Spring i18n Vs Spring security - spring

I configured my project to be internation but now i am trying to change spring security custom messages without success... I already read and tried some things but without success. I can se usual messages, but not spring security messages.
here is my servlet-context.xml:
<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven />
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Tiles -->
<beans:bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles2.TilesConfigurer">
<beans:property name="definitions">
<beans:list>
<beans:value>/WEB-INF/tiles.xml</beans:value>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean class="org.springframework.web.servlet.view.tiles2.TilesViewResolver">
<beans:property
name="viewClass" value="org.springframework.web.servlet.view.tiles2.TilesView"/>
</beans:bean>
<context:component-scan base-package="com.company.projectMvc" />
<!-- default locale -->
<beans:bean class="org.springframework.web.servlet.i18n.SessionLocaleResolver" id="localeResolver">
<beans:property name="defaultLocale" value="es"/>
</beans:bean>
<interceptors>
<beans:bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<beans:property name="paramName" value="language"/>
</beans:bean>
</interceptors>
<!-- Messages files -->
<beans:bean id="messageSource" name="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<beans:property name="basename" value="/resources/messages/messages" />
</beans:bean>
here is my spring-security.xml:
<http auto-config="true" use-expressions="true" >
<intercept-url pattern="/test" access="isAuthenticated()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<intercept-url pattern="/home" access="permitAll" />
<form-login default-target-url="/home"/>
<logout logout-success-url="/test" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="
select username,password,enabled,fullname
from users where username=?"
authorities-by-username-query="
select u.username, ur.authority from users u, user_roles ur
where u.user_id = ur.user_id and u.username =? "
/>
</authentication-provider>
</authentication-manager>
UPDATE 1
I tried your solution, copying spring security files and change them without success..
After i read this thread Spring Security with AcceptHeaderLocaleResolver and i18n i tried that solution too without success
here is my updated servlet-context.xml file:
<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven />
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Tiles -->
<beans:bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles2.TilesConfigurer">
<beans:property name="definitions">
<beans:list>
<beans:value>/WEB-INF/tiles.xml</beans:value>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean class="org.springframework.web.servlet.view.tiles2.TilesViewResolver">
<beans:property
name="viewClass" value="org.springframework.web.servlet.view.tiles2.TilesView"/>
</beans:bean>
<context:component-scan base-package="com.company.projectMvc" />
<!-- default locale pt_PT -->
<beans:bean class="org.springframework.web.servlet.i18n.SessionLocaleResolver" id="localeResolver">
<beans:property name="defaultLocale" value="pt_PT"/>
</beans:bean>
<!-- Messages files -->
<beans:bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<beans:property name="basenames">
<beans:list>
<beans:value>/resources/messages/messages</beans:value>
<beans:value>/resources/messages/securityMessages</beans:value>
</beans:list>
</beans:property>
</beans:bean>
<!-- com o parametro locale no URL conseguimos definir o locale que quisermos -->
<interceptors>
<beans:bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<beans:property name="paramName" value="lang"/>
</beans:bean>
</interceptors>
Here is my updated web.xml
part1
part2

Probably a little late answer, but someone else facing similar issue might find it useful:
Your problem is that security beans are in root web application context, but messageSource is in the servlet application context source. This means that security beans are unaware of your message source. Simply move your message source definition to the root web application context.

I do not know if you tried this,
Copy message files from org.springframework.security and change
them.
Configure your message source with these files.
By default Spring security uses org.springframework.security.core.SpringSecurityMessageSource This is from javadocs
All Spring Security classes requiring messge localization will by
default use this class. However, all such classes will also implement
MessageSourceAware so that the application context can inject an
alternative message source. Therefore this class is only used when the
deployment environment has not specified an alternative message
source.

