Blank page coming after migrate spring security 2 To 3 - spring

Url those assigned to access roles not working only blank page coming. Only few urls working those have filter="none".
No error or no exception coming.
Blank page coming after login.
Url like: /indexPage
/test/indexPage
securityContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context" xmlns:p="http://www.springframework.org/schema/p"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:c="http://www.myPro.com/schema/system-config"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd
http://www.myPro.com/schema/system-config http://www.myPro.com/schema/system-config/system-config-1.0.xsd">
<!-- enable method-level security via annotation -->
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="disabled"/>
<!-- secure the web layer -->
<sec:http auto-config="false" entry-point-ref="myAuthenticationEntryPoint" lowercase-comparisons="false">
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
<sec:custom-filter after="FORM_LOGIN_FILTER" ref="rememberMeProcessingFilter"/>
<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnFilter"/>
<sec:custom-filter after="REMEMBER_ME_FILTER" ref="logoutFilter" />
<sec:intercept-url pattern="/login.jsp" filters="none" />
<sec:intercept-url pattern="/**" access="ROLE_USER" />
<sec:intercept-url pattern="/contract/ServiceContractPDFView.jsp" filters="none" />
<sec:intercept-url pattern="/admin/unsubscribe_sbpqm_newsletter.jsp" filters="none" />
<sec:intercept-url pattern="/admin/subscription_form.jsp" filters="none" />
<sec:intercept-url pattern="/admin/subscription_thankyou.jsp" filters="none" />
<sec:intercept-url pattern="/admin/related_analysts.jsp" filters="none" />
<sec:intercept-url pattern="/favicon.ico" filters="none" />
<sec:intercept-url pattern="/styles/**" filters="none" />
<sec:intercept-url pattern="/images/**" filters="none" />
<sec:intercept-url pattern="/qlogin.jsp" filters="none" />
<sec:intercept-url pattern="/qloginWait/**" filters="none" />
<sec:intercept-url pattern="/js/**" filters="none" />
<sec:intercept-url pattern="/scripts/**" filters="none" />
<sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>
</sec:http>
<!--name of my authenticationManager is authenticationManager-->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="myUserDetailsService" />
</sec:authentication-manager>
<bean id="customizedFormLoginFilter" class="com.myPro.test.security.CustomAuthenticationProcessingFilter" >
<!--Authentication failed? take him to error page-->
<!--Here it is the custom authenticationManager, login magic goes here -->
<property name="authenticationManager" ref="myAuthenticationManager"/>
<property name="authenticationFailureHandler" ref="failureHandler"/>
<property name="authenticationSuccessHandler" ref="successHandler"/>
<property name="rememberMeServices" ref="rememberMeServices" />
<property name="allowSessionCreation" value="true" />
</bean>
<bean id="myAuthenticationManager" class="com.myPro.test.security.CustomAuthenticationManager" />
<bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<!--My authentication entry point, can be replaced easily if we are doing custom commence of invalid auths.-->
<bean id="myAuthenticationEntryPoint"
class="com.myPro.test.security.CustomAuthenticationEntryPoint" >
<property name="loginFormUrl" value="/login.jsp"/>
</bean>
<bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/indexCustomer.jsp"/>
</bean>
<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
<!-- Override RememberMeProcessingFilter to allow application of other business logic (update login count when user returns to the site -->
<bean id="rememberMeProcessingFilter" class="com.myPro.test.security.CustomRememberMeProcessingFilter">
<property name="rememberMeServices" ref="rememberMeServices"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="signleSignOnService" class="com.myPro.sage.sso.dynamo.SsoDbStorage">
</bean>
<bean id="singleSignOnFilter"
class="com.myPro.test.spring.SingleSignOnFilter">
<property name="signleSignOnService" ref="signleSignOnService"/>
<!--<property name="authenticationProviderFacade" ref="authenticationProviderFacade"/>-->
<property name="userService" ref="myProUserServiceImpl"/>
<property name="ssoUserUrl">
<value>/sso</value>
</property>
<!-- Code Review Starts -->
<property name="ssoTargetUrl">
<value>/search/ServiceContractSearch.do</value>
</property>
<!-- Code Review Ends -->
<property name="ssoFailureUrl">
<value>/login.jsp</value>
</property>
<property name="order" value="123456"/>
</bean>
<!-- Remember me Authentication Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens -->
<bean id="myUserDetailsService" class="com.myPro.test.security.CustomUserDetailsService" > </bean>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<property name="tokenRepository" ref="jdbcTokenRepository" />
<property name="userDetailsService" ref="myUserDetailsService" />
<property name="key" value="springRocks" />
<property name="alwaysRemember" value="false" />
</bean>
<!-- Uses a database table to maintain a set of persistent login data -->
<bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<property name="createTableOnStartup" value="false" />
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<!-- <sec:custom-authentication-provider/> -->
<property name="key" value="springRocks"/>
</bean>
<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" >
<property name="invalidateHttpSession" value="true" />
</bean>
<bean id="mySecurityContextHandler" class="com.myPro.test.security.CustomSecurityContextLogoutHandler"/>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/" />
<constructor-arg>
<list>
<ref bean="mySecurityContextHandler" />
<ref bean="rememberMeServices" />
<ref bean="securityContextLogoutHandler" />
</list>
</constructor-arg>
</bean>
<bean id="authenticationLoggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<bean id="_sessionFixationProtectionFilter" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true" />
</bean>
</beans>

