Im new on vaadin and spring security, I want to know if anyone had a complete project example of the vaadin 7.1 + spring-security integration running in a tomcat server (not in jetty).
Vaadin 7 easy integrate with Spring Security. You should configure only 2 files. First - web.xml and second one spring-security.xml (user credentials and security settings). This is small example how to use base form for authentification.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>Vaadin7SpringSecurity</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- filter declaration for Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config='true'>
<intercept-url pattern="/*" access="ROLE_USER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
For more details, how to extend spring-security.xml configuration you can use Spring resources.
You should have a look on this GitHub project. This is a Vaadin 7.1 + Spring 3.1.2.RELEASE + Spring-Vaadin integration 2.0.1 project. There is also a Jetty plugin inside, but you can run/deploy it also in tomcat without problems.
Here is a little project that integrates Vaadin and Spring Security. It's done in Scala, but obviously works in Java as well. Code is here.
For referring the above example by using the latest spring-security, I encountered the following errors and provide my soultions:
Error1
Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema or spring-security-3.2.xsd schema with Spring Security 4.0. Please update your schema declarations to the 4.0 schema.
You should check your spring-* version and update the header tag of spring-security.xml.
For example: I use spring-beans-4.1.6.RELEASE and
spring-security-4.0.2.RELEASE. So I update it as:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
Error2
HTTP Status 500 - Failed to evaluate expression 'ROLE_USER'
...
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Property or field 'ROLE_USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public?
...
According to hints of this resource, you should revise intercept-url tag as following:
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
Error3
HTTP Status 403 - Expected CSRF token not found. Has your session expired?
That's because spring-security enables CSRF protection by default which conflicts with Vaadin. You should add a new tag inside http :
<csrf disabled="true" />
Here's my complete spring-security.xml for reference:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http auto-config='true'>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<csrf disabled="true" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="yourUsername" password="yourPassoword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Related
I am using apache http,mod-jk and two tomcat servers for load balancing of my application which uses spring security. When application is launched, I get below error
Error code: ERR_TOO_MANY_REDIRECTS
Has anyone seen this issue before?Is there any configuration to get load balancer work.
If I remove spring security from my application, load balancer works fine.
Web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- The definition of the Root Spring Container shared by all Servlets
and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml,/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>oAuth</servlet-name>
<servlet-class>org.springframework.web.context.support.HttpRequestHandlerServlet</servlet-class>
</servlet>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>oAuth</servlet-name>
<url-pattern>/oAuth</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>60</session-timeout>
</session-config>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>/index.html</welcome-file>
</welcome-file-list>
Spring-Security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!--HTTP Interceptors for authentication -->
<http pattern="/templates/**" security="none"></http>
<http pattern="/css/**" security="none"></http>
<http pattern="/js/**" security="none"></http>
<http pattern="/lib/**" security="none"></http>
<http pattern="/lib/css/**" security="none"></http>
<http pattern="/lib/js/**" security="none"></http>
<http pattern="/lib/fonts/**" security="none"></http>
<http pattern="/img/**" security="none"></http>
<http pattern="/rest/**" security="none"></http>
<http pattern="/oAuth" security="none"></http>
<http entry-point-ref="entryPoint"
auto-config="true" use-expressions="true">
<anonymous enabled="false"></anonymous>
<custom-filter ref="oAuthFilter" after="SECURITY_CONTEXT_FILTER"></custom-filter>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"></intercept-url>
</http>
<authentication-manager alias="upmAuthenticationManager"></authentication-manager>
<beans:bean id="entryPoint" class="auth.EntryPoint">
<beans:constructor-arg value="/index.html"></beans:constructor-arg>
</beans:bean>
<beans:bean id="oAuthEnd" name="auth.oAuthEnd"
class="oAuth.OAuthServlet">
<beans:property name="oAuthFilter" ref="oAuthFilter"></beans:property>
</beans:bean>
<beans:bean id="oAuthFilter" class="auth.filter">
<beans:property name="id"
value=""></beans:property>
<beans:property name="secret"
value=""></beans:property>
<beans:property name="url"
value=""></beans:property>
</beans:bean>
mod-jk configuration
worker.server1.port=8009
worker.server1.host=localhost
worker.server1.type=ajp13
worker.server2.port=9009
worker.server2.host=localhost
worker.server2.type=ajp13
worker.server1.lbfactor=1
worker.server2.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=server1,server2
worker.status.type=status
<VirtualHost *:80>
JkMount /status status
JkMount /* loadbalancer
ServerAdmin webmaster#localhost
DocumentRoot /data/www/
<location />
Require all granted
</location>
ErrorLog ${APACHE_LOG_DIR}/www_error.log
CustomLog ${APACHE_LOG_DIR}/www_access.log combined
</VirtualHost>
Apache httpd and mod_jk don't make the trouble I'm afraid.