Related

spring mvc project not displaying home page after making changes to configuration files(root.xml,servlet-context.xml)

*HI all,
I am doing java project using spring mvc in STS(spring tool suite).
when I first created spring mvc project from existing template and ran it, it displayed home page like intended. but, after adding few classes to my project( dao classes, service classes, and few controller classes and few view files(.jsp files)) and changed **root.xml as follows***
**
</context:component-scan> -->
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost:3306/jobportal_db" />
<property name="username" value="root" />
<property name="password" value="pswd" />
</bean>**
and servlet-context.xml as follow:
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by #Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
<context:component-scan base-package="com.practice.jobportal.controller" />
its not displaying home page anymore, instead giving me
HTTP Status 404 - /jobportal/ as output.

Spring/Hibernate No session found for current thread (config)

I'm trying to understand the configuration for Spring and Hibernate together. Every time I make calls to the database, I get a no session found for current thread error in my console (doesn't stop the app since I just create a new session if it can't find one). I have a standard STS Maven setup. The below is how I have the configuration currently setup. However, if I take everything in the root-context.xml and put it at the bottom of servlet-context.xml, it works without any errors. So I'm guessing something within servlet-context.xml is "overwriting" something and not taking the #Transactional annotations I have on my service. But how do you config around that?
root-context.xml
<!-- Configure JDBC Connection-->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="org.apache.derby.jdbc.EmbeddedDriver" />
<property name="url" value="jdbc:derby:C:\Users\Steven\Desktop\Programming\db-derby-10.10.1.1-bin\db-derby-10.10.1.1-bin\bin\mydb" />
</bean>
<!-- Configure Hibernate 4 Session Factory -->
<bean id="sessionFactory" class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
<property name="dataSource">
<ref bean="dataSource" />
</property>
<property name="packagesToScan" value="com.css.genapp" />
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.DerbyTenSevenDialect</prop>
<prop key="hibernate.show_sql">true</prop>
</props>
</property>
</bean>
<tx:annotation-driven transaction-manager="transactionManager" />
<bean id="transactionManager" class="org.springframework.orm.hibernate4.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
servlet-context.xml
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven />
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by #Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
<beans:bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<beans:property name="basenames">
<beans:list>
<beans:value>format</beans:value>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver" />
<context:component-scan base-package="com.css.genapp" />
You must define component scan on both servlet-context.xml and root-context.xml
root-context.xml: for service, repository...
servlet-context.xml: for controller and web relate component.
Hope it can help. You can check detail on this sample Spring, JPA and hibernate integration
I think in your Hibernate configuration you configured <prop key="hibernate.current_session_context_class">thread</prop> Like this.
Remove the property because it really breaks proper session/transaction management in spring.
You have to import root-context.xml since only servlet-context.xml will be read by dispatcher servlet. Add the following line in your servlet-context.xml :

Spring Security Multiple Authentication Filters

In my project i have declared two authentication filters as mentioned below in spring-security-context.xml file
<beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/**" filters="authenticationProcessingFilterWithDB, authenticationProcessingFilterWithXML" />
</sec:filter-chain-map>
</beans:bean>
I have declared authentication manager for each filter in following way:
<beans:bean id="authenticationProcessingFilterWithDB" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManagerWithDB" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check_with_db" />
</beans:bean>
<beans:bean id="authenticationProcessingFilterWithXML" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManagerWithXML" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check_with_xml" />
</beans:bean>
but when i try to access /j_spring_security_check_with_xml from jsp then it is giving resource not found error. The same is working if give default '/j_spring_security_check' with single authentication manager. Please give the solution for adding multiple authentication manager in spring security as i should be able to verify login details against xml file (where username and password will be provided),against Data base

