Spring security with AD Authentication and Database Authorization - spring

I'm trying to implement the solution from this question,
Spring Security 3 Active Directory Authentication, Database Authorization,
but I don't understand how to use the MyAuthoritySupplementingProvider.
Is there someone who can help me?

I think MyAuthoritySupplementingProvider should be specified in
<beans:bean id="activeDirectoryAuthenticationProvider"
class="xxx.package.MyAuthoritySupplementingProvider">
<beans:constructor-arg value="mydomain" />
<beans:constructor-arg value="ldap://my URL :389" />
<beans:property name="convertSubErrorCodesToExceptions" value="true"/>
</beans:bean>
I am not sure whether this will work or not, but to get more detail you should refer to the book "Spring Security 3", Chapter 9, for LDAP and Active Directory configuration and options. This will help you understand this in a better way instead of just going through an SO post.

Related

Spring 4.3.25.RELEASE OAuth2 Configuration Problem

I am working on a system that uses Spring 4.3.25.RELEASE and xml based configuration. I need to integrate with another system using OAuth2, and therefore trying to configure the system as an OAuth2 Client, but it's proving difficult to find examples and documentation.
I can redirect to the IdP OK, but on return I am seeing this error:
Possible CSRF detected - state parameter was required but no state
could be found
This is the configuration I have in place, which is obviously incomplete. Can you please help me identify what is missing?
Thanks.
<custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
<custom-filter ref="oauth2AuthenticationFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
...
<oauth:client id="oauth2ClientFilter" />
<beans:bean id="oauth2AuthenticationFilter" class="org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter">
<beans:constructor-arg name="defaultFilterProcessesUrl" value="/oauth2/callback"/>
<beans:property name="restTemplate" ref="restTemplate"/>
</beans:bean>
<oauth:rest-template id="restTemplate" resource="oauth2Token"/>
<oauth:resource id="oauth2Token"
type="authorization_code"
client-id="my-client-id"
client-secret="my-client-secret"
access-token-uri="https://http://myurl/token"
user-authorization-uri="http://myurl/authorize"/>

Can't get Ehcache to work with spring 3

I am new to Spring so please forgive me if my question is foolish...
I am trying to follow some examples for configuring security on a Spring web application. I have configured it to work with an LDAP directory. Now I need to add caching to the process so that the credentials are not fetched from the LDAP directory every time they are requested.
For this I have added cache-ref="userCache" as shown in the tutorial:
<authentication-manager>
<authentication-provider>
...
<ldap-user-service server-ref="ldapServer"
user-search-filter="uid={0}" user-search-base="ou=people"
group-search-filter="member={0}" group-search-base="ou=groups"
cache-ref="userCache" />
</authentication-provider>
</authentication-manager>
The bean userCache is defined like this:
<beans:bean id="userCache"
class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
<beans:property name="cache" ref="userEhCache" />
</beans:bean>
<beans:bean id="userEhCache"
class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager" ref="cacheManager" />
<beans:property name="cacheName" value="userCache" />
</beans:bean>
The cache manager is defined as follows:
<bean id="cacheManager"
class="org.springframework.security.core.userdetails.cache.EhCacheManagerFactoryBean" />
The problem with this configuration is that I couldn't get the jars, because they are based on an old version, Spring 2. The cache manager I got using
<bean id="cacheManager"
class="net.sf.ehcache.CacheManager" />
but org.springframework.cache.ehcache.EhCacheFactoryBean and org.springframework.security.providers.dao.cache.EhCacheBasedUserCache I don't know where to get, besides from Spring 2, which breaks everything if I add it to my project.
I would appreciate any help in this matter. If you have some other solution please make some suggestions. Thanks!
In Spring 3.0.x org.springframework.cache.ehcache.EhCacheFactoryBean is located in spring-context-support-3.0.x.RELEASE.jar.
There is no class org.springframework.security.providers.dao.cache.EhCacheBasedUserCache but there is class org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache located in spring-security-core-3.0.x.RELEASE.jar.

Spring Security 3.1 using Active Directory

I'm trying to secure my Spring 3.1 web app with Spring Security 3.1, and I need to use Active Directory for user authentication.
However, I can't seem to find the complete configuration steps. I tried different bits of suggestions, but they didn't work for me.
What are the complete steps of configuration to enable a Spring 3.1 web app to use Spring Security 3.1 with Active Directory?
<beans:bean id="adAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="[your domain]" />
<beans:constructor-arg value="ldap://[your AD server]:389" />
<beans:property name="userDetailsContextMapper">
<beans:bean class="[your user-details context mapper]" />
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="adAuthProvider" />
</authentication-manager>
If you need to provide custom logic for mapping user and authorities from the AD entry, you can implement your own UserDetailsContextMapper implementation and specify it in the userDetailsContextMapper property on the adAuthProvider bean.
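The two Active Directory questions above (AD authentication with database authorization, and the adAuthProvider configuration) both come down to the userDetailsContextMapper hook. The following UserDetailsContextMapper is an added example, not code from either question or from Spring Security itself; it uses the standard Spring Security 3.1 API, and the class name DbAuthorityContextMapper, the constructor flag keepAdGroups and the table authorities(username, authority) are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

// Hypothetical mapper: AD decides WHO the user is, the database decides WHAT they may do.
public class DbAuthorityContextMapper implements UserDetailsContextMapper {

    // Assumed schema: authorities(username VARCHAR, authority VARCHAR)
    private static final String AUTHORITIES_SQL =
            "SELECT authority FROM authorities WHERE username = ?";

    private final JdbcTemplate jdbc;
    private final boolean keepAdGroups; // true = supplement AD groups, false = replace them

    public DbAuthorityContextMapper(DataSource dataSource, boolean keepAdGroups) {
        this.jdbc = new JdbcTemplate(dataSource);
        this.keepAdGroups = keepAdGroups;
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> adAuthorities) {
        // Called only after the bind against AD succeeded, so nothing here can bypass
        // authentication. Key the lookup on the account name AD returned, not the raw login.
        String account = ctx.getStringAttribute("sAMAccountName");
        String key = (account != null) ? account : username;
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        if (keepAdGroups) {
            authorities.addAll(adAuthorities); // memberOf groups mapped by the provider
        }
        // Parameterised query: the username never reaches the SQL text.
        for (String role : jdbc.queryForList(AUTHORITIES_SQL, String.class, key)) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // Password stays in AD; an empty string satisfies User's non-null check.
        return new User(key, "", true, true, true, true, authorities);
    }

    @Override
    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        throw new UnsupportedOperationException("read-only mapper");
    }
}
```

Wire it in with `<beans:bean class="xxx.package.DbAuthorityContextMapper">` (plus a dataSource constructor-arg) in place of `[your user-details context mapper]` in the adAuthProvider bean above; a user who authenticates against AD but has no rows in the table ends up with no authorities and is denied by the access rules.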

How to perform anonymous authentication?

I always thought that Acegi Security is the same as Spring Security 3.0, but it seems to be wrong.
Unfortunately I was unable to find any Acegi Security docs.
I need to have an anonymous user with a special role assigned in the Security Context; what I found about that was this.
But there's no AnonymousAuthenticationFilter in Acegi, only AnonymousProcessingFilter. But how should I call its id?
I tried this code:
<bean id="anonymousAuthFilter"
class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
<bean id="anonymousAuthenticationProvider"
class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>
But I get nothing in my Security Context before I actually login. And that's bad=(
Any ideas?
Acegi Security is the old name of Spring Security (in 2.0 or older, I can't remember, it is too long ago).
I strongly recommend using Spring Security 3.0. Attention: the package names and jar structure were changed between Spring Security 3.0 and Spring Security 2.0.
So if you have current documentation, you will need to translate it back to 2.0. This blog post, Spring Security 3.0.0.M1 Released, describes the changes.

how to configure session time out in spring acegi framework?

We are using Acegi Security for my Spring application.
Can you please help with how to make the user's session time out after 5 minutes and go back to the login screen?
I tried to configure session-timeout in web.xml, but it is not working.
Thank you for your help and time.
I realized that I need to keep 5 min = 300000 milliseconds on expiring tickets in the Acegi Security configuration XML.
Now I have another question: how to redirect to the application home page on login. Currently it is trying to go to the page where it previously logged out, but I want to make it the home page under whatever condition.
Your help is greatly appreciated. Thank you.
To get forwarded to a specific URL after a timeout (defined in the web.xml), you may use
<http>
...
<session-management invalid-session-url="/sessionTimeout.htm" />
</http>
Session Management docu
Changing the following expiration policy, we can make the session log out within the time:
<bean id="serviceTicketExpirationPolicy"
class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
<constructor-arg index="0" value="1" />
<constructor-arg index="1" value="600000" />
</bean>
CAS expiration policies gives more information.
To redirect to the login page, use the following:
<property name="alwaysUseDefaultTargetUrl" value="true"/>
in the casProcessingFilter bean configuration.