There are 2 things wrong.
First the order of the url-intercept patterns is important. The order in which they are defined is also the order in which they are consulted! Having a /** makes every url-intercept element after that useless. So a `/** should always come last.
Second in newer Spring Security versions you shouldn't be using the filters="none" anymore. You should create separate <sec:http /> elements for those. See this part of the Spring Security Reference guide.
<sec:http pattern="/login.jsp" security="none" />
<sec:http pattern="/js/**" security="none" />
<sec:http pattern="/scripts/**" security="none" />
<!--- All other patterns here. -->

Related

Spring security 4 not intercepting role assigned Url after login

I have just upgrade spring security from 2 to 4. Some custom filters used for login,remember me and single sign on process.
Two login mechanism used in my application.
First simple form login and second SSO login.
This is my securityContext.xml
<!-- enable method-level security via annotation -->
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="disabled"/>
<!-- secure the web layer -->
<sec:http pattern="/js/**" security="none" />
<sec:http pattern="/scripts/**" security="none" />
<sec:http pattern="/favicon.ico" security="none" />
<sec:http pattern="/styles/**" security="none" />
<sec:http pattern="/images/**" security="none" />
<sec:http pattern="/qlogin.jsp" security="none" />
<sec:http pattern="/qloginWait/**" security="none" />
<sec:http pattern="/contract/ServiceContractPDFView.jsp" security="none" />
<sec:http pattern="/admin/unsubscribe_sbpqm_newsletter.jsp" security="none" />
<sec:http pattern="/admin/subscription_form.jsp" security="none" />
<sec:http pattern="/admin/subscription_thankyou.jsp" security="none" />
<sec:http pattern="/admin/related_analysts.jsp" security="none" />
<sec:http pattern="/login.jsp" security="none" />
<sec:http entry-point-ref="myAuthenticationEntryPoint" use-expressions="true">
<sec:session-management session-fixation-protection="newSession">
</sec:session-management>
<sec:headers>
<sec:frame-options policy="SAMEORIGIN"/>
<sec:content-type-options disabled="true"/>
</sec:headers>
<sec:csrf disabled="true"/>
<sec:custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeProcessingFilter"/>
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnFilter"/>
<sec:custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
<sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>
</sec:http>
<!--name of my authenticationManager is authenticationManager-->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="myUserDetailsService" />
</sec:authentication-manager>
<bean id="customizedFormLoginFilter" class="com.myPro.test.security.CustomAuthenticationProcessingFilter" >
<!--Here it is the custom authenticationManager, login magic goes here -->
<property name="authenticationManager" ref="myAuthenticationManager"/>
<property name="usernameParameter" value="username"/>
<property name="passwordParameter" value="password"/>
<property name="filterProcessesUrl" value="/j_spring_security_check"/>
<property name="rememberMeServices" ref="rememberMeServices" />
<property name="allowSessionCreation" value="true" />
<property name="authenticationFailureHandler" ref="failureHandler"/>
<property name="authenticationSuccessHandler" ref="successHandler"/>
</bean>
<bean id="myAuthenticationManager" class="com.myPro.test.security.CustomAuthenticationManager" />
<bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<!--My authentication entry point, can be replaced easily if we are doing custom commence of invalid auths.-->
<bean id="myAuthenticationEntryPoint"
class="com.myPro.test.security.CustomAuthenticationEntryPoint" >
<constructor-arg value="/login.jsp"/>
</bean>
<bean id="successHandler" class="com.myPro.test.security.CustomSavedRequestAwareAuthenticationSuccessHandler">
<property name="alwaysUseDefaultTargetUrl" value="true"/>
<property name="defaultTargetUrl" value="/indexCustomer.jsp"/>
</bean>
<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
<!-- Override RememberMeProcessingFilter to allow application of other business logic (update login count when user returns to the site -->
<bean id="rememberMeProcessingFilter" class="com.myPro.test.security.CustomRememberMeProcessingFilter">
<constructor-arg ref="authenticationManager"/>
<constructor-arg ref="rememberMeServices"/>
</bean>
<bean id="signleSignOnService" class="com.myPro.sage.sso.dynamo.SsoDbStorage">
</bean>
<bean id="singleSignOnFilter"
class="com.myPro.test.spring.SingleSignOnFilter">
<property name="signleSignOnService" ref="signleSignOnService"/>
<!--<property name="authenticationProviderFacade" ref="authenticationProviderFacade"/>-->
<property name="userService" ref="myProUserServiceImpl"/>
<property name="ssoUserUrl">
<value>/sso</value>
</property>
<!-- Code Review Starts -->
<property name="ssoTargetUrl">
<value>/search/ServiceContractSearch.do</value>
</property>
<!-- Code Review Ends -->
<property name="ssoFailureUrl">
<value>/login.jsp</value>
</property>
<property name="order" value="123456"/>
</bean>
<!-- Remember me Authentication Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens -->
<bean id="myUserDetailsService" class="com.myPro.test.security.CustomUserDetailsService" > </bean>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<constructor-arg value="springRocks"/>
<constructor-arg ref="myUserDetailsService"/>
<constructor-arg ref="jdbcTokenRepository"/>
</bean>
<!-- Uses a database table to maintain a set of persistent login data -->
<bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<property name="createTableOnStartup" value="false" />
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<constructor-arg value="springRocks"/>
</bean>
<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" >
<property name="invalidateHttpSession" value="true" />
</bean>
<bean id="mySecurityContextHandler" class="com.myPro.test.security.CustomSecurityContextLogoutHandler"/>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/login.jsp" />
<constructor-arg>
<list>
<ref bean="mySecurityContextHandler" />
<ref bean="rememberMeServices" />
<ref bean="securityContextLogoutHandler" />
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/j_spring_security_logout" />
</bean>
<bean id="authenticationLoggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<bean id="_sessionFixationProtectionFilter" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true" />
</bean>
changed securityContext.xml according spring Security 4.
if I removed this filter
sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnF
ilter"
from http, application worked fine. All Urls accessible after login.
If I add this line then pattern (/**) not working for me. Blank page will come.
Please help to solve this problem

