I'm writing a GWT application secured with Spring security. Logging in works fine, but authorization doesn't.
I've tried using #Secured and #PreAuthorize annotations on my methods and that didn't work either.
For instance, this is a code snippet from AppUserServiceImpl
#Secured("ROLE_ADMINISTRATOR")
#Override
public List<AppUser> fetch(Integer startRow, Integer endRow, Map criteria) {
return appUserManagerBean.getUsers(criteria);
}
ApplicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="true">
<intercept-url pattern="/testapplication/**" access="ROLE_USER"/>
<intercept-url pattern="/gwt/**" access="ROLE_USER"/>
<intercept-url pattern="/**/*.html" access="ROLE_USER"/>
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/security/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/testapplication/appUserService*" access="ROLE_ADMIN"/>
<form-login
login-page="/login.jsp"
authentication-failure-url="/security/error.html"
login-processing-url="/j_spring_security_check"
/>
</http>
<beans:bean id="appUserService" class="com.test.testapplication.server.admin.appuser.AppUserServiceImpl"/>
<beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
[DATASOURCE CONFIGURATION]
</beans:bean>
<global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />
<authentication-manager>
<authentication-provider>
<password-encoder hash="sha" />
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select username,password,DECODE(enabled,'Y',1,'N',0) as enabled from APP_USER where username=?"
authorities-by-username-query="select u.username, ur.role from APP_USER u, APP_USER_ROLE ur
where u.id = ur.APP_USER_ID and u.username =? "
/>
</authentication-provider>
</authentication-manager>
To test, I'm trying to secure 'appUserService'.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
</param-value>
</context-param>
<servlet>
<servlet-name>appUserService</servlet-name>
<servlet-class>com.test.testapplication.server.admin.appuser.AppUserServiceImpl</servlet-class>
</servlet>
<!-- Spring security filter -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring listener -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Default page to serve -->
<welcome-file-list>
<welcome-file>testapplication.html</welcome-file>
</welcome-file-list>
I'm looking for the simplest solution and I would prefer not to use AspectJ, help would be greatly appreciated
Where are you mapping your servlet to particular path?
I'm using gwt-sl for integration of RemoteServiceServlets and Spring.
Define Dispatcher servlet in your web.xml:
<servlet>
<servlet-name>gwtservice</servlet-name>
<servlet-class> org.springframework.web.servlet.DispatcherServlet </servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
And declaration and mapping for your gwt-servlet:
<bean name="DeviceListenerServlet" class="your.package.your.SomeService"/>
<bean id="urlMappingGWT" class="org.gwtwidgets.server.spring.GWTHandler">
<property name="mappings">
<map>
<entry key="/service" value-ref="DriverServiceImpl"/>
</map>
</property>
</bean>
And change Annotation in your RemoteService class (in my example it will be #RemoteServiceRelativePath("gwtservice/service")).
Now you can use you #Secured annotation (if you added )
Hope this help.
Related
I am using spring security and some mvc controllers. I am not able to make it work. Below is the error I get.
org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/auth/ping] in DispatcherServlet with name 'application'
It would be great if anyone can figure out what's wrong with my code
below are my files
web.xml
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.5"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>Out of school network backend</display-name>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/log4j.properties</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:/application-context.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- CORS Filter -->
<filter>
<filter-name>corsFilter</filter-name>
<filter-class>com.myproj.filters.SimpleCORSFilter</filter-class>
</filter>
<!-- Spring Security Filter -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>corsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>application</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>application</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
Below is my application context:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:mongo="http://www.springframework.org/schema/data/mongo"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
http://www.springframework.org/schema/data/mongo http://www.springframework.org/schema/data/mongo/spring-mongo-1.5.xsd">
<context:annotation-config />
<context:component-scan base-package="com.myproj.controllers" />
<mvc:annotation-driven />
<!-- mongodb -->
<mongo:db-factory id="mongoDbFactory"
host="<ip address>"
port="27017"
dbname="mongotest"
username="username"
password="password"/>
<bean id="mongoTemplate" class="org.springframework.data.mongodb.core.MongoTemplate">
<constructor-arg ref="mongoDbFactory" />
</bean>
<mongo:repositories base-package="com.myproj.repositories" />
<!-- Global Security Settings -->
<sec:global-method-security pre-post-annotations="enabled" />
<sec:http use-expressions="true" disable-url-rewriting="true" auto-config="true"
entry-point-ref="authenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/auth/*" access="isAnonymous()" />
<sec:intercept-url method="POST" pattern="/be/user" access="isAnonymous()" />
<sec:intercept-url pattern="/home" access="isAnonymous()" />
<sec:intercept-url pattern="/api/*" access="hasRole('ROLE_USER')" />
<sec:form-login login-processing-url="/auth/login"
default-target-url="/account"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/login?loginError"/>
<sec:logout logout-success-url="/login?logout" />
</sec:http>
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<bean id="userDetailsService" class="com.myproj.security.UserDetailsServiceImpl" />
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="userDetailsService" />
</sec:authentication-manager>
Below is the controller:
package com.myproj.controllers;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.http.HttpStatus;
public class PingController {
#RequestMapping(value = "auth/ping", method = RequestMethod.GET)
#ResponseStatus(HttpStatus.OK)
public #ResponseBody String login() {
return "unprotected";
}
#RequestMapping(value = "api/protected", method = RequestMethod.GET)
#ResponseStatus(HttpStatus.OK)
public #ResponseBody String getpro() {
return "protected";
}
}
You forgot #Controller on your PingController class.
