I'm using spring security for the first time and when I thought that I finished I met a problem with the spring security sessions. The scenario is when I log in with a first user and after log in with another user in another machine
if I refresh the first user, the details of the second user are displayed.
It's like the session of the 1st user is crushed by the second user and I don't understand why. There is my spring security configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<sec:http auto-config="true" >
<sec:intercept-url pattern="/jsf/home.xhtml"
access="ROLE_ECRITURE, ROLE_LECTURE, ROLE_ADMIN" />
<sec:intercept-url pattern="/jsf/resultTestEligibilite_ADSL.xhtml"
access="ROLE_ECRITURE, ROLE_LECTURE, ROLE_ADMIN" />
<sec:intercept-url pattern="/jsf/resultTestEligibilite_SDSL.xhtml"
access="ROLE_ECRITURE, ROLE_LECTURE, ROLE_ADMIN" />
<sec:intercept-url pattern="/jsf/resultTestEligibilite_SDSLplus.xhtml"
access="ROLE_ECRITURE, ROLE_LECTURE, ROLE_ADMIN" />
<sec:logout invalidate-session="true"
delete-cookies="JSESSIONID"
success-handler-ref="customLogoutSuccessHandler"/>
<sec:form-login login-processing-url="/j_spring_security_check"
login-page="/index.xhtml" default-target-url="/jsf/home.xhtml"
authentication-failure-url="/index.xhtml?error=1" />
<sec:session-management invalid-session-url="/j_spring_security_logout" />
</sec:http>
<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="ignoreResourceNotFound" value="true" />
<property name="ignoreUnresolvablePlaceholders" value="false" />
<property name="systemPropertiesModeName" value="SYSTEM_PROPERTIES_MODE_OVERRIDE" />
<property name="locations">
<list>
<value>
classpath:/jboss.properties
</value>
</list>
</property>
</bean>
<bean id="ldapUserSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="${ldap.user-search-base}" />
<constructor-arg index="1" value="${ldap.user-search-filter}" />
<constructor-arg index="2" ref="contextSource" />
<property name="searchSubtree" value="true" />
</bean>
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="${ldap.url}" />
<property name="userDn" value="${ldap.manager-dn}" />
<property name="password" value="${ldap.manager-password}" />
</bean>
<sec:ldap-server
url="${ldap.url}"
manager-dn="${ldap.manager-dn}"
manager-password="${ldap.manager-password}"
id = "contextSource"
root="${ldap.root}"/>
<sec:ldap-user-service id="ldapUserService"
server-ref="contextSource"
group-search-base="${ldap.group-search-base}"
group-role-attribute="${ldap.group-role-attribute}"
group-search-filter="${ldap.group-search-filter}"
user-search-base="${ldap.user-search-base}"
user-search-filter="${ldap.user-search-filter}" />
<sec:authentication-manager alias="MyManager">
<sec:ldap-authentication-provider
user-search-base="${ldap.user-search-base}"
user-search-filter="${ldap.user-search-filter}"
group-search-base="${ldap.group-search-base}"
group-search-filter="${ldap.group-search-filter}"
role-prefix="${ldap.role-prefix}"
user-context-mapper-ref="customUserDetailsMapper">
<sec:password-compare hash="{sha}" >
<sec:password-encoder ref="passwordEncoder" />
</sec:password-compare>
</sec:ldap-authentication-provider>
</sec:authentication-manager>
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.LdapShaPasswordEncoder" >
<property name="forceLowerCasePrefix" value="true" />
</bean>
<bean id="LdapUserDetailManager"
class="org.springframework.security.ldap.userdetails.LdapUserDetailsManager">
<constructor-arg ref="contextSource" />
<property name="attributesToRetrieve" >
<list>
<value>wsEligXdslFaiUsername</value>
</list>
</property>
</bean>
<bean id="customUserDetailsMapper" class="com.axione.eligibilite.ihm.ldap.impl.CustomUserDetailsContextMapper" />
</beans>`enter code here`
Thank you in advance of your help, cause I really don't know where this problem comes from.