spring security stop crushed session

I'm using spring security for the first time and when I thought that I finished I met a problem with the spring security sessions. The scenario is when I log in with a first user and after log in with another user in another machine
if I refresh the first user, the details of the second user are displayed.
It's like the session of the 1st user is crushed by the second user and I don't understand why. There is my spring security configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<sec:http auto-config="true" >
<sec:intercept-url pattern="/jsf/home.xhtml"
access="ROLE_ECRITURE, ROLE_LECTURE, ROLE_ADMIN" />
<sec:intercept-url pattern="/jsf/resultTestEligibilite_ADSL.xhtml"
access="ROLE_ECRITURE, ROLE_LECTURE, ROLE_ADMIN" />
<sec:intercept-url pattern="/jsf/resultTestEligibilite_SDSL.xhtml"
access="ROLE_ECRITURE, ROLE_LECTURE, ROLE_ADMIN" />
<sec:intercept-url pattern="/jsf/resultTestEligibilite_SDSLplus.xhtml"
access="ROLE_ECRITURE, ROLE_LECTURE, ROLE_ADMIN" />
<sec:logout invalidate-session="true"
delete-cookies="JSESSIONID"
success-handler-ref="customLogoutSuccessHandler"/>
<sec:form-login login-processing-url="/j_spring_security_check"
login-page="/index.xhtml" default-target-url="/jsf/home.xhtml"
authentication-failure-url="/index.xhtml?error=1" />
<sec:session-management invalid-session-url="/j_spring_security_logout" />
</sec:http>
<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="ignoreResourceNotFound" value="true" />
<property name="ignoreUnresolvablePlaceholders" value="false" />
<property name="systemPropertiesModeName" value="SYSTEM_PROPERTIES_MODE_OVERRIDE" />
<property name="locations">
<list>
<value>
classpath:/jboss.properties
</value>
</list>
</property>
</bean>
<bean id="ldapUserSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="${ldap.user-search-base}" />
<constructor-arg index="1" value="${ldap.user-search-filter}" />
<constructor-arg index="2" ref="contextSource" />
<property name="searchSubtree" value="true" />
</bean>
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="${ldap.url}" />
<property name="userDn" value="${ldap.manager-dn}" />
<property name="password" value="${ldap.manager-password}" />
</bean>
<sec:ldap-server
url="${ldap.url}"
manager-dn="${ldap.manager-dn}"
manager-password="${ldap.manager-password}"
id = "contextSource"
root="${ldap.root}"/>
<sec:ldap-user-service id="ldapUserService"
server-ref="contextSource"
group-search-base="${ldap.group-search-base}"
group-role-attribute="${ldap.group-role-attribute}"
group-search-filter="${ldap.group-search-filter}"
user-search-base="${ldap.user-search-base}"
user-search-filter="${ldap.user-search-filter}" />
<sec:authentication-manager alias="MyManager">
<sec:ldap-authentication-provider
user-search-base="${ldap.user-search-base}"
user-search-filter="${ldap.user-search-filter}"
group-search-base="${ldap.group-search-base}"
group-search-filter="${ldap.group-search-filter}"
role-prefix="${ldap.role-prefix}"
user-context-mapper-ref="customUserDetailsMapper">
<sec:password-compare hash="{sha}" >
<sec:password-encoder ref="passwordEncoder" />
</sec:password-compare>
</sec:ldap-authentication-provider>
</sec:authentication-manager>
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.LdapShaPasswordEncoder" >
<property name="forceLowerCasePrefix" value="true" />
</bean>
<bean id="LdapUserDetailManager"
class="org.springframework.security.ldap.userdetails.LdapUserDetailsManager">
<constructor-arg ref="contextSource" />
<property name="attributesToRetrieve" >
<list>
<value>wsEligXdslFaiUsername</value>
</list>
</property>
</bean>
<bean id="customUserDetailsMapper" class="com.axione.eligibilite.ihm.ldap.impl.CustomUserDetailsContextMapper" />
</beans>`enter code here`
Thank you in advance of your help, cause I really don't know where this problem comes from.

The page is directed to /j_spring_security_check even after entering correct credentials

I'm using Spring Security in my Spring Project. Following is my springSecurityConfiguration.xml File. After I try to log in by using correct credentials, the page redirects to
https://localhost:8443/j_spring_security_check.
