My application is having embedded jetty integrated with spring security for authentication and authorization. Authentication and authorization works fine for REST api calls to the application, but method authorization using #PreAuthorize is not working.
My spring-security.xml file has <global-method-security pre-post-annotations="enabled" />
After some search I found that it is recommended to move global-method-security to servlet-context.xml under application context, but I cannot do it because we are not using "org.springframework.web.servlet.DispatcherServlet". We are already using "org.glassfish.jersey.servlet.ServletContainer" as dispatcher.
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:c="http://www.springframework.org/schema/c"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security pre-post-annotations="enabled" />
<http realm="Protected API" use-expressions="true"
create-session="stateless"
entry-point-ref="unauthorizedEntryPoint"
authentication-manager-ref="edbAuthenticationManager">
<custom-filter ref="edbAuthenticationFilter" position="FORM_LOGIN_FILTER"/>
<intercept-url pattern="/api/*/login" access="authenticated"/>
<intercept-url pattern="/api/*/clusters/*/datasupport/**" access="hasRole('data-scientist')"/>
<intercept-url pattern="/api/*/clusters/*/job/**" access="hasRole('data-scientist')"/>
<intercept-url pattern="/api/*/clusters/*/task/**" access="hasRole('data-scientist')"/>
<intercept-url pattern="/api/*/clusters/**" access="hasRole('cluster-admin')"/>
<http-basic />
</http>
<beans:bean id="unauthorizedEntryPoint" class="edbServer.server.security.EntryPoint"/>
<beans:bean id="userDetailService" class="edbServer.server.security.UserDetailsServiceImp"/>
<beans:bean name="bcryptEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<authentication-manager id="edbAuthenticationManager">
<authentication-provider user-service-ref="userDetailService">
<password-encoder ref="bcryptEncoder"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="tokenManager" class="edbServer.server.security.TokenManager"/>
<beans:bean id="authenticationService" class="edbServer.server.security.EDBAuthenticationService"
c:authenticationManager-ref="edbAuthenticationManager" c:tokenManager-ref="tokenManager" c:inactivityTimeoutSeconds="1800" />
<beans:bean id="edbAuthenticationFilter" class="edbServer.server.security.EDBTokenAuthenticationFilter"
c:authenticationService-ref="authenticationService" c:loginLink="/api/v1/login" c:logoutLink="/api/v1/logout"/>
</beans:beans>
Relevant code to initialize jetty server
String SPRING_CONTEXT_LOCATION = "classpath:/webapp/WEB-INF/spring-security.xml";
ClassPathXmlApplicationContext parentSpringAppContext = new ClassPathXmlApplicationContext(contextLocations);
parentSpringAppContext.refresh();
ClassPathXmlApplicationContext springAppContext = new ClassPathXmlApplicationContext(
parentSpringAppContext);
springAppContext.refresh();
ServletContextHandler contextHandler = new ServletContextHandler(ServletContextHandler.SECURITY
| ServletContextHandler.SESSIONS);
contextHandler.setContextPath(CONTEXT_PATH);
GenericWebApplicationContext springWebAppContext = new GenericWebApplicationContext();
springWebAppContext.setServletContext(contextHandler.getServletContext());
springWebAppContext.setParent(springAppContext);
contextHandler.getServletContext().setAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
springWebAppContext);
DelegatingFilterProxy springSecurityFilter = new DelegatingFilterProxy();
springSecurityFilter.setTargetBeanName("springSecurityFilterChain");
contextHandler.addFilter(new FilterHolder(springSecurityFilter), "/api/*", EnumSet.of(DispatcherType.REQUEST));
ServletHolder sh = new ServletHolder(ServletContainer.class);
sh.setInitParameter("org.glassfish.jersey.server.ResourceConfig", "JacksonFeature.class");
sh.setInitParameter("jersey.config.server.provider.packages", "edbServer.server.api.services;");
sh.setInitParameter("com.sun.jersey.api.json.POJOMappingFeature", "true");
contextHandler.addServlet(sh, "/api/v1/*");
HandlerList handlerList = new HandlerList();
handlerList.addHandler(contextHandler);
server.setHandler(handlerList);
springAppContext.start();
server.start();
how can I set global-method-security in app context here?
Thanks,
Saurabh
Related
In my application i want to have separate spring security implementation based on url patterns.
Eg. /rest/ ** will have its own authentication provider(basic auth) and
/web/ ** will have its own authentication provider(form login).
please find below configuration i have done
<?xml version="1.0"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- config for rest services using basic auth-->
<http pattern="/rest/**">
<intercept-url pattern="/MyAppRestServices" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<http-basic />
</http>
<!-- AUTHENTICATION MANAGER FOR CUSTOM AUTHENTICATION PROVIDER -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>
<!-- config for web using form login-->
<http pattern="/web/**">
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<form-login/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="nimda" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
In above config first config is working fine ie restservice with basic auth but web with form login config is not working. its not even intercepting the url ?