Related
Currently I use spring mvc oauth2 to secure my web application.
I tried to do curl -X POST "http://localhost:8080/project/oauth/token?client_id=the_client&grant_type=password&username=user&password=password&response_type=token"
I got reply.
{"error":"unauthorized","error_description":"There is no client authentication. Try adding an appropriate authentication filter."}
Then I checked the code of TokenEndpoint.java, It show the Principal is null.
The exception is Handling error: InsufficientAuthenticationException, There is no client authentication. Try adding an appropriate authentication filter.
Here is the spring-security.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />
<bean id="accessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler" />
<!--client -->
<bean id="clientDetailsService" class="oauth2.CustomJdbcClientDetailsService">
<constructor-arg index="0" ref="dataSource" />
</bean>
<bean id="clientDetailsUserDetailsService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetailsService" />
</bean>
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider
user-service-ref="clientDetailsUserDetailsService" />
</security:authentication-manager>
<oauth2:authorization-server
client-details-service-ref="clientDetailsService" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler">
<oauth2:authorization-code />
<oauth2:implicit />
<oauth2:refresh-token />
<oauth2:client-credentials />
<oauth2:password />
</oauth2:authorization-server>
<security:http pattern="/oauth/token" create-session="stateless">
<security:anonymous enabled="false" />
<security:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<security:custom-filter ref="clientCredentialsTokenEndpointFilter"
before="BASIC_AUTH_FILTER" />
<security:access-denied-handler ref="accessDeniedHandler" />
</security:http>
<!--client -->
<!--user -->
<bean id="userService" class="services.UserServicesImpl" />
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
user-service-ref="userService">
<!--<security:password-encoder hash="md5"/> -->
</security:authentication-provider>
</security:authentication-manager>
<!--user -->
<oauth2:resource-server id="mobileResourceServer"
resource-id="mobile-resource" token-services-ref="tokenServices" />
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<security:http pattern="/rest/**" create-session="never"
entry-point-ref="clientAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager" use-expressions="false">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/rest/**"
access="ROLE_DRIVER" />
<security:custom-filter ref="mobileResourceServer"
before="PRE_AUTH_FILTER" />
<security:access-denied-handler ref="accessDeniedHandler" />
</security:http>
I don't know why it is wrong, Please help me thanks.
You have to provide a query parameter named "client_secret" for the client authentication.
I have just upgrade spring security from 2 to 4. Some custom filters used for login,remember me and single sign on process.
Two login mechanism used in my application.
First simple form login and second SSO login.
This is my securityContext.xml
<!-- enable method-level security via annotation -->
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="disabled"/>
<!-- secure the web layer -->
<sec:http pattern="/js/**" security="none" />
<sec:http pattern="/scripts/**" security="none" />
<sec:http pattern="/favicon.ico" security="none" />
<sec:http pattern="/styles/**" security="none" />
<sec:http pattern="/images/**" security="none" />
<sec:http pattern="/qlogin.jsp" security="none" />
<sec:http pattern="/qloginWait/**" security="none" />
<sec:http pattern="/contract/ServiceContractPDFView.jsp" security="none" />
<sec:http pattern="/admin/unsubscribe_sbpqm_newsletter.jsp" security="none" />
<sec:http pattern="/admin/subscription_form.jsp" security="none" />
<sec:http pattern="/admin/subscription_thankyou.jsp" security="none" />
<sec:http pattern="/admin/related_analysts.jsp" security="none" />
<sec:http pattern="/login.jsp" security="none" />
<sec:http entry-point-ref="myAuthenticationEntryPoint" use-expressions="true">
<sec:session-management session-fixation-protection="newSession">
</sec:session-management>
<sec:headers>
<sec:frame-options policy="SAMEORIGIN"/>
<sec:content-type-options disabled="true"/>
</sec:headers>
<sec:csrf disabled="true"/>
<sec:custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeProcessingFilter"/>
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnFilter"/>
<sec:custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
<sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>
</sec:http>
<!--name of my authenticationManager is authenticationManager-->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="myUserDetailsService" />
</sec:authentication-manager>
<bean id="customizedFormLoginFilter" class="com.myPro.test.security.CustomAuthenticationProcessingFilter" >
<!--Here it is the custom authenticationManager, login magic goes here -->
<property name="authenticationManager" ref="myAuthenticationManager"/>
<property name="usernameParameter" value="username"/>
<property name="passwordParameter" value="password"/>
<property name="filterProcessesUrl" value="/j_spring_security_check"/>
<property name="rememberMeServices" ref="rememberMeServices" />
<property name="allowSessionCreation" value="true" />
<property name="authenticationFailureHandler" ref="failureHandler"/>
<property name="authenticationSuccessHandler" ref="successHandler"/>
</bean>
<bean id="myAuthenticationManager" class="com.myPro.test.security.CustomAuthenticationManager" />
<bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<!--My authentication entry point, can be replaced easily if we are doing custom commence of invalid auths.-->
<bean id="myAuthenticationEntryPoint"
class="com.myPro.test.security.CustomAuthenticationEntryPoint" >
<constructor-arg value="/login.jsp"/>
</bean>
<bean id="successHandler" class="com.myPro.test.security.CustomSavedRequestAwareAuthenticationSuccessHandler">
<property name="alwaysUseDefaultTargetUrl" value="true"/>
<property name="defaultTargetUrl" value="/indexCustomer.jsp"/>
</bean>
<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
<!-- Override RememberMeProcessingFilter to allow application of other business logic (update login count when user returns to the site -->
<bean id="rememberMeProcessingFilter" class="com.myPro.test.security.CustomRememberMeProcessingFilter">
<constructor-arg ref="authenticationManager"/>
<constructor-arg ref="rememberMeServices"/>
</bean>
<bean id="signleSignOnService" class="com.myPro.sage.sso.dynamo.SsoDbStorage">
</bean>
<bean id="singleSignOnFilter"
class="com.myPro.test.spring.SingleSignOnFilter">
<property name="signleSignOnService" ref="signleSignOnService"/>
<!--<property name="authenticationProviderFacade" ref="authenticationProviderFacade"/>-->
<property name="userService" ref="myProUserServiceImpl"/>
<property name="ssoUserUrl">
<value>/sso</value>
</property>
<!-- Code Review Starts -->
<property name="ssoTargetUrl">
<value>/search/ServiceContractSearch.do</value>
</property>
<!-- Code Review Ends -->
<property name="ssoFailureUrl">
<value>/login.jsp</value>
</property>
<property name="order" value="123456"/>
</bean>
<!-- Remember me Authentication Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens -->
<bean id="myUserDetailsService" class="com.myPro.test.security.CustomUserDetailsService" > </bean>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<constructor-arg value="springRocks"/>
<constructor-arg ref="myUserDetailsService"/>
<constructor-arg ref="jdbcTokenRepository"/>
</bean>
<!-- Uses a database table to maintain a set of persistent login data -->
<bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<property name="createTableOnStartup" value="false" />
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<constructor-arg value="springRocks"/>
</bean>
<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" >
<property name="invalidateHttpSession" value="true" />
</bean>
<bean id="mySecurityContextHandler" class="com.myPro.test.security.CustomSecurityContextLogoutHandler"/>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/login.jsp" />
<constructor-arg>
<list>
<ref bean="mySecurityContextHandler" />
<ref bean="rememberMeServices" />
<ref bean="securityContextLogoutHandler" />
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/j_spring_security_logout" />
</bean>
<bean id="authenticationLoggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<bean id="_sessionFixationProtectionFilter" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true" />
</bean>
changed securityContext.xml according spring Security 4.
if I removed this filter
sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnF
ilter"
from http, application worked fine. All Urls accessible after login.
If I add this line then pattern (/**) not working for me. Blank page will come.
Please help to solve this problem
Url those assigned to access roles not working only blank page coming. Only few urls working those have filter="none".
