Spring security SessionRegistry and bean based configuration woes - spring

I'm using Spring Security 3.0.5 and trying to get a count of currently logged-in users. My scenario is pre-authenticated and uses bean-based configuration as opposed to <http> namespace-based configuration (in which case this appears to be trivial).
My config file is as follows:
<!-- Bean-configured FilterChainProxy. A request is handled by the filter list of the first
     pattern it matches, so the specific patterns have to stay above the catch-all "/**". -->
<beans:bean id="springSecurityFilterChain"
            class="org.springframework.security.web.FilterChainProxy">
  <filter-chain-map path-type="ant">
    <!-- filters="none" means no security filter runs for these paths: no SecurityContext is
         loaded and neither pre-authentication nor the concurrency check applies.
         NOTE(review): "/service/**" is left wholly outside the chain; confirm those endpoints
         are protected some other way. -->
    <filter-chain pattern="/**/resources/**" filters="none" />
    <filter-chain pattern="/**/logout/**" filters="none" />
    <filter-chain pattern="/service/**" filters="none" />
    <!-- The names are bean ids; "logoutFilter", "etf" and "fsi" are not defined in this
         excerpt. -->
    <filter-chain pattern="/**"
                  filters="sif,concurrencyFilter,shibbolethFilter,smf,logoutFilter,etf,fsi" />
  </filter-chain-map>
</beans:bean>
<!-- Loads the SecurityContext at the start of a request and stores it again at the end.
     No repository is wired in explicitly here. -->
<beans:bean id="sif"
            class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

<!-- HTTP-session-backed SecurityContext store, handed to "smf" below. -->
<beans:bean id="scr"
            class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

<!-- Session management filter. It receives the "sas" strategy, which is the only bean in
     this excerpt that registers sessions in the session registry. -->
<beans:bean id="smf"
            class="org.springframework.security.web.session.SessionManagementFilter">
  <beans:constructor-arg name="securityContextRepository" ref="scr" />
  <beans:property name="sessionAuthenticationStrategy" ref="sas" />
</beans:bean>
<!-- Project-specific pre-authentication filter (per the question it extends
     AbstractPreAuthenticatedProcessingFilter). It accepts an identity asserted upstream, so
     the application should only be reachable through the front end that asserts it. -->
<beans:bean id="shibbolethFilter"
            class="PreAuthenticatedShibbolethAuthenticationFilter">
  <beans:property name="authenticationManager" ref="authenticationManager" />
  <beans:property name="exceptionIfHeaderMissing" value="true" />
  <!-- A failed pre-authentication does not stop the request: it continues down the chain
       unauthenticated, so the later filters and access rules have to reject it. -->
  <beans:property name="continueFilterChainOnUnsuccessfulAuthentication" value="true" />
  <!-- NOTE(review): "developmentMode" belongs to the custom class and its effect is not
       visible here; confirm it cannot relax authentication before this is deployed. -->
  <beans:property name="developmentMode" value="true" />
  <beans:property name="authenticationSuccessHandler"
                  ref="customAuthenticationSuccessHandlerBean" />
</beans:bean>
<!-- Concurrency strategy: at most one session per principal, tracked in "sessionRegistry". -->
<beans:bean id="sas"
            class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
  <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="maximumSessions" value="1" />
</beans:bean>

<!-- In-memory registry. In this excerpt only "sas" registers sessions in it, so
     getAllPrincipals() stays empty unless "sas" is actually invoked on a successful login.
     NOTE(review): stale entries are normally cleared through an HttpSessionEventPublisher
     listener in web.xml; that file is not shown, so confirm it is registered. -->
<beans:bean id="sessionRegistry"
            class="org.springframework.security.core.session.SessionRegistryImpl" />

<!-- Sends requests whose session the registry has marked as expired to expiredUrl. -->
<beans:bean id="concurrencyFilter"
            class="org.springframework.security.web.session.ConcurrentSessionFilter">
  <beans:property name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="expiredUrl" value="/session-expired.html" />
</beans:bean>
<!-- Single provider: every authentication request goes to "preauthAuthProvider". -->
<authentication-manager alias="authenticationManager">
  <authentication-provider ref="preauthAuthProvider" />
</authentication-manager>

<!-- Pre-authenticated provider: it verifies no credential itself and only loads the user
     record for the principal name handed over by the pre-authentication filter. The trust
     decision therefore rests entirely on that filter and on what sits in front of it. -->
<beans:bean id="preauthAuthProvider"
            class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
  <beans:property name="preAuthenticatedUserDetailsService">
    <beans:bean id="userDetailsServiceWrapper"
                class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
      <beans:property name="userDetailsService" ref="userDetailsService" />
    </beans:bean>
  </beans:property>
</beans:bean>
<!-- Project-specific logout success handler; nothing in this excerpt references it. -->
<beans:bean id="logoutHandlerBean" class="LogoutSuccessHandlerImpl" />

<!-- Project-specific JDBC user lookup on the "projectDS" data source.
     Presumably modelled on JdbcDaoImpl, in which case these flags mean authorities come from
     group membership only; verify against CustomJdbcDaoImpl. -->
<beans:bean id="userDetailsService" class="CustomJdbcDaoImpl">
  <beans:property name="dataSource" ref="projectDS" />
  <beans:property name="enableGroups" value="true" />
  <beans:property name="enableAuthorities" value="false" />
</beans:bean>
In my controller I have the following code:
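// Injected by bean name; "sessionRegistry" is the id of the SessionRegistryImpl bean in the
// XML configuration.
@Resource(name = "sessionRegistry")
private SessionRegistry sessionReg;

/**
 * Debug helper: walks every principal the registry knows and logs each of its sessions.
 */
private void doTest() {
    List<Object> principals = sessionReg.getAllPrincipals();
    for (Object o : principals) {
        // The second argument (true) asks for expired sessions as well.
        List<SessionInformation> siList = sessionReg.getAllSessions(o, true);
        for (SessionInformation si : siList) {
            // NOTE(review): a session id is a bearer credential. Writing it to the log lets
            // anyone with log access take over that session; keep this to local debugging
            // and log a count or a truncated id anywhere else.
            logger.error(si.getSessionId() + " " + si.getPrincipal());
        }
    }
}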
The list principals is always empty. I feel the PreAuthenticatedShibbolethAuthenticationFilter filter which extends AbstractPreAuthenticatedProcessingFilter should get a ref to ConcurrentSessionControlStrategy, however, there is no such property which could be set.
What am I missing?

SecurityContextPersistenceFilter requires a SecurityContextRepository:
<!-- Wires the "scr" repository into the persistence filter, so that "sif" and "smf" work
     against the same SecurityContext store. In a file whose default namespace is the
     security schema (as in the question) the elements need the beans: prefix. -->
<bean id="sif"
      class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
  <property name="securityContextRepository" ref="scr" />
</bean>

Related

I need to save the messaged in rabbit mq and delete it once my job is completed successfully

I need to save m messages in rabbit mq. I am using acknowledgeMode as MANUAL in SimpleMessageListenerContainer. This is helping me store the value in unacked in rabbit mq. But even after job completion the messages remain in the unacked. I need the messages to be deleted once job gets completed successfully. Please help me find a solution
<!-- Master-side handler for remote partitioning: requests for the "slave" step go out through
     "messagingTemplate" and the reply channel is "outboundReplies". -->
<beans:bean id="PartitionHandler"
            class="org.springframework.batch.integration.partition.MessageChannelPartitionHandler"
            init-method="afterPropertiesSet"
            scope="job">
  <beans:property name="messagingOperations" ref="messagingTemplate" />
  <beans:property name="stepName" value="slave" />
  <beans:property name="gridSize" value="${spring.gridsize}" />
  <beans:property name="pollInterval" value="5000" />
  <beans:property name="jobExplorer" ref="jobExplorer" />
  <beans:property name="replyChannel" ref="outboundReplies" />
</beans:bean>

<!-- Trigger used by the default poller, constructed with a period of 5000. -->
<beans:bean id="PeriodicTrigger" class="org.springframework.scheduling.support.PeriodicTrigger">
  <beans:constructor-arg value="5000" />
</beans:bean>
<!-- Durable queue "testQueue" that carries the partition requests. -->
<beans:bean id="requestQueue" class="org.springframework.amqp.core.Queue">
  <beans:constructor-arg name="name" value="testQueue" />
  <beans:constructor-arg name="durable" value="true" />
</beans:bean>

<!-- Default poller for polled channels, driven by "PeriodicTrigger". -->
<int:poller id="PollerMetadata"
            default="true"
            trigger="PeriodicTrigger"
            task-executor="taskExecutor" />

<!-- Template bound to the broker connection; publishes with routing key "testQueue". -->
<beans:bean id="amqptemplate"
            class="org.springframework.amqp.rabbit.core.RabbitTemplate">
  <beans:property name="connectionFactory" ref="rabbitConnFactory" />
  <beans:property name="routingKey" value="testQueue" />
  <beans:property name="queue" value="testQueue" />
</beans:bean>

<!-- One-way outbound endpoint (expectReply is false) fed from "outboundRequests". -->
<beans:bean id="amqpOutboundEndpoint"
            class="org.springframework.integration.amqp.outbound.AmqpOutboundEndpoint">
  <beans:constructor-arg ref="amqptemplate" />
  <beans:property name="expectReply" value="false" />
  <beans:property name="routingKey" value="testQueue" />
  <beans:property name="outputChannel" ref="inboundRequests" />
</beans:bean>
<int:service-activator ref="amqpOutboundEndpoint" input-channel="outboundRequests" />
<!-- Consumer side: five concurrent consumers on "testQueue".
     With acknowledgeMode MANUAL the container does not ack deliveries itself, and no bean
     in this excerpt acks them either, which matches the symptom in the question: the
     broker keeps them as unacked. -->
<beans:bean id="SimpleMessageListenerContainer"
            class="org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer">
  <beans:constructor-arg ref="rabbitConnFactory" />
  <beans:property name="queueNames" value="testQueue" />
  <beans:property name="autoStartup" value="false" />
  <beans:property name="acknowledgeMode" value="MANUAL" />
  <beans:property name="concurrentConsumers" value="5" />
</beans:bean>

<!-- Turns deliveries from the container into messages on "inboundRequests". -->
<beans:bean id="AmqpInboundChannelAdapter"
            class="org.springframework.integration.amqp.inbound.AmqpInboundChannelAdapter"
            init-method="afterPropertiesSet">
  <beans:constructor-arg ref="SimpleMessageListenerContainer" />
  <beans:property name="outputChannel" ref="inboundRequests" />
</beans:bean>

<!-- Runs the requested step on the worker; its output goes to "outboundStaging". -->
<beans:bean id="StepExecutionRequestHandler"
            class="org.springframework.batch.integration.partition.StepExecutionRequestHandler">
  <beans:property name="jobExplorer" ref="jobExplorer" />
  <beans:property name="stepLocator" ref="stepLocator" />
</beans:bean>
<int:service-activator ref="StepExecutionRequestHandler"
                       input-channel="inboundRequests"
                       output-channel="outboundStaging" />
<!-- Broker connection.
     NOTE(review): the broker's default guest/guest account is hard-coded here. RabbitMQ
     limits that account to loopback connections by default, so this is only suitable for a
     local development broker. For a shared broker create a dedicated user with the minimum
     permissions on the virtual host and supply its credentials from externalised
     properties (this file already uses ${...} placeholders) instead of the XML. -->
<bean id="rabbitConnFactory"
      class="org.springframework.amqp.rabbit.connection.CachingConnectionFactory">
  <constructor-arg>
    <value>localhost</value>
  </constructor-arg>
  <property name="username" value="guest" />
  <property name="password" value="guest" />
  <property name="virtualHost" value="/" />
  <property name="port" value="5672" />
</bean>

<!-- Administrative helper bound to the same connection factory. -->
<bean id="admin" class="org.springframework.amqp.rabbit.core.RabbitAdmin">
  <constructor-arg ref="rabbitConnFactory" />
</bean>
<!-- Template the partition handler sends through; its default channel is "outboundRequests". -->
<bean id="messagingTemplate"
      class="org.springframework.integration.core.MessagingTemplate">
  <constructor-arg ref="outboundRequests" />
  <property name="receiveTimeout" value="60000000" />
</bean>

<!-- Channels. "outboundStaging" is a NullChannel, so whatever the step handler returns is
     discarded there. -->
<bean id="outboundRequests" class="org.springframework.integration.channel.DirectChannel">
  <property name="maxSubscribers" value="5" />
</bean>
<int:channel id="outboundReplies" scope="job">
  <int:queue />
</int:channel>
<bean id="outboundStaging" class="org.springframework.integration.channel.NullChannel" />
<bean id="inboundRequests" class="org.springframework.integration.channel.QueueChannel" />
<bean id="stepLocator" class="org.springframework.batch.integration.partition.BeanFactoryStepLocator" />
When using MANUAL acks, you are responsible for the acknowledgment: until your code acks a delivery, the broker keeps that message in the unacked state.
See my answer to this question.

Spring Security Remember-me with Ajax login

I have implemented Spring Security Ajax login.
I defined my own customAuthenticationEntryPoint, authenticationFilter, securityLoginSuccessHandler. It can successfully authenticate the user. However, when I add the remember me part. It does not work. There is no SQL run in the database to insert token into persistent_logins. I do not know if there is anything wrong with my configuration? Please help.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.2.xsd">
<!-- Static resources bypass the security filter chain completely. -->
<http pattern="/resources/**" security="none" />

<http auto-config="false"
      use-expressions="true"
      entry-point-ref="customAuthenticationEntryPoint">
  <!-- NOTE(review): permitAll on "/**" means this file restricts no URL at all; any
       authorization has to be enforced elsewhere (for example method security). -->
  <intercept-url pattern="/**" access="permitAll" />
  <access-denied-handler error-page="/denied" />
  <logout invalidate-session="true"
          delete-cookies="JSESSIONID"
          success-handler-ref="securityLogoutSuccessHandler"
          logout-url="/logout" />
  <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
  <!-- CSRF protection is on, so the Ajax login POST has to carry the CSRF token. -->
  <csrf />
  <!-- enable remember me -->
  <!-- NOTE(review): the key is a well-known literal. Use a value private to this
       application, kept out of source control, and keep it identical wherever the
       remember-me key is configured. -->
  <remember-me services-ref="rememberMeServices"
               key="_spring_security_remember_me" />
</http>
<!-- Persistent-token remember-me: the tokens are stored through "jdbcTokenRepository".
     NOTE(review): alwaysRemember=true issues a long-lived login cookie on every successful
     login, whether or not the user asked for it, which is a poor default on shared
     machines. Consider leaving it off and enabling useSecureCookie so the cookie only
     travels over HTTPS. -->
<beans:bean id="rememberMeServices"
            class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
  <beans:property name="key" value="_spring_security_remember_me" />
  <beans:property name="alwaysRemember" value="true" />
  <beans:property name="tokenRepository" ref="jdbcTokenRepository" />
  <beans:property name="userDetailsService" ref="userDetailsService" />
</beans:bean>

<!-- JDBC token store. createTableOnStartup is false, so the persistent_logins table has to
     exist already. Its rows act as login credentials; restrict access to that table. -->
<beans:bean id="jdbcTokenRepository"
            class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
  <beans:property name="createTableOnStartup" value="false" />
  <beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<!-- Project-specific entry point that sends unauthenticated requests to /login.
     NOTE(review): a return parameter ("r") is enabled. If its value is later used as a
     redirect target, it must be limited to paths inside this application, otherwise it is
     an open redirect; verify in CustomAuthenticationEntryPoint. -->
<beans:bean id="customAuthenticationEntryPoint"
            class="com.tong.beau.service.security.CustomAuthenticationEntryPoint">
  <beans:property name="loginPageUrl" value="/login" />
  <beans:property name="returnParameterEnabled" value="true" />
  <beans:property name="returnParameterName" value="r" />
</beans:bean>
<!-- Login filter installed at FORM_LOGIN_FILTER; it processes POSTs to /security_check.
     NOTE(review): no rememberMeServices property is set on this filter, so a successful
     login here never reaches "rememberMeServices"; the working configuration later on this
     page adds that property. -->
<beans:bean id="authenticationFilter"
            class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <beans:property name="authenticationManager" ref="authenticationManager" />
  <!-- change here if customize form action -->
  <beans:property name="filterProcessesUrl" value="/security_check" />
  <!-- handler are for login with ajax POST -->
  <beans:property name="authenticationFailureHandler" ref="securityLoginFailureHandler" />
  <beans:property name="authenticationSuccessHandler" ref="securityLoginSuccessHandler" />
  <!-- change here for password field name in the form -->
  <beans:property name="PasswordParameter" value="password" />
  <!-- change here for username field name in the form -->
  <beans:property name="UsernameParameter" value="username" />
</beans:bean>
<!-- Project-specific success handler.
     NOTE(review): targetUrlParameter makes the post-login destination come from the
     "return-url" request parameter. Confirm the handler accepts only same-application
     paths, otherwise a crafted login link can send users to another site after login. -->
<beans:bean id="securityLoginSuccessHandler"
            class="com.tong.beau.service.security.SecurityLoginSuccessHandler">
  <beans:property name="defaultTargetUrl" value="/" />
  <beans:property name="targetUrlParameter" value="return-url" />
</beans:bean>

<!-- Project-specific failure handler; falls back to /login/failure. -->
<beans:bean id="securityLoginFailureHandler"
            class="com.tong.beau.service.security.SecurityLoginFailureHandler">
  <beans:property name="defaultFailureUrl" value="/login/failure" />
</beans:bean>

<!-- Project-specific logout success handler, referenced by the logout element. -->
<beans:bean id="securityLogoutSuccessHandler"
            class="com.tong.beau.service.security.SecurityLogoutSuccessHandler" />
<!-- Stored passwords are checked with bcrypt. -->
<beans:bean id="encoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<!-- Username/password logins are verified against "userDetailsService" (defined outside
     this excerpt) using the encoder above. -->
<authentication-manager alias="authenticationManager">
  <authentication-provider user-service-ref="userDetailsService">
    <password-encoder ref="encoder" />
  </authentication-provider>
</authentication-manager>
</beans:beans>
Since I implemented my CustomAuthenticationEntryPoint, do I need to handle the remember me service in the entry point?
After looking at the source code of Spring Security 4.0.3, I found out that the default parameter is actually defined as this:
// Request parameter name that switches remember-me on, as quoted in this answer from the
// Spring Security 4.0.3 source; the login form has to submit a field with this name.
public static final String DEFAULT_PARAMETER = "remember-me";
So what I did was to edit the front end to send the data with name "remember-me".
Before Spring Security 4.0.3, the default parameter was _spring_security_remember_me
That is worth mentioning. The configuration also has some problems.
My working configuration is as following.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd">
<!-- Static resources bypass the security filter chain completely. -->
<http pattern="/resources/**" security="none" />

<http auto-config="false"
      use-expressions="true"
      entry-point-ref="customAuthenticationEntryPoint">
  <!-- NOTE(review): permitAll on "/**" means this file restricts no URL; authorization has
       to be enforced elsewhere. -->
  <intercept-url pattern="/**" access="permitAll" />
  <access-denied-handler error-page="/denied" />
  <logout invalidate-session="true"
          delete-cookies="JSESSIONID"
          success-handler-ref="securityLogoutSuccessHandler"
          logout-url="/logout" />
  <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
  <!-- NOTE(review): the remember-me element below presumably registers a remember-me filter
       of its own as well; confirm that declaring "rememberMeFilter" here does not put two
       of them in the chain. -->
  <custom-filter ref="rememberMeFilter" after="FORM_LOGIN_FILTER" />
  <csrf />
  <!-- NOTE(review): "remember-me" is a guessable literal used as the key here, in
       "rememberMeServices" and in "rememberMeAuthenticationProvider". Keep the three equal,
       but use a value private to the application. -->
  <remember-me key="remember-me" services-ref="rememberMeServices" />
</http>
<!-- Filter that logs a user in from a remember-me cookie when no one is authenticated yet. -->
<beans:bean id="rememberMeFilter"
            class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
  <beans:constructor-arg ref="authenticationManager" />
  <beans:constructor-arg ref="rememberMeServices" />
</beans:bean>

<!-- Persistent-token services built through the constructor: key, user lookup, token store.
     alwaysRemember is not set here, unlike the question's configuration. -->
<beans:bean id="rememberMeServices"
            class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
  <beans:constructor-arg value="remember-me" />
  <beans:constructor-arg ref="userDetailsService" />
  <beans:constructor-arg ref="jdbcTokenRepository" />
</beans:bean>

<!-- Accepts remember-me tokens whose key equals the one given here, so it has to match the
     key passed to "rememberMeServices". -->
<beans:bean id="rememberMeAuthenticationProvider"
            class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
  <beans:constructor-arg value="remember-me" />
</beans:bean>
<!-- JDBC token store. The persistent_logins table has to exist already, and its rows act
     as login credentials, so restrict who can read them. -->
<beans:bean id="jdbcTokenRepository"
            class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
  <beans:property name="createTableOnStartup" value="false" />
  <beans:property name="dataSource" ref="dataSource" />
</beans:bean>

<!-- Project-specific entry point. NOTE(review): if the "r" return parameter feeds a
     redirect, limit it to paths inside this application. -->
<beans:bean id="customAuthenticationEntryPoint"
            class="com.tong.beau.service.security.CustomAuthenticationEntryPoint">
  <beans:property name="loginPageUrl" value="/login" />
  <beans:property name="returnParameterEnabled" value="true" />
  <beans:property name="returnParameterName" value="r" />
</beans:bean>
<!-- Login filter for POSTs to /security_check. The rememberMeServices property is what lets
     a successful login hand over to the remember-me services. -->
<beans:bean id="authenticationFilter"
            class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <beans:property name="authenticationManager" ref="authenticationManager" />
  <beans:property name="rememberMeServices" ref="rememberMeServices" />
  <!-- change here if customize form action -->
  <beans:property name="filterProcessesUrl" value="/security_check" />
  <!-- handler are for login with ajax POST -->
  <beans:property name="authenticationFailureHandler" ref="securityLoginFailureHandler" />
  <beans:property name="authenticationSuccessHandler" ref="securityLoginSuccessHandler" />
  <!-- change here for password field name in the form -->
  <beans:property name="PasswordParameter" value="password" />
  <!-- change here for username field name in the form -->
  <beans:property name="UsernameParameter" value="username" />
</beans:bean>
<!-- Project-specific success handler. NOTE(review): the post-login destination can come
     from the "return-url" request parameter; confirm only same-application paths are
     accepted. -->
<beans:bean id="securityLoginSuccessHandler"
            class="com.tong.beau.service.security.SecurityLoginSuccessHandler">
  <beans:property name="defaultTargetUrl" value="/" />
  <beans:property name="targetUrlParameter" value="return-url" />
</beans:bean>

<!-- Project-specific failure handler; falls back to /login/failure. -->
<beans:bean id="securityLoginFailureHandler"
            class="com.tong.beau.service.security.SecurityLoginFailureHandler">
  <beans:property name="defaultFailureUrl" value="/login/failure" />
</beans:bean>

<!-- Project-specific logout success handler, referenced by the logout element. -->
<beans:bean id="securityLogoutSuccessHandler"
            class="com.tong.beau.service.security.SecurityLogoutSuccessHandler" />
<!-- Stored passwords are checked with bcrypt. -->
<beans:bean id="encoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<!-- Two providers: remember-me tokens first, then username/password against
     "userDetailsService" with the bcrypt encoder. -->
<authentication-manager alias="authenticationManager">
  <authentication-provider ref="rememberMeAuthenticationProvider" />
  <authentication-provider user-service-ref="userDetailsService">
    <password-encoder ref="encoder" />
  </authentication-provider>
</authentication-manager>
</beans:beans>

How to implement two different spring security authentication from same login form

I have a requirement that the login page has a userId field, a password field and another text entry field called customer. If a user logs in with userId and password, the spring-security configuration I have works well.
The second login scenario is that if customers enter only their customer Id, they are supposed to be logged in as well, but to a different page. How do I make the two different logins work with the same spring-security XML configuration from the same login page?
<security:http auto-config="true" use-expressions="true">
  <!-- URL restrictions (order is important!) Most specific matches should be at top -->
  <!-- Don't set any role restrictions on login.jsp. Any requests for the login page should be available for anonymous users -->
  <!-- NOTE(review): the rule below contradicts the comment above. isAuthenticated() refuses
       anonymous visitors, so an unauthenticated user is sent to a login page that the same
       rule does not let them open. -->
  <security:intercept-url pattern="/login.jsp*" access="isAuthenticated()" />
  <security:access-denied-handler error-page="/noaccess.jsp" />
  <security:intercept-url pattern="/board.htm" access="hasRole('ROLE_ALL_USER')" />
  <security:intercept-url pattern="/AddItems.htm*" access="hasRole('ROLE_USER')" />
  <!-- NOTE(review): there is no catch-all rule, so every URL not listed above is left
       unrestricted. -->
  <!-- Set the login page and what to do if login fails -->
  <security:form-login login-page="/login.jsp"
                       authentication-failure-url="/login.jsp?login_error=1" />
  <!-- Set the logout page and where to go after logout is successful -->
  <security:logout logout-url="/logout" logout-success-url="/logoutSuccess.jsp" />
  <security:custom-filter position="PRE_AUTH_FILTER" ref="customPreAuthFilter" />
  <!-- NOTE(review): the switch-user filter lets the caller take on another user's identity.
       No intercept-url here covers its switch and exit URLs; restrict both to an
       administrative role. -->
  <security:custom-filter ref="switchUserFilter" position="SWITCH_USER_FILTER" />
</security:http>
<!-- NOTE(review): second, empty http element with no pattern. It overlaps the one above
     for every request; presumably a leftover, confirm and remove. -->
<security:http>
</security:http>
<!-- Takes the already authenticated principal from the servlet container (J2EE
     pre-authentication) and passes it to "authenticationManager". -->
<beans:bean id="customPreAuthFilter"
            class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
  <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<!-- Only the pre-authenticated provider is registered, so a username/password submitted
     through the login form has no provider in this excerpt that could verify it. -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
<!-- Load the UserDetails object for the user. -->
<!-- This provider verifies no credential; it trusts the principal name it is handed and
     looks the user up through "currentUserDetailsService". -->
<beans:bean id="preauthAuthProvider"
            class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
  <beans:property name="preAuthenticatedUserDetailsService">
    <beans:bean id="userDetailsServiceWrapper"
                class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
      <beans:property name="userDetailsService" ref="currentUserDetailsService" />
    </beans:bean>
  </beans:property>
</beans:bean>
<!-- Aliasing (Switch User) -->
<!-- NOTE(review): the filter itself does not decide who may switch. That has to come from
     URL access rules on its switch and exit URLs, and each switch should be audit-logged. -->
<beans:bean id="switchUserFilter"
            class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
  <beans:property name="userDetailsService" ref="currentUserDetailsService" />
</beans:bean>
Thanks
Dhiren
@Ritesh Thanks for the link. I tried your solution, but my filter does not get invoked.
does web.xml need to be modified.
Any way I tried to implement the entire springSecurityFilterChain but still I have not able to invoke my Filter from my login form. My filter that I need invoked is customBadgeAuthFilter
<!-- Hand-built filter chain. A request uses the filter list of the first pattern it
     matches. NOTE(review): the "/**" list contains no anonymous-authentication filter, so
     an unauthenticated request reaches the security interceptor with no Authentication. -->
<beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<beans:constructor-arg>
<beans:list>
<!-- No security filter runs for static resources. -->
<security:filter-chain pattern="/resources/**" filters="none"/>
<!-- The names are bean ids and run in the order listed; "customBadgeAuthFilter" sits
     before "formLoginFilter". -->
<security:filter-chain pattern="/**"
filters="securityContextPersistenceFilterWithASCTrue,
logoutFilter,
customBadgeAuthFilter,
formLoginFilter,
formLoginExceptionTranslationFilter,
filterSecurityInterceptor" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<!-- Keeps the SecurityContext in the HTTP session between requests. -->
<beans:bean id="securityContextPersistenceFilterWithASCTrue"
            class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
  </beans:constructor-arg>
</beans:bean>
<!-- Translates security exceptions from later filters: unauthenticated requests are sent to
     /login, denied requests to the /exception page. -->
<beans:bean id="formLoginExceptionTranslationFilter"
            class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
      <beans:constructor-arg value="/login" />
    </beans:bean>
  </beans:constructor-arg>
  <beans:property name="accessDeniedHandler">
    <beans:bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
      <beans:property name="errorPage" value="/exception" />
    </beans:bean>
  </beans:property>
</beans:bean>
<!-- Username/password login filter. Success always goes to "/" (alwaysUseDefaultTargetUrl),
     so no request-supplied target is followed; failure goes to /login?error=true. -->
<beans:bean id="formLoginFilter"
            class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <beans:property name="authenticationManager" ref="authenticationManager" />
  <beans:property name="allowSessionCreation" value="true" />
  <beans:property name="authenticationSuccessHandler">
    <beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
      <beans:constructor-arg value="/" />
      <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
    </beans:bean>
  </beans:property>
  <beans:property name="authenticationFailureHandler">
    <beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
      <beans:constructor-arg value="/login?error=true" />
    </beans:bean>
  </beans:property>
</beans:bean>
<!-- URL authorization: every path requires an authenticated user.
     NOTE(review): "/**" also covers /login, the entry point target, so the login page
     itself demands authentication; confirm it is exempted somewhere, otherwise
     unauthenticated users are redirected in a loop. -->
<beans:bean id="filterSecurityInterceptor"
            class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="authenticationManager" ref="authenticationManager" />
  <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
  <beans:property name="runAsManager" ref="runAsManager" />
  <beans:property name="securityMetadataSource">
    <security:filter-security-metadata-source use-expressions="true">
      <security:intercept-url pattern="/**" access="isAuthenticated()" />
    </security:filter-security-metadata-source>
  </beans:property>
</beans:bean>
<!-- Grants access as soon as one voter approves; if every voter abstains, access is denied
     (allowIfAllAbstainDecisions is false). -->
<beans:bean id="accessDecisionManager"
            class="org.springframework.security.access.vote.AffirmativeBased">
  <beans:constructor-arg>
    <beans:list>
      <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
      <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
    </beans:list>
  </beans:constructor-arg>
  <beans:property name="allowIfAllAbstainDecisions" value="false" />
</beans:bean>

<!-- Run-as manager with a literal key. -->
<beans:bean id="runAsManager"
            class="org.springframework.security.access.intercept.RunAsManagerImpl">
  <beans:property name="key" value="TELCO_RUN_AS" />
</beans:bean>
<!-- Logout: clears the JSESSIONID cookie, then the security context handler runs, and the
     user is sent to /login. -->
<beans:bean id="logoutFilter"
            class="org.springframework.security.web.authentication.logout.LogoutFilter">
  <beans:constructor-arg value="/login" />
  <beans:constructor-arg>
    <beans:list>
      <beans:bean class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
        <beans:constructor-arg>
          <beans:list>
            <beans:value>JSESSIONID</beans:value>
          </beans:list>
        </beans:constructor-arg>
      </beans:bean>
      <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </beans:list>
  </beans:constructor-arg>
</beans:bean>
<!-- Project-specific badge login filter, constructed with "/login.jsp".
     NOTE(review): it uses the "authManager" alias, while "formLoginFilter" and
     "filterSecurityInterceptor" reference "authenticationManager", which is not defined in
     this excerpt; confirm both names resolve to the intended manager. -->
<beans:bean id="customBadgeAuthFilter"
            class="com.company.security.filter.BadgeProcessingSecurityFilter">
  <beans:constructor-arg value="/login.jsp" />
  <beans:property name="authenticationManager" ref="authManager" />
</beans:bean>
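<!-- Providers are consulted in the order listed. Each ref has to equal a bean id exactly:
     whitespace inside the quotes becomes part of the name, and a ref with a trailing space
     points at a bean that does not exist. "normalAuthenticationProvider" is not defined in
     this excerpt. -->
<security:authentication-manager alias="authManager">
  <security:authentication-provider ref="normalAuthenticationProvider" />
  <security:authentication-provider ref="badgeAuthenticationProvider" />
  <security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>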
<!-- Entry point for /login.jsp. Nothing in this excerpt references it; the exception
     translation filter builds its own entry point for /login. -->
<beans:bean id="loginUrlAuthenticationEntryPoint"
            class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
  <beans:property name="loginFormUrl" value="/login.jsp" />
</beans:bean>

<!-- Project-specific provider for badge logins. -->
<beans:bean id="badgeAuthenticationProvider"
            class="com.company.security.filter.BadgeAuthenticationProvider" />
I think I finally figured how to get my securityFilter to get invoked.
I was debugging to follow the Spring Security flow and saw that there is a method called requestAuthorization (presumably requiresAuthentication) in the subclass of AbstractAuthenticationProcessingFilter. It compares the request URI with the URL configured for the filter to be invoked, and if they don't match the filter is bypassed. For some reason, even though the POST request is /j_security_check, it has been transformed into FSS/home.htm by the time it is compared, and so the filter was being bypassed.

spring security and Ldap authentication with jsf

I'm creating an application with Spring Security 3 using the LDAP protocol, and JSF 2. The problem is that authentication always fails!
this is my configuration :
<!-- Only the two /pages/ subtrees are restricted; every other URL is left open by this
     configuration. -->
<http use-expressions="true">
  <intercept-url pattern="/pages/DRH/**" access="hasRole('ROLE_ADM')" />
  <intercept-url pattern="/pages/Employe/**" access="hasRole('ROLE_EMP')" />
  <!-- Custom login page -->
  <form-login login-page="/login.jsf"
              authentication-success-handler-ref="loginSuccessHandler"
              authentication-failure-handler-ref="loginFailureHandler" />
  <!-- Custom logout page -->
  <logout />
</http>

<!-- Project-specific login result handlers. -->
<beans:bean id="loginSuccessHandler" class="exp.customloginpage.AuthSuccessHandler" />
<beans:bean id="loginFailureHandler" class="exp.customloginpage.AuthFailureHandler" />
<!-- Use authentication provider. -->
<!-- NOTE(review): the URL is plain ldap:// on port 389, so the bind authentication below
     sends each user's password to the directory unencrypted; prefer ldaps:// or StartTLS
     where the directory offers it. No manager DN is set, so the user search presumably
     runs as an anonymous bind, which the directory has to allow. -->
<beans:bean id="contextSource"
            class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg index="0" value="ldap://192.168.6.42:389/cn=Users,dc=exp,dc=com" />
</beans:bean>

<!-- Finds the user entry by uid under the base DN of the context source.
     NOTE(review): cn=Users is the default user container of Active Directory, where the
     login attribute is usually sAMAccountName rather than uid; confirm which attribute this
     directory uses. -->
<beans:bean id="ldapUserSearch"
            class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="" />
  <beans:constructor-arg index="1" value="(uid={0})" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <!-- Search in the sub-branches as well -->
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
<!-- Project-specific authorities populator. This named bean is not referenced below; the
     provider creates its own inner instance of the same class. -->
<beans:bean id="userDetailsAuthoritiesPopulator"
            class="exp.customloginpage.UserDetailsAuthoritiesPopulator" />

<!-- LDAP provider: argument 0 authenticates by binding as the user found by
     "ldapUserSearch", argument 1 supplies the granted authorities. -->
<beans:bean id="ldapAuthProvider"
            class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg index="0">
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg index="0" ref="contextSource" />
      <beans:property name="userSearch" ref="ldapUserSearch" />
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg index="1">
    <beans:bean class="exp.customloginpage.UserDetailsAuthoritiesPopulator" />
  </beans:constructor-arg>
</beans:bean>

<authentication-manager>
  <authentication-provider ref="ldapAuthProvider" />
</authentication-manager>
this is my managedBean
/**
 * JSF action that hands the current request to Spring Security's login URL by forwarding
 * it to /j_spring_security_check, then marks the JSF response as complete.
 *
 * NOTE(review): a RequestDispatcher forward only passes through servlet filters that are
 * mapped for the FORWARD dispatcher. If springSecurityFilterChain is mapped for REQUEST
 * only in web.xml (not shown), this forward never reaches the login filter.
 *
 * @return always null, so JSF performs no navigation of its own
 */
public String doLogin() throws ServletException, IOException {
    ExternalContext external = FacesContext.getCurrentInstance().getExternalContext();
    ServletRequest request = (ServletRequest) external.getRequest();
    RequestDispatcher loginDispatcher = request.getRequestDispatcher("/j_spring_security_check");
    ServletRequest forwardedRequest = (ServletRequest) external.getRequest();
    ServletResponse forwardedResponse = (ServletResponse) external.getResponse();
    loginDispatcher.forward(forwardedRequest, forwardedResponse);
    FacesContext.getCurrentInstance().responseComplete();
    return null;
}
Any Idea ?

Equivalent definition of <authentication-manager> in pre-namespace Spring 2.x

I have a Spring 3 application I use:
<!-- Namespace form: registers "myAuthenticationProvider" as the only provider. -->
<authentication-manager>
  <authentication-provider ref="myAuthenticationProvider" />
</authentication-manager>
What would be the equivalent in Spring 2, without the namespace?
I ask because my application logs in through LDAP with Spring 3 and I want to implement the same method in Spring 2.
CODE spring-secutiy-ldap.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- NOTE(review): under the default decision manager the entries of an access list are
     alternatives, so "IS_AUTHENTICATED_ANONYMOUSLY, ROLE_USER" on /app/** is already
     satisfied by an anonymous visitor and ROLE_USER adds no restriction. If /app/** is
     meant to need a login, list ROLE_USER alone. "/app/Out*" also covers "/app/Out". -->
<http auto-config="true">
  <intercept-url pattern="/app/Out*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/app/Login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/app/Out" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/app/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_USER" />
</http>

<authentication-manager>
  <authentication-provider ref="ldapAuthProvider" />
</authentication-manager>
<!-- Server -->
<!-- NOTE(review): the scheme is plain ldap://, so bind authentication sends user passwords
     to the directory unencrypted; prefer ldaps:// or StartTLS where the directory offers
     it. -->
<ldap-server id="ldapServer"
             url="ldap://${ldap.server.ip}:${ldap.server.port}/${ldap.server.root}" />

<!-- Authenticator -->
<!-- Authenticates by binding to the directory as the entry found by "userSearch". -->
<beans:bean id="ldapBindAuthenticator"
            class="org.springframework.security.ldap.authentication.BindAuthenticator">
  <beans:constructor-arg ref="ldapServer" />
  <beans:property name="userSearch" ref="userSearch" />
</beans:bean>

<!-- Looks the user up by uid under ou=people. -->
<beans:bean id="userSearch"
            class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="ou=people" />
  <beans:constructor-arg index="1" value="(uid={0})" />
  <beans:constructor-arg index="2" ref="ldapServer" />
</beans:bean>
<!-- Derives granted authorities from organizationalRole entries found below the configured
     RDN, searching the whole subtree. The role attribute and prefix come from external
     properties. -->
<beans:bean id="ldapAuthoritiesPopulator"
            class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="ldapServer" />
  <beans:constructor-arg value="${ldap.springrole.rdn}" />
  <beans:property name="groupRoleAttribute" value="${ldap.springrole.attribute}" />
  <beans:property name="rolePrefix" value="${ldap.springrole.prefix}" />
  <beans:property name="groupSearchFilter" value="(objectClass=organizationalRole)" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
<!-- LDAP provider: bind authenticator, authorities populator and a project-specific mapper
     that builds the user object. -->
<beans:bean id="ldapAuthProvider"
            class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg ref="ldapBindAuthenticator" />
  <beans:constructor-arg ref="ldapAuthoritiesPopulator" />
  <beans:property name="userDetailsContextMapper" ref="ldapUserDetailsContextMapper" />
</beans:bean>

<!-- LdapTemplate on the same server definition, used by the mapper below. -->
<beans:bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <beans:constructor-arg ref="ldapServer" />
</beans:bean>

<beans:bean id="ldapUserDetailsContextMapper" class="com.test.ladp.security.UserLdapMapper">
  <beans:property name="template" ref="ldapTemplate" />
</beans:bean>
Exception :
Caused by: org.springframework.security.config.SecurityConfigurationException: No UserDetailsService registered.
at org.springframework.security.config.UserDetailsServiceInjectionBeanPostProcessor.getUserDetailsService(UserDetailsServiceInjectionBeanPostProcessor.java:110)
at org.springframework.security.config.UserDetailsServiceInjectionBeanPostProcessor.injectUserDetailsServiceIntoRememberMeServices(UserDetailsServiceInjectionBeanPostProcessor.java:55)
at org.springframework.security.config.UserDetailsServiceInjectionBeanPostProcessor.postProcessBeforeInitialization(UserDetailsServiceInjectionBeanPostProcessor.java:36)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:350)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1330)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473)
... 69 more
The equivalent definition without namespace support for authentication manager should be as follows
<!-- Explicit ProviderManager in place of the authentication-manager element, with
     "ldapAuthProvider" as its only provider.
     NOTE(review): the class name is taken from the 3.x package layout; confirm the package
     and the way providers are passed against the Spring Security 2.x jars in use. -->
<bean id="authenticationManager"
      class="org.springframework.security.authentication.ProviderManager">
  <constructor-arg>
    <list>
      <ref bean="ldapAuthProvider" />
    </list>
  </constructor-arg>
</bean>
<!-- Same provider wiring as in the question: bind authenticator, authorities populator and
     the custom context mapper. -->
<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <constructor-arg ref="ldapBindAuthenticator" />
  <constructor-arg ref="ldapAuthoritiesPopulator" />
  <property name="userDetailsContextMapper" ref="ldapUserDetailsContextMapper" />
</bean>
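<!-- LDAP-backed UserDetailsService built from the same search and authorities populator.
     The stack trace in the question is raised while a UserDetailsService is being looked
     up for the remember-me services; this bean supplies one. The class attribute has to be
     a single fully qualified name with no whitespace inside it. -->
<bean id="userDetailsService"
      class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
  <constructor-arg ref="userSearch" />
  <constructor-arg ref="ldapAuthoritiesPopulator" />
  <property name="userDetailsContextMapper" ref="ldapUserDetailsContextMapper" />
</bean>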
