Concurrent Session Control - Spring Security - spring

Hi, I am trying to implement Spring Security: Concurrent Session Control to limit one session at a time. I see that I only need
<http>
...
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
</http>
I get this from the reference http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-config . The problem that I am facing is that I get this error saying, "Configuration problem: No AuthenticationEntryPoint could be established. Please make sure you have a login mechanism configured through the namespace (such as form-login) or specify a custom AuthenticationEntryPoint with the 'entry-point-ref' attribute". I do not need to use a login page in the configuration here. I saw other posts, but I cannot find a solution to this problem. Please help me with a solution here. I will post my code below.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<security:http>
<security:session-management>
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>
</beans>

Related

How to guarantee message processing with Spring Integration MQTT Inbound Adapter

We are consuming messages from a HiveMQ MQTT Broker and process the data with spring integration. As the last processing step it is common for us to execute an update/insert statement on a relational database using an int-jpa:outbound-channel-adapter.
Let's consider a situation where the database connection is lost but MQTT messages are still consumed by the inbound MQTT adapter. Currently we lose these messages as we are not handling the failed database operations.
How should we handle the messages if the database connection is currently not available?
Should we implement a Message Store backed by another highly available database which is persisting messages from spring integration?
Should we implement a retry advice and periodically retry database operations?
As our starting point we tried to implement the retry advice with the following spring-context.xml. As a result the message was retried once and then an exception occurred as it is not able to perform the database operation. No further retry was executed after the exception occurred.
<?xml version="1.0" encoding="UTF-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:int="http://www.springframework.org/schema/integration"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:int-jpa="http://www.springframework.org/schema/integration/jpa"
xmlns:task="http://www.springframework.org/schema/task"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/integration http://www.springframework.org/schema/integration/spring-integration.xsd
http://www.springframework.org/schema/integration/jpa http://www.springframework.org/schema/integration/jpa/spring-integration-jpa.xsd
http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.0.xsd">
<int:channel id="mqttInputChannel" />
<!-- MQTT INBOUND ADAPTER IS CONFIGURED IN JAVA -->
<int-jpa:outbound-channel-adapter
channel="mqttInputChannel"
flush-size=""
entity-class="com.iot.db.DefaultBean"
persist-mode="PERSIST"
entity-manager-factory="entityManagerFactory">
<int-jpa:transactional transaction-manager="transactionManager" />
<int-jpa:request-handler-advice-chain>
<ref bean="retryAdvice" />
</int-jpa:request-handler-advice-chain>
</int-jpa:outbound-channel-adapter>
<int:handler-retry-advice id="retryAdvice" />
</beans>
Another approach was to back up the messages via a message store, but we weren't able to bind the message store to the JPA adapter's transaction. Here is the corresponding spring-context.xml file with the message store:
<?xml version="1.0" encoding="UTF-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:int="http://www.springframework.org/schema/integration"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:int-jpa="http://www.springframework.org/schema/integration/jpa"
xmlns:task="http://www.springframework.org/schema/task"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/integration
http://www.springframework.org/schema/integration/spring-integration.xsd
http://www.springframework.org/schema/integration/jpa
http://www.springframework.org/schema/integration/jpa/spring-integration-jpa.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.0.xsd">
<int:channel id="mqttInputChannel">
<int:queue message-store="messageStore" />
</int:channel>
<bean
id="messageStore"
class="org.springframework.integration.jdbc.store.JdbcChannelMessageStore">
<property
name="dataSource"
ref="dataSource" />
<property
name="channelMessageStoreQueryProvider"
ref="queryProvider" />
</bean>
<bean
id="queryProvider"
class="org.springframework.integration.jdbc.store.channel.H2ChannelMessageStoreQueryProvider" />
<!-- MQTT INBOUND ADAPTER IS CONFIGURED IN JAVA -->
<int-jpa:outbound-channel-adapter
channel="mqttInputChannel"
flush-size=""
entity-class="com.iot.db.DefaultBean"
persist-mode="PERSIST"
entity-manager-factory="entityManagerFactory">
<int-jpa:transactional transaction-manager="transactionManager" />
<int-jpa:request-handler-advice-chain>
<ref bean="retryAdvice" />
</int-jpa:request-handler-advice-chain>
</int-jpa:outbound-channel-adapter>
<int:handler-retry-advice id="retryAdvice" />
</beans>
Are there any best practices or well-known patterns for handling this situation?
Thanks in advance.

Spring Security for RESTful API

I'm building a restful API using Spring 4.1.6 and spring-boot-starter-data-rest.
To make the REST API fully functional I need the last piece of the puzzle: security. Now I noticed Spring has its own spring-security-* packages that can aid with that task.
I tried using spring-security-config and spring-security-web and it works like a charm, with the exception that if the user is not authenticated, Spring will redirect the user to login, thus giving an HTML login form.
Because it's a RESTful API, I just need an error to be returned in a JSON object if the user lacks the credentials or does not have enough permissions to read a particular resource.
I'm sure I'm not the first to ask this question and searched all over the web for people asking the same thing, but couldn't quite find what I was looking for. So... should I continue my research in this direction with spring-security, or should I find something?
Any advice is welcome,
thank you
To change the login form response to a custom HTTP response, you need to configure a custom HTTP response handler for the HTTP security config. If you are using XML for your security configuration, use the configuration shown below; the failureHandler used is the one available in the Spring Security package. Update the URL to match yours.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">
<!-- Rest authentication entry point configuration -->
<http use-expressions="true" entry-point-ref="restAuthenticationEntryPoint">
<intercept-url pattern="/api/**" />
<sec:form-login authentication-failure-handler-ref="myFailureHandler" />
<logout />
</http>
<!-- Using default failure handler -->
<beans:bean id="myFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" />
</beans:beans>

SaxParseException when trying to set security="none" in URL interceptor

I am trying to ignore security checking (it gets its own encryption setting) on one of the URLs within current Spring application, by using
<sec:intercept-url pattern="/notimportant/url**" security="none" />
but I get
nested exception is org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute 'security' is not allowed to appear in element 'sec:intercept-url'.
Here is the namespace setting:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
So how can I avoid authentication for that URL exactly?
Try it with filters="none" instead of security="none".
<sec:intercept-url pattern="/notimportant/url**" filters="none" />
This is deprecated in Spring 3.1, though, so you can try this
<sec:http pattern="/notimportant/url**" security="none"/>
Check out the documentation for more details.
That's because security is not a valid attribute for element intercept-url. Try with access="IS_AUTHENTICATED_ANONYMOUSLY", like this:
<sec:intercept-url pattern="/notimportant/url**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

Access spring security from second application

I have two applications, each located on its own server. Both of them use Spring Security with the standard settings.
The problem is that I need to access the first application through the second one. I need to send the password and login to the first application when logging in to the second.
Can somebody help with samples or tips please? Thank you.
My spring-security.xml in both applications:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/favicon.ico" security="none" />
<http auto-config="true">
<intercept-url pattern="/**" access="ROLE_ADMIN"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="hey" password="there" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
You should use CAS for this instead of trying to access or pass user/pass across applications.
Please refer to this link to understand how to use CAS in this kind of scenario.

How to enable Spring Security Annotations not using app-Context.xml file?

I've implemented my application using SecurityContextImpl as SecurityContext. Everything works well (authentication and authorization).
Now I want to use Spring Security annotations (@Secured, ...). My search resulted in a single comment: "USE in your context.xml file"
Is there any other way to embed security annotations using non-file-based ContextImpls?
Here's the config snippet you need. Not sure why you don't want to enable via XML.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:global-method-security secured-annotations="enabled" />
</beans:beans>
