We are trying to implement Spring security in our application. We are extending RememberMeAuthenticationFilter. But trouble is that our application Controllers are getting called before RememberMeAuthenticationFilter. Is there anyway to force RememberMeAuthenticationFilter to be called before application Controllers?
Below are my configuaations. In debug mode I could see that FilterChainProxy.VirtualFilterChain has two sets of filters - original filters and additional filters. Original filters has springSecurityFilterChain but it doesn't call custom RememberMeAuthenticationFilter. And additional filters has RememberMeAuthenticationFilter. Controller is getting called via DispatcherServlet at the end of original filters.
Web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
spring-security-context.xml
<http use-expressions="true" auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint" create-session="ifRequired" >
<long list of intercept-url here>
<intercept-url pattern="/**" access="permitAll" requires-channel="any"/>
<custom-filter ref="rememberMeProcessingFilter" position="REMEMBER_ME_FILTER" />
<custom-filter ref="authenticationProcessingFilter" position="FORM_LOGIN_FILTER" />
</http>
<beans:bean id="rememberMeProcessingFilter" class="uk.co.and.dealofday.security.SecurityRememberMeAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="rememberMeServices" ref="rememberMeServices" />
</beans:bean>
<beans:bean id="authenticationProcessingFilter" class="uk.co.and.dealofday.security.SecurityUsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="rememberMeServices" ref="rememberMeServices" />
<beans:property name="userService" ref="userService"/>
<beans:property name="securityHelper" ref="securityHelper" />
</beans:bean>
declare custom remember filter after custom authentication filter
<custom-filter ref="authenticationProcessingFilter" position="FORM_LOGIN_FILTER" />
<custom-filter ref="rememberMeProcessingFilter" position="REMEMBER_ME_FILTER" />
Related
I am new to spring security and I am confused over how spring security works. I have a filter chain defined as follows:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/rest/internal/*</url-pattern>
<url-pattern>/user/*</url-pattern>
<url-pattern>/http/*</url-pattern>
</filter-mapping>
and my security config looks as follows:
<global-method-security pre-post-annotations="enabled"/>
<http entry-point-ref="aligneUnauthorisedEntryPoint" use-expressions="true" create-session="never">
<!--<intercept-url pattern="/user/login" access="isAuthenticated()"/>-->
<intercept-url pattern="/rest/internal/**" access="isAuthenticated()"/>
<intercept-url pattern="/http/**" access="isAuthenticated()"/>
<custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER"/>
<custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
<csrf disabled="true"/>
<http-basic/>
</http>
<authentication-manager alias="aligneAuthenticationManager">
<authentication-provider ref="aligneUserAuthenticationProvider"/>
</authentication-manager>
<beans:bean id="loginFilter" class="com.altra.middleware.security.AligneAuthenticationFilter">
<beans:property name="authenticationManager" ref="aligneAuthenticationManager"/>
<beans:property name="authenticationFailureHandler" ref="aligneAuthenticationFailureHandler"/>
<beans:property name="authenticationSuccessHandler" ref="aligneAuthenticationSuccessHandler"/>
<beans:property name="filterProcessesUrl" value="/user/login"/>
</beans:bean>
When i am hitting the following URL from my browser:
http://localhost:9099/jedi/rest/internal/main/dropdown
I get the following error.
Secondly, same exception comes occurs when i try to invoke the service from another spring controller using RestTemplate.
HTTP ERROR 503 Problem accessing /jedi/rest/internal/main/dropdown.
Reason:
Full authentication is required to access this resource
where /jedi is the application context.
If i comment out <intercept-url pattern="/rest/internal/**" access="isAuthenticated()"/> then the correct controller's method is called.
What is the significance of access="isAuthenticated()" ? We have this method overridden but it never gets called.
How should i go about this problem ?
I'm setting up Spring Security in my project and I'm having some trouble hitting one of my rest endpoints. I receive an "Error: Forbidden" response from the server when I hit the endpoint through my client.
What I'm doing is going to the login page (I assume at this point I'm an anonymous user with ROLE_ANONYMOUS) and clicking a tab that shows me a create new account form.
