Web app showing errors when custom authentication provider included - spring

Hello, I have a custom authentication provider, but when I tried to include a password encoder in my authentication manager, it shows an error that I cannot have child elements when used with the ref attribute. Here's my problem code:
<security:authentication-provider ref="authProvider">
    <security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>

When you use a custom authentication provider, you need to set the password encoder on the referenced bean.
Here is an example for XML config:
<bean id="authProvider" class="me.sample.CustomAuthenticationProvider">
    <property name="passwordEncoder" ref="passwordEncoder"/>
    ... other properties ...
</bean>
And, as the error suggests, you need to remove the child element from <security:authentication-provider/>:
<security:authentication-provider ref="authProvider"/>

Related

Spring Security in-memory user-service with BCrypt (XML configuration)

How to use BCrypt password encoder with in-memory user service using XML namespace configuration? I tried the following:
<bean id="bcrypt" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
        <security:password-encoder ref="bcrypt" />
        <security:user-service id="userService">
            <security:user name="123" password="123" authorities="123" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>
In this case Spring expects the passwords to be already in salted form. How do I salt the passwords using the encoder with XML config?
For testing purposes you can generate BCrypt hashes by using an online tool like this.
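An added example (not part of the original answer) of producing the value for the password attribute locally, so the password never goes to a third-party site. BCrypt draws a random salt on every encode() call and stores it inside the resulting string, which is why nothing separate needs salting; the user "123" is a constructed sample matching the question.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BCryptUserElementTool {

    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(); // default strength 10

    /** Builds the <security:user/> line for the XML user-service with the password already hashed. */
    public static String userElement(String name, String rawPassword, String authorities) {
        // encode() draws a fresh random salt and embeds it in the output ($2a$10$ + 22-char salt + 31-char hash),
        // so the stored value is "already salted" and nothing else needs to be configured
        String hash = ENCODER.encode(rawPassword);
        return "<security:user name=\"" + name + "\" password=\"" + hash
                + "\" authorities=\"" + authorities + "\" />";
    }

    public static void main(String[] args) {
        String raw = "123"; // constructed sample, matching the question's user

        String first = ENCODER.encode(raw);
        String second = ENCODER.encode(raw);
        System.out.println(first);
        System.out.println(second);
        // Different salts give different strings ...
        System.out.println("hashes differ:  " + !first.equals(second));
        // ... but both verify, because matches() reads the salt back out of the stored value
        System.out.println("both match:     " + (ENCODER.matches(raw, first) && ENCODER.matches(raw, second)));
        System.out.println("wrong rejected: " + !ENCODER.matches("124", first));

        System.out.println(userElement("123", raw, "123"));
    }
}
```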

Spring Security: redirect to a URL with path variable after successful login

The following is what I have to redirect a visitor to a page after successful login:
<bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler" p:defaultTargetUrl="/account/quickview"/>
I would like to direct a visitor to a URL of the following form:
/account/quickview/id_of_account_object
How can I configure Spring security to append that account ID to the "/account/quickview" after successful login?
I am using Spring Security 3.1.
Thanks and regards.
Here is how I solved this:
I created a subclass of SavedRequestAwareAuthenticationSuccessHandler and I added a property called temporaryTargetUrl, which is set to "/account/quickview". When the class' onAuthenticationSuccess is called, I obtain the principal and the account id from the principal. At this moment, I append "/account_id" to temporaryTargetUrl and call the super:
super.setDefaultTargetUrl(this.temporaryTargetUrl + "/" + account.getId());
Note that getDefaultTargetUrl of SavedRequestAwareAuthenticationSuccessHandler is not available outside Spring's package, which is why I created temporaryTargetUrl in the first place.
Please feel free to comment.
Thanks!
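An added example (not the poster's code) of the subclass this answer describes. It takes the id from the authenticated principal and hands the finished URL to the redirect strategy instead of storing it on the handler, since one handler bean is shared by all logins; the AccountUser principal type is a hypothetical stand-in for whatever your UserDetailsService returns.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class AccountQuickviewSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    /** Hypothetical principal type: whatever your UserDetailsService returns, exposing the account id. */
    public interface AccountUser {
        long getAccountId();
    }

    private String temporaryTargetUrl = "/account/quickview"; // same property name as in the answer

    public void setTemporaryTargetUrl(String temporaryTargetUrl) {
        this.temporaryTargetUrl = temporaryTargetUrl;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof AccountUser)) {
            // Unexpected principal type: fall back to the parent's saved-request / defaultTargetUrl logic
            super.onAuthenticationSuccess(request, response, authentication);
            return;
        }
        // The id comes from the authenticated principal, never from a request parameter, so a client
        // cannot choose which account page it lands on. Building the URL per request (instead of calling
        // setDefaultTargetUrl) keeps the shared handler bean free of per-user state.
        String targetUrl = temporaryTargetUrl + "/" + ((AccountUser) principal).getAccountId();

        clearAuthenticationAttributes(request); // remove the last AuthenticationException from the session
        getRedirectStrategy().sendRedirect(request, response, targetUrl);
    }
}
```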
You can save the account ID into the Spring Security session object and retrieve it when the quickview URL is called.
To redirect to the URL, add the following property to the customAuthenticationSuccessHandler bean:
<property name="authenticationSuccessHandler" ref="successHandler" />
and create the successHandler bean:
<bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/account/quickview" />
    <property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>
Regards

Spring LdapAuthentication and Load roles from local database

I have Spring Security configured to authenticate against LDAP server.
<security:authentication-manager>
    <security:ldap-authentication-provider user-dn-pattern="uid={0}" />
</security:authentication-manager>
After authentication I want to load roles from local database for the same user. How can I load local database roles using "ldap-authentication-provider"?
If I add the second authentication provider as below:
<security:authentication-manager>
    <security:ldap-authentication-provider user-dn-pattern="uid={0}" />
    <security:authentication-provider ref="daoAuthenticationProvider" />
</security:authentication-manager>
daoAuthenticationProvider is added, but Spring does not use the second provider when the first auth provider authenticates the user. Only if the first auth provider fails to authenticate does it go to the next one in the list.
So basically it looks like we have to customize
<security:ldap-authentication-provider user-dn-pattern="uid={0}" />
to load roles from the local database.
Any suggestions? How should this be implemented?
An authentication provider must deliver a fully populated authentication token on successful authentication, so it's not possible to use one provider to check the user's credentials and another one to assign authorities (roles) to it.
You can however customize an ldap auth provider to fetch user roles from database instead of the default behaviour (searching for the user's groups in ldap). The LdapAuthenticationProvider has two strategies injected: one that performs the authentication itself (LdapAuthenticator), and another one that fetches the user's authorities (LdapAuthoritiesPopulator). You can achieve your requirements if you supply an LdapAuthoritiesPopulator implementation that loads roles from database. In case you already have a UserDetailsService working against the database, you can easily integrate that by wrapping it in a UserDetailsServiceLdapAuthoritiesPopulator and injecting it in the LdapAuthenticationProvider.
Since this configuration is rather uncommon, the security xml namespace doesn't provide tags/attributes to set it up, but the raw bean config isn't too complicated. Here is the outline:
1) I suppose you have an ldap-server somewhere in your config. It's important to assign an id to it, which will allow us to reference it later.
<security:ldap-server url="..." id="ldapServer" .../>
2) From the authentication-manager section, you will only refer to the customized provider:
<security:authentication-manager>
    <security:authentication-provider ref="customLdapAuthProvider"/>
</security:authentication-manager>
3) Now, the essential part:
<bean id="customLdapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg name="authenticator">
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg name="contextSource" ref="ldapServer"/>
            <property name="userDnPatterns">
                <list>
                    <value>uid={0}</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg name="authoritiesPopulator">
        <bean class="org.springframework.security.ldap.authentication.UserDetailsServiceLdapAuthoritiesPopulator">
            <constructor-arg name="userService" ref="userService"/>
        </bean>
    </constructor-arg>
</bean>
The authenticator is basically the same as the one that would be created by the namespace config. (Note the contextSource attribute referencing the ldap server.)
The authoritiesPopulator is a simple wrapper around your userService implementation which is supposed to be defined somewhere in your config.
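An added example (not from the answer) of writing the LdapAuthoritiesPopulator yourself instead of wrapping a UserDetailsService: credentials are still checked by the BindAuthenticator, and roles for the authenticated user are read from a local table. It drops into the authoritiesPopulator constructor-arg above with a DataSource reference; the user_roles table and its columns are assumptions.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

/** Credentials are checked in LDAP by the BindAuthenticator; roles come from the local database. */
public class JdbcLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Assumed schema: user_roles(username VARCHAR, role VARCHAR)
    private static final String ROLES_SQL = "SELECT role FROM user_roles WHERE username = ?";

    private final JdbcTemplate jdbc;
    private String rolePrefix = "ROLE_";

    public JdbcLdapAuthoritiesPopulator(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    public void setRolePrefix(String rolePrefix) {
        this.rolePrefix = rolePrefix;
    }

    @Override
    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
        // username is what the user typed into the login form: bind it as a parameter, never
        // concatenate it into the SQL. If the directory matches names case-insensitively, canonicalise
        // it here the same way, or a user could be looked up under a spelling that has no rows.
        List<String> roles = jdbc.queryForList(ROLES_SQL, String.class, username);

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role.startsWith(rolePrefix) ? role : rolePrefix + role));
        }
        // A user with a valid LDAP password but no rows here logs in with an empty authority set;
        // throw UsernameNotFoundException instead if such users should be rejected outright
        return authorities;
    }
}
```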

about spring social xml configuration

I wonder about "#{request.userPrincipal.name}" in the configuration below. When I run my Spring Social project it always has an error at "#{request.userPrincipal.name}"; if I set a value such as "123" my project runs well. What's wrong, and is there any other configuration I can use instead of "#{request.userPrincipal.name}"?
<bean id="connectionRepository" factory-method="createConnectionRepository" factory-bean="usersConnectionRepository" scope="request">
    <constructor-arg value="#{request.userPrincipal.name}" />
    <aop:scoped-proxy proxy-target-class="false" />
</bean>
This is a Spring EL expression, which means getting the user identity from the HTTP request. Once you apply your own user management component, you can replace #{request.userPrincipal.name} with your own way.

Preauthentication with LTPA token

What is the best way to initialize a Spring context given pre-authentication through Websphere LTPA SSO token? Right now I have a custom filter that provides a PreAuthorizedAuthenticationToken to the Spring Security context. Is there an existing filter that would do this for me automatically? I have always run into trouble with GrantedAuthorities when I've tried to use the PreAuth classes.
Cheers
The best option is to have a custom pre-authentication filter by extending AbstractPreAuthenticatedProcessingFilter.
You can fetch the token from the request and return it in the getPreAuthenticatedCredentials() method.
You can define your own AuthenticationUserDetailsService and pass it to PreAuthenticatedAuthenticationProvider; here you can fetch the granted authorities and return them in a UserDetails object:
<bean id="preAuthAuthenticationProvider"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean id="myUserDetailsService" class="MyUserDetailsService"/>
    </property>
</bean>
If you have granted authorities not starting with the default prefix ROLE, you can define your custom prefix:
<bean id="myPermissionRoleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix" value="myprefix"/>
</bean>
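An added example (not the answer's code) of the two classes the answer describes. The filter trusts the Principal that the WebSphere container already established from the LTPA token and uses the LtpaToken2 cookie only as the credential; the RoleLookup interface is a hypothetical stand-in for whatever store holds the authorities.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class LtpaPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {
    private static final String LTPA_COOKIE = "LtpaToken2"; // WebSphere's SSO cookie name

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // The container has already validated the LTPA token, so trust the Principal it set rather than
        // any header or cookie value a client could forge; returning null makes the filter skip quietly
        Principal principal = request.getUserPrincipal();
        return principal == null ? null : principal.getName();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (LTPA_COOKIE.equals(cookie.getName())) return cookie.getValue();
            }
        }
        return "N/A"; // must be non-null or PreAuthenticatedAuthenticationProvider ignores the token
    }

    /** Hypothetical role store: plug in JDBC, LDAP groups or a static map. */
    public interface RoleLookup { Collection<String> rolesFor(String username); }

    /** The AuthenticationUserDetailsService for PreAuthenticatedAuthenticationProvider: it adds the authorities. */
    public static class LtpaUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
        private final RoleLookup roles;
        public LtpaUserDetailsService(RoleLookup roles) { this.roles = roles; }

        @Override
        public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            for (String role : roles.rolesFor(token.getName())) authorities.add(new SimpleGrantedAuthority(role));
            return new User(token.getName(), "N/A", authorities); // password placeholder: none is checked here
        }
    }
}
```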
