Develop Reference

Can't get Spring security "remember me" feature to work

I'm new to Spring and Java. Trying to set up security remember me feature.
Here is my security.xml and login.jsp files. What am I doing wrong?
security.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"/>
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<security:intercept-url pattern="/" access="permitAll"/>
<security:intercept-url pattern="/createplayer" access="isAuthenticated()"/>
<security:intercept-url pattern="/players" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/createaccount" access="permitAll"/>
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/logout" access="permitAll"/>
<security:intercept-url pattern="/welcome" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/**" access="denyAll"/>
<security:form-login login-page="/login" authentication-failure-url="/login?error=true"/>
<security:remember-me key="MyAppKey" remember-me-parameter="remember-me"
remember-me-cookie="remember-me"
token-validity-seconds="604800"
data-source-ref="dataSource"/>
</security:http>
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
</bean>
</beans>
login.jsp
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
<h1>Login</h1>
<c:if test="${param.error != null}">
Login failed. Check if username or password are correct!
</c:if>
<form action = "/login", method="post">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
Name <br>
<input name="username"/> <br>
Password<br>
<input type="password" name="password"/> <br>
Remember me <br>
<input type="checkbox" name="remember-me">
<br><br>
<input type="submit"> <br><br>
</form>
<h2>${msg}</h2>
<br>
Create account <br>
</body>
</html>
P.S. I tried adding
<session-config>
<session-timeout>1</session-timeout>
</session-config>
to web.xml to check if "remember me" works, but instead it "remembering me" it always logs out in one minute.

Add id to your jdbc-user-service
<security:jdbc-user-service data-source-ref="dataSource" id="jdbcUserService/>
and refer to your service from remember-me by it's id like this:
<security:remember-me key="MyAppKey"
user-service-ref="jdbcUserService"/>

Spring POST method not working

I am a beginner in Spring Security, When i try to post a data the following error is shown:
HTTP Status 405 - Request method 'POST' not supported
My controller method is:
#RequestMapping(value="/save", method=RequestMethod.POST)
public String create(#ModelAttribute(value="employee") Employee employee,ModelMap modelMap,#PathVariable String save)
{
//Validation code start
boolean error = false;
System.out.println(employee); //Verifying if information is same as input by user
System.out.println("get");
//validation code ends
//Store the employee information in database
//manager.createNewRecord(employee);
//Mark Session Complete
return "redirect:user";
}
My Spring security configuration is:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/admin/**" access="isAuthenticated()" />
<intercept-url pattern="/user**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/user/**" access="isAuthenticated()" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"/>
<session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
</session-management>
<logout logout-success-url="/user" />
<!-- enable csrf protection -->
<csrf/>
</http>
<!-- Select users and user_roles from database -->
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select username,password, enabled from users where username=?"
authorities-by-username-query=
"select username, role from user_roles where username =? " />
</authentication-provider>
</authentication-manager>
</beans:beans>
My jsp page is:
<%# page contentType="text/html;charset=UTF-8"%>
<%# taglib prefix="form" uri="http://www.springframework.org/tags/form"%>
<%# taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<html>
<head>
<title>Add Employee Form</title>
<style>
.error
{
color: #ff0000;
font-weight: bold;
}
</style>
</head>
<body>
<h2><spring:message code="lbl.page" text="Add New Employee" /></h2>
<br/>
<form:form action="save?${_csrf.parameterName}=${_csrf.token}" method='POST' modelAttribute="employee">
<table>
<tr>
<td>name:</td>
<td><input type='text' name='username'></td>
</tr>
<tr>
<td>address:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="submit" /></td>
</tr>
</table>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form:form>
</body>
</html>
Web.xml Spring security content is:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping
Please give your valuable suggestions...

Spring security remember me cause 404

I am trying to use remember me, that seems to be very simple but I get a 404 when I launch the application (404 not found).
My jsp looks like that :
<form class="login" name='loginForm' action="<c:url value='/j_spring_security_check' />" method='POST'>
<input id="j_username" name="j_username" type="text" placeholder="Username" />
<input id="j_password" name="j_password" type="password" placeholder="Password" />
<input name="submit" type="submit" value="Sign In" class="btn btn-success btn-sm" />
<div class="remember-forgot">
<div class="row">
<div class="col-md-6">
<div class="checkbox">
<label>
<input type="checkbox" name="_spring_security_remember_me" />
Remember Me
</label>
</div>
</div>
<div class="col-md-6 forgot-pass-content">
Forgot Password
</div>
</div>
</div>
</form>
and My spring security xml :
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/j_spring_security_check" access="permitAll" />
<intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
<form-login
login-page="/login"
login-processing-url="/j_spring_security_check"
default-target-url="/admin"
username-parameter="j_username"
password-parameter="j_password"
authentication-failure-url="/login?error" ></form-login>
<logout logout-success-url="/login?logout" />
<csrf disabled="true"/>
<remember-me key="myAppKey" />
</http>
<beans:bean id="CustomAuthenticationProvider" class="com.meltum.springconfiguration.CustomAuthenticationProvider" />
<authentication-manager>
<authentication-provider ref="CustomAuthenticationProvider" />
</authentication-manager>
Does anybody know how to solve it ?