When I fill out the fields and hit submit then the rest endpoint is called and the JSON data is sent to the server. In my security configuration I have posted below the endpoint url I'm using, /createUserAccount/submit, is set to work with the ROLE_ANONYMOUS and ROLE_ADMIN roles in the filterSecurityInterceptor bean xml.
Since I'm an anonymous user on the login page I thought that hitting that endpoint would work, but it's not. All the files relevant to my problem are below.
Here's my controller:
#Controller
#RequestMapping("/createUserAccount")
#SessionAttributes("userAccount")
public class CreateUserAccountController {
private final String loginViewName = "login";
private CreateUserAccountValidator validator;
private UserAccountManager userAccountManager;
#Autowired
public CreateUserAccountController(
#Qualifier("createUserAccountValidator") CreateUserAccountValidator validator,
#Qualifier("userAccountManager") UserAccountManager userAccountManager) {
this.validator = validator;
this.userAccountManager = userAccountManager;
}
#RequestMapping(value="/submit", method = RequestMethod.POST)
#ResponseBody
public GenericJsonDTO submitForm(#RequestBody UserAccount userAccount, BindingResult result, SessionStatus status){
JsonFactory jsonFactory = new JsonFactory(result, "/gravytrack/dashboard");
validator.validate(userAccount, result);
if(!result.hasErrors()) {
userAccountManager.createUserAccount(userAccount);
status.setComplete();
}
return jsonFactory.getDto();
}
}
I have my server setup so I can debug during runtime, I put a breakpoint on the line
JsonFactory jsonFactory = new JsonFactory(result, "/gravytrack/dashboard");
to see if the function is ever entered when the /createUserAccount/submit endpoint is called. The function is never entered.
Below is my security configuration. I've been starting to incorporate ACL security so the configuration file is pretty long. I think the problem is in either the http element or filterSecurityInterceptor bean configuration xml. The filterSecurityInterceptor XML is where my URI permissions are defined.
<global-method-security pre-post-annotations="enabled"
secured-annotations="enabled">
<expression-handler ref="expressionHandler" />
</global-method-security>
<http use-expressions="true">
<intercept-url pattern="/**" requires-channel="https" />
<!--<intercept-url pattern="/gravytrack/dashboard**" requires-channel="https" access="ROLE_USER"/>-->
<http-basic />
<session-management>
<concurrency-control max-sessions="10"
error-if-maximum-exceeded="true" />
</session-management>
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
</http>
<beans:bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder" />
<authentication-manager alias="authenticationManager">
<authentication-provider>
<password-encoder ref="passwordEncoder"/>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT email, password, enabled FROM user_account
WHERE email = ?" />
</authentication-provider>
</authentication-manager>
<beans:bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChainProxy">
<beans:constructor-arg>
<util:list>
<filter-chain pattern="/images/**" filters="" />
<filter-chain pattern="/**"
filters="securityContextPersistenceFilterWithASCFalse,
basicAuthenticationFilter,
basicExceptionTranslationFilter,
filterSecurityInterceptor" />
</util:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="securityContextPersistenceFilterWithASCFalse"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
</beans:bean>
<beans:bean id="securityContextPersistenceFilterWithASCTrue"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
</beans:bean>
<!--......................-->
<!-- basic authentication -->
<!--......................-->
<beans:bean id="basicAuthenticationFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<beans:constructor-arg name="authenticationManager">
<beans:ref bean="authenticationManager" />
</beans:constructor-arg>
<beans:constructor-arg name="authenticationEntryPoint">
<beans:ref bean="basicAuthenticationEntryPoint" />
</beans:constructor-arg>
</beans:bean>
<beans:bean id="basicAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<beans:property name="realmName" value="gravytrack.com" />
</beans:bean>
<beans:bean id="basicExceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<beans:constructor-arg name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint" />
<beans:property name="accessDeniedHandler" ref="basicAccessDeniedHandler" />
</beans:bean>
<beans:bean id="basicAccessDeniedHandler"
class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
</beans:bean>
<!--......................-->
<!-- security -->
<!--......................-->
<beans:bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="securityMetadataSource">
<filter-security-metadata-source use-expressions="false">
<intercept-url pattern="/login.jsp*"
access="ROLE_ANONYMOUS,ROLE_ADMIN" />
<intercept-url pattern="/gravytrack/createUserAccount/*"