Please let me know whats wrong with above config ?
Kindly refer below working configuration for web authentication::
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http pattern="/css/**" security="none" />
<http pattern="/images/**" security="none" />
<http pattern="/js/**" security="none" />
<http auto-config="false" authentication-manager-ref="dev" use-expressions="true" disable-url-rewriting="true">
<intercept-url pattern="/admin/login" access="permitAll" />
<intercept-url pattern="/admin/*" access="isAuthenticated()" />
<form-login
login-page="/admin/login"
default-target-url="/admin/workbench"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/admin/login"
/>
<logout logout-success-url="/admin/login" logout-url="/j_spring_security_logout" invalidate-session="true" delete-cookies="JSESSIONID" />
</http>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<!-- STATIC USER -->
<authentication-manager id="dev" alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="abc" password="pwd" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
I am trying to secure my REST web services at the url /dispatcher/rest/**
My current design works fine if accessing the web service through browser - when I try to go to the REST url it redirects me to a login page to enter credentials, then redirects me to the web service data once logged in.
The problem is that when I try to access the web service through java code using RestTemplate, my code breaks. This occurs even if the user has already logged in and authenticated.
My spring-security.xml config file:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/dispatcher/admin**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/dispatcher/rest/**" access="hasRole('ROLE_ADMIN')"/>
<!-- access denied page -->
<access-denied-handler error-page="/dispatcher/403" />
<form-login
login-page="/dispatcher/login"
default-target-url="/dispatcher/admin"
login-processing-url="/dispatcher/login_process"
authentication-failure-url="/dispatcher/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/dispatcher/login?logout" logout-url = "/dispatcher/logout"/>
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider user-service-ref="myUserDetailsService" >
</authentication-provider>
</authentication-manager>
<beans:bean id="myUserDetailsService" class="com.shopping.services.MyUserDetailsService" />
</beans:beans>
Any help would be greatly appreciated!
The solution I found to access the web service is the following:
String username = ((UserDetails) principal).getUsername();
String password = ((UserDetails) principal).getPassword();
HttpClient client = new HttpClient();
client.getParams().setAuthenticationPreemptive(true);
Credentials defaultcreds = new UsernamePasswordCredentials(username, password);
restTemplate.setRequestFactory(new CommonsClientHttpRequestFactory(client));
client.getState().setCredentials(AuthScope.ANY, defaultcreds);
User x = restTemplate.getForObject("http://localhost:8080/Online_Shopping/dispatcher/rest/hello",User.class);
I'm trying to integrate two simple Spring Web Applications with Spring Integration, and I want to propagate the Spring SecurityContext between the two applications, but I've not yet found a working solution.
The two applications are very similar between each other, there are only a few differences in the configuration: one of them has to be the "caller", the other one has to be the "receiver".
In order to getting the expected result, I'm using Spring Security and I've configured both applications with the following Spring Security configuration:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.1.xsd">
<http auto-config="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/service/**" access="permitAll" />
<intercept-url pattern="/home" access="permitAll" />
<intercept-url pattern="/admin**" access="hasRole('ADMIN')" />
<intercept-url pattern="/dba**" access="hasRole('ADMIN') and hasRole('DBA')" />
<form-login authentication-failure-url="/accessDenied" />
</http>
<authentication-manager id="authenticationManager">
<authentication-provider>
<user-service>
<user name="user" password="user" authorities="ROLE_USER" />
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
<user name="dba" password="dba" authorities="ROLE_ADMIN,ROLE_DBA" />
</user-service>
</authentication-provider>
</authentication-manager>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
</beans:beans>
This is working: if I go to the url http://localhost:8080/caller/login, the login process is correctly managed by the Spring Security layer.
So I'm trying to configure the Spring Integration module in order to "integrate" the two applications; my idea (wrong?) is to use an http:outbound-gateway from the "caller", that invoke the "receiver" at a specific URL.
On the other side, there is an http:inbound-gateway that manage the requests.