Try to name remember me checkbox same as in the spring security configuration -"remember_me". Or you can use default value "_spring_security_remember_me" with just "key" property in configuration.

Spring Basic authentication

Hi I have some login form configuration for authentication and i want to replace my simple login form by
response.setHeader("WWW-Authenticate", "Basic realm=\"/\"");
response.setStatus(401);
response.setHeader("Location", url);
to behave like this form and used spnegoAuthenticationProcessingFilter:
<div id="login-box">
<h3>Login with Username and Password</h3>
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
<form name='loginForm' action="<c:url value='j_spring_security_check' />" method='POST'>
<table>
<tr>
<td>User:</td>
<td><input type='text' name='j_username' value=''></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='j_password' /></td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit" value="submit" /></td>
</tr>
</table>
</form>
</div>
This is my spring security configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<sec:http entry-point-ref="spnegoEntryPoint" auto-config="false" >
<sec:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="/**" access="ROLE_USER" />
<sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
<sec:form-login login-page="/login" default-target-url="/hello" always-use-default-target="true"/>
</sec:http>
<bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
<bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="kerberosAuthenticationProvider"/>
</sec:authentication-manager>
<!-- Login form auth -->
<bean id="kerberosAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
<property name="kerberosClient">
<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
<property name="debug" value="true" />
</bean>
</property>
<property name="userDetailsService" ref="dummyUserDetailsService" />
</bean>
<bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
<property name="debug" value="true" />
<property name="krbConfLocation" value="/apps/bin/krb5/krb5.conf" />
</bean>
<bean id="dummyUserDetailsService" class="com.web.ldap.DummyUserDetailsService"/>
</beans>
This is possible ?

I do this by that
<sec:http>
<sec:intercept-url pattern="/**" access="ROLE_USER" />
<sec:http-basic entry-point-ref="spnegoEntryPoint"/>
<!-- <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" /> -->
</sec:http>
but now i don't have spnegoAuthenticationProcessingFilter working...
If i uncomment custom-filter my application will not work

Spring Security: jdbc-user-query, PreparedStatementCallback

I got a problem with my query but I don't know what has caused it so I need your help =)
I got the following exception:
PreparedStatementCallback; bad SQL grammar [select USERNAME as username, PASSWORD as password, from ams.user where USERNAME=?]; nested exception is com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from ams.user where USERNAME='admin'' at line 1
Here's my login.jsp:
<div class="box">
<h1><spring:message code="login.description" /></h1>
<br/>
<form name='f' action="<c:url value='j_spring_security_check' />" method='POST'>
<ol>
<li>
<label><spring:message code="user.user" />:</label>
<em><img src="images/star_red.png" alt="required"></img></em>
<input type='text' name='j_username'>
</li>
<li>
<label><spring:message code="user.password" />:</label>
<em><img src="images/star_red.png" alt="required"></img></em>
<input type='password' name='j_password' />
</li>
<li>
<label> </label>
<input type='hidden' name='remember_me' id="remember_hidden" value="false"/>
<input type='checkbox' id='remember_checkbox' onchange="toggleRememberMe()" class="checkbox"/>
<spring:message code="login.remember" />
</li>
<li>
<label> </label>
<input type="submit" value="<spring:message code="login"/>"/>
</li>
</ol>
<br />
<br />
</form>
<c:if test="${not empty param.login_error}">
<div class="error">
<br />
<spring:message code="login.error" />
<br />
<spring:message code="login.errorReason" />:
<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
</div>
</c:if>
</div>
Here's my Security-Context code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager"> -->
<security:http auto-config="true">
<security:intercept-url pattern="/login/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/login/doLogin.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/lib/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
<security:form-login login-page="/login/login.do" authentication-failure-url="/login/login.do?login_error=true" default-target-url="/test/showTest.do"/>
<security:logout logout-success-url="/login/login.do" invalidate-session="true" />
<security:remember-me key="rememberMe"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select USERNAME as username, PASSWORD as password, from ams.user where USERNAME=?"
authorities-by-username-query="
select distinct user.USERNAME as username, permission.NAME as authority
from ams.user, ams.user_role, ams.role, ams.role_permission, ams.permission
where user.ID=user_role.USER_ID AND user_role.ROLE_ID=role_permission.ROLE_ID AND role_permission.PERMISSION_ID=permission.ID AND user.EMAIL=?"/>
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
<constructor-arg value="256" />
</bean>
</beans>
Does anyone have an idea what might have caused this error?
Would really appreciate your help on this one =)

There is a comma in the sql after password, remove that
change sql from
select USERNAME as username, PASSWORD as password, from ams.user where USERNAME=?
to
select USERNAME as username, PASSWORD as password from ams.user where USERNAME=?