access="ROLE_ANONYMOUS,ROLE_ADMIN" />
<intercept-url pattern="/images/**"
access="ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN" />
<intercept-url pattern="/admin.htm*" access="ROLE_ADMIN" />
<intercept-url pattern="/**"
access="ROLE_USER,ROLE_ADMIN" />
</filter-security-metadata-source>
</beans:property>
</beans:bean>
<beans:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:constructor-arg name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean
class="org.springframework.security.access.vote.AuthenticatedVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="permissionEvaluator" />
</beans:bean>
<beans:bean id="permissionEvaluator"
class="org.springframework.security.acls.AclPermissionEvaluator">
<beans:constructor-arg ref="aclService" />
</beans:bean>
<beans:bean id="aclService"
class="org.springframework.security.acls.jdbc.JdbcMutableAclService">
<beans:constructor-arg ref="dataSource" />
<beans:constructor-arg ref="lookupStrategy" />
<beans:constructor-arg ref="aclCache" />
<beans:property name="sidIdentityQuery"
value="SELECT max(id) FROM acl_sid" />
<beans:property name="classIdentityQuery"
value="SELECT max(id) FROM acl_class" />
<!--
<beans:property name="sidIdentityQuery"
value="select currval(pg_get_serial_sequence('acl_sid', 'id'))" />
<beans:property name="classIdentityQuery"
value="select currval(pg_get_serial_sequence('acl_class', 'id'))" />
-->
</beans:bean>
<beans:bean id="consoleAuditLogger" class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
<beans:bean id="lookupStrategy"
class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
<beans:constructor-arg ref="dataSource" />
<beans:constructor-arg ref="aclCache" />
<beans:constructor-arg ref="aclAuthorizationStrategy" />
<beans:constructor-arg ref="consoleAuditLogger"/>
</beans:bean>
<beans:bean id="aclAuthorizationStrategy"
class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
<beans:constructor-arg>
<beans:list>
<beans:bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ADMIN" />
</beans:bean>
<beans:bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ADMIN" />
</beans:bean>
<beans:bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ADMIN" />
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="permissionGrantingStrategy" class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy">
<beans:constructor-arg ref="consoleAuditLogger"/>
</beans:bean>
<beans:bean id="aclCache"
class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
<beans:constructor-arg>
<beans:bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager">
<beans:bean
class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
</beans:property>
<beans:property name="cacheName" value="aclCache" />
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg ref="permissionGrantingStrategy" />
<beans:constructor-arg ref="aclAuthorizationStrategy" />
</beans:bean>
</beans:beans>
Last but not least here's my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<!-- Log4j configuration loading -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.xml</param-value>
</context-param>
<!-- Bootstrapping context loading -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/gravytrack-servlet.xml
/WEB-INF/gravytrack-services.xml
/WEB-INF/gravytrack-security.xml
</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>gravytrack.root</param-value>
</context-param>
<!-- session management listener -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<session-config>
<!-- session times out if no activities for 30 minutes -->
<session-timeout>30</session-timeout>
</session-config>
<!-- defining the DispatcherServlet -->
<servlet>
<servlet-name>gravytrack</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>gravytrack</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>gravytrack</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<!--<servlet-mapping>-->
<!--<servlet-name>gravytrack</servlet-name>-->
<!--<url-pattern>*.html</url-pattern>-->
<!--</servlet-mapping>-->
<!-- Security entry point -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- webflow -->
<!--
<servlet-mapping>
<servlet-name>soba</servlet-name>
<url-pattern>/flow/*</url-pattern>
</servlet-mapping>
-->
<!-- defining the DefaultServlet -->
<servlet>
<servlet-name>DefaultServlet</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>DefaultServlet</servlet-name>
<url-pattern>*.jpg</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DefaultServlet</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsp/notfound.jsp</location>
</error-page>
<welcome-file-list>
<welcome-file>
login.jsp
</welcome-file>
</welcome-file-list>
<!-- Spring jsp tag lib -->
<jsp-config>
<taglib>
<taglib-uri>/spring</taglib-uri>
<taglib-location>/WEB-INF/tld/spring-form.tld</taglib-location>
</taglib>
</jsp-config>
</web-app>
I'm having a hard time trying to figure out what's wrong so any help is greatly appreciated.
