Spring security change remember me cookie name

Is it possible via configuration to change the default name of the remember me cookie?
By default the cookie name is: SPRING_SECURITY_REMEMBER_ME_COOKIE and I would like to have a less obvious cookie name.

<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="userService"/>
<property name="key" value="remember-me-security"/>
<property name="cookieName" value="remember_me_cookie" />
</bean>

For Spring Security 4, the below works.
<remember-me
key="<yourKey>"
remember-me-parameter="remember-me"
token-validity-seconds="1209600"
user-service-ref="userDetailsService"
remember-me-cookie="<whateveryouwanttonamethecookie>"
/>

Related

Unable to authenticate via LDAP to directory (Active Directory) with Spring Security

I'm using:
- Spring 3.1.3
And the problem is I'm unable to connect to the Active Directory via LDAP using valid credentials.
I don't know if it is caused by a malformed pattern or a configuration issue about userdn or url's rootDn. Although, at first glance, it seems that everything is correct.
This is my current Spring Security config file:
...
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean id="bindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userDnPatterns">
<list><value>sAMAccountName={0}</value></list>
</property>
</bean>
</constructor-arg>
</bean>
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://remotehost:port/OU=My%20Company,dc=domain,dc=subdomain"/>
<property name="userDn" value="CN=managerUserCN,OU=Users,OU=Test Accounts,OU=My Company,dc=domain,dc=subdomain"/>
<property name="password" value="thePass"/>
</bean>
...
*I have replaced the real URLs, organizations, groups, etc. by descriptive data
*It's a requirement to search by sAMAccountName.
And the NamingException thrown by doAuthentication:bindWithDn is the following:
*org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1*
And the 52e code interpretation which I read on the LDAP wiki is not entirely correct, because it is raised both when typing an existing username and a nonexistent username.
I'm referring to:
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.
Not for me.
I have found the answer for my question.
I got it by specifying the userSearch property in the bindAuthenticator. Previously I had tested the userSearch option without including the base directory (first parameter). So, at least for me, it's mandatory and lets the authentication work.
In code:
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean id="bindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="contextSource" />
<property name="userSearch" ref="userSearch"/>
</bean>
</constructor-arg>
</bean>
<bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg>
<value>OU=My Company,DC=domain,DC=subdomain</value>
</constructor-arg>
<constructor-arg>
<value>(sAMAccountName={0})</value>
</constructor-arg>
<constructor-arg ref="contextSource" />
<property name="searchSubtree">
<value>true</value>
</property>
</bean>
Perhaps I can help someone with a similar issue.
PS: Another option would be to use the specified ActiveDirectoryLdapAuthenticationProvider
<bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="domain.subdomain" />
<constructor-arg value="ldap://host:port" />
<property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>
It seems to work fine too.

Spring internationalization

I am working on a small project. When I try to implement i18n in Spring, it is not working; even when I try to change the default language it's not working. Here is my spring-servlet.xml code:
<bean id="messageSource"
class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="classpath:messages" />
</bean>
<bean id="localeResolver"
class="org.springframework.web.servlet.i18n.CookieLocaleResolver">
<property name="defaultLocale" value="fr" />
<!-- <property name="cookieName" value="myAppLocaleCookie"></property>
<property name="cookieMaxAge" value="3600"></property>-->
</bean>
<mvc:interceptors>
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang" />
</bean>
</mvc:interceptors>
I have 4 messages.properties files in the classpath: messages.properties, messages_en.properties, messages_fr.properties, messages_de.properties
The default language is not changing; it is always using messages_en.properties. If I remove the messages_en.properties file, then it's using messages.properties.
And my hyperlinks are not working in the JSP file
Language : English | French | german
When I use ${locale} in the JSP it prints nothing.
Please help me, TIA.
Try ${requestContext.locale} instead of ${locale}.
And maybe the JSP you test already has a '?' character in the path, so it lands on a page with 2x '?'?

Internationalisation with Spring

I have an existing Spring/GWT application which I need to add internationalisation to. My understanding is that I can use Spring's "ResourceBundleMessageSource" to automatically select the appropriate messages_* file depending on the user's location. I tried following this tutorial but I can't seem to get the application to display my strings in French. As it stands, I've added 2 files, messages_en_US.properties and messages_fr_FR.properties, into my src/main/resources/i18n folder and added the following to the applicationContext.xml:
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename">
<value>classpath:i18n/messages</value>
</property>
</bean>
<bean id="localeChangeInterceptor"
class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang" />
</bean>
<bean class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping" >
<property name="interceptors">
<list>
<ref bean="localeChangeInterceptor" />
</list>
</property>
</bean>
Just wondering 1) if I need additional configuration/glue code and 2) if I can test this easily without having to set the Language/Locale to French on my Red Hat server?
It's likely that your browser sends just the "fr" language tag in the Accept-Language header. Spring is notorious for problems with fall-back, so you may need to copy the messages_fr_FR.properties as messages_fr.properties.
I am sure there must be some way to configure fall-back, so you won't have to use messages_en.properties (try your application with other English locales...), just messages.properties should do, but I am just too lazy/tired to look for a solution at the moment.
Here you need to specify the below beans in spring.xml.
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="classpath:messages" />
<property name="defaultEncoding" value="UTF-8" />
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver">
<property name="defaultLocale" value="en"/>
</bean>
<mvc:interceptors>
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang" />
</bean>
</mvc:interceptors>
This works perfectly fine when you pass lang=es in the query string. If any issue still remains, you can check the working example here.

Passing encrypted properties to spring context

I have never seen this, but I am wondering if somebody has come across it. I have a web server which accesses a database. I want to pass the database password encrypted and have the Spring context decrypt it before setting the datasource. I know that Spring Security can do some of this, like using a salt file in the web server, etc.
The challenge here is that I don't want to give a clear user, password, url to the web server team. Just an encrypted password, and have Spring decrypt it before using it.
Is there something like this already? I know I could code something, but is it already done?
Thanks
By using an org.jasypt.properties.EncryptableProperties object, an application would be able to correctly read and use a .properties file like this:
datasource.driver=com.mysql.jdbc.Driver
datasource.url=jdbc:mysql://localhost/reportsdb
datasource.username=reportsUser
datasource.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)
Note that the database password is encrypted (in fact, any other property could also be encrypted, be it related with database configuration or not).
More information :
http://www.jasypt.org/encrypting-configuration.html
I actually found exactly what I was looking for in this thread:
How to use encrypted password in apache BasicDataSource?
Here are the details from jasypt: http://www.jasypt.org/spring3.html
This problem and the solution to it are explained here (link).
db.Properties.
#driverClassName=oracle.jdbc.driver.OracleDriver
#url=jdbc:oracle:thin:#localhost:1521:XE
#username=ITEM_INVENTORY
driverClassName=com.mysql.jdbc.Driver
url=jdbc:mysql://localhost:3306/ITEM_INVENTORY?zeroDateTimeBehavior=convertToNull
username=root
Encrypt db.Properties
##password=cGFzc3dvcmQ=
password=cm9vdA==
The spring beans configuration for the datasource would look like this
(here you may use only password part)
spring-beans.xml
<bean id="dataSource" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName" value="db#[driverClassName]" />
<property name="url" value="db#[url]" />
<property name="username" value="db#[username]" />
<property name="password" value="encryptedDb#[password]" />
</bean>
<bean id="dbPropertyPlaceholder" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>classpath:db.properties</value>
</list>
</property>
<property name="placeholderPrefix" value="db#[" />
<property name="placeholderSuffix" value="]" />
</bean>
<bean id="encryptedDbPropertyPlaceholder" class="com.inventory.api.util.DecryptPropertyConfigurer">
<property name="locations">
<list>
<value>classpath:encryped_db.properties</value>
</list>
</property>
<property name="placeholderPrefix" value="encryptedDb#[" />
<property name="placeholderSuffix" value="]" />
</bean>
And so on. Please refer to the given link for more information.
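Added example (not part of the original answers and not Jasypt or Spring code): the thread quotes two styles of stored password, a Jasypt ENC(...) value and values such as cm9vdA==. The Python check below runs over a constructed sample assembled from the property lines quoted above and separates values that need a key to recover from values that are only Base64 text or plaintext. The SENSITIVE name pattern and the category names are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed sample assembled from property lines quoted in this thread.
SAMPLE = """\
datasource.username=reportsUser
datasource.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)
username=root
##password=cGFzc3dvcmQ=
password=cm9vdA==
"""

# Assumption of this example: which property names count as secrets.
SENSITIVE = re.compile(r"(password|passwd|secret)$", re.IGNORECASE)
JASYPT = re.compile(r"^ENC\(.+\)$")

def decodes_to_text(value):
    """Return the decoded string if value is Base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None

def classify(value):
    """Heuristic: keyed ciphertext wrapper, keyless encoding, or neither."""
    if JASYPT.match(value):
        return "jasypt-encrypted"
    if decodes_to_text(value) is not None:
        return "base64-only"
    return "plaintext"

def audit(text):
    """Return (name, kind, commented_out) for every secret-looking property."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        body = stripped.lstrip("#!").strip()  # secrets left in comments still ship
        if "=" not in body:
            continue
        name, value = (part.strip() for part in body.split("=", 1))
        if SENSITIVE.search(name):
            findings.append((name, classify(value), body != stripped))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "base64-only" finding means anyone who can read the file can read the password, so the file needs the same access controls as a plaintext one. The classification is a heuristic and can misjudge short values.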

Spring security 3 how to do change password

I used Spring Security for the login option. Now I want to add a change password option. The first time a user logs in to the system, the change password option needs to appear, or redirect to the change password page.
This is my Spring Security file:
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider" />
</list>
</property>
</bean>
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsService">
<security:password-encoder ref="passwordEncoder">
<security:salt-source ref="saltSource"/>
</security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<bean id="saltSource" class="com.rcfi.lankaweb.linklk.support.service.SaltService"></bean>
<bean id="passwordEncoder" class="com.rcfi.lankaweb.linklk.support.service.PasswordVerifier"></bean>
<bean id="userDetailsService"
class="com.rcfi.lankaweb.linklk.support.service.UserDetailsServiceImpl">
</bean>
Create a change password method in your com.rcfi.lankaweb.linklk.support.service.UserDetailsServiceImpl
This will take the new String and save it to the database for the logged-in user, via your user DAO (probably)