I am using Spring MVC and JQUERY to implement a 2 step process to submit data from a form to the server:
A JQUERY ajax POST request would submit the file data from form to the server on click of file browse. This would store the file on file server and create an entry into the database storing the file information, with the mode set as draft.
When user clicks on form submit button, the other form data such as 'File Title' and so on, would be submitted to the server. The entry into database should now set the mode to 'Complete'.
At step 1 I am setting the file data such as Id of the column in database, name of file into a session attribute.
/**
* Upload single file using Spring Controller
*/
#RequestMapping(value = "/uploadFileDraft", method = RequestMethod.POST)
#ResponseStatus(value = HttpStatus.OK)
public void uploadFileDraft(#RequestParam("file") MultipartFile file,Model map, HttpSession httpSession) {
PostDto draftPost = new PostDto();
draftPost.setPostedDate(new Date());
draftPost.setStrRawFileName(file.getOriginalFilename());
//Logic to save this object into database.
postService.uploadPostDraft(draftPost);
//now set the data into session object
httpSession.setAttribute("filePostDraftDto", draftPost);
}
Now in step 2 I trying to retrieve this Dto object from session and calling another service. But he object does not exist into the session.
#RequestMapping(value = "/uploadFilePublish", method = RequestMethod.POST)
#ResponseStatus(value = HttpStatus.OK)
public void uploadVideoPublish(#RequestParam("strVideoTitle") String strVideoTitle, Model map, HttpSession httpSession) {
PostDto postDtoDraft = null;
if(null!= httpSession.getAttribute("filePostDraftDto"))
{
postDtoDraft = (PostDto)httpSession.getAttribute("filePostDraftDto");
}
if(null!=postDtoDraft )
{
System.out.println("file name from session is: "+postDtoDraft.getStrFileName());
}
else
{
System.out.println("error: postDtoDraft is null");
}
}
}
The following gets printed everytime: error: postDtoDraft is null
My web.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>WebConnect</display-name>
<!-- Spring Security Configuration File -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlet and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.htm</welcome-file>
</welcome-file-list>
<!-- session time out set as 30 minites -->
<session-config>
<session-timeout>30</session-timeout>
</session-config>
The applicationConfig.xml is:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd">
<context:annotation-config />
<context:component-scan base-package="com.mycomp.myproj" />
<context:spring-configured />
<neo4j:config graphDatabaseService="graphDatabaseService" />
<neo4j:repositories base-package="com.mycomp.myproj.repository" />
<bean id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/jsp/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
<bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<!-- setting maximum upload size -->
<property name="maxUploadSize" value="10000000000" />
</bean>
<mvc:resources mapping="/resources/**" location="/resources/" />
<mvc:default-servlet-handler />
<mvc:annotation-driven />
<tx:annotation-driven mode="aspectj"
transaction-manager="transactionManager" />
The spring-security.xml is:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http pattern="/resources/**" security="none" />
<http authentication-manager-ref="userAuthManager">
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/register" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/' authentication-failure-url="/" />
<logout invalidate-session="true" logout-success-url="/" logout-url="/j_spring_security_logout" />
<session-management invalid-session-url="/">
<concurrency-control max-sessions="1"
expired-url="/" />
</session-management>
</http>
<beans:bean id="userAuthManager" class="com.inw.pyt.security.UserAuthManager">
</beans:bean>
<beans:bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
The solution to this issue was with the class PostDto not being serializable. Once I changed PostDto to implement Serializable it started working. Seems like there is a restriction with Spring, which does not let objects to be stored in session unless they are serializable.