By default Spring security enables CSRF and every POST request as it expects a csrf token.
Check the Spring CSRF documentation..
You can switchoff CSRF like this in your config to test already if it's the problem
<http auto-config="false">
<csrf disabled="true"/>
if you dont want to switchoff CSRF, you must POST the csrf tokens like this
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
So I'm trying to send a request to my oauth server (with no headers): grant_type=password&username=blah&password=blah&client_id=blahblah.
I have 2 authentication-manager (one for the client and another for the user validation). The problem is, none of my authentication managers are being passing the username to verify. In both cases, they are being called with the client_id. What I want is one to verify the client and the other to verify the user.
My bean configuration is this:
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="ROLE_USER" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling
separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
<http pattern="/api/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api" access="ROLE_USER,SCOPE_READ" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<sec:authentication-provider user-service-ref="clientDetailsUserService" />
<sec:authentication-provider user-service-ref="customUserDetailService">
<sec:password-encoder ref="passwordEncoder" />
</sec:authentication-provider>
</authentication-manager>
<beans:bean id="customUserDetailService" class="com.cointraders.api.securities.UserDetailsServiceImpl" />
<beans:bean id="clientDetails" class="org.springframework.security.oauth2.provider.JdbcClientDetailsService">
<beans:constructor-arg ref="dataSource" />
</beans:bean>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:refresh-token />
<oauth:password authentication-manager-ref="authenticationManager" />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter" resource-id="api" token-services-ref="tokenServices" />
<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<beans:bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="api/" />
</beans:bean>
<beans:bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<beans:constructor-arg ref="dataSource" />
</beans:bean>
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="tokenStore" />
<beans:property name="supportRefreshToken" value="true" />
<beans:property name="clientDetailsService" ref="clientDetails" />
</beans:bean>
<beans:bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetails" />
</beans:bean>
<beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="api" />
</beans:bean>
This is my Web.XML
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/*.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
My User Detail Service Class
public class UserDetailsServiceImpl extends PersonServiceImpl implements
UserDetailsService {
#Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
UserDetails details = null;
Specification<Person> specs = Specifications.where(PersonSpecification.equalsUserName(username));
Person person = this.personRepository.findOne(specs);
if(person!=null)
{
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(new SimpleGrantedAuthority(person.getRole().getRole().name()));
details = new User(person.getUserName(), person.getPassword(), person.getActive(), false, false, false, authorities);
}
return details;
}
}
In your <authorization-server/> you haven't set the AuthenticationManager in the <password/> grant type (so it is using the default bean name "authenticationManager" which you have mapped to the client credentials).
An additional problem is that you use <authentication-manager/> twice without giving an explicit "id=" for either, which actually has the effect of defining only one AuthenticationManager since the second one overrides the first (they both have the same id). Try using "id=" instead of "alias=".
You really need to send the client credentials in a header if you can (but you probably know that).
I tried to implement a role hierarchy but it doesn't want to work. everything else works perfectly except that. Here is my spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<!-- Enable method-level security via annotations -->
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>
<!-- Configure form-based authentication -->
<http auto-config="true" use-expressions="true" entry-point-ref="securityEntryPoint" >
<intercept-url pattern="/resources/script/jquery-ui/**" access="permitAll" />
<intercept-url pattern="/resources/script/jquery*" access="permitAll" />
[....]