Hard to say without seeing your config, but I bet that your Spring security config has configured a login page that is secured, so it's allways redirecting to a page you cannot reach.
Could you post your web.xml and security config? And maybe the mod_jk mappings to Tomcat would be helpfull too.
EDIT:
I think that setting sticky_session to true could solve the problem. Try adding this to your mod_jk config:
worker.loadbalancer.sticky_session=1
EDIT2: Setting jvmRoute property to values configured in worker.loadbalancer.members solved the problem.
What was happening is that mod_jk uses the value which comes as a suffix in the session cookie to check it against the loadbalancer member names to find out on which has the client the session opened. As the jvmRoute had no value, the JSESSIONID had no suffix so the mod_jk did not know which worker to send the request, so the balancer chooses one worker according to the lbfactor.
As this value is configured with same value to both workers, each incoming request was redirected to the worker that was not chosen in the previous request, so there was no chance to reach the login form neither perform the login (or whatever login mechanism is being used).
I'm following this tutorial to secure my GWT application with Spring Security.
However, putting
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/app</url-pattern>
</filter-mapping>
<!-- END FILTERS -->
<!-- BEGIN Listeners -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- END Listeners -->
<context-param>
<param-name>
contextConfigLocation
</param-name>
<param-value>
classpath:/**/spring-config.xml
</param-value>
</context-param>
into my web.xml file results in an org.springframework.beans.factory.NoSuchBeanDefinitionException exception. Stack trace:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:660)
at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1157)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:280)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:198)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:962)
at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:324)
at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:235)
at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:199)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
...
I don't understand why I'm getting this exception - what am I missing?
DelegatingFilterProxy is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context. In this case, the bean is named “springSecurityFilterChain”, which is an internal infrastructure bean created by the namespace to handle web security. Note that you should not use this bean name yourself. Once you've added this to your web.xml, you're ready to start editing your application context file. Web security services are configured using the element.
You should check your spring configuration, dependencies...
Also here is good example of simple Spring security
http://www.mkyong.com/spring-security/spring-security-hello-world-example/
Have you defined context-param in your web.xml? for e.g,
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath*:/META-INF/spring/applicationContext-security.xml
classpath*:/META-INF/spring/applicationContext.xml
classpath*:/META-INF/spring/applicationContext-gwt-dispatch.xml
</param-value>
</context-param>
And in your Spring application context, you have to declare a Spring beans XML file "applicationContext-security.xml" in this case as below,
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<context:property-placeholder location="classpath*:/META-INF/spring/gwtsecurity.properties" />
<security:user-service id="userService">
<security:user name="user" password="user" authorities="ROLE_USER" />
<security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
...
<alias name="filterChainProxy" alias="springSecurityFilterChain" />
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain
filters="securityContextFilter, logoutFilter, formLoginFilter, requestCacheFilter,
servletApiFilter, rememberMeFilter, anonFilter, sessionMgmtFilter, exceptionTranslator, filterSecurityInterceptor"
pattern="/**" />
</security:filter-chain-map>
</bean>
<bean
...
</bean>
...
</beans>
Ref: https://github.com/dmartinpro/gwt-security/tree/master/gwt-security-sample
I have an issue that seems something like this one but I'm not using AJAX for logging in/authentication.