Please note that it falls beyond my application which is terror movies. The custom_login page is presented at
https://localhost:8443/terrormovies/custom_login
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http auto-config="true" use-expressions="true">
<security:expression-handler ref="expressionHandler" />
<security:intercept-url pattern="/admin/*"
access="hasIpAddress('127.0.0.1')
and (isAnonymous() ? false : principal.lastname== 'Scarioni') and over18" />
<security:intercept-url pattern="/movies/**/*"
access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/movies/*"
access="hasAnyRole('ROLE_USER','ROLE_VIP')" />
<security:intercept-url pattern="/j_spring_security_switch_user"
access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/j_spring_security_exit_user"
access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/custom_login"
requires-channel="https" />
<security:intercept-url pattern="/j_spring_security_check"
requires-channel="https" />
<security:remember-me key="terror-key" />
<security:logout delete-cookies="JSESSIONID"
success-handler-ref="logoutRedirectToAny" />
<security:custom-filter ref="switchUser"
before="FILTER_SECURITY_INTERCEPTOR" />
<security:form-login login-page="/custom_login"
authentication-failure-handler-ref="serverErrorHandler"
username-parameter="user_param" password-parameter="pass_param" />
<security:session-management>
<security:concurrency-control
max-sessions="1" />
</security:session-management>
</security:http>
<security:authentication-manager>
<security:authentication-provider
user-service-ref="inMemoryUserServiceWithCustomUser" />
</security:authentication-manager>
<bean id="switchUser"
class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<property name="userDetailsService" ref="inMemoryUserServiceWithCustomUser" />
<property name="targetUrl" value="/" />
</bean>
<bean id="expressionHandler"
class="com.apress.pss.terrormovies.security.CustomWebSecurityExpressionHandler" />
<bean id="inMemoryUserServiceWithCustomUser"
class="com.apress.pss.terrormovies.spring.CustomInMemoryUserDetailsManager">
<constructor-arg>
<list>
<bean class="com.apress.pss.terrormovies.model.User">
<constructor-arg value="admin" />
<constructor-arg value="admin" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<constructor-arg value="ROLE_ADMIN" />
</bean>
</list>
</constructor-arg>
<constructor-arg value="Scarioni" />
<constructor-arg value="19" />
</bean>
<bean class="com.apress.pss.terrormovies.model.User">
<constructor-arg value="paco" />
<constructor-arg value="tous" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<constructor-arg value="ROLE_USER" />
</bean>
</list>
</constructor-arg>
<constructor-arg value="Miranda" />
<constructor-arg value="20" />
</bean>
<bean class="com.apress.pss.terrormovies.model.User">
<constructor-arg value="lucas" />
<constructor-arg value="fernandez" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<constructor-arg value="ROLE_VIP" />
</bean>
<bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<constructor-arg value="ROLE_USER" />
</bean>
</list>
</constructor-arg>
<constructor-arg value="Silva" />
<constructor-arg value="20" />
</bean>
</list>
</constructor-arg>
</bean>
<bean id="logoutRedirectToAny"
class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="targetUrlParameter" value="redirectTo" />
</bean>
<bean id="serverErrorHandler"
class="com.apress.pss.terrormovies.security.ServerErrorFailureHandler" /></beans>
In your
<security:form-login>
tags, add the following so that the application knows where to re-direct to upon successful login attempt:
default-target-url="/movies"
check your login-form configuration. i guess there is something like "defaultSuccessUrl" missing...
"Sir, It is working well with other spring security configuration files. – Ankit yesterday"
Ok; do you have a redirect in your welcome file/controller somewhere that points to the login-page?
"Yes Sir. There is a redirect to login"
If i am right this might your problem. Here on my spring application my welcome-file (index.html) is pointing to my dashboard page and not to my login-page. the login page is reached by automatic redirect of the interceptor when the user is not authenticated.