Here is the configuration of the "caller" side:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:int="http://www.springframework.org/schema/integration"
xmlns:int-http="http://www.springframework.org/schema/integration/http"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:int-security="http://www.springframework.org/schema/integration/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/integration http://www.springframework.org/schema/integration/spring-integration-4.3.xsd
http://www.springframework.org/schema/integration/http http://www.springframework.org/schema/integration/http/spring-integration-http-4.3.xsd
http://www.springframework.org/schema/integration/security http://www.springframework.org/schema/integration/security/spring-integration-security-4.2.xsd
http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-4.3.xsd">
<int:channel id="requestChannel">
<int:dispatcher task-executor="executor"/>
</int:channel>
<int:channel-interceptor ref="requestChannelInterceptor" pattern="requestChannel">
</int:channel-interceptor>
<task:executor id="executor" pool-size="5"/>
<bean id="requestChannelInterceptor" class="org.springframework.integration.security.channel.SecurityContextPropagationChannelInterceptor"></bean>
<bean id="requestChannelBean" class="test.spring.webapp.client.MessagingChannel">
<property name="requestChannel" ref="requestChannel"></property>
</bean>
<int-http:outbound-gateway id="gateway" request-channel="requestChannel"
encode-uri="true" url="http://localhost:8080/receiver/service/{request}"
http-method="GET" >
<int-http:uri-variable name="request" expression="payload"/>
</int-http:outbound-gateway>
<int-security:secured-channels access-decision-manager="accessDecisionManager">
<int-security:access-policy pattern="requestChannel" send-access="ROLE_ADMIN,ROLE_USER,ROLE_DBA,ROLE_ANONYMOUS"/>
</int-security:secured-channels>
</beans>
Here is the configuration of the "receiver" side instead:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:int="http://www.springframework.org/schema/integration"
xmlns:int-http="http://www.springframework.org/schema/integration/http"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:int-security="http://www.springframework.org/schema/integration/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/integration http://www.springframework.org/schema/integration/spring-integration-4.3.xsd
http://www.springframework.org/schema/integration/http http://www.springframework.org/schema/integration/http/spring-integration-http-4.3.xsd
http://www.springframework.org/schema/integration/security http://www.springframework.org/schema/integration/security/spring-integration-security-4.2.xsd
http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-4.3.xsd">
<int:channel id="requestChannel">
<int:dispatcher task-executor="executor"/>
</int:channel>
<int:channel-interceptor ref="requestChannelInterceptor" pattern="requestChannel">
</int:channel-interceptor>
<task:executor id="executor" pool-size="5"/>
<bean id="requestChannelInterceptor" class="org.springframework.integration.security.channel.SecurityContextPropagationChannelInterceptor"></bean>
<int-http:inbound-gateway id="gateway" request-channel="requestChannel"
path="/service/**"
supported-methods="GET">
</int-http:inbound-gateway>
<int-security:secured-channels access-decision-manager="accessDecisionManager">
<int-security:access-policy pattern="requestChannel" send-access="ROLE_ADMIN,ROLE_USER,ROLE_DBA,ROLE_ANONYMOUS"/>
</int-security:secured-channels>
<bean id="channelService"
class="test.spring.webapp.server.ChannelService"/>
<int:service-activator id="channelServiceActivator"
ref="channelService"
input-channel="requestChannel"
method="manage"/>
</beans>
As you can see, I'm using the component SecurityContextPropagationChannelInterceptor of Spring Integration, that is intended to make the "propagation" of the security context.
I'm also using the int-security:secured-channels in the configuration, as illustrated in the documentation.
But this configuration doesn't work: when I call the URL http://localhost:8080/caller/service/hello (logged or not logged is the same), I'm getting the following Exception:
org.springframework.messaging.MessageHandlingException: HTTP request execution failed for URI [http://localhost:8080/receiver/service/hello];
nested exception is org.springframework.web.client.HttpServerErrorException: 500 Internal Server Error
Furthermore, the class org.springframework.integration.channel.interceptor.ThreadStatePropagationChannelInterceptor has the following method:
#Override
#SuppressWarnings("unchecked")
public final Message<?> postReceive(Message<?> message, MessageChannel channel) {
if (message instanceof MessageWithThreadState) {
MessageWithThreadState<S> messageWithThreadState = (MessageWithThreadState<S>) message;
Message<?> messageToHandle = messageWithThreadState.message;
populatePropagatedContext(messageWithThreadState.state, messageToHandle, channel);
return messageToHandle;
}
return message;
}
The message instance contains the logged Principal.
Debugging this method, I noticed that the logged Principal (for example "admin") is obtained only on the "caller" side, not in the "receiver" side (where there is always the "anonymousUser"): why the propagation of the SecurityContext is not working?
I believe that something is totally wrong or missing in my configuration...
It can't be propagated to the another process (application) by its premise.
See the implementation of SecurityContextPropagationChannelInterceptor. It is based on ThreadStatePropagationChannelInterceptor. One more time Thread State, not one process to another via network.
Since there is no one common solution for inter-process SecurityContext transfer, there is no anything as out-of-the-box.
As I answered you in another your question (Spring Integration: the SecurityContext propagation), you should transfer credential via HTTP only as headers. I even think that much better would be to do that using standard Apache HTTPClient CredentialProvider (or BasicAuthorizationInterceptor from Spring Framework 4.3.1) approach to send request with the Basic Authentication header. Really to achieve security via network with Base64 encoding for credentials.