I found the issue when I tried to use Spring's own #SessionAttributes to set and get from the session, instead of the HttpSession. Then while setting the attribute into the Spring model I got the following error in the console:
StandardWrapperValve[mvc-dispatcher]: Servlet.service() for servlet mvc-dispatcher threw exception
java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute with name filePostDraftDto
at org.apache.catalina.session.ManagerBase.checkSessionAttribute(ManagerBase.java:835)
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1840)
at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:178)
at org.springframework.web.context.request.ServletRequestAttributes.setAttribute(ServletRequestAttributes.java:131)
at org.springframework.web.bind.support.DefaultSessionAttributeStore.storeAttribute(DefaultSessionAttributeStore.java:55)
at org.springframework.web.method.annotation.SessionAttributesHandler.storeAttributes(SessionAttributesHandler.java:124)
my jsps are under views,
web.xml :
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>Spring-MVC-Security</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/servletDispatcher-servlet.xml,/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>servletDispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>servletDispatcher</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>login</welcome-file>
</welcome-file-list>
</web-app>
servletDispatcher-servlet.xml :
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
<mvc:annotation-driven/>
<!-- <mvc:default-servlet-handler/> -->
<context:component-scan base-package="com.spring.controller"></context:component-scan>
<context:component-scan base-package="com.spring.util"></context:component-scan>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/"/>
<property name="suffix" value=".jsp"/>
</bean>
</beans>
spring-security.xml :
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/logout" access="permitAll" />
<security:intercept-url pattern="/accessdenied" access="permitAll" />
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<security:form-login login-page="/login" default-target-url="/list" authentication-failure-url="/accessdenied" />
<security:logout logout-success-url="/logout" />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service>
<security:user name="lokesh" password="password" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
Controller :
package com.spring.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
#Controller
public class LoginController {
#RequestMapping({"/","/login"})
public String login()
{
return "login";
}
}
When I am trying to hit
http://localhost:8080/Spring-MVC-Security/ ,
url is getting redirected to
http://localhost:8080/Spring-MVC-Security/login
but I am getting 404 error from tomcat and getting following warning at the console:
Jan 13, 2014 12:03:41 PM org.springframework.web.servlet.DispatcherServlet noHandlerFound
WARNING: No mapping found for HTTP request with URI [/Spring-MVC-Security/WEB-INF/views/login.jsp] in DispatcherServlet with name 'servletDispatcher'
It seems like servletDispatcher is hit again after view resolution.
Please advise. Thanks
First off, you're loading the servletDispatcher context twice. The dispatcher servlet will automatically discover the /WEB-INF/servletDispatcher-servlet.xml file based on conventions - so this does not need to be specified in the contextConfigLocation
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
<!-- Remove servletDispatcher-servlet.xml -->
/WEB-INF/spring-security.xml
</param-value>
</context-param>
Try changing your dispatcher servlet mapping from /* to /
<servlet-mapping>
<servlet-name>servletDispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
Also - since your login controller is not doing anything other than returning the login view, you could replace it with a view controller.
<mvc:view-controller path="/login" />
Given the following users :
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="dev" password="devpass" authorities="DEV" />
<user name="user" password="userpass" authorities="USER" />
</user-service>
</authentication-provider>
</authentication-manager>
I want to be 'user' and then access a secured method
#Secured("DEV")
public void devOnly() {
// .. dev stuff
}
So far I've tried a lot of things and cannot get #Secured to throw an AccessDeniedException
EDIT: Added configuration files
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.5"
xmlns="http://www.java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://www.java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>Spring MVC Application</display-name>
<!-- Spring MVC -->
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:/mvc-dispatcher-servlet.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:/mvc-dispatcher-servlet.xml
classpath:/spring-security.xml
</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security secured-annotations="enabled" />
<http auto-config="true">
<form-login/>
<http-basic/>
<!--<intercept-url pattern="/welcome*" access="ROLE_USER" />-->
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="password" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
mvc-dispatcher-servlet.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:component-scan base-package="com.rodly.testapp" />
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/frontend/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
It's seems so easy to use spring security following a tutorial, but when I try to do the same with this app I can get it to work (I must admit that I haven't written ) .
/-----------------Edit-------------------/
Now with the help of some great people, I finally got the application to ask the user to authenticate himself,but now I've run into a new problem: When I try to access the application using one of the users listed below(applicationContext-security.xml), I get this message :
Here's web.xml code:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-security.xml</param-value>
</context-param>
<welcome-file-list>
<welcome-file>redirect.jsp</welcome-file>
</welcome-file-list>
<error-page>
<error-code>403</error-code>
<location>/sinacceso.jsp</location>
</error-page>
</web-app>
context.xml :
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/Test01"/>
dispatcher-servlet.xml:
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<!-- GENERALES -->
<bean id="viewResolver"
class="org.springframework.web.servlet.view.UrlBasedViewResolver">
<property name="viewClass"
value="org.springframework.web.servlet.view.tiles2.TilesView" />
</bean>
<bean id="tilesConfigurer"
class="org.springframework.web.servlet.view.tiles2.TilesConfigurer">
<property name="definitions">
<list>
<value>/WEB-INF/tiles.xml</value>
</list>
</property>
</bean>
<bean name="/index.htm" class="paginas.index"/>
<bean name="secure/villancicos.htm" class="paginas.villancicos"/>
<bean name="secure/administracion.htm" class="paginas.administracion"/>
</beans>
applicationContext-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http>
<intercept-url pattern="/index.htm" filters="none" />
<intercept-url pattern="/secure/administracion.htm" access="ROLE_SUPERVISOR" />
<intercept-url pattern="/secure/**" access="ROLE_USER" />
<form-login />
<anonymous />
<http-basic />
<logout logout-success-url="/index.htm" />
</http>
<authentication-manager alias="myAuthenticationManager">
<authentication-provider>
<password-encoder hash="md5"/>
<user-service>
<user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
<user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
<user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
<user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
This application is currently using spring 2.5 with spring-security-2.0.4 (the same version from the tutorial I've been following).
Have you tried what the error suggests and added an alias attribute to your authentication-manager? Something like:
<authentication-manager alias="myAuthenticationManager">
<authentication-provider>
...