I need to create a "keep me signed-in" functionality; my application is currently using Spring 2.5. I checked it on:
http://docs.spring.io/autorepo/docs/spring-security/3.0.x/reference/remember-me.html#remember-me-persistent-token
which tells about the remember-me tag, which does its part. I also tried extending AbstractPreAuthenticatedProcessingFilter but I'm unable to get through.
Can someone please guide me to the solution for this requirement?
Any help would be highly appreciated.
Thanks,
Vaibhav
This can simply be accomplished using the Spring Security remember-me authentication mechanism. What I did was make changes in application-context-security.xml, adding the tag
<remember-me services-ref="rememberMeServices" key="vaib1q2w3e4r5tazsxdc"/>
and
<beans:bean id="rememberMeProcessingFilter"
    class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
    <beans:property name="rememberMeServices" ref="rememberMeServices" />
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<beans:bean id="rememberMeServices"
    class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
    <beans:property name="userDetailsService" ref="userDetailsService" />
    <beans:property name="key" value="vaib1q2w3e4r5tazsxdc" />
    <beans:property name="tokenValiditySeconds" value="120"/>
    <beans:property name="alwaysRemember" value="false" />
</beans:bean>

<beans:bean id="rememberMeAuthenticationProvider"
    class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
    <custom-authentication-provider />
    <beans:property name="key" value="vaib1q2w3e4r5tazsxdc" />
</beans:bean>
By adding the above, a new cookie by the name 'SPRING_SECURITY_REMEMBER_ME_COOKIE' will be created and will make things work like a charm.
Thanks,
-V
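To make the mechanism behind the answer above concrete: TokenBasedRememberMeServices is the hash-based remember-me approach, whose cookie value the Spring Security reference documents as base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" + password + ":" + key)), with expirationTime in milliseconds since the epoch. The following Python example, added here and not part of the original post or of Spring Security, builds and verifies such a cookie so you can see what the shared key, the tokenValiditySeconds setting and the user's stored password each contribute. The user table and the key value are constructed sample data; the hypothetical helper names make_token and check_token are my own. Because the password is part of the hashed material, a changed password invalidates every outstanding cookie, and because the same key must be configured on both the services bean and the provider bean, a mismatch there makes every cookie fail verification.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample data (not from the question): stored credentials and the
# shared key that stands in for the key="..." attribute in the configuration.
USERS = {"alice": "correct horse battery staple"}
KEY = "example-shared-key-replace-me"
VALIDITY_SECONDS = 120  # mirrors tokenValiditySeconds in the answer


def make_token(username, password, key, validity_seconds=VALIDITY_SECONDS, now=None):
    """Build the cookie value exactly as the hash-based scheme is documented."""
    now = time.time() if now is None else now
    expiry_ms = int((now + validity_seconds) * 1000)
    signature_src = "%s:%d:%s:%s" % (username, expiry_ms, password, key)
    signature = hashlib.md5(signature_src.encode("utf-8")).hexdigest()
    raw = "%s:%d:%s" % (username, expiry_ms, signature)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def check_token(cookie_value, users, key, now=None):
    """Return (username, "ok") if the cookie verifies, else (None, reason).

    The checks follow the order a server should use: decode, check expiry,
    look the user up, then recompute and compare the signature in constant time.
    """
    now = time.time() if now is None else now
    # Tolerate a cookie whose base64 padding was stripped in transit.
    padded = cookie_value + "=" * (-len(cookie_value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    parts = raw.split(":")
    if len(parts) != 3:
        return None, "malformed"
    username, expiry_str, presented_sig = parts
    if not expiry_str.isdigit():
        return None, "malformed"
    expiry_ms = int(expiry_str)
    if expiry_ms < now * 1000:
        return None, "expired"
    password = users.get(username)
    if password is None:
        return None, "unknown user"
    expected_src = "%s:%d:%s:%s" % (username, expiry_ms, password, key)
    expected_sig = hashlib.md5(expected_src.encode("utf-8")).hexdigest()
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None, "bad signature"
    return username, "ok"


if __name__ == "__main__":
    issued_at = 1_000_000  # fixed clock so the run is reproducible
    cookie = make_token("alice", USERS["alice"], KEY, now=issued_at)
    print(check_token(cookie, USERS, KEY, now=issued_at + 60))   # ('alice', 'ok')
    print(check_token(cookie, USERS, KEY, now=issued_at + 121))  # (None, 'expired')
    print(check_token(cookie, USERS, "other-key", now=issued_at + 60))  # (None, 'bad signature')
```

The MD5-over-password construction is what the hash-based services implement; the persistent-token approach linked in the question (series and token values stored server-side) avoids deriving the cookie from the password at all, which is why the reference recommends it where a database is available.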
Related
I am building an online examination project with Spring MVC and Hibernate as frameworks, and it is almost done. Now I am getting a problem with the session.
XML configuration of the session:
<beans:bean id="hibernate4AnnotatedSessionFactory"
    class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
    <beans:property name="dataSource" ref="dataSource" />
    <beans:property name="annotatedClasses">
        <beans:list>
            <beans:value>com.app.spring.model.Result</beans:value>
        </beans:list>
    </beans:property>
    <beans:property name="hibernateProperties">
        <beans:props>
            <beans:prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</beans:prop>
            <beans:prop key="hibernate.show_sql">true</beans:prop>
            <beans:prop key="hibernate.hbm2ddl.auto">true</beans:prop>
        </beans:props>
    </beans:property>
</beans:bean>

<!-- Inject the transaction manager -->
<tx:annotation-driven transaction-manager="transactionManager"/>
<beans:bean id="transactionManager" class="org.springframework.orm.hibernate4.HibernateTransactionManager">
    <beans:property name="sessionFactory" ref="hibernate4AnnotatedSessionFactory" />
</beans:bean>
and queries in the DAO impl are like this:
@Override
public void addObject(Object p) {
    // Transactional Hibernate session bound to the current thread by HibernateTransactionManager
    Session session = this.sessionFactory.getCurrentSession();
    session.persist(p);
    logger.info("Customer saved successfully, Customer Details=" + p);
}
The exam users will log in to the application and each has to attempt 20 questions.
The application is on my local machine, which is connected within the network for testing. When the exam is started by two people I am getting the problem below.
The exam pattern is to attempt 20 questions. If two people start the exam and, say, one attempts 10 questions and the other attempts 10 questions, then the exam gets completed. I am thinking that the session is divided between the users. Can anyone help me with how I can overcome this problem?
When I make an implementation of
org.springframework.security.core.userdetails.UserDetailsService
and use the statement
sessionRegistry.registerNewSession(user.getUsername(), user);
within it after successful authentication, then the
sessionRegistry.getAllPrincipals();
list is not empty (but when I log out from the application the session still remains in the list); otherwise this list is empty. How can I make the session registration (and also unregistration during user logout or session expiration) within sessionRegistry happen automatically? My Spring config is as below:
<sec:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsf">
    <sec:form-login login-page="/login.jsf" />
    <sec:session-management session-authentication-strategy-ref="sas" />
</sec:http>

<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

<bean id="scr"
    class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

<bean id="smf"
    class="org.springframework.security.web.session.SessionManagementFilter">
    <constructor-arg name="securityContextRepository" ref="scr" />
    <property name="sessionAuthenticationStrategy" ref="sas" />
</bean>

<bean id="sas"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <property name="maximumSessions" value="10" />
</bean>
Most likely you have forgotten to add an HttpSessionEventPublisher to your web.xml.
Another possibility is that the principal in question has other sessions still active which haven't timed out or been invalidated. You have a maximum sessions value of 10. Try setting that to "1" instead for testing.
Also, version 3.0.5 is out of date. You should use the latest version and keep up to date with patches to avoid vulnerabilities.
I am having trouble displaying a logout link in a JSP page only if the user is authenticated. Here is the exception I get at this line of the JSP page:
<sec:authorize access="isAuthenticated()">
Exception:
Stacktrace:
....
root cause
javax.servlet.jsp.JspException: No visible WebSecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in JSP 'authorize' tags.
    org.springframework.security.taglibs.authz.AuthorizeTag.getExpressionHandler(AuthorizeTag.java:100)
    org.springframework.security.taglibs.authz.AuthorizeTag.authorizeUsingAccessExpression(AuthorizeTag.java:58)
Here is my application-context-Security.xml:
<http auto-config='true' >
    <intercept-url pattern="/user/**" access="ROLE_User" />
    <logout logout-success-url="/hello.htm" />
</http>

<beans:bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailsService" />
</beans:bean>

<beans:bean id="authenticationManager"
    class="org.springframework.security.authentication.ProviderManager">
    <beans:property name="providers">
        <beans:list>
            <beans:ref local="daoAuthenticationProvider" />
        </beans:list>
    </beans:property>
</beans:bean>

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="plaintext" />
    </authentication-provider>
</authentication-manager>
I understand that I could use use-expressions="true" in the http tag, but that means I would have to use expressions in the intercept-url tags and in the Java code. Is there a workaround?
You can just add one to your application context:
<bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
but the easiest way is just to enable expressions in your <http> configuration, and one will be added for you. This only means that you have to use expressions within that block, not in Java code such as method @Secured annotations.
I am new to Spring so please forgive me if my question is foolish...
I am trying to follow some examples for configuring security on a Spring web application. I have configured it to work with an LDAP directory. Now I need to add caching to the process so that the credentials are not fetched from the LDAP directory every time they are requested.
For this I have added cache-ref="userCache" as shown in the tutorial:
<authentication-manager>
    <authentication-provider>
        ...
        <ldap-user-service server-ref="ldapServer"
            user-search-filter="uid={0}" user-search-base="ou=people"
            group-search-filter="member={0}" group-search-base="ou=groups"
            cache-ref="userCache" />
    </authentication-provider>
</authentication-manager>
The bean userCache is defined like this:
<beans:bean id="userCache"
    class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
    <beans:property name="cache" ref="userEhCache" />
</beans:bean>

<beans:bean id="userEhCache"
    class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <beans:property name="cacheManager" ref="cacheManager" />
    <beans:property name="cacheName" value="userCache" />
</beans:bean>
The cache manager is defined as follows:
<bean id="cacheManager"
    class="org.springframework.security.core.userdetails.cache.EhCacheManagerFactoryBean" />
The problem with this configuration is that I couldn't get the jars, because they are based on an old version, Spring 2. The cache manager I got using
<bean id="cacheManager"
    class="net.sf.ehcache.CacheManager" />
but org.springframework.cache.ehcache.EhCacheFactoryBean and org.springframework.security.providers.dao.cache.EhCacheBasedUserCache I don't know where to get, besides from Spring 2, which breaks everything if I add it to my project.
I would appreciate any help in this matter. If you have some other solution please make some suggestions. Thanks!
In Spring 3.0.x org.springframework.cache.ehcache.EhCacheFactoryBean is located in spring-context-support-3.0.x.RELEASE.jar.
There is no class org.springframework.security.providers.dao.cache.EhCacheBasedUserCache, but there is a class org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache located in spring-security-core-3.0.x.RELEASE.jar.
How to detect an expired session or session timeout using Spring 3?
The key is this:
<beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl" value="/session-expired.htm" />
</beans:bean>
expiredUrl points to the page to display when a session has expired. Read the full solution in the spec:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html#concurrent-sessions