No error or no exception coming.
Blank page coming after login.
Url like: /indexPage
/test/indexPage
securityContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context" xmlns:p="http://www.springframework.org/schema/p"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:c="http://www.myPro.com/schema/system-config"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd
http://www.myPro.com/schema/system-config http://www.myPro.com/schema/system-config/system-config-1.0.xsd">
<!-- enable method-level security via annotation -->
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="disabled"/>
<!-- secure the web layer -->
<sec:http auto-config="false" entry-point-ref="myAuthenticationEntryPoint" lowercase-comparisons="false">
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
<sec:custom-filter after="FORM_LOGIN_FILTER" ref="rememberMeProcessingFilter"/>
<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnFilter"/>
<sec:custom-filter after="REMEMBER_ME_FILTER" ref="logoutFilter" />
<sec:intercept-url pattern="/login.jsp" filters="none" />
<sec:intercept-url pattern="/**" access="ROLE_USER" />
<sec:intercept-url pattern="/contract/ServiceContractPDFView.jsp" filters="none" />
<sec:intercept-url pattern="/admin/unsubscribe_sbpqm_newsletter.jsp" filters="none" />
<sec:intercept-url pattern="/admin/subscription_form.jsp" filters="none" />
<sec:intercept-url pattern="/admin/subscription_thankyou.jsp" filters="none" />
<sec:intercept-url pattern="/admin/related_analysts.jsp" filters="none" />
<sec:intercept-url pattern="/favicon.ico" filters="none" />
<sec:intercept-url pattern="/styles/**" filters="none" />
<sec:intercept-url pattern="/images/**" filters="none" />
<sec:intercept-url pattern="/qlogin.jsp" filters="none" />
<sec:intercept-url pattern="/qloginWait/**" filters="none" />
<sec:intercept-url pattern="/js/**" filters="none" />
<sec:intercept-url pattern="/scripts/**" filters="none" />
<sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>
</sec:http>
<!--name of my authenticationManager is authenticationManager-->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="myUserDetailsService" />
</sec:authentication-manager>
<bean id="customizedFormLoginFilter" class="com.myPro.test.security.CustomAuthenticationProcessingFilter" >
<!--Authentication failed? take him to error page-->
<!--Here it is the custom authenticationManager, login magic goes here -->
<property name="authenticationManager" ref="myAuthenticationManager"/>
<property name="authenticationFailureHandler" ref="failureHandler"/>
<property name="authenticationSuccessHandler" ref="successHandler"/>
<property name="rememberMeServices" ref="rememberMeServices" />
<property name="allowSessionCreation" value="true" />
</bean>
<bean id="myAuthenticationManager" class="com.myPro.test.security.CustomAuthenticationManager" />
<bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<!--My authentication entry point, can be replaced easily if we are doing custom commence of invalid auths.-->
<bean id="myAuthenticationEntryPoint"
class="com.myPro.test.security.CustomAuthenticationEntryPoint" >
<property name="loginFormUrl" value="/login.jsp"/>
</bean>
<bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/indexCustomer.jsp"/>
</bean>
<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
<!-- Override RememberMeProcessingFilter to allow application of other business logic (update login count when user returns to the site -->
<bean id="rememberMeProcessingFilter" class="com.myPro.test.security.CustomRememberMeProcessingFilter">
<property name="rememberMeServices" ref="rememberMeServices"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="signleSignOnService" class="com.myPro.sage.sso.dynamo.SsoDbStorage">
</bean>
<bean id="singleSignOnFilter"
class="com.myPro.test.spring.SingleSignOnFilter">
<property name="signleSignOnService" ref="signleSignOnService"/>
<!--<property name="authenticationProviderFacade" ref="authenticationProviderFacade"/>-->
<property name="userService" ref="myProUserServiceImpl"/>
<property name="ssoUserUrl">
<value>/sso</value>
</property>
<!-- Code Review Starts -->
<property name="ssoTargetUrl">
<value>/search/ServiceContractSearch.do</value>
</property>
<!-- Code Review Ends -->
<property name="ssoFailureUrl">
<value>/login.jsp</value>
</property>
<property name="order" value="123456"/>
</bean>
<!-- Remember me Authentication Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens -->