When I access my local Tomcat 7 instance, I can correctly evaluate this block to true when the user is not logged in:
<security:authorize access="!isFullyAuthenticated()">
<div class="col-xs-12 col-md-2 login_button">
<button class="btn btn-success" style="line-height: 1.42857"><spring:message code="label.logIn"/> <i class="fa fa-sign-in"></i></button>
</div>
</security:authorize>
However, it evaluates to false when I deploy it to our public QA and public production instances, hiding the button. I also tried changing the access to !isAuthenticated() but the behavior didn't change.
I'm using Spring 4.1.0.RELEASE and Spring Security 3.2.4.RELEASE. I am not completely sure but it may not have had this behavior in a previous version of Spring.
What could cause a difference in the code block evaluation between servers?
UPDATE:
Spring security config:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<beans:bean id="authSuccessHandler" class="com.companyname.web.RoleBasedAuthenticationSuccessHandler" />
<http auto-config="true" use-expressions="true">
<form-login login-page="/login"
authentication-success-handler-ref="authSuccessHandler"
authentication-failure-url="/login?login_error=true"
login-processing-url="/j_spring_security_check" />
<intercept-url pattern="/sample/**" access="hasAnyRole('ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
<intercept-url pattern="/other/**" access="hasAnyRole('ROLE_OTHER', 'ROLE_CO_OTHER','ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
<logout logout-success-url="/index" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
<beans:bean id="myUserDetailsService"
class="com.companyname.service.UserDetailsServiceImpl" />
<beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator">
<beans:bean id="permissionEvaluator" class="com.companyname.web.security.MethodsPermissionEvaluator"/>
</beans:property>
</beans:bean>
</beans:beans>
EDIT:
Also tried Spring Security 3.2.8.RELEASE, but no luck.
This issue was solved by a fellow developer by updating the web.xml to contain the Spring Security Filter Chain higher up in the file:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<servlet-name>Spring Security Filter Chain</servlet-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
We also had to make sure that the updated file was deployed to the correct environment. The discrepancy in environments is attributed to different web.xml files for each environment.
Problem in my Spring bean configuration file. I am using Spring Tool Suite 3.4 and Spring 3.1.1 jars (MVC, jdbc, security). This is just an warning in IDE but when the application is loading into APP Server it is showing the following error
Spring Configuration File - login-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<beans:import resource='login-service.xml'/>
<security:http>
<security:intercept-url pattern='/home*' access='ROLE_USER,ROLE_ADMIN' />
<security:intercept-url pattern='/admin*' access='ROLE_ADMIN' />
<security:form-login login-page='/login.jsp' default-target-url='/home' authentication-failure-url='/login.jsp?error=true'/>
<security:logout logout-success-url='/login.jsp' />
<security:anonymous username='guest' granted-authority='ROLE_GUEST'/>
<security:remember-me/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref='myDataSource'
users-by-username-query="select username, password, 'true' as enabled from USER_DETAILS where username=?"
authorities-by-username-query="select USER_DETAILS.username , USER_AUTH.AUTHORITY as authorities from USER_DETAILS,USER_AUTH
where USER_DETAILS.username = ? AND USER_DETAILS.username=USER_AUTH.USERNAME"></security:jdbc-user-service>
</security:authentication-provider>
</security:authentication-manager>
WARNING. ERROR IN CONSOLE - org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/spring/appServlet/login-security.xml]
I think you are probably missing the spring security config dependency in your pom.
try adding this to your pom.xml
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.1.1.RELEASE</version>
</dependency>
Hope this helps.
I have found some solutions but they didn't worked for me. I added libraries to project but I am getting this error. I could reach security libraries from my controller classes. Any idea?
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]
This my spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="test" password="123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Use http://www.springframework.org/schema/security/spring-security-3.0.xsd as your namespace instead.
to avoid
"org.xml.sax.SAXParseException: schema_reference.4: Failed to read
schema document 'springframework.org/schema/security/…;, because 1)
could not find the document; 2) the document could not be read; 3) the
root element of the document is not <xsd:schema>."
change springframework.org/schema/security/spring-security-3.1.4.xsd to springframework.org/schema/security/spring-security-3.1.xsd