Load Balancing using apache http and Spring security - spring

I am using apache http,mod-jk and two tomcat servers for load balancing of my application which uses spring security. When application is launched, I get below error
Error code: ERR_TOO_MANY_REDIRECTS
Has anyone seen this issue before?Is there any configuration to get load balancer work.
If I remove spring security from my application, load balancer works fine.
Web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- The definition of the Root Spring Container shared by all Servlets
and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml,/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>oAuth</servlet-name>
<servlet-class>org.springframework.web.context.support.HttpRequestHandlerServlet</servlet-class>
</servlet>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>oAuth</servlet-name>
<url-pattern>/oAuth</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>60</session-timeout>
</session-config>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>/index.html</welcome-file>
</welcome-file-list>
Spring-Security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!--HTTP Interceptors for authentication -->
<http pattern="/templates/**" security="none"></http>
<http pattern="/css/**" security="none"></http>
<http pattern="/js/**" security="none"></http>
<http pattern="/lib/**" security="none"></http>
<http pattern="/lib/css/**" security="none"></http>
<http pattern="/lib/js/**" security="none"></http>
<http pattern="/lib/fonts/**" security="none"></http>
<http pattern="/img/**" security="none"></http>
<http pattern="/rest/**" security="none"></http>
<http pattern="/oAuth" security="none"></http>
<http entry-point-ref="entryPoint"
auto-config="true" use-expressions="true">
<anonymous enabled="false"></anonymous>
<custom-filter ref="oAuthFilter" after="SECURITY_CONTEXT_FILTER"></custom-filter>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"></intercept-url>
</http>
<authentication-manager alias="upmAuthenticationManager"></authentication-manager>
<beans:bean id="entryPoint" class="auth.EntryPoint">
<beans:constructor-arg value="/index.html"></beans:constructor-arg>
</beans:bean>
<beans:bean id="oAuthEnd" name="auth.oAuthEnd"
class="oAuth.OAuthServlet">
<beans:property name="oAuthFilter" ref="oAuthFilter"></beans:property>
</beans:bean>
<beans:bean id="oAuthFilter" class="auth.filter">
<beans:property name="id"
value=""></beans:property>
<beans:property name="secret"
value=""></beans:property>
<beans:property name="url"
value=""></beans:property>
</beans:bean>
mod-jk configuration
worker.server1.port=8009
worker.server1.host=localhost
worker.server1.type=ajp13
worker.server2.port=9009
worker.server2.host=localhost
worker.server2.type=ajp13
worker.server1.lbfactor=1
worker.server2.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=server1,server2
worker.status.type=status
<VirtualHost *:80>
JkMount /status status
JkMount /* loadbalancer
ServerAdmin webmaster#localhost
DocumentRoot /data/www/
<location />
Require all granted
</location>
ErrorLog ${APACHE_LOG_DIR}/www_error.log
CustomLog ${APACHE_LOG_DIR}/www_access.log combined
</VirtualHost>


Apache httpd and mod_jk don't make the trouble I'm afraid.
Hard to say without seeing your config, but I bet that your Spring security config has configured a login page that is secured, so it's allways redirecting to a page you cannot reach.
Could you post your web.xml and security config? And maybe the mod_jk mappings to Tomcat would be helpfull too.
EDIT:
I think that setting sticky_session to true could solve the problem. Try adding this to your mod_jk config:
worker.loadbalancer.sticky_session=1
EDIT2: Setting jvmRoute property to values configured in worker.loadbalancer.members solved the problem.
What was happening is that mod_jk uses the value which comes as a suffix in the session cookie to check it against the loadbalancer member names to find out on which has the client the session opened. As the jvmRoute had no value, the JSESSIONID had no suffix so the mod_jk did not know which worker to send the request, so the balancer chooses one worker according to the lbfactor.
As this value is configured with same value to both workers, each incoming request was redirected to the worker that was not chosen in the previous request, so there was no chance to reach the login form neither perform the login (or whatever login mechanism is being used).