Pre Authentication Issue

Hi all I have a huge issue in my project.
I have configured my project to use Java EE Security for Authentication and Spring Security for authorization using spring Pre Authentication.
After the Java EE login the application comes to the pre-authentication filter classes where i set the granted authorities. But after that without navigating to my home page the application triggers me to login again through Java EE container security. IF i login the second time it navigates to the home page of the application.
I want to get rid of this second login.
I'm using vaadin for UI. Following are my classes
web.xml
-------------------------------------------------------------------
<security-constraint>
<display-name>SecureApplicationConstraint</display-name>
<web-resource-collection>
<web-resource-name>Vaadin application</web-resource-name>
<description>The entire Vaadin application is
protected</description>
<url-pattern>/application/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Only valid users are allowed</description>
<role-name>authenticated</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description />
<role-name>authenticated</role-name>
</security-role>
=====================================================================
security.xml
======================================================================
<sec:http realm="My Realm" auto-config='true' create-session="ifRequired" disable-url-rewriting="true">
<sec:intercept-url pattern="/application/**" access="ROLE_XXXUSER"/>
<sec:custom-filter ref="myPreAuthFilter" position="PRE_AUTH_FILTER"/>
<sec:session-management session-fixation-protection="newSession"/>
</sec:http>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref='preAuthenticatedAuthenticationProvider'/>
</sec:authentication-manager>
<bean id="myPreAuthFilter"
class="com.xxx.yyy.web.security.xxxPreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
<property name="continueFilterChainOnUnsuccessfulAuthentication" value="false"/>
</bean>
<bean id="authenticationDetailsSource"
class="com.xxx.yyy.web.security.xxxAuthenticationDetailsSource" />
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<constructor-arg>
<list>
<ref bean="preAuthenticatedAuthenticationProvider"/>
</list>
</constructor-arg>
</bean>
<bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
</bean>
<bean id="preAuthenticatedUserDetailsService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
</beans>

How do I get Spring security to generate the same password as what the Jasypt command line tool generates?

I'm using Jasypt 1.9.0, Spring 3.1.1.RELEASE, and Maven 3.0.3. Using the Jasypt command line tool, I generate passwords like so …
./digest.sh input=admin providerClassName=org.bouncycastle.jce.provider.BouncyCastleProvider algorithm=SHA-256 saltGeneratorClassName=org.jasypt.salt.ZeroSaltGenerator
However, when I configure Spring security to attempt to match a password someone entered at the login screen …
<beans:bean id="bcProvider" class="org.bouncycastle.jce.provider.BouncyCastleProvider" />
<beans:bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester">
<beans:property name="algorithm">
<beans:value>SHA-256</beans:value>
</beans:property>
<beans:property name="provider">
<beans:ref bean="bcProvider" />
</beans:property>
<beans:property name="saltGenerator">
<beans:bean id="saltGenerator" class="org.jasypt.salt.ZeroSaltGenerator"/>
</beans:property>
</beans:bean>
<!-- This Spring Security-friendly PasswordEncoder implementation will -->
<!-- wrap the StringDigester instance so that it can be used from -->
<!-- the security framework. -->
<beans:bean id="passwordEncoder" class="org.jasypt.spring.security3.PasswordEncoder">
<property name="stringDigester">
<ref bean="jasyptStringDigester" />
</property>
</beans:bean>
<authentication-manager alias="authenticationManager" id="authenticationManager">
<authentication-provider user-service-ref="sbdUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
Spring is generating a different password than what is stored, and hence I'm not able to authenticate my user. Is there some configuration I'm missing? Why, during authentication, does SPring generate something different than what Jasypt has?
if you run digest.sh multiple times you will get different hashes for same input values. i assume Jasypt uses a timestamp or a random string as a salt.
to be able to generate same hash, you must know the salt, which is used or control the way it is generated. There is a cli parameter called saltGeneratorClassName. By providing a class, which implements the SaltGenerator interface you can control the salt generation.
UPDATE:
forget what i said about position of the salt. you just need to change the jasyptStringDigester a little bit:
<beans:bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester">
<beans:property name="algorithm">
<beans:value>SHA-256</beans:value>
</beans:property>
<beans:property name="provider">
<beans:ref bean="bcProvider" />
</beans:property>
<beans:property name="saltGenerator">
<beans:ref bean="saltGenerator" />
</beans:property>
</beans:bean>
<beans:bean class="impl.of.your.SaltGenerator" id="saltGenerator" />
and then you need to provide impl.of.your.SaltGenerator to digest.sh:
./digest.sh input=admin \
providerClassName=org.bouncycastle.jce.provider.BouncyCastleProvider \
algorithm=SHA-256 \
saltGeneratorClassName=impl.of.your.SaltGenerator

Resources