#PreAuthorize does not work on Spring

I implemented spring security 3.2.5 but unfortunately #PreAuthorize does not work on classes and methods. As I read from the documentations, #PreAuthorize should allow methods and classes to work if user has specified role inside the annotation but I am able to run all the methods or classes without any difference of roles. You can see security-config.xml and security.context.xml and my class where I declared #PreAuthorize annotation below. I would be glad if you can help me about this problem.
security-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">
<http pattern="/securityNone" security="none" />
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()" />
<http-basic />
</http>
<global-method-security pre-post-annotations="enabled" />
<authentication-manager>
<authentication-provider>
<user-service>
<user name="alperk" password="123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
security-context.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans /spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<bean id="defaultAuthEventPublisher" class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher"/>
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref bean="authenticationProvider"/>
</list>
</property>
<property name="authenticationEventPublisher" ref="defaultAuthEventPublisher"/>
</bean>
<!-- Authentication service reference -->
<bean id="customUserDetailsService" class="tr.com.sistek.utak.authentication.AuthenticationUserDetailsService"/>
<!-- Authentication yapilirken MD5 password sifreleme kullaniliyor -->
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>
<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="customUserDetailsService"/>
<!--<property name="passwordEncoder" ref="passwordEncoder"/>-->
</bean>
<bean id="authenticationSuccessHandler" class="tr.com.sistek.utak.authentication.CustomAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/faces/private/MainMenu.jsf"/>
</bean>
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<property name="exceptionMappings">
<props>
<prop key="org.springframework.security.authentication.BadCredentialsException">/login-failure.jsf?err=HATALI_PWD</prop>
<prop key="org.springframework.security.authentication.CredentialsExpiredException">/change-password.jsf</prop>
<prop key="org.springframework.security.authentication.LockedException">/login-failure.jsf?err=HESAP_KILITLI</prop>
<prop key="org.springframework.security.authentication.DisabledException">/login-failure.jsf?err=HESAP_PASIF</prop>
</props>
</property>
</bean>
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/error401.jsf"/>
</bean>
<!-- Login Esnasinda Girilen Bilgileri Kontrol Etmek Icin Kullanilmistir -->
<bean id="customPreAuthenticationLoginHandler" class="tr.com.sistek.utak.authentication.CustomPreAuthenticationLoginHandler">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
<property name="filterProcessesUrl" value="/j_security_check" />
<property name="sessionAuthenticationStrategy" ref="sas" />
<property name="postOnly" value="false" />
</bean>
<sec:http pattern="/assets/**" security="none"/>
<sec:http pattern="/images/**" security="none"/>
<sec:http pattern="/resources/**" security="none"/>
<sec:http pattern="/themes/**" security="none"/>
<sec:http pattern="/javax.faces.resource/**" security="none"/>
<sec:global-method-security
pre-post-annotations="enabled"
mode="aspectj"
proxy-target-class="true">
</sec:global-method-security>
<sec:http auto-config="true" use-expressions="true"
authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/dashboard/**" access="isAuthenticated()"/>
<sec:custom-filter before="FORM_LOGIN_FILTER" ref="customPreAuthenticationLoginHandler"/>
<sec:form-login login-page="/login.jsf"
authentication-failure-handler-ref = "authenticationFailureHandler"
default-target-url="/faces/private/MainMenu.jsf"/>
<sec:access-denied-handler ref = "accessDeniedHandler"/>
<sec:logout invalidate-session="true"
logout-success-url="/login.jsf"
logout-url="/logout"/>
<sec:session-management invalid-session-url="/login.jsf" session-authentication-strategy-ref="sas"/>
<sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
</sec:http>
<bean id="jsfRedirectStrategy" class="tr.com.sistek.utak.jsf.filter.JsfRedirectStrategy"/>
<bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
<!-- Authentication logout handler -->
<bean id="customAuthenticationLogoutHandler" class="tr.com.sistek.utak.authentication.CustomAuthenticationLogoutHandler"/>
<!-- ******************************************************************* -->
<!-- Concurrent Session Management Configuration-->
<!-- ******************************************************************* -->
<bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<property name="sessionRegistry" ref="sessionRegistry" />
<property name="expiredUrl" value="/session-expired.jsf" />
<!-- this permits redirection to session timeout page from javascript/ajax or http -->
<property name="redirectStrategy" ref="jsfRedirectStrategy" />
</bean>
<bean id="sas" class= "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<property name="maximumSessions" value="1" />
<!-- <property name="alwaysCreateSession" value="true" />
<property name="exceptionIfMaximumExceeded" value="true" />-->
</bean>
<bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
Bean :
#ManagedBean
#ViewScoped
#PreAuthorize("hasRole('ROLE_ADMIN')")
public class OrderDetView implements Serializable {
......
This is only my first thought:
Your annotations #ManagedBean and #ViewScoped indicate that you use a JSF Framework and maybe your OrderDetView bean ins just a JSF bean but not a Spring bean. But #PreAuthorize works only for Spring beans.