Related

GWT & Spring Security: org.springframework.beans.factory.NoSuchBeanDefinitionException

I'm following this tutorial to secure my GWT application with Spring Security.
However, putting
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/app</url-pattern>
</filter-mapping>
<!-- END FILTERS -->
<!-- BEGIN Listeners -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- END Listeners -->
<context-param>
<param-name>
contextConfigLocation
</param-name>
<param-value>
classpath:/**/spring-config.xml
</param-value>
</context-param>
into my web.xml file results in an org.springframework.beans.factory.NoSuchBeanDefinitionException exception. Stack trace:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:660)
at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1157)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:280)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:198)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:962)
at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:324)
at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:235)
at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:199)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
...
I don't understand why I'm getting this exception - what am I missing?

DelegatingFilterProxy is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context. In this case, the bean is named “springSecurityFilterChain”, which is an internal infrastructure bean created by the namespace to handle web security. Note that you should not use this bean name yourself. Once you've added this to your web.xml, you're ready to start editing your application context file. Web security services are configured using the element.
You should check your spring configuration, dependencies...
Also here is good example of simple Spring security
http://www.mkyong.com/spring-security/spring-security-hello-world-example/

Have you defined context-param in your web.xml? for e.g,
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath*:/META-INF/spring/applicationContext-security.xml
classpath*:/META-INF/spring/applicationContext.xml
classpath*:/META-INF/spring/applicationContext-gwt-dispatch.xml
</param-value>
</context-param>
And in your Spring application context, you have to declare a Spring beans XML file "applicationContext-security.xml" in this case as below,
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<context:property-placeholder location="classpath*:/META-INF/spring/gwtsecurity.properties" />
<security:user-service id="userService">
<security:user name="user" password="user" authorities="ROLE_USER" />
<security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
...
<alias name="filterChainProxy" alias="springSecurityFilterChain" />
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain
filters="securityContextFilter, logoutFilter, formLoginFilter, requestCacheFilter,
servletApiFilter, rememberMeFilter, anonFilter, sessionMgmtFilter, exceptionTranslator, filterSecurityInterceptor"
pattern="/**" />
</security:filter-chain-map>
</bean>
<bean
...
</bean>
...
</beans>
Ref: https://github.com/dmartinpro/gwt-security/tree/master/gwt-security-sample

Spring 4 websocket + Tomcat 7.54 async-supported not working

I am creating a sample chat application using the Spring websockets and stomp.js , I am using the tomcat 7.54 but while runing the application I am gettting a async-supported error when browser is making xhr request.
Server info: Apache Tomcat/7.0.54
Servlet version: 3.0
JSP version: 2.2
Java version: 1.7.0_25
Web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<servlet>
<async-supported>true</async-supported>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
dispatcher-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:websocket="http://www.springframework.org/schema/websocket"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
http://www.springframework.org/schema/websocket http://www.springframework.org/schema/websocket/spring-websocket-4.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd">
<bean class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping"/>
<bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<props>
<prop key="index.htm">indexController</prop>
</props>
</property>
</bean>
<context:component-scan base-package="hello" />
<websocket:message-broker application-destination-prefix="/app">
<websocket:stomp-endpoint path="/hello">
<websocket:sockjs/>
</websocket:stomp-endpoint>
<websocket:simple-broker prefix="/topic"/>
</websocket:message-broker>
<bean id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:prefix="/WEB-INF/jsp/"
p:suffix=".jsp" />
<bean name="indexController"
class="org.springframework.web.servlet.mvc.ParameterizableViewController"
p:viewName="index" />
</beans>
ERROR
java.lang.IllegalArgumentException: Async support must be enabled on a servlet and for all filters involved in async request processing. This is done in Java code using the Servlet API or by adding "<async-supported>true</async-supported>" to servlet and filter declarations in web.xml. Also you must use a Servlet 3.0+ container
at org.springframework.util.Assert.isTrue(Assert.java:65)

I guess you don't show entire web.xml.
<async-supported>true</async-supported> should be configured for <filter>, too.
UPDATE
Well, your issue is very simple:
<servlet-name>dispatcher</servlet-name>
<url-pattern>/*</url-pattern>
You really should map for all requests, not only the root.

The <async-supported>true</async-supported> should be included in both the
servlet and filter tags. Use the following snippet as reference:
<web-app ...>
...
<servlet>
<servlet-name>instantaction</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:META-INF/spring/web/my-servlet-config.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<async-supported>true</async-supported>
</servlet>
<servlet-mapping>
...
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>

Add the below in nginx.conf file if you are using the reverse proxy.
# For WebSocket upgrade header
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

Try upgrade you jdk and tomcat version. I encountered this problem also, I upgrade jdk from 1.7 to 1.8, upgrade tomcat form 7.0.54 to 7.0.75, and resolved this problem.

