jetty returning the response with correct headers.
My web.xml content:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>[Website B]</param-value>
</init-param>
<init-param>
<param-name>allowedMethods</param-name>
<param-value>GET,POST,DELETE,PUT,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>allowedHeaders</param-name>
<param-value>origin, content-type, cache-control, accept</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>cross-origin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>cometd</servlet-name>
<servlet-class>org.cometd.server.CometdServlet</servlet-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>timeout</param-name>
<param-value>30000</param-value>
</init-param>
<init-param>
<param-name>jsonDebug</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<!--
To use async-supported in a servlet 3.0 compliant container,
uncomment the following tag:
<async-supported>true</async-supported>
and change the web-app tag of this document to:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
-->
</servlet>
<servlet-mapping>
<servlet-name>cometd</servlet-name>
<url-pattern>/cometd/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>admin</servlet-name>
<servlet-class>org.coweb.servlet.AdminServlet</servlet-class>
<load-on-startup>2</load-on-startup>
<init-param>
<param-name>ConfigURI</param-name>
<param-value>/WEB-INF/cowebConfig.json</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>admin</servlet-name>
<url-pattern>/admin/*</url-pattern>
</servlet-mapping>
</web-app>
Any idea how to fix this probem?
If A does not send the Access-Control-Allow-Origin header for B but it does for C, perhaps your CORS configuration is wrong ?
You did not specify how you have configured CORS on A (are you using Jetty's CrossOriginFilter ?).
I see no reason why Jetty Runner (which is just a Jetty embedded that deploys your war) should mess with the CORS configuration of a web application ?

#Autowired does not work Spring 3

I looked all around to find a solution and couldn't find.
I am using Tomcat, Spring 3 with the jars:
org.springframework.aop-3.0.5.RELEASE.jar
org.springframework.asm-3.0.5.RELEASE.jar
org.springframework.beans-3.0.5.RELEASE.jar
org.springframework.context-3.0.5.RELEASE.jar
org.springframework.core-3.0.5.RELEASE.jar
org.springframework.expression-3.0.5.RELEASE.jar
org.springframework.jdbc-3.0.5.RELEASE.jar
org.springframework.orm-3.0.5.RELEASE.jar
org.springframework.test-3.0.5.RELEASE.jar
org.springframework.transaction-3.0.5.RELEASE.jar
org.springframework.web-3.0.5.RELEASE.jar
and my code is like this:
public class EmailResource {
#Autowired
EmailManager emailManager;
}
in applicationContext I have:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<bean
class="org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor" />
<bean id="emailManager" class="com.mycompany.manager.impl.EmailManagerImpl" />
<context:component-scan base-package="com.mycompany.component" />
and the web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:/applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>
However, the emailManager is always null! What am I missing?
EDITED
The EmailResource is jersey servlet for rest calls and is defined like this:
<servlet>
<servlet-name>Jersey Web Application</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.mycompany.resource</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Jersey Web Application</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
You need to use a Jersey/Spring connecter to get Jersey to recognize your Spring context on startup.
Replace:
<servlet>
<servlet-name>Jersey Web Application</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.mycompany.resource</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
With:
<servlet>
<servlet-name>Jersey Web Application</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
<init-param>
....
</init-param>
</servlet>
You'll also need the jersey-spring dependency:
<dependency>
<groupId>com.sun.jersey.contribs</groupId>
<artifactId>jersey-spring</artifactId>
<version>${jersey.version}</version>
</dependency>
The problem is that the Jersey servlet is specified in web.xml as a servlet and thus is not under control of Spring. Spring can't wire the dependencies.
I don't know much about Jersey, but I found this article that is maybe useful to you.
Further, you've to consider EmailManager is an instance variable of a Servlet, and you declared it as Spring Singleton (the default):
<bean id="emailManager" class="com.mycompany.manager.impl.EmailManagerImpl" />
Thus emailManager should not have any state or it will be non-thread safe.
To explain the problem: suppose that emailManager contains a state, such as a destination address, a subject and a message body. Since is defined as a Singleton, there is only one instance for the whole application. If the servlet is called at the same time by two different people, it could happen that the first process inserts the subject and that same subject is rewritten by the second process before the first was able to send the email. So the data of the two emails will be mixed.
Alternatively it can be defined with scope request, so each request will have a different instance.

RESTEasy Asynchronous HTTP with Spring MVC

Is there any handy way to use RESTEasy Asynchronous HTTP support (in my case on Tomcat 6) in conjunction with the Spring MVC framework. I've found useful articles on using RESTEasy with Spring, but none that cover asynchronous support, which appears to be a bit of a thorn at present, due to requring a different Servlet class depending on the container (Tomcat6CometDispatcherServlet for Tomcat, for example).
Thanks,
FB
I have created a sample app using Comet, Bayeux, Java, Maven and a Raphael JS frontend and wrote a blog post about it, you can use it as a base for your app, just wrapping the current service code in REST.
http://geeks.aretotally.in/thinking-in-reverse-not-taking-orders-from-yo
Hopefully it will help you.
For anybody interested, I ended up having to use the Tomcat6CometDispatcherServlet in preference to the Spring DispatcherServlet to get my application working.
I still have the Spring ContextLoaderListener in place to create the various beans within my Application Context, but have to use less than ideal means of accessing these from within my Controller classes, which are now JAX-RS annotated rather than Spring MVC annotated. (There are various articles a quick Google will uncover on accessing the Spring context programmatically.)
Here's a cleaned up version of my web.xml (nothing earth-shattering, but perhaps it will have some useful hints for somebody!):
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>myapp</display-name>
<description>My App</description>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>classpath:log4j.properties</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>myapp.root</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<context-param>
<param-name>resteasy.scan</param-name>
<param-value>true</param-value>
</context-param>
<filter>
<filter-name>TrustedIPFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>TrustedIPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>PollServlet</servlet-name>
<servlet-class>org.jboss.resteasy.plugins.server.servlet.Tomcat6CometDispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>PollServlet</servlet-name>
<url-pattern>/poll/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/WEB-INF/jsp/uncaughtException.jsp</location>
</error-page>
</web-app>

Resources