Spring Security role define - spring

When I am trying to authenticate by giving the username as "sumit1" and the password as "123", it redirects me to the login error page, though I have defined the same role as I have defined for username "sumit".
This is my spring-security XML file.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.2.xsd">
  <!-- This is where we configure Spring-Security -->
  <security:http auto-config="true" access-denied-page="/sumit/auth/denied.jsp">
    <security:intercept-url pattern="/admin**" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/user**" access="ROLE_USER"/>
    <security:form-login authentication-failure-url="/sumit/auth/invalid.jsp"/>
    <!-- <security:form-login login-page="/sumit/auth/login.jsp"/> -->
    <security:logout logout-success-url="/index.jsp"/>
  </security:http>
  <!-- Declare an authentication-manager to use a custom userDetailsService -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service><security:user name="sumit" password="123" authorities="ROLE_ADMIN"/></security:user-service>
      <security:user-service><security:user name="sumit1" password="123" authorities="ROLE_ADMIN"/></security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
  <!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
  <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
  <!-- An in-memory list of users. No need to access an external database layer.
       See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
  <!-- john's password is admin, while jane's password is user -->
</beans>

As Pavel mentioned in his comment, you have two <security:user-service> tags. You only need one, and you can define multiple users under it.
<security:authentication-manager>
  <security:authentication-provider>
    <security:user-service>
      <security:user name="sumit" password="123" authorities="ROLE_ADMIN"/>
      <security:user name="sumit1" password="123" authorities="ROLE_ADMIN"/>
    </security:user-service>
  </security:authentication-provider>
</security:authentication-manager>
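As an added example (not code from the question or the answer, and not part of Spring), here is a small Python linter that reads a Spring Security namespace configuration with the standard library and reports the mistake discussed above, plus two other things a reviewer would flag in the question's file: the declared Md5PasswordEncoder bean is never wired into an authentication-provider, and intercept-url patterns of the form "/admin**" do not match "/admin/anything" with Spring's AntPathMatcher (only "/admin/**" does). The two configurations embedded in the script are constructed samples, reduced from the question's file.

```python
"""Lint a Spring Security XML namespace configuration for three common slips.

Added example, not code from the question or the answer. It reports:
  * more than one <user-service> under one <authentication-provider>
    (the question's bug; "sumit1" is not accepted until they are merged);
  * a PasswordEncoder bean that no <password-encoder ref="..."/> references
    (the question's Md5PasswordEncoder bean is declared but unused);
  * an <intercept-url pattern="/x**"> with no "/x/**" companion. Spring's
    AntPathMatcher treats "/x**" as a single path segment, so it matches
    "/x" and "/xyz" but not "/x/anything".
"""
import xml.etree.ElementTree as ET

SEC = "http://www.springframework.org/schema/security"
BEANS = "http://www.springframework.org/schema/beans"


def lint_security_xml(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Several <user-service> elements inside one <authentication-provider>.
    for provider in root.iter("{%s}authentication-provider" % SEC):
        count = len(provider.findall("{%s}user-service" % SEC))
        if count > 1:
            findings.append("authentication-provider has %d user-service elements; "
                            "put all <user> entries under a single one" % count)

    # 2. A PasswordEncoder bean that no authentication-provider references.
    encoder_ids = {b.get("id") for b in root.iter("{%s}bean" % BEANS)
                   if b.get("id") and "PasswordEncoder" in (b.get("class") or "")}
    referenced = {pe.get("ref") for pe in root.iter("{%s}password-encoder" % SEC)}
    for bean_id in sorted(encoder_ids - referenced):
        findings.append("bean '%s' is a PasswordEncoder but no <password-encoder ref> "
                        "uses it; stored passwords are compared as plain text" % bean_id)

    # 3. "/x**" patterns that leave "/x/..." uncovered.
    patterns = [u.get("pattern") or "" for u in root.iter("{%s}intercept-url" % SEC)]
    for pattern in patterns:
        if pattern.endswith("**") and not pattern.endswith("/**"):
            companion = pattern[:-2] + "/**"
            if companion not in patterns:
                findings.append("pattern '%s' does not match '%s/...'; add a '%s' rule"
                                % (pattern, pattern[:-2], companion))
    return findings


# Constructed sample: the shape of the question's file, reduced to the relevant parts.
BROKEN = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http auto-config="true">
    <security:intercept-url pattern="/admin**" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/user/**" access="ROLE_USER"/>
  </security:http>
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service><security:user name="sumit" password="123" authorities="ROLE_ADMIN"/></security:user-service>
      <security:user-service><security:user name="sumit1" password="123" authorities="ROLE_ADMIN"/></security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
  <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>
</beans>"""

# Constructed sample: the same file with the answer's fix applied and the other two slips removed.
FIXED = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http auto-config="true">
    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/user/**" access="ROLE_USER"/>
  </security:http>
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="sumit" password="123" authorities="ROLE_ADMIN"/>
        <security:user name="sumit1" password="123" authorities="ROLE_ADMIN"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_security_xml(text) or "no findings")
```

Run it against a real file by reading the file into a string and passing it to lint_security_xml; the namespace-qualified lookups work whether the file uses the security namespace as default or with a prefix.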

Related

Different authentication on localhost vs public IP address

I have an issue that seems something like this one but I'm not using AJAX for logging in/authentication.
When I access my local Tomcat 7 instance, I can correctly evaluate this block to true when the user is not logged in:
<security:authorize access="!isFullyAuthenticated()">
  <div class="col-xs-12 col-md-2 login_button">
    <button class="btn btn-success" style="line-height: 1.42857"><spring:message code="label.logIn"/> <i class="fa fa-sign-in"></i></button>
  </div>
</security:authorize>
However, it evaluates to false when I deploy it to our public QA and public production instances, hiding the button. I also tried changing the access to !isAuthenticated() but the behavior didn't change.
I'm using Spring 4.1.0.RELEASE and Spring Security 3.2.4.RELEASE. I am not completely sure but it may not have had this behavior in a previous version of Spring.
What could cause a difference in the code block evaluation between servers?
UPDATE:
Spring security config:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">
  <beans:bean id="authSuccessHandler" class="com.companyname.web.RoleBasedAuthenticationSuccessHandler" />
  <http auto-config="true" use-expressions="true">
    <form-login login-page="/login"
                authentication-success-handler-ref="authSuccessHandler"
                authentication-failure-url="/login?login_error=true"
                login-processing-url="/j_spring_security_check" />
    <intercept-url pattern="/sample/**" access="hasAnyRole('ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
    <intercept-url pattern="/other/**" access="hasAnyRole('ROLE_OTHER', 'ROLE_CO_OTHER','ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
    <logout logout-success-url="/index" />
  </http>
  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="myUserDetailsService">
      <password-encoder ref="passwordEncoder" />
    </authentication-provider>
  </authentication-manager>
  <beans:bean id="myUserDetailsService"
              class="com.companyname.service.UserDetailsServiceImpl" />
  <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
  <global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
    <expression-handler ref="expressionHandler"/>
  </global-method-security>
  <beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator">
      <beans:bean id="permissionEvaluator" class="com.companyname.web.security.MethodsPermissionEvaluator"/>
    </beans:property>
  </beans:bean>
</beans:beans>
EDIT:
Also tried Spring Security 3.2.8.RELEASE, but no luck.
This issue was solved by a fellow developer by updating the web.xml to contain the Spring Security Filter Chain higher up in the file:
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <servlet-name>Spring Security Filter Chain</servlet-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
We also had to make sure that the updated file was deployed to the correct environment. The discrepancy in environments is attributed to different web.xml files for each environment.
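Added example, not the asker's code: a Python check over web.xml for the filter-chain properties the fix above depends on (a springSecurityFilterChain filter backed by DelegatingFilterProxy, mapped before every other filter, on /*, with both REQUEST and FORWARD dispatchers). The servlet container builds the filter chain in the order of the filter-mapping elements, so a web.xml that differs between environments can leave Spring Security running behind another filter, or without the dispatcher types it needs; a check like this run in the build catches that before deployment. The two web.xml texts inside are constructed.

```python
"""Check that web.xml wires the Spring Security filter chain the way the fix above does.

Added example, not the asker's code. Findings cover: no springSecurityFilterChain
<filter>, a filter-class other than DelegatingFilterProxy, a filter-mapping that
is not the first one (the container runs filters in filter-mapping order), a
url-pattern other than /*, and a mapping without REQUEST and FORWARD dispatchers.
"""
import xml.etree.ElementTree as ET

FILTER_NAME = "springSecurityFilterChain"
PROXY_CLASS = "org.springframework.web.filter.DelegatingFilterProxy"


def _local(tag):
    """Drop the namespace prefix so any web-app schema version can be checked."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child element called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def check_web_xml(xml_text):
    """Return a list of findings; an empty list means the mapping looks right."""
    root = ET.fromstring(xml_text)
    findings = []

    filters = {_child_text(f, "filter-name"): f for f in root if _local(f.tag) == "filter"}
    if FILTER_NAME not in filters:
        findings.append("no <filter> named %s" % FILTER_NAME)
    elif _child_text(filters[FILTER_NAME], "filter-class") != PROXY_CLASS:
        findings.append("%s must use %s" % (FILTER_NAME, PROXY_CLASS))

    mappings = [m for m in root if _local(m.tag) == "filter-mapping"]
    ours = [m for m in mappings if _child_text(m, "filter-name") == FILTER_NAME]
    if not ours:
        findings.append("no <filter-mapping> for %s" % FILTER_NAME)
        return findings
    position = mappings.index(ours[0])
    if position != 0:
        findings.append("%s is filter-mapping #%d; filters run in mapping order, "
                        "so move it to the top" % (FILTER_NAME, position + 1))
    url_pattern = _child_text(ours[0], "url-pattern")
    if url_pattern != "/*":
        findings.append("%s url-pattern is '%s', expected '/*'" % (FILTER_NAME, url_pattern))
    dispatchers = {(d.text or "").strip() for d in ours[0] if _local(d.tag) == "dispatcher"}
    if not dispatchers:
        dispatchers = {"REQUEST"}  # the servlet default when no <dispatcher> is listed
    for needed in ("REQUEST", "FORWARD"):
        if needed not in dispatchers:
            findings.append("%s mapping lacks <dispatcher>%s</dispatcher>" % (FILTER_NAME, needed))
    return findings


# Constructed web.xml in which an encoding filter is mapped ahead of Spring Security
# and no dispatcher types are listed.
BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
  </filter>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Constructed web.xml with the security mapping moved up and both dispatchers listed.
AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print("before:", check_web_xml(BEFORE))
    print("after:", check_web_xml(AFTER) or "no findings")
```

Point it at each environment's deployed web.xml and compare the findings; in the thread above the two environments would have produced different lists, which is exactly the discrepancy the developer had to find by hand.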

Spring Security User-Roles are not loaded from external context file under JBOSS 7

I'm facing a problem on a pretty simple task and I don't know why.
I have a web application deployed under JBoss 7 that uses Spring Security to allow access to different users and profiles.
I have 2 different security files: one is a global configuration file which configures the access to public/static stuff, and another one that specifically defines the users, roles and the paths that are allowed for each role.
Below are both configurations:
General configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:cache="http://www.springframework.org/schema/cache"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
           http://www.springframework.org/schema/cache http://www.springframework.org/schema/cache/spring-cache-3.2.xsd">
  <context:component-scan base-package="mypackage.*" />
  <!-- STATIC RESOURCES For which security context is not enabled -->
  <security:http pattern="/css/**" security="none" />
  <security:http pattern="/images/**" security="none" />
  <security:http pattern="/js/**" security="none" />
  <beans:import resource="classpath*:instance-security.xml" />
  <bean id="myFilter" class="mypackage.filters.SessionFilter" />
  <!-- setting timeout on success login -->
  <bean id="loginSucessHandler"
        class="mypackage.login.handlers.LoginSucessHandler">
    <property name="defaultTargetUrl" value="/list/all" />
    <property name="timeout" value="3600" />
  </bean>
  <!-- handler for failing login attempts -->
  <bean id="loginFailureHandler"
        class="mypackage.login.handlers.LoginFailureHandler">
  </bean>
</beans>
Specific Configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:cache="http://www.springframework.org/schema/cache"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
           http://www.springframework.org/schema/cache http://www.springframework.org/schema/cache/spring-cache-3.2.xsd">
  <context:component-scan base-package="mypackage.*" />
  <security:http auto-config="true" use-expressions="true">
    <security:access-denied-handler error-page="/home?err=403"/>
    <security:headers>
      <security:cache-control />
      <security:content-type-options />
      <security:xss-protection />
    </security:headers>
    <security:intercept-url pattern="/home" access="permitAll()" />
    <security:intercept-url pattern="/dashboard**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
    <security:intercept-url pattern="/dashboard/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
    <security:intercept-url pattern="/configurations/**" access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/configurations**" access="hasRole('ROLE_ADMIN')" />
    <!-- form login definition -->
    <security:form-login login-page="/home"
                         login-processing-url="/login.do"
                         username-parameter="username"
                         password-parameter="password"
                         authentication-failure-url="/home?err=1"
                         authentication-success-handler-ref="loginSucessHandler"
                         />
    <security:logout logout-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID" logout-success-url="/home" />
    <security:csrf />
  </security:http>
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="admin" password="test" authorities="ROLE_ADMIN,ROLE_USER" />
        <security:user name="user" password="test" authorities="ROLE_USER" />
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
The above configurations work perfectly if I put both of them in my web application: the import is processed correctly and the users and roles are added correctly.
For my project I need to move the specific configuration file under the JBoss classpath.
To allow Spring Security to import the file from the JBoss classpath, I used the new "module" concept they have in JBoss, creating a custom module which basically has only my file in it.
The module folder structure is like this:
${JBOSS_HOME}>modules>mycustom>conf>main
In the main folder I have the module.xml and the instance-security.xml (which is the specific configuration posted above).
The module.xml is like this:
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ JBoss, Home of Professional Open Source.
~ Copyright 2010, Red Hat, Inc., and individual contributors
~ as indicated by the #author tags. See the copyright.txt file in the
~ distribution for a full listing of individual contributors.
~
~ This is free software; you can redistribute it and/or modify it
~ under the terms of the GNU Lesser General Public License as
~ published by the Free Software Foundation; either version 2.1 of
~ the License, or (at your option) any later version.
~
~ This software is distributed in the hope that it will be useful,
~ but WITHOUT ANY WARRANTY; without even the implied warranty of
~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
~ Lesser General Public License for more details.
~
~ You should have received a copy of the GNU Lesser General Public
~ License along with this software; if not, write to the Free
~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-->
<module xmlns="urn:jboss:module:1.1" name="mycustom.conf">
  <resources>
    <resource-root path="."/>
  </resources>
</module>
If I use this approach the file still seems to be loaded, because the "import" from the general security file does not throw any exception, but the security is not applied. So I can access any path without logging in.
Does anyone know what the problem could be?
Any tip could be useful.
Seems I solved the problem.
My web app is included in an .ear with several other applications/libraries, and in this ear I had the following deployment configuration:
<deployment>
  <ear-subdeployments-isolated>true</ear-subdeployments-isolated>
  <dependencies>
    <module name="mycustom.conf" />
  </dependencies>
  <sub-deployment name="somelibrary.jar">
    .....
  </sub-deployment>
</deployment>
While the module was still correctly loaded and the dependency satisfied, I had the problem described above (with the security roles and users not being applied).
After I changed the deployment configuration to this:
<jboss-deployment-structure>
  <ear-subdeployments-isolated>true</ear-subdeployments-isolated>
  <sub-deployment name="somelibrary.jar">
    .....
  </sub-deployment>
  <sub-deployment name="myapp.war">
    <dependencies>
      <module name="mycustom.conf" />
    </dependencies>
  </sub-deployment>
</jboss-deployment-structure>
the security roles are correctly applied.
I do not really understand why moving the dependency to the specific "sub-deployment" solved the problem.
But that is what worked for me.
Regards.
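The security-relevant part of this thread is that the broken deployment failed open: no exception, no rules. Spring's "classpath*:" prefix asks the resource resolver for every matching resource and returns an empty result when there is none, so the import succeeds and simply contributes no bean definitions, whereas a plain "classpath:" import of a missing file fails context startup. Why moving the dependency to the WAR sub-deployment fixed it is my reading, not something the thread confirms: a module dependency declared on the EAR is not visible to its WAR sub-deployment unless it is exported. The Python script below is an added example (not the asker's code) that traces import resolution against a constructed, dictionary-based classpath standing in for the WAR and the JBoss module, and reports imports that resolve to nothing; run over a real deployment's config files, the same logic tells you before startup whether the imported security rules will actually be loaded.

```python
"""Trace Spring <import resource="classpath*:..."/> resolution against a simulated classpath.

Added example for the JBoss thread above; it is not the asker's code. The classpath
is a constructed dict of root -> {resource path: xml text}, standing in for the WAR
classes and the JBoss module, and `visible` names the roots the WAR's class loader
can actually see. Two facts of Spring's resource handling are modelled:
  * "classpath*:name" returns every matching resource and an empty result when
    none matches, so the <import> succeeds but contributes no bean definitions;
  * "classpath:name" resolves one resource and fails context startup if missing.
"""
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
SEC = "http://www.springframework.org/schema/security"


def _find(path, classpath, visible):
    """All copies of `path` in the roots the importing deployment can see."""
    return [(root, files[path]) for root, files in classpath.items()
            if root in visible and path in files]


def trace_imports(entry, classpath, visible):
    """Follow imports from `entry`; count security rules and collect warnings."""
    result = {"rules": 0, "providers": 0, "warnings": []}
    visited, pending = set(), [entry]
    while pending:
        path = pending.pop(0)
        if path in visited:
            continue
        visited.add(path)
        for _root, text in _find(path, classpath, visible):
            doc = ET.fromstring(text)
            result["rules"] += sum(1 for _ in doc.iter("{%s}intercept-url" % SEC))
            result["providers"] += sum(1 for _ in doc.iter("{%s}authentication-provider" % SEC))
            for imp in doc.iter("{%s}import" % BEANS):
                resource = imp.get("resource", "")
                wildcard = resource.startswith("classpath*:")
                target = resource.split(":", 1)[1] if ":" in resource else resource
                matches = _find(target, classpath, visible)
                if not matches and wildcard:
                    result["warnings"].append(
                        "classpath*:%s matched nothing: import silently loads no beans" % target)
                elif not matches:
                    result["warnings"].append(
                        "classpath:%s not found: context startup would fail" % target)
                elif wildcard and len(matches) > 1:
                    result["warnings"].append(
                        "classpath*:%s matched %d copies (%s): all of them are loaded"
                        % (target, len(matches), ", ".join(r for r, _ in matches)))
                pending.append(target)
    return result


# Constructed stand-ins for the two files in the thread, reduced to what the trace needs.
GENERAL = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http pattern="/css/**" security="none"/>
  <import resource="classpath*:instance-security.xml"/>
</beans>"""

INSTANCE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/configurations/**" access="hasRole('ROLE_ADMIN')"/>
  </security:http>
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="admin" password="test" authorities="ROLE_ADMIN"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>"""

# Constructed classpath: the general file lives in the WAR, the instance file only
# in the JBoss module "mycustom.conf".
CLASSPATH = {
    "myapp.war": {"security-general.xml": GENERAL},
    "mycustom.conf": {"instance-security.xml": INSTANCE},
}

if __name__ == "__main__":
    # Module dependency attached to the EAR only: the WAR does not see the module.
    print(trace_imports("security-general.xml", CLASSPATH, {"myapp.war"}))
    # Module dependency attached to the WAR sub-deployment.
    print(trace_imports("security-general.xml", CLASSPATH, {"myapp.war", "mycustom.conf"}))
```

The first call reproduces the thread's symptom (zero rules, zero providers, one warning, no exception); the second shows the working deployment. The third warning branch covers the opposite mistake, a copy of the file in both the WAR and the module, in which case "classpath*:" loads both.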

This webpage has a redirect loop, Spring application

I have a web application in the following environment.
Spring 3.2.2 (recently upgraded from Spring 3.2.0).
Spring Security 3.2.0 M1.
Hibernate 4.2.0 CR1.
Apache Tomcat 7.0.35.0.
Oracle 10g.
NetBeans 7.2.1 with jdk-7u11.
The application runs on this base URL: http://localhost:8080/wagafashion/. It has no problem, everything goes fine.
Since I'm using Spring security, the action of the login page is mapped with j_spring_security_check.
After successful login, if I enter this URL: http://localhost:8080/wagafashion/j_spring_security_check in the address bar (either accidentally or deliberately), then the page is redirected to the home page, the first page which is given to an authenticated user, with the following message in Google Chrome:
This webpage has a redirect loop
As can be seen in the following snap shot.
No page can be accessed once this happens. I'm currently using the following browsers.
Google Chrome 26.0.1410.64 m
FireFox 20.0.1
Internet Explorer 8
This requires cookies to be cleared to resume the application. Can this be a problem somewhere in my application? How do I fix this?
My spring-security.xml file is as follows.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <http pattern="/Login.htm*" security="none"></http>
  <http auto-config='true' use-expressions="true" disable-url-rewriting="true">
    <!--<remember-me key="myAppKey"/>-->
    <session-management session-fixation-protection="newSession">
      <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </session-management>
    <intercept-url pattern="/admin_side/**" access="hasRole('ROLE_ADMIN')" requires-channel="any"/>
    <form-login login-page="/" default-target-url="/admin_side/Home.htm" authentication-failure-url="/LoginFailed.htm" authentication-success-handler-ref="loginSuccessHandler"/>
    <logout logout-success-url="/Login.htm" invalidate-session="true" delete-cookies="JSESSIONID"/>
  </http>
  <authentication-manager>
    <authentication-provider>
      <jdbc-user-service data-source-ref="dataSource"
                         users-by-username-query="select email_id, password, enabled from user_table where lower(email_id)=lower(?)"
                         authorities-by-username-query="select ut.email_id, ur.authority from user_table ut, user_roles ur where ut.user_id=ur.user_id and lower(ut.email_id)=lower(?)"/>
    </authentication-provider>
  </authentication-manager>
  <beans:bean id="loginSuccessHandler" class="loginsuccesshandler.LoginSuccessHandler"/>
  <global-method-security secured-annotations="enabled" proxy-target-class="false">
    <protect-pointcut expression="execution(* dao.*.*(..))" access="ROLE_ADMIN"/>
  </global-method-security>
</beans:beans>
I tried your setup; it gave the same result as yours. To solve the problem I did this:
In security.xml change
<form-login login-page="/"...
to
<form-login login-page="/Login.htm"...

Cannot find the declaration of element 'beans:beans'

I am trying role-based access in Spring but got the following error:
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'http'.
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:195)
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:131)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:384)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:318)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:410)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3165)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:1898)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:685)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:400)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2740)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:647)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:140)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:508)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:807)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:107)
And here is my spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <http auto-config="true">
    <intercept-url pattern="/welcome*" access="ROLE_USER" />
    <form-login login-page="/login" default-target-url="/welcome"
                authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/logout" />
  </http>
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="a" password="1" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
It seems the required library files for Spring Security aren't in the right place. Are you using Maven, and do you have the Maven dependency for the Spring Security library files in your pom.xml file?
If so, then do a Maven clean-up and try again. Otherwise you can place the Spring Security library files in the classpath directly.
Please check if application has the necessary spring security library files in the classpath (if you are using Maven, check pom.xml file). Also, check for other Spring related xml files for syntax errors (or please post them also).

Spring "alias is required"

I'm new to Spring and I'm trying to create an application using Spring BlazeDS Integration (Flex + BlazeDS + Spring + Java), and when I run the application I get this error:
02:51:21,852 INFO [XmlBeanDefinitionReader] Loading XML bean definitions from ServletContext resource [/WEB-INF/spring/security-config.xml]
02:51:23,937 ERROR [ContextLoader] Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: alias is required.
Offending resource: ServletContext resource [/WEB-INF/spring/security-config.xml]
The security-config.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:security="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <security:http>
    <security:anonymous enabled="false" />
    <security:form-login default-target-url="/myContext/Index.html"
                         login-page="/myContext/Login.html" />
    <security:remember-me key="myAppKey" services-ref="rememberMeServices" />
  </security:http>
  <beans:bean id="rememberMeServices"
              class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
    <beans:property name="key" value="myAppKey" />
    <beans:property name="alwaysRemember" value="true" />
  </beans:bean>
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="john" password="john" authorities="ROLE_USER" />
        <security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
        <security:user name="guest" password="guest" authorities="ROLE_GUEST" />
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans:beans>
I'm using spring-flex 1.5.0, spring-security 2.0.6 and Spring 3.0.
Any ideas what is the problem?
Thanks in advance,
Andre
I'm not very sure, but try to put an alias in security:authentication-manager:
<security:authentication-manager alias="authenticationManager">
Why don't you use Spring security 3?
As listed in the reference manual, Spring Flex 1.5.0 will not work with Spring Security 2. You must use Spring Security 3.
Other than this, jbbarquero is correct, assuming this is actually your problem.
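Both this thread and the 'beans:beans' one above come down to the same mismatch: the config names an XSD and namespace that the jars on the classpath do not provide (no Spring Security jar at all in the earlier thread; a Spring Security 2.0.6 jar asked to handle the 3.0 schema here). Spring resolves the URLs in xsi:schemaLocation through the META-INF/spring.schemas files shipped inside its jars, and namespace URIs through META-INF/spring.handlers, so the mismatch can be detected by reading those files before the application is ever started. The Python script below is an added example (not code from either thread) that does that; the property texts inside it are constructed stand-ins for what the jars contain, and load_from_jars() reads the real files from a list of jar paths.

```python
"""Check that the XSDs and namespaces a Spring XML config names are actually on the classpath.

Added example serving the two threads above (a Spring Security jar missing from the
classpath; a Spring Security 2.0.6 jar asked to handle the 3.0 XSD). It is not code
from either thread. Spring resolves xsi:schemaLocation URLs through META-INF/
spring.schemas and namespace URIs through META-INF/spring.handlers, both shipped
inside the jars; a URL or namespace with no entry means the jar is absent or older
than the schema the config asks for. The property texts below are constructed
stand-ins for those files; load_from_jars() reads the real ones.
"""
import xml.etree.ElementTree as ET
import zipfile

XSI = "http://www.w3.org/2001/XMLSchema-instance"
BEANS_NS = "http://www.springframework.org/schema/beans"  # handled by the core reader, no handler entry


def parse_properties(text):
    """Parse the java.util.Properties subset used by spring.schemas / spring.handlers."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        mapping[key.strip().replace("\\:", ":")] = value.strip()
    return mapping


def load_from_jars(jar_paths):
    """Concatenate spring.schemas and spring.handlers from real jar files."""
    schemas, handlers = [], []
    for path in jar_paths:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if "META-INF/spring.schemas" in names:
                schemas.append(jar.read("META-INF/spring.schemas").decode("utf-8"))
            if "META-INF/spring.handlers" in names:
                handlers.append(jar.read("META-INF/spring.handlers").decode("utf-8"))
    return "\n".join(schemas), "\n".join(handlers)


def check_schema_locations(config_xml, schemas_text, handlers_text):
    """Return findings for unmapped XSD URLs and namespaces without a handler."""
    schemas = parse_properties(schemas_text)
    handlers = parse_properties(handlers_text)
    root = ET.fromstring(config_xml)
    tokens = (root.get("{%s}schemaLocation" % XSI) or "").split()
    findings = []
    for namespace, location in zip(tokens[0::2], tokens[1::2]):
        if location not in schemas:
            findings.append("%s is in no spring.schemas on the classpath "
                            "(jar missing, or older than this XSD)" % location)
        if namespace != BEANS_NS and namespace not in handlers:
            findings.append("no NamespaceHandler registered for %s" % namespace)
    return findings


# Constructed config: the head of the file from the 'beans:beans' thread.
CONFIG = """<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <http auto-config="true"/>
</beans:beans>"""

# Constructed stand-ins for the property files (real ones escape ':' the same way).
BEANS_SCHEMAS = r"""
http\://www.springframework.org/schema/beans/spring-beans-3.1.xsd=org/springframework/beans/factory/xml/spring-beans-3.1.xsd
"""
SECURITY_31_SCHEMAS = r"""
http\://www.springframework.org/schema/security/spring-security-3.1.xsd=org/springframework/security/config/spring-security-3.1.xsd
"""
SECURITY_20_SCHEMAS = r"""
http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/springframework/security/config/spring-security-2.0.xsd
"""
SECURITY_HANDLERS = r"""
http\://www.springframework.org/schema/security=org.springframework.security.config.SecurityNamespaceHandler
"""

if __name__ == "__main__":
    print("all jars:", check_schema_locations(CONFIG, BEANS_SCHEMAS + SECURITY_31_SCHEMAS, SECURITY_HANDLERS))
    print("security jar missing:", check_schema_locations(CONFIG, BEANS_SCHEMAS, ""))
    print("2.0.6 jar with 3.0 XSD:", check_schema_locations(
        CONFIG.replace("spring-security-3.1.xsd", "spring-security-3.0.xsd"),
        BEANS_SCHEMAS + SECURITY_20_SCHEMAS, SECURITY_HANDLERS))
```

Against a real build, pass the output of load_from_jars() over every jar in WEB-INF/lib: a missing jar shows up as both an unmapped XSD and a namespace without a handler, while a jar that is merely too old for the XSD version the config names shows up as an unmapped XSD alone.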