<intercept-url pattern="/**" access="isAuthenticated()" />
<session-management invalid-session-url="/login.jsp?info=invalid" >
<concurrency-control max-sessions="1" session-registry-alias="sessionRegistry" expired-url="/login.jsp?info=expired" />
</session-management>
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=credentials" />
<logout logout-url="/logout" invalidate-session="true" logout-success-url="/login.jsp" />
</http>
<!-- Configure a spring security logger listener for logging authentication attempts. -->
<beans:bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<!-- Configure a delegating entry point -->
<beans:bean id="securityEntryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
<!-- Requests of type text/html or application/xhtml+xml should be handled by form-based authentication -->
<beans:constructor-arg>
<beans:map>
<beans:entry>
<beans:key>
<beans:bean class="com.test.security.AcceptHeaderRequestMatcher"/>
</beans:key>
<beans:bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.jsp" />
</beans:bean>
</beans:entry>
</beans:map>
</beans:constructor-arg>
<!-- Otherwise use BASIC authentication by default -->
<beans:property name="defaultEntryPoint">
<beans:bean class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<beans:property name="realmName" value="test Web Service" />
</beans:bean>
</beans:property>
</beans:bean>
<!-- Configure an authentication manager via our defaultUserService -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="defaultUserService">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:ref bean="roleVoter" />
<beans:ref bean="authenticatedVoter" />
</beans:list>
</beans:property>
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
<beans:constructor-arg ref="roleHierarchy" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<beans:property name="hierarchy">
<beans:value>
PERM_READ_ALL_USER_LIST > PERM_READ_USER_LIST
</beans:value>
</beans:property>
</beans:bean>
If i try to access a resource for which PERM_READ_USER_LIST is required, #PreAuthorize("hasRole('PERM_READ_USER_LIST')"), with a user who has the PERM_READ_ALL_USER_LIST it doesn't work, but if he has PERM_READ_USER_LIST, it works. So obviously the rolevoter is not doing its job but I don't get why...
Thank you.
You have to specify the hirarchy explicite for the MethodSecurityExpressionHandler.
See this Stack Overflow question and answer for more details.
How to use role-hierarchy in Spring Security 3 with Spring EL?
Hi I am using Spring Security 3.0.5 with Spring Framework 3.0.6. I have configured concurrency as per the documentation. It is not working. I login to the application from a browser session and then attemp to login again from another tab in the same browser - it lets me log in instead of denying the attempt.
Here is my security config file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="false" use-expressions="true"
access-denied-page="/jsp/accessDenied.jsp"
entry-point-ref="authenticationEntryPoint">
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<logout invalidate-session="true" logout-url="/logout.htm"
logout-success-url="/login.jsp?loggedout=true"/>
<custom-filter ref="authenticationFilter"
position="FORM_LOGIN_FILTER"/>
<custom-filter ref="concurrencyFilter"
position="CONCURRENT_SESSION_FILTER"/>
<session-management session-authentication-strategy-ref="sas"/>
</http>
<beans:bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas"/>
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler"/>
<beans:property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler"/>
</beans:bean>
<beans:bean id="customAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.jsp?authfailed=true"/>
</beans:bean>
<beans:bean id="customAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/index.jsp" />
</beans:bean>
<beans:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.jsp"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
id="passwordEncoder"/>
<user-service id="userDetailsService">
<user name="username" password="ee11cbb19052e40b07aac0ca060c23ee"
authorities="ROLE_USER, ROLE_ADMIN" />
<user name="test" password="21232f297a57a5a743894a0e4a801fc3"
authorities="ROLE_USER" />
</user-service>
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry"/>
<beans:property name="expiredUrl" value="/login.jsp?loggedout=true" />
</beans:bean>
<beans:bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:property name="maximumSessions" value="1" />
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</beans:bean>
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
Here is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>Spring security web application (series)</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
<!--
- Loads the root application context of this web app at startup. - The
application context is then available via -
WebApplicationContextUtils.getWebApplicationContext(servletContext).
-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>springsecuritywebapp</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springsecuritywebapp</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
Regards,
Nazir
Add <beans:property name="exceptionIfMaximumExceeded" value="true" /> to org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy bean definition. It will throw exception if allowed sessions are exceeded.
This will have a side effects. Suppose user logged in a browser and close the browser which clears session data. Then the user has to wait for session in server to expire before allowed to login again.I prefer your existing configuration to this unless you have explicit requirement.