<bean id="myUserDetailsService" class="com.myPro.test.security.CustomUserDetailsService" > </bean>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<property name="tokenRepository" ref="jdbcTokenRepository" />
<property name="userDetailsService" ref="myUserDetailsService" />
<property name="key" value="springRocks" />
<property name="alwaysRemember" value="false" />
</bean>
<!-- Uses a database table to maintain a set of persistent login data -->
<bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<property name="createTableOnStartup" value="false" />
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<!-- <sec:custom-authentication-provider/> -->
<property name="key" value="springRocks"/>
</bean>
<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" >
<property name="invalidateHttpSession" value="true" />
</bean>
<bean id="mySecurityContextHandler" class="com.myPro.test.security.CustomSecurityContextLogoutHandler"/>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/" />
<constructor-arg>
<list>
<ref bean="mySecurityContextHandler" />
<ref bean="rememberMeServices" />
<ref bean="securityContextLogoutHandler" />
</list>
</constructor-arg>
</bean>
<bean id="authenticationLoggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<bean id="_sessionFixationProtectionFilter" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true" />
</bean>
</beans>
There are 2 things wrong.
First the order of the url-intercept patterns is important. The order in which they are defined is also the order in which they are consulted! Having a /** makes every url-intercept element after that useless. So a `/** should always come last.
Second in newer Spring Security versions you shouldn't be using the filters="none" anymore. You should create separate <sec:http /> elements for those. See this part of the Spring Security Reference guide.
<sec:http pattern="/login.jsp" security="none" />
<sec:http pattern="/js/**" security="none" />
<sec:http pattern="/scripts/**" security="none" />
<!--- All other patterns here. -->
I'm using Spring Security in my Spring Project. Following is my springSecurityConfiguration.xml File. After I try to log in by using correct credentials, the page redirects to
https://localhost:8443/j_spring_security_check.
Please note that it falls beyond my application which is terror movies. The custom_login page is presented at
https://localhost:8443/terrormovies/custom_login
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http auto-config="true" use-expressions="true">
<security:expression-handler ref="expressionHandler" />
<security:intercept-url pattern="/admin/*"
access="hasIpAddress('127.0.0.1')
and (isAnonymous() ? false : principal.lastname== 'Scarioni') and over18" />
<security:intercept-url pattern="/movies/**/*"
access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/movies/*"
access="hasAnyRole('ROLE_USER','ROLE_VIP')" />
<security:intercept-url pattern="/j_spring_security_switch_user"
access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/j_spring_security_exit_user"
access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/custom_login"
requires-channel="https" />
<security:intercept-url pattern="/j_spring_security_check"
requires-channel="https" />
<security:remember-me key="terror-key" />
<security:logout delete-cookies="JSESSIONID"
success-handler-ref="logoutRedirectToAny" />
<security:custom-filter ref="switchUser"
before="FILTER_SECURITY_INTERCEPTOR" />
<security:form-login login-page="/custom_login"
authentication-failure-handler-ref="serverErrorHandler"
username-parameter="user_param" password-parameter="pass_param" />
<security:session-management>
<security:concurrency-control
max-sessions="1" />
</security:session-management>
</security:http>
<security:authentication-manager>
<security:authentication-provider
user-service-ref="inMemoryUserServiceWithCustomUser" />
</security:authentication-manager>
<bean id="switchUser"
class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<property name="userDetailsService" ref="inMemoryUserServiceWithCustomUser" />
<property name="targetUrl" value="/" />
</bean>
<bean id="expressionHandler"
class="com.apress.pss.terrormovies.security.CustomWebSecurityExpressionHandler" />
<bean id="inMemoryUserServiceWithCustomUser"
class="com.apress.pss.terrormovies.spring.CustomInMemoryUserDetailsManager">
<constructor-arg>
<list>
<bean class="com.apress.pss.terrormovies.model.User">
<constructor-arg value="admin" />
