Right now i have this oAUth2 token store configuration
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="accessTokenValiditySeconds" value="120" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
I want to store my token in database so i need some other custom implementation to store & retrieve token. I checked jdbcTokenStore but it need DataStore and i am using cassandra so its not possible to pass DataStore instance. So is there any other solution apart of jdbcTokenStore to store toke in db?
I guess the only way is to create your own class that implements org.springframework.security.oauth2.provider.token.TokenStore.
You may refer to the JdbcTokenStore implementation on how they do things.
Related
In my application I have fill some user fields from its information in a LDAP, I use LdapTemplate configured in the servlet-context.xml (with a properties file to set the values) and everything works perfect but I don't want to have the login of a user set in plain text in the application so I wonder if it is possible to configure the LDAPTemplate using the user logged in the application and if possible get a way to do it.
My actual configuration is this:
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="${ldap.url}" />
<property name="base" value="${ldap.base}" />
<property name="userDn" value="${ldap.userDn}" />
<property name="password" value="${ldap.password}" />
</bean>
<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSource" />
<property name="ignorePartialResultException" value="true" />
</bean>
Any help will be appreciated, thanks in advance.
I have a problem with a Legacy Application.
The application have two context, a Spring MVC context and a Spring Integration context.
The Spring MVC and the Spring Integration have two separates Entity Manager, but uses the same #Query repositories.
The application have and high load database access (for Read, Write and Updates) because receive millions of JMS messages all the days, and sometimes a DEADLOCK occurred.
If I put #Lock(OPTIMISTIC) in all the Querys in the repository, the problem is solved, but the Web application stop working “requiredTransactionException” says, this is normal because #Lock requires a Transaction and the MVC context don’t use transactions.
The question is, ¿How can I specify the #Lock in my Spring-Integration entity-manager-factory?
This is my Spring-Integration Entity Manager:
<bean id="entity-manager-factory" parent="entity-manager-factory-parent" depends-on="springJtaPlatformAdapter">
<property name="dataSource" ref="dataSourceInt" />
<property name="jpaPropertyMap">
<map>
<entry key="javax.persistence.transactionType" value="JTA" />
<entry key="hibernate.current_session_context_class" value="jta" />
<entry key="hibernate.transaction.jta.platform" value="XXXXXXXXX (InternalClass, I Can't show name)" />
<entry key="hibernate.connection.autocommit" value="false" />
</map>
</property>
EDIT:
The parent entity manager:
<bean id="entity-manager-factory-parent" abstract="true"
class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="packagesToScan" value="es.com.bbdd.entities" />
<property name="jpaVendorAdapter">
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
<property name="showSql" value="false" />
<property name="databasePlatform" value="org.hibernate.dialect.Oracle10gDialect" />
</bean>
</property>
<property name="jpaProperties">
<props>
<prop key="hibernate.default_schema">SALES_SCHEMA</prop>
</props>
</property>
Problem solved. Thanks all the people for the answers.
The problem was that tablas are partitioned by foreign key reference , and the FK are not indexed , causing deadlocks by Oracle that blocks all the child table.
I have created all the indexes for the foreign keys and the problem is solved.
I have Spring JPA configuration as below
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close" >
<property name="driverClassName" value="${jdbc.driverClassName}" />
<property name="url" value="${jdbc.url}" />
<property name="username" value="${jdbc.username}" />
<property name="password" value="${jdbc.password}" />
</bean>
<bean id="emf" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean" >
<property name="dataSource" ref="dataSource" />
<property name="jpaVendorAdapter" ref="vendorAdaptor" />
<property name="packagesToScan" value="pk.training.model"/>
<property name="jpaProperties">
<props>
...
<prop key="hibernate.show_sql">true</prop>
</props>
</property>
</bean>
I have properties file in which i have password like
jdbc.password=abc123
When my application runs, spring context loads and makes connection to database. Fine. Now I want to ask suppose i give password in encrypted form, like
jdbc.password=$53ytg##!
Now how JPA connect to database ? Is there any property by which JPA handles encrypted password by itself or I have to do some thing on my own ?
Thanks.
You have to do this your own. Security wise, it doesn't add much, though. An attacker can
Set a breakpoint in Spring, wait until the bean is created and read the password from the field
Look at your code, find out where you store the key to decrypt the DB password, extract and use your code to decrypt it
Since most DB driver don't encrypt the data exchanged between your app and the database by default, your password (and all the data) is sent as plain text over the wire (unless the database is on the same server as your application).
So in most scenarios, the thing to do is to put the DB user and password in a file on your server's disk and make sure only authorized people can access this file (plus your app can read it). Encrypting the password only adds obscurity, no real security.
I am new in quartz
I am trying to integrate spring with quartz i want to take repeatInterval and startDelay dynamically is it possible.
<bean id="sampleJobTrigger" class="org.springframework.scheduling.quartz.SimpleTriggerBean">
<property name="jobDetail" ref="sampleJobBean" />
<property name="repeatInterval" value="5000"/>
<property name="startDelay" value="4000" />
</bean>
When I make an implementation for
org.springframework.security.core.userdetails.UserDetailsService
and use the statement
sessionRegistry.registerNewSession(user.getUsername(), user);
within it after successful authentication, then the
sessionRegistry.getAllPrincipals();
list is not empty (but when I log out from application the session still remain within list) otherwise this list will be empty. how can I make the session registration (and also unregistration during user log out or session expiration) within sessionRegistry automatically? my spring config is as below:
<sec:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsf">
<sec:form-login login-page="/login.jsf" />
<sec:session-management session-authentication-strategy-ref="sas" />
</sec:http>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="scr"
class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
<bean id="smf"
class="org.springframework.security.web.session.SessionManagementFilter">
<constructor-arg name="securityContextRepository"
ref="scr" />
<property name="sessionAuthenticationStrategy"
ref="sas" />
</bean>
<bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<property name="maximumSessions" value="10" />
</bean>
Most likely you have forgotten to add an HttpSessionEventPublisher to your web.xml.
Another possibility is that the principal in question has other sessions still active which haven't timed-out or been invalidated. You have a maximum session value of 10. Try setting that to "1" instead for testing.
Also, version 3.0.5 is out of date. You should use the latest version and keep up to date with patches to avoid vulnerabilities.