Develop Reference

Using SpEL for non-string (xs:boolean) attributes in Spring XML

Consider the following Spring Security related piece of Spring XML context:
<authentication-manager erase-credentials="true">
<authentication-provider>
<user-service>
<user disabled="${auth.admin.enabled}" name="${auth.admin.user}"
password="*****"/>
</user-service>
</authentication-provider>
</authentication-manager>
This snippet was supposed to keep admin user enabled based on the property value. But XML validation is not passing for this snippet, because disabled attribute of user tag is declared with type xs:boolean, which means SpEL syntax is not allowed there.
Is there a way to achieve my purpose (user, enabled by a property) without refusing from Spring XML context?

No; the schema would need to be changed to accept a union of xsd:string and xsd:boolean. You might want to open an Improvement JIRA issue.

Spring security authentication-manager has no providers

I'm trying to setup a simple project with Spring security to enable Username / pwd login.
After pointing some breakpoint in the UsernamePasswordAuthenticationFilter I noticed that getAuthenticationManager has 0 providers
this.getAuthenticationManager()
However I did add this in the security-context.xml
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
It looks like the authenticationManager does get rightly autowired but for some reason the authentication-provider is not injected.
Did I forget to enable something somewhere?

By default SpringSecurity uses org.springframework.security.authentication.ProviderManager which initially should have at least one configured provider unless parent is set. Otherwise you will get IllegalArgumentException at initialization phase. Therefore you definitely should be able to find an authentication provider either in the authentication manager returned from the filter or in one of its parents (as long as there is no harmful code that removes providers intentionally of course).

We were facing this issue when upgrading from Spring security 3 to version 4.
We had a AuthenticationManager definied as follows
<authentication-manager alias="authenticationManager">
<authentication-provider ref="rememberMeAuthenticationProvider"/>
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
As it turned out using only an alias attribute the definied AuthenticationManager was not used by Spring.
We needed to define an id attribute to make it work.
<authentication-manager id="authenticationManager">
...
</authentication-manager>
When no id is specified Spring sets the id to "org.springframework.security.authenticationManager" during the beans parsing in the org.springframework.security.config.authentication.AuthenticationManagerBeanDefinitionParser.parse overriding the globally registered AuthenticationManager. This somehow seems to mess up the specified providers.

I'm very new to the spring security and OAuth2

Hi I'm very new to Spring Security and OAUTH2 can any one help .... I'm using the example provided in this example http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html
What I'm trying to do is create 2 web applications where one app(mainApp) stores all the protected resources and does not know about the users and it needs to make a rest call to another app to get the details
Currently in my security config
<authentication-manager id="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<user-service>
<user name="abcd" password="1234" authorities="ROLE_APP" />
</user-service>
</authentication-provider>
</authentication-manager>
In my case, I want to let our custom API which is in another app do the authentication, then return a custom UserDetails object containing the roles and other attributes

Have you tried to follow https://spring.io/guides/tutorials/spring-security-and-angular-js/#_sso_with_oauth2_angular_js_and_spring_security_part_v? I think the guide is quite interesting and offers a wide perspective of implementing OAuth2 and other security methods. Is there any reason because you need to use OAuth2? I mean, you can maybe start using Basic Authorization or token based approaches before to start with OAuth2 (which maybe is so complicated if you have no much experience).

Spring Security 3.1 - Multiple Authentication Managers - Execute an action depends on the method succeeded

I have this on my app-security.xml, and I want to do some tasks if the user was logged in LDAP, other tasks if the user was logged in DB, etc.
<ldap-server url="ldap://192.168.0.55:389/dc=fluxit,dc=com,dc=ar"
manager-dn="uid=admin,ou=system"
manager-password="infra123"
/>
<authentication-manager>
<authentication-provider user-service-ref='databaseAuthManager'>
<password-encoder ref="encoder" />
</authentication-provider>
<authentication-provider>
<password-encoder ref="encoder" />
<user-service id="textFileAuthManager" properties="classpath:auth/users.properties" />
</authentication-provider>
<ldap-authentication-provider
user-search-filter="(uid={0})" user-search-base="ou=users"
group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
group-role-attribute="cn" role-prefix="ROLE_">
</ldap-authentication-provider>
</authentication-manager>
Can I do that in Spring? I've been Googling for a while and didn't find the answer.
Thank you so much!

I think the difficulty with your requirement is that the authentication manager doesn't retain the information which particular authentication provider was the one that actually authenticated the request. If you had that piece of information, you could easily write a custom AuthenticationSuccessHandler to implement some behavior that depends on the authentication method that succeeded.
If you really need this functionality, here is one possible solution I could come up with: Implement a custom ProviderManager, that would wrap the authentication object with a decorator that saves a reference to the successful authentication provider. Since the implementation of ProviderManager doesn't offer extension points you could use for this, you would basically need to copy the whole class to make the required enhancements. Then you would have to rewrite the whole <authentication-manager> part of your configuration without using the security namespace, because it doesn't allow you to replace the default AuthenticationManager implementation.
This is neither too elegant nor very easy solution, so there might be some better ways to do it.

Spring Security 3.1 using Active Directory

I'm trying to secure my Spring 3.1 web app with Spring Security 3.1, and I need to use Active Directory for user authentication.
However, I cant seem to find the complete configuration steps. I tried different bits of suggestions but they didn't work for me.
What are the complete steps of configuration to enable a Spring 3.1 web app to use Spring Security 3.1 with Active Directory?

<beans:bean id="adAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="[your domain]" />
<beans:constructor-arg value="ldap://[your AD server]:389" />
<beans:property name="userDetailsContextMapper">
<beans:bean class="[your user-details context mapper]" />
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="adAuthProvider" />
</authentication-manager>
If you need to provide custom logic for mapping user and authorities from the AD entry, you can implement your own UserDetailsContextMapper implementation and specify it in the userDetailsContextMapper property on the adAuthProvider bean.