Make sure no other injected component disables async support.
DETAILS
I learned that Spring comes with asynchronous support by default.
And (remotely related) sync logging configuration may disable async handling for entire service.
Specifically, my logback integration was missing IMPORTANT line:
public EmbeddedServletContainerCustomizer containerCustomizer(
final String logbackAccessClasspathConfig
) {
return container -> {
if (container instanceof TomcatEmbeddedServletContainerFactory) {
((TomcatEmbeddedServletContainerFactory) container)
.addContextCustomizers(context -> {
LogbackValve logbackValve = new LogbackValve();
logbackValve.setFilename(logbackAccessClasspathConfig);
// IMPORTANT:
logbackValve.setAsyncSupported(true);
context.getPipeline().addValve(logbackValve);
}
);
}
};
}
Thanks to other answer:
LogbackValve is configured for synchronous processing by default
disable the bean that was injecting LogbackAccess
set the asyncSupported="true" attribute where you configure the valve

I was having the same issue with SpringBoot app and for me, it started working
1) after adding asyncSupported to the filter like #WebFilter(urlPatterns="/api-acess/*",asyncSupported = true )
2) added sameOrigin() support to WebSecurityConfigurerAdapter extended class like http.headers().frameOptions().sameOrigin();
I hope it will help someone else.

Picking up Tomcat's Context.xml parameters via SpEL

Deploying war to Apache Tomcat 8 the following way.
Placing myApp.xml under $CATALINA_HOME/conf/[enginename]/[hostname]/
with the following contents:
<Context>
<Parameter name="myApp_configs" value="file:/the/path/to/configs/folder"
type="java.lang.String" override="false"/>
</Context>
B.t.w. I do not place any kind of Context.xml into war.
Then copying myApp.war to $CATALINA_HOME/webapps
This is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>service</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>WEB-INF/beans.xml</param-value>
</context-param>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<servlet>
<servlet-name>CXFServlet</servlet-name>
<display-name>CXF Servlet</display-name>
<servlet-class>
org.apache.cxf.transport.servlet.CXFServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
And this way I try loading properties-file in beans.xml (referenced in web.xml above).
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxrs="http://cxf.apache.org/jaxrs"
xmlns:context="http://www.springframework.org/schema/context" xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd">
<!-- Imported resources for cxf -->
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-jaxrs-binding.xml" />
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<bean class="org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor"/>
<!--context:property-placeholder
location="#{contextParameters['myApp_configs']}/myApp.properties"/-->
<bean id="configurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location"
value="#{contextParameters['myApp_configs']}/myApp.properties"/>
</bean>
...other lines follow here...
</beans>
However I am getting following error upon beans loading:
Field or property 'contextParameters' cannot be found on object of type 'org.springframework.beans.factory.config.BeanExpressionContext'
Could you help me understand the error and propose a fix so that I can access Context-defined parameters?
P.S. I have not put here, but I also have some <Environment>-nodes in Context, and they are successfully accessible via JNDI in other places.

So as we were not able to solve the root cause - why contextParameters bean is not available, the following workaround (using ol' syntax) took place:
<bean id="myConfigsLocation"
class="org.springframework.web.context.support.ServletContextParameterFactoryBean">
<property name="initParamName" value="myApp_configs" />
</bean>
<context:property-placeholder
location="#{myConfigsLocation}/myApp.properties" />
And it worked successfully.

Vaadin 7.1 + Spring-Security Integration running in Tomcat Server

Im new on vaadin and spring security, I want to know if anyone had a complete project example of the vaadin 7.1 + spring-security integration running in a tomcat server (not in jetty).

Vaadin 7 easy integrate with Spring Security. You should configure only 2 files. First - web.xml and second one spring-security.xml (user credentials and security settings). This is small example how to use base form for authentification.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>Vaadin7SpringSecurity</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- filter declaration for Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config='true'>
<intercept-url pattern="/*" access="ROLE_USER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
For more details, how to extend spring-security.xml configuration you can use Spring resources.