On the receiver side your should do something similar what is in the https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java#L224:
byte[] base64Token = header.substring(6).getBytes("UTF-8");
byte[] decoded;
try {
decoded = Base64.decode(base64Token);
}
catch (IllegalArgumentException e) {
throw new BadCredentialsException(
"Failed to decode basic authentication token");
}
String token = new String(decoded, getCredentialsCharset(request));
int delim = token.indexOf(":");
if (delim == -1) {
throw new BadCredentialsException("Invalid basic authentication token");
}
return new String[] { token.substring(0, delim), token.substring(delim + 1) };
First of all I kept the listener in web.xml
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
Then my springSecurity.xml goes like
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/*" access="permitAll" />
<security:session-management invalid-session-url="/" session-fixation-protection="newSession">
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" session-registry-alias="sessionRegistry"/>
</security:session-management>
<!-- access denied page -->
<security:access-denied-handler error-page="/loginerror" />
<security:form-login
login-page="/login?login_error=1"
default-target-url="/employee/listEmployee"
authentication-failure-url="/login/error"
/>
<security:logout invalidate-session="true" logout-success-url="/login" delete-cookies="JSESSIONID" />
<!-- enable csrf protection -->
<!-- <csrf/>-->
</security:http>
<!-- Select users and user_roles from database -->
<security:authentication-manager>
<security:authentication-provider ref="authenticationProvider"></security:authentication-provider>
</security:authentication-manager>
<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService">
<bean id="userAuthenticationService" class="com.elitenet.los.security.UserDetailsServiceImpl" />
</property>
<property name="passwordEncoder">
<bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
</property>
</bean>
The controller goes like:I need the list of userNames which are logged in. But the sessionRegistry isn't working.
#Autowired
#Qualifier("sessionRegistry")
private SessionRegistry sessionRegistry;
#RequestMapping(value = "/showUserStatus",method = RequestMethod.GET)
public ModelAndView showUserStatus() {
List<String> usersNamesList = new ArrayList<String>();
List<User> userList = new ArrayList<User>();
try {
List<Object> principals =sessionRegistry.getAllPrincipals();//the principals here is empty
for (Object principal: principals) {
//import org.springframework.security.core.userdetails for User class
//User is a built in class of spring security core
if (principal instanceof User) {
getLog().info(((User) principal).getUserName());
getLog().info("going to list userNameList");
usersNamesList.add(((User) principal).getUserName());
}
}
getLog().info("going to list user");
userList = getUserService().getList();
} catch (Exception er) {
getLog().error("error while listing userList" + er);
}
return new ModelAndView("/user/showUserStatus", "userList", userList);
}
Can anyone help me what am I doing wrong
Please try mentioning in xml file
<bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
#Controller class
Try injecting like below
#Resource(name="sessionRegistry")
private SessionRegistryImpl sessionRegistry;
I think you are almost there. The only thing you've probably missed is the use of session-registry-alias. By using that attribute on the concurrency-control element you expose the session registry, so that it can be injected to your own beans.
Now you have a reference to the session registry that will be populated by the ConcurrentSessionControlStrategy which is set up implicitly by the above configuration. To use it you would just inject it to your bean as normal:
<security:session-management>
<security:concurrency-control max-sessions="10" session-registry-ref="sessionRegistry"/>
</security:session-management>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
or something like below
<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
p:maximumSessions="1" >
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
i am running small spring mvc 3 application (Spitter from spring in action 3 book ) which is downloaded from github . In spring security file they have written beans for authenticationManager and daoAuthenticationProvider like this
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/home*" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
<intercept-url pattern="/spitters/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-processing-url="/static/j_spring_security_check"
login-page="/login" authentication-failure-url="/login?login_error=t" />
<logout logout-success-url="/home"/>
</http>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
</beans:bean>
<beans:bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider" />
</beans:list>
</beans:property>
</beans:bean>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
or this link https://github.com/karolgornicki/spitter/blob/master/src/main/webapp/WEB-INF/spring-security.xml
What is the use of these two beans authenticationManager and daoAuthenticationProvider . After commenting also this application works perfectly .
I think the AuthenticationManager delegates the fetching of persistent user information to one or more AuthenticationProviders. The authentication-providers (DaoAuthenticationProvider, JaasAuthenticationProvider, LdapAuthenticationProvider, OpenIDAuthenticationProvider for example) specialize in accessing specific user-info repositories. Something else is mentioned in this part of the reference manual. It says:
You may want to register additional AuthenticationProvider beans with the ProviderManager and you can do this using the element with the ref attribute, where the value of the attribute is the name of the provider bean you want to add.
In other words, you can specify multiple AuthenticationProviders, for example one that looks for users in an LDAP database and another that looks in an SQL database.