I was able to use facebook api with Spring Social for a few days (3 months or more), but now the exception "org.springframework.social.ExpiredAuthorizationException: The authorization has expired" is occurring.
So I investigated this issue was resolved since the spring social version 1.1.0.M3 through a filter of reconnection but even following the recommendations I have not been able to update the token.
How can you recover from this exception?
After much analyzing the code I ended up solving making a direct modifying of the code to change the way ExpiredAuthorizationException exception is thrown by OAuth2Connection class in spring social core and through special filter (ReconnectFilter) of the spring social core (included since version 1.1.0.M3).
To do this, set the bean of the reconnection filter in the social configuration.
#Bean
public ReconnectFilter apiExceptionHandler() {
return new ReconnectFilter(usersConnectionRepository, userIdSource()) ;
}
do not forget to also set the filter in your web.xml
<filter>
<filter-name>apiExceptionHandler</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>apiExceptionHandler</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The last thing needed is to modify in org.springframework.social.connect.support.OAuth2Connection class of module spring-social-core the throwing of ExpiredAuthorizationException exception of ExpiredAuthorizationException(null) to throw new to ExpiredAuthorizationException(getKey().getProviderId())
After that the filter removes the old facebook connection and creates a new one through a POST in /connect/facebook?reconnect=true of the ConnectController.
The version 1.1.0.M4 social spring was used.
Related
I need to share session between two spring applications. One of them is very big old app written in spring 3.2 and with spring security 3.1.6. The second one is based on spring boot 1.3.3. Session should be shared via redis server. Users can communicate directly only with the old application. The new one will be accessible only by the old application.
The goal is to have access to username and be able to verify user rights in the new app based on the information stored in redis by the old application.
I tried to achieve this via spring-session. I managed to store session data in redis in the old application using very simple configuration. In pom.xml I added dependency to spring-session-data-redis
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
<version>1.1.1.RELEASE</version>
<type>pom</type>
</dependency>
In spring configuration I added two beans:
org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration
org.springframework.data.redis.connection.jedis.JedisConnectionFactory
And in web.xml one more filter:
<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
But after configuring the new application to use spring session by adding two annotations to config class:
#EnableWebSecurity
#EnableRedisHttpSession
And adding HeaderHttpSessionStrategy bean, when I try to reach the new application with active session id in x-auth-token header I get exception:
java.io.InvalidClassException: org.springframework.security.core.context.SecurityContextImpl; local class incompatible: stream classdesc serialVersionUID = 310, local class serialVersionUID = 400
I do not need all information from the old apps session, only the username and user roles to verify some access credentials. I tried to google about custom session serialization and try to serialize only part of the session and in such way that it will be independent from spring-security version. Unfortunately I failed in this idea. I also try to configure the old spring-security version in the new app, but it also failed...
Is there any simple way to achieve my goal?
I'm working with ZK and spring.
I downloaded 2 different project that now I try to merge. My problem is in this part of code:
<html:form action="j_spring_security_check" method="POST" xmlns:html="native">
that is in the file login.zul. I found these lines in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I saw that if I change /* with /login.zul it happened that in my url becomes: localhost:8080/myProject/j_spring_security_check and I saw error 404.
If I didn't change my url is localhost:8080/myProject/ and the page index.zul works correctely.
But index.zul is in the same folder as login.zul.
I saw the same error also if I set /index.zul in state of "/*".
How can I decide another url in stead of /*?
Thanks!
The above URL pattern /* declares that you want to protect all your pages. It has nothing to with the fact, which page do you want to load after the successfull login.
The title is also missleading, j_spring_security_check is just the default URL for Spring Security login form submission: SpringSec will start his authentication module (that is username/password checking) when a request to this URL comes. You do not want to change it. You may change it if you for example do not want to tell the world that you uses Spring Security, or you do not want to change your existing login form that uses an other action attribute.
You may have a configuration XML for Spring Security like spring-security.xml or an equivalent Java based configuration) - with a tag in it. You need to set the default-target-url attribute of that tag as
<form-login login-page="/some_dir/login.zul" default-target-url="/some_other_dir/panel.zul"
You should use relative URLs inside your webapp.