You should have a look on this GitHub project. This is a Vaadin 7.1 + Spring 3.1.2.RELEASE + Spring-Vaadin integration 2.0.1 project. There is also a Jetty plugin inside, but you can run/deploy it also in tomcat without problems.

Here is a little project that integrates Vaadin and Spring Security. It's done in Scala, but obviously works in Java as well. Code is here.

For referring the above example by using the latest spring-security, I encountered the following errors and provide my soultions:
Error1
Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema or spring-security-3.2.xsd schema with Spring Security 4.0. Please update your schema declarations to the 4.0 schema.
You should check your spring-* version and update the header tag of spring-security.xml.
For example: I use spring-beans-4.1.6.RELEASE and
spring-security-4.0.2.RELEASE. So I update it as:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
Error2
HTTP Status 500 - Failed to evaluate expression 'ROLE_USER'
...
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Property or field 'ROLE_USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public?
...
According to hints of this resource, you should revise intercept-url tag as following:
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
Error3
HTTP Status 403 - Expected CSRF token not found. Has your session expired?
That's because spring-security enables CSRF protection by default which conflicts with Vaadin. You should add a new tag inside http :
<csrf disabled="true" />
Here's my complete spring-security.xml for reference:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http auto-config='true'>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<csrf disabled="true" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="yourUsername" password="yourPassoword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>

getting exception: No bean named 'springSecurityFilterChain' is defined

I am learning spring security from reference material. release 3.1.2.RELEASE. As stated in that I have configured security:http tag like this
security-context.xml
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:*-context.xml</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>security</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>security</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
security-servlet.xml
<context:component-scan base-package="com.pokuri.security.mvc.controllers"/>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
<property name="prefix" value="/WEB-INF/page/"/>
<property name="suffix" value=".jsp"/>
</bean>
But I am getting this exception when I start the application. If I remove security configuration my spring web application working fine. I went through the same kind of questions in stackoverflow. But no luck.

I think that the reason of your problem can be in that your xml configuration file for spring security isn't loaded when you start your web app.
To fix this you should specify all your XML config files in web.xml like that:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml, /WEB-INF/applicationContext.xml</param-value>
</context-param>
If you have your config files in classpath (not WEB-INF folder or it's subfolders) then you can specify list of config files in such way;
...
<param-value>
classpath:applicationContext.xml,
classpath:spitter-security.xml
</param-value>
...
And also you need to add special listener that will load your config files:
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>

I just added the bean definition in applicationContext.xml as Spring asked:
<bean id="springSecurityFilterChain" class="org.springframework.web.filter.DelegatingFilterProxy"/>

add this your web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/root-context.xml, /WEB-INF/spring-security.xml</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- filter declaration for Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

In case it helps anyone, I had renamed one of my packages but Eclipse doesn't auto-update your #ComponentScan paths, so make sure you change that too:
#ComponentScan(basePackages = "com.package.spring")

As of Spring Security 5.2.1-SNAPSHOT, this error occurred to me when I hadn't declared the <http/> element in security XML configuration.
I was trying a sample and I had configuration like
<b:beans xmlns="http://www.springframework.org/schema/security" xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
<user-service>
<user name="user" password="{noop}password" authorities="ROLE_USER" />
</user-service>
</b:beans>
I had to change it to add <http/> like below.
<b:beans xmlns="http://www.springframework.org/schema/security" xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
<http />
<user-service>
<user name="user" password="{noop}password" authorities="ROLE_USER" />
</user-service>
</b:beans>

For those who learning spring without xml may be this helps.
I faced the same exception when learning the spring without xml.
Found that i have register the spring security filter by extending the class AbstractSecurityWebApplicationInitializer but did not configure the spring security.
To configure the spring security i added below code and it works.
#Configuration
#EnableWebSecurity
public class SpringSecurityConfigInitializer extends
WebSecurityConfigurerAdapter {
#Override
protected void configure(AuthenticationManagerBuilder auth) throws
Exception {
UserBuilder users = User.withDefaultPasswordEncoder();
auth.inMemoryAuthentication().withUser(users.username("test").
password("test123").roles("EMPLOYEE"));
}
}
Above is just sample for my case but the exception was due to the missing configuration.

Resources