Spring config file namespace resolve - spring

I have a problem in my Spring bean configuration file. I am using Spring Tool Suite 3.4 and Spring 3.1.1 jars (MVC, JDBC, security). This is just a warning in the IDE, but when the application is loaded into the app server it shows the following error.
Spring Configuration File - login-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    <beans:import resource='login-service.xml'/>
    <security:http>
        <security:intercept-url pattern='/home*' access='ROLE_USER,ROLE_ADMIN' />
        <security:intercept-url pattern='/admin*' access='ROLE_ADMIN' />
        <security:form-login login-page='/login.jsp' default-target-url='/home' authentication-failure-url='/login.jsp?error=true'/>
        <security:logout logout-success-url='/login.jsp' />
        <security:anonymous username='guest' granted-authority='ROLE_GUEST'/>
        <security:remember-me/>
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref='myDataSource'
                users-by-username-query="select username, password, 'true' as enabled from USER_DETAILS where username=?"
                authorities-by-username-query="select USER_DETAILS.username , USER_AUTH.AUTHORITY as authorities from USER_DETAILS,USER_AUTH
                    where USER_DETAILS.username = ? AND USER_DETAILS.username=USER_AUTH.USERNAME"></security:jdbc-user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans:beans>
WARNING. ERROR IN CONSOLE - org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/spring/appServlet/login-security.xml]

I think you are probably missing the Spring Security config dependency in your pom.
Try adding this to your pom.xml:
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>3.1.1.RELEASE</version>
</dependency>
Hope this helps.

Related

Spring Security User-Roles are not loaded from external context file under JBOSS 7

I'm facing a problem on a pretty simple task and I don't know why.
I have a web application deployed under JBoss 7 that uses Spring Security to allow access to different users and profiles.
I have 2 different security files: one is a global configuration file which configures the access to public/static stuff, and the other defines specifically the users, roles and the paths that are allowed for each role.
Below both configurations:
General configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:cache="http://www.springframework.org/schema/cache"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/cache http://www.springframework.org/schema/cache/spring-cache-3.2.xsd">
    <context:component-scan base-package="mypackage.*" />
    <!-- STATIC RESOURCES For which security context is not enabled -->
    <security:http pattern="/css/**" security="none" />
    <security:http pattern="/images/**" security="none" />
    <security:http pattern="/js/**" security="none" />
    <beans:import resource="classpath*:instance-security.xml" />
    <bean id="myFilter" class="mypackage.filters.SessionFilter" />
    <!-- setting timeout on success login -->
    <bean id="loginSucessHandler"
        class="mypackage.login.handlers.LoginSucessHandler">
        <property name="defaultTargetUrl" value="/list/all" />
        <property name="timeout" value="3600" />
    </bean>
    <!-- handler for failing login attempts -->
    <bean id="loginFailureHandler"
        class="mypackage.login.handlers.LoginFailureHandler">
    </bean>
</beans>
Specific Configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:cache="http://www.springframework.org/schema/cache"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/cache http://www.springframework.org/schema/cache/spring-cache-3.2.xsd">
    <context:component-scan base-package="mypackage.*" />
    <security:http auto-config="true" use-expressions="true">
        <security:access-denied-handler error-page="/home?err=403"/>
        <security:headers>
            <security:cache-control />
            <security:content-type-options />
            <security:xss-protection />
        </security:headers>
        <security:intercept-url pattern="/home" access="permitAll()" />
        <security:intercept-url pattern="/dashboard**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
        <security:intercept-url pattern="/dashboard/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
        <security:intercept-url pattern="/configurations/**" access="hasRole('ROLE_ADMIN')" />
        <security:intercept-url pattern="/configurations**" access="hasRole('ROLE_ADMIN')" />
        <!-- form login definition -->
        <security:form-login login-page="/home"
            login-processing-url="/login.do"
            username-parameter="username"
            password-parameter="password"
            authentication-failure-url="/home?err=1"
            authentication-success-handler-ref="loginSucessHandler"
        />
        <security:logout logout-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID" logout-success-url="/home" />
        <security:csrf />
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="admin" password="test" authorities="ROLE_ADMIN,ROLE_USER" />
                <security:user name="user" password="test" authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
The above configurations work perfectly if I put both of them in my web application; the import is processed correctly and the users and roles are added correctly.
For my project I need to move the specific configuration file under the JBoss classpath.
To allow Spring Security to import the file from the JBoss classpath I used the new "module" concept they have in JBoss, creating a custom module which basically has only my file in it.
The module folder structure is like this:
${JBOSS_HOME}>modules>mycustom>conf>main
and in the main folder I have the module.xml and the instance-security.xml (which is the specific configuration posted above).
The module.xml is like this:
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ JBoss, Home of Professional Open Source.
~ Copyright 2010, Red Hat, Inc., and individual contributors
~ as indicated by the #author tags. See the copyright.txt file in the
~ distribution for a full listing of individual contributors.
~
~ This is free software; you can redistribute it and/or modify it
~ under the terms of the GNU Lesser General Public License as
~ published by the Free Software Foundation; either version 2.1 of
~ the License, or (at your option) any later version.
~
~ This software is distributed in the hope that it will be useful,
~ but WITHOUT ANY WARRANTY; without even the implied warranty of
~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
~ Lesser General Public License for more details.
~
~ You should have received a copy of the GNU Lesser General Public
~ License along with this software; if not, write to the Free
~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-->
<module xmlns="urn:jboss:module:1.1" name="mycustom.conf">
    <resources>
        <resource-root path="."/>
    </resources>
</module>
If I use this approach the file still seems to be loaded, because the "import" from the general security file does not throw any exception, but the security is not applied. So I can access any path without logging in.
Does anyone know what the problem could be?
Any tip could be useful.
Seems I solved the problem.
My web app is included in an .ear with several other applications/libraries, and in this ear I had the following deployment configuration:
<deployment>
    <ear-subdeployments-isolated>true</ear-subdeployments-isolated>
    <dependencies>
        <module name="mycustom.conf" />
    </dependencies>
    <sub-deployment name="somelibrary.jar">
        .....
    </sub-deployment>
</deployment>
While the module was still correctly loaded and the dependency satisfied, I had the problem described above (with the security roles and users not being applied).
After I changed the deployment configuration to this:
<jboss-deployment-structure>
    <ear-subdeployments-isolated>true</ear-subdeployments-isolated>
    <sub-deployment name="somelibrary.jar">
        .....
    </sub-deployment>
    <sub-deployment name="myapp.war">
        <dependencies>
            <module name="mycustom.conf" />
        </dependencies>
    </sub-deployment>
</jboss-deployment-structure>
the security roles are correctly applied.
I do not really understand why moving the dependency to the specific "sub-deployment" solved the problem.
But that is what worked for me.
Regards.

Vaadin 7.1 + Spring-Security Integration running in Tomcat Server

I'm new to Vaadin and Spring Security. I want to know if anyone has a complete project example of the Vaadin 7.1 + spring-security integration running in a Tomcat server (not in Jetty).
Vaadin 7 integrates easily with Spring Security. You only need to configure 2 files: first web.xml, and second spring-security.xml (user credentials and security settings). This is a small example of how to use a basic form for authentication.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
    <display-name>Vaadin7SpringSecurity</display-name>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/spring-security.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <!-- filter declaration for Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <http auto-config='true'>
        <intercept-url pattern="/*" access="ROLE_USER" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
For more details on how to extend the spring-security.xml configuration you can use Spring resources.
You should have a look at this GitHub project. This is a Vaadin 7.1 + Spring 3.1.2.RELEASE + Spring-Vaadin integration 2.0.1 project. There is also a Jetty plugin inside, but you can also run/deploy it in Tomcat without problems.
Here is a little project that integrates Vaadin and Spring Security. It's done in Scala, but obviously works in Java as well. Code is here.
When following the above example with the latest spring-security, I encountered the following errors; here are my solutions:
Error1
Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema or spring-security-3.2.xsd schema with Spring Security 4.0. Please update your schema declarations to the 4.0 schema.
You should check your spring-* version and update the header tag of spring-security.xml.
For example: I use spring-beans-4.1.6.RELEASE and
spring-security-4.0.2.RELEASE. So I update it as:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
Error2
HTTP Status 500 - Failed to evaluate expression 'ROLE_USER'
...
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Property or field 'ROLE_USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public?
...
According to the hints in this resource, you should revise the intercept-url tag as follows:
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
Error3
HTTP Status 403 - Expected CSRF token not found. Has your session expired?
That's because spring-security enables CSRF protection by default, which conflicts with Vaadin. You should add a new tag inside http:
<csrf disabled="true" />
Here's my complete spring-security.xml for reference:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
    <http auto-config='true'>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <csrf disabled="true" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="yourUsername" password="yourPassoword" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
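A pre-deployment check for the three errors in the answer above and for the silently skipped `classpath*:` import from the JBoss question earlier on this page, written as an added example that is not part of any post here. The `audit` function, the finding names and both sample files are constructed for illustration; it relies on two Spring behaviours: `classpath*:` resolves to zero or more resources, so an import that matches nothing is not an error, and `use-expressions` defaults to true from Spring Security 4.0.

```python
import re
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"
BEANS = "{http://www.springframework.org/schema/beans}"
XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
# A pre-4.0 style access value: a comma-separated list of bare attribute names.
BARE_ROLES = re.compile(r"\s*[A-Z_]+(\s*,\s*[A-Z_]+)*\s*")

# Constructed samples modelled on the files in this thread.
TEMPLATE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-%s.xsd">
%s
</beans:beans>"""
BEFORE = TEMPLATE % ("3.1", """
  <beans:import resource="classpath*:instance-security.xml"/>
  <http auto-config="true">
    <intercept-url pattern="/*" access="ROLE_USER"/>
  </http>""")
AFTER = TEMPLATE % ("4.0", """
  <http auto-config="true">
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <csrf disabled="true"/>
  </http>""")


def audit(xml_text, target="4.0"):
    """Return (code, detail) findings for running this file on Spring Security `target`."""
    root = ET.fromstring(xml_text)
    findings = []
    # Error1: the versioned XSD must match the library version.
    m = re.search(r"spring-security-(\d+\.\d+)\.xsd", root.get(XSI + "schemaLocation", ""))
    if m and m.group(1) != target:
        findings.append(("schema-version", m.group(1)))
    # classpath*: matches zero or more files, so a missing file imports nothing, silently.
    for imp in root.iter(BEANS + "import"):
        if imp.get("resource", "").startswith("classpath*:"):
            findings.append(("silent-import", imp.get("resource")))
    expr_default = "true" if int(target.split(".")[0]) >= 4 else "false"
    for http in root.iter(SEC + "http"):
        # Error2: with expressions on, a bare role name is evaluated as SpEL and fails.
        if http.get("use-expressions", expr_default) == "true":
            for rule in http.iter(SEC + "intercept-url"):
                if BARE_ROLES.fullmatch(rule.get("access", "")):
                    findings.append(("bare-role", rule.get("access")))
        # Error3's workaround: CSRF protection switched off for this filter chain.
        for csrf in http.iter(SEC + "csrf"):
            if csrf.get("disabled") == "true":
                findings.append(("csrf-disabled", http.get("pattern", "/**")))
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```

The corrected file still reports `csrf-disabled`: that setting removes CSRF protection for every request the `<http>` block covers, so it is worth tracking as an accepted risk rather than silencing.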

Getting error while adding spring security lib

I have found some solutions but they didn't work for me. I added the libraries to the project but I am getting this error. I could reach the security libraries from my controller classes. Any idea?
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]
This is my spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <http auto-config="true">
        <intercept-url pattern="/*" access="ROLE_USER" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="test" password="123" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Use http://www.springframework.org/schema/security/spring-security-3.0.xsd as your namespace instead.
To avoid
"org.xml.sax.SAXParseException: schema_reference.4: Failed to read
schema document 'springframework.org/schema/security/…;, because 1)
could not find the document; 2) the document could not be read; 3) the
root element of the document is not <xsd:schema>."
change springframework.org/schema/security/spring-security-3.1.4.xsd to springframework.org/schema/security/spring-security-3.1.xsd.
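Spring finds the handler for a custom XML namespace by reading `META-INF/spring.handlers` from every jar on the classpath, and the entry for the security namespace ships in spring-security-config, the jar named in the answer to the first question on this page, where the same `Unable to locate Spring NamespaceHandler` error appears. The check below is an added example, not code from any post: it lists the namespaces a config file uses that no jar in a `WEB-INF/lib` directory registers. The jars and the shortened config are constructed, and the function names are hypothetical.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
import zipfile

HANDLERS = "META-INF/spring.handlers"
BEANS_NS = "http://www.springframework.org/schema/beans"  # parsed by Spring core, no handler entry
SECURITY_NS = "http://www.springframework.org/schema/security"

# Constructed, shortened version of the login-security.xml from the first question.
CONFIG = """<beans:beans xmlns="http://www.springframework.org/schema/mvc"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:security="http://www.springframework.org/schema/security">
  <security:http>
    <security:intercept-url pattern="/admin*" access="ROLE_ADMIN"/>
  </security:http>
</beans:beans>"""


def parse_handlers(text):
    """Parse spring.handlers, a Java properties file: namespace URI -> handler class."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.fullmatch(r"((?:\\.|[^=:\\])+?)\s*[=:]\s*(.+)", line)
        if m:
            # Keys escape ':' as '\:'; undo that to get the real namespace URI.
            mapping[re.sub(r"\\(.)", r"\1", m.group(1))] = m.group(2)
    return mapping


def handlers_in(lib_dir):
    """Map each registered namespace URI to the jars in lib_dir that register it."""
    found = {}
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
            if HANDLERS not in jar.namelist():
                continue
            text = jar.read(HANDLERS).decode("iso-8859-1")
        for ns in parse_handlers(text):
            found.setdefault(ns, []).append(name)
    return found


def unresolved(config_xml, lib_dir):
    """Namespaces used by elements in the config that no jar in lib_dir can handle."""
    used = {el.tag[1:].split("}")[0] for el in ET.fromstring(config_xml).iter()
            if el.tag.startswith("{")}
    registered = handlers_in(lib_dir)
    return sorted(ns for ns in used - {BEANS_NS} if ns not in registered)


def demo():
    """Check CONFIG against a constructed WEB-INF/lib, without and then with the missing jar."""
    def add_jar(lib, name, entry):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as jar:
            jar.writestr(HANDLERS, entry + "\n")
    with tempfile.TemporaryDirectory() as lib:
        add_jar(lib, "spring-webmvc-3.1.1.RELEASE.jar", r"http\://www.springframework.org/schema/mvc"
                "=org.springframework.web.servlet.config.MvcNamespaceHandler")
        before = unresolved(CONFIG, lib)
        add_jar(lib, "spring-security-config-3.1.1.RELEASE.jar", r"http\://www.springframework.org"
                "/schema/security=org.springframework.security.config.SecurityNamespaceHandler")
        after = unresolved(CONFIG, lib)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run it against the `WEB-INF/lib` of the deployed archive rather than the IDE project, since the error is raised from what the application server actually loads.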

Cannot find the declaration of element 'beans:beans'

I am trying to set up role-based access in Spring but got the following error:
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'http'.
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:195)
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:131)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:384)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:318)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:410)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3165)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:1898)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:685)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:400)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2740)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:647)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:140)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:508)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:807)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:107)
And here is my spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <http auto-config="true">
        <intercept-url pattern="/welcome*" access="ROLE_USER" />
        <form-login login-page="/login" default-target-url="/welcome"
            authentication-failure-url="/loginfailed" />
        <logout logout-success-url="/logout" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="a" password="1" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
It seems the required library files for Spring Security aren't in the right place. Are you using Maven, and do you have the Maven dependency for the Spring Security library files in your pom.xml file?
If so, do a Maven clean and try again. Otherwise you can place the Spring Security library files in the classpath directly.
Please check that the application has the necessary Spring Security library files in the classpath (if you are using Maven, check the pom.xml file). Also, check the other Spring-related XML files for syntax errors (or please post them as well).

How to properly configure http tag in Spring Security 3.1?

I have a problem with my spring-security.xml file. I wanted to configure some session settings and, first of all, create a login form to handle guests and logged-in users.
This is my spring-security.xml headline:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
As you can see, I am using the latest version of Spring Security, 3.1. When I try to change the schema version to a lower one, I get errors. With version 3.1 I only have yellow warnings in Eclipse.
My http tag looks like:
<security:http auto-config='true'>
    <security:intercept-url pattern="/wellcome*" access="ROLE_USER" />
    <security:form-login login-page="/login" default-target-url="/wellcome" authentication-failure-url="/loginfailed" />
    <security:logout logout-success-url="/logout" />
    <security:session-management invalid-session-url="/invalidsession" />
</security:http>
And at the first line of this tag I have long list of warnings:
Multiple annotations found at this line:
- Method 'setAuthenticationEntryPoint' is marked deprecated [config set: SpringMVC/web-context]
- Method 'setSessionAuthenticationStrategy' is marked deprecated [config set: SpringMVC/web-context]
- Method 'setUserAttribute' is marked deprecated [config set: SpringMVC/web-context]
- Method 'setRequestCache' is marked deprecated [config set: SpringMVC/web-context]
- Method 'setKey' is marked deprecated [config set: SpringMVC/web-context]
- Method 'setSecurityContextRepository' is marked deprecated [config set: SpringMVC/web-context]
Additionally, I also have one warning on the third line:
Method 'setLoginFormUrl' is marked deprecated [config set: SpringMVC/web-context]
Could you explain to me how I should properly define my spring-security.xml file with the http tag in Spring Security 3.1?
EDIT: This issue is now fixed in Spring Security 3.1.2, so if you're using 3.1 or 3.1.1, please upgrade it to newer version.
Original answer:
Your config is fine. It's a known bug in Spring Security with STS in Eclipse (see also forum topic mentioned there in Reference URL).
For now you can ignore the warnings, log in at https://jira.springsource.org, vote up the issue and wait until it's fixed (or remove the Spring nature from your project if you can't stand those warnings).
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true" disable-url-rewriting="true" use-expressions="true">
<form-login login-processing-url="/login"
login-page="/login.html"
default-target-url='/index.html'
always-use-default-target='true'
/>
<logout logout-url="/logout" />