Spring Security LDAP - No UserDetailsService registered

I'm trying to set up the LDAP Spring Security. And I've stucked with some strange exception:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList'
...
No UserDetailsService registered
My security-config.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<sec:global-method-security secured-annotations="enabled"
access-decision-manager-ref="accessDecisionManager" />
<sec:http auto-config="true">
<sec:intercept-url pattern="/css/**" filters="none" />
<sec:intercept-url pattern="/js/**" filters="none" />
<sec:intercept-url pattern="/img/**" filters="none" />
<sec:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" method="POST" />
<sec:intercept-url pattern="/uzivatel/registrace" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="/**" access="ROLE_UZIVATEL" />
<sec:form-login default-target-url="/vlakna" login-page="/login" />
</sec:http>
<bean id="accessDecisionManager" class="org.springframework.security.vote.ConsensusBased">
<property name="decisionVoters">
<list>
<ref bean="rightsAccessDecisionVoter" />
</list>
</property>
</bean>
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://111.111.111.111"/>
<property name="userDn" value="cn=auth-user,ou=System,dc=sh,dc=company,dc=com"/>
<property name="password" value="secret"/>
</bean>
<bean id="ldapAuthProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<sec:custom-authentication-provider/>
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<property name="userSearch">
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="ou=People,dc=sh,dc=company,dc=com"/>
<constructor-arg index="1" value="(uid={0})"/>
<constructor-arg index="2" ref="contextSource" />
</bean>
</property>
<property name="userDnPatterns">
<list><value>uid={0},ou=people</value></list>
</property>
<property name="userAttributes">
<list><value></value></list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="cz.rohan.dusps.services.UzivatelAuthoritiesPopulator" />
</constructor-arg>
</bean>
<bean id="rightsAccessDecisionVoter" class="com.company.RightsAccessDecisionVoter" />
</beans>
I thought that it should take "ldapAuthProvider" as an user details service but it doesn't. Does anybody see any problem in my config?
Thanks for any help,
Mateo
I think...
<bean id="ldapAuthProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<security:custom-authentication-provider />
// MISSING ABOVE
<property name="userDetailsService" ref="ldapUserDetailsService" />
.....

Resources