You may have an authentication-success-handler-ref instead of default-target-urlin a more complicated situation, but you should not mix them .
I have a Grails application running that uses an external CAS login method and uses a local user list for authorization. I am using the spring-security and spring-security-cas plugins and everything is working great.
I am now implementing a RESTful API under a sub-domain of the application (/api) and want to provide security for that as well. I have read that setting up HTTP basic AuthN is easy with Grails, but have found nothing on using 2 security paradigms within one application. Aside from separating the API to a separate application, is there a way to implement a separate authentication method for just the /api sub-domain on my application?
Any feedback would be greatly appreciated. Thanks!
I found no simple way to accomplish this, so I ended up using IP-based access control for the API (since only a few people will be using it). I did this by editing the web.xml file in my grails app and adding a Remote Address Filter:
<filter>
<filter-name>Remote Address Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>**IP ADDRESSES HERE**</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Remote Address Filter</filter-name>
<url-pattern>/api/*</url-pattern>
</filter-mapping>
I also had to disable CAS authentication for the api, which I accomplished by adding permissions in the interceptUrlMap in Config.groovy:
'/api/**': ['IS_AUTHENTICATED_REMEMBERED', 'IS_AUTHENTICATED_ANONYMOUSLY']
We (my team) are currently developing a POC; to build a front-end with GWT but uses Spring for the back-end.
So far, we have not encountered any significant problems integrating the two.
However, when we decided to use Spring Security 3.2 (just recently released), we encountered some issues with the security headers.
After some research, we discovered that it has to do with click jacking prevention (the X-Frame-Options).
Our approach is as follows.
The login page is not part of GWT but simple page (e.g., login.jsp).
Once authentication is successful, it should change to the GWT start page.
However, with the default security headers, once an authentication succeeds, only a blank page is shown.
For now, we simply disabled the security headers as follows (using Spring Java Configuration).
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.headers().disable();
}
With the security headers disabled, the GWT page shows up correctly.
We would prefer keep the security headers enabled.
Any help would be greatly appreciated.
Updated: In the web.xml file, we use the following.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I have a WAR file that defines a filter to run on all URLs:
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
...
<filter>
<filter-name>OurRedirectServletFilter</filter-name>
<filter-class>com.mycompany.RedirectServletFilter</filter-class>
</filter>
...
<filter-mapping>
<filter-name>OurRedirectServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The filter is designed to perform some redirects from 'convenience' URLs to a corresponding 'actual' URL, but I don't think that's really relevant to the problem.
On WebSphere 7.0, this filter doesn't run for requests to the root URL, e.g. /ctxroot or /ctxroot/; instead I just get a 404 response. It does run for /ctxroot/blah, whether blah is a valid or invalid path.
I've tried adding additional filter mappings for URL patterns <url-pattern>/</url-pattern> and <url-pattern></url-pattern>, but I get the same behavior.
I've tested on base WAS 7.0.0.0, and with the latest fix pack applied, i.e. WAS 7.0.0.27.
The filter works as expected on WAS 8.5 and I'm pretty sure on WAS 8.0, as well as on every version of WebLogic, JBoss, and Tomcat that I've tried. This then seems to be a bug with WAS 7.0, but I'd still like to find a workaround. Anybody know of one?
I eventually looked at the body of the 404 error response and saw error code SRVE0190E, which led me to this helpful page. The issue is that filters aren't called by default for URLs that correspond to resources that don't exist (though I swear I tested that for a URL other than the context root, and my filter was called).
It's possible to configure WebSphere to call filters in this situation by setting a custom property as further described in the linked page:
com.ibm.ws.webcontainer.invokefilterscompatibility=true
I also found that for the case of the context root URL, setting a welcome-file entry in web.xml that maps to an existing resource causes the filter to be called:
<welcome-file-list>
<welcome-file>fakehome.html</welcome-file>
</welcome-file-list>