<constructor-arg value="admin" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<constructor-arg value="ROLE_ADMIN" />
</bean>
</list>
</constructor-arg>
<constructor-arg value="Scarioni" />
<constructor-arg value="19" />
</bean>
<bean class="com.apress.pss.terrormovies.model.User">
<constructor-arg value="paco" />
<constructor-arg value="tous" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<constructor-arg value="ROLE_USER" />
</bean>
</list>
</constructor-arg>
<constructor-arg value="Miranda" />
<constructor-arg value="20" />
</bean>
<bean class="com.apress.pss.terrormovies.model.User">
<constructor-arg value="lucas" />
<constructor-arg value="fernandez" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<constructor-arg value="ROLE_VIP" />
</bean>
<bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<constructor-arg value="ROLE_USER" />
</bean>
</list>
</constructor-arg>
<constructor-arg value="Silva" />
<constructor-arg value="20" />
</bean>
</list>
</constructor-arg>
</bean>
<bean id="logoutRedirectToAny"
class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="targetUrlParameter" value="redirectTo" />
</bean>
<bean id="serverErrorHandler"
class="com.apress.pss.terrormovies.security.ServerErrorFailureHandler" /></beans>
In your
<security:form-login>
tags, add the following so that the application knows where to re-direct to upon successful login attempt:
default-target-url="/movies"
check your login-form configuration. i guess there is something like "defaultSuccessUrl" missing...
"Sir, It is working well with other spring security configuration files. – Ankit yesterday"
Ok; do you have a redirect in your welcome file/controller somewhere that points to the login-page?
"Yes Sir. There is a redirect to login"
If i am right this might your problem. Here on my spring application my welcome-file (index.html) is pointing to my dashboard page and not to my login-page. the login page is reached by automatic redirect of the interceptor when the user is not authenticated.
I'm trying to set up the LDAP Spring Security. And I've stucked with some strange exception:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList'
...
No UserDetailsService registered
My security-config.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<sec:global-method-security secured-annotations="enabled"
access-decision-manager-ref="accessDecisionManager" />
<sec:http auto-config="true">
<sec:intercept-url pattern="/css/**" filters="none" />
<sec:intercept-url pattern="/js/**" filters="none" />
<sec:intercept-url pattern="/img/**" filters="none" />
<sec:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" method="POST" />
<sec:intercept-url pattern="/uzivatel/registrace" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="/**" access="ROLE_UZIVATEL" />
<sec:form-login default-target-url="/vlakna" login-page="/login" />
</sec:http>
<bean id="accessDecisionManager" class="org.springframework.security.vote.ConsensusBased">
<property name="decisionVoters">
<list>
<ref bean="rightsAccessDecisionVoter" />
</list>
</property>
</bean>
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://111.111.111.111"/>
<property name="userDn" value="cn=auth-user,ou=System,dc=sh,dc=company,dc=com"/>
<property name="password" value="secret"/>
</bean>
<bean id="ldapAuthProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<sec:custom-authentication-provider/>
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<property name="userSearch">
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="ou=People,dc=sh,dc=company,dc=com"/>
<constructor-arg index="1" value="(uid={0})"/>
<constructor-arg index="2" ref="contextSource" />
</bean>
</property>
<property name="userDnPatterns">
<list><value>uid={0},ou=people</value></list>
</property>
<property name="userAttributes">
<list><value></value></list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="cz.rohan.dusps.services.UzivatelAuthoritiesPopulator" />
</constructor-arg>
</bean>
<bean id="rightsAccessDecisionVoter" class="com.company.RightsAccessDecisionVoter" />
</beans>
I thought that it should take "ldapAuthProvider" as an user details service but it doesn't. Does anybody see any problem in my config?
Thanks for any help,
Mateo
I think...
<bean id="ldapAuthProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<security:custom-authentication-provider />
// MISSING ABOVE
<property name="userDetailsService" ref="ldapUserDetailsService" />
.....