I am try for role based access in spring but got the following error:-
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'http'.
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:195)
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:131)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:384)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:318)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:410)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3165)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:1898)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:685)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:400)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2740)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:647)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:140)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:508)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:807)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:107)
And here is my spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/welcome*" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="a" password="1" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Seems, the required library files for Spring Security aren't at right place. Are you using Maven and have maven dependency of Spring Security library files in your pom.xml file?
If it is then do a maven clean-up and have a try again. Otherwise you can place Spring security library files in the class-path directly.
Please check if application has the necessary spring security library files in the classpath (if you are using Maven, check pom.xml file). Also, check for other Spring related xml files for syntax errors (or please post them also).
Related
My spring security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<http auto-config="true">
<intercept-url pattern="/admin**" access="ROLE_USER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="suvajit" password="123456" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
i am using
org.springframework.security.config-3.0.3.RELEASE.jar
org.springframework.security.core-3.0.3.RELEASE.jar
org.springframework.security.web-3.0.2.RELEASE.jar
for spring security..
It is giving me compilation error
cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'authentication-manager
and multiple annotations found at this line:
schema_reference.4: Failed to read schema document 'http://www.springframework.org/schema/security/
spring-security-3.2.xsd', because
could not find the document;
the document could not be read;
the root element of the document is not .
cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'http'.
for authentication-manager and http tags respectively
please clarify me where i am wrong
Your jars are
org.springframework.security.config-3.0.3.RELEASE.jar
org.springframework.security.core-3.0.3.RELEASE.jar
org.springframework.security.web-3.0.2.RELEASE.jar
But your xml document references version 3.2 - make them compatible, by upgrading your jars to 3.2.3 RELEASE version.
I have found some solutions but they didn't worked for me. I added libraries to project but I am getting this error. I could reach security libraries from my controller classes. Any idea?
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]
This my spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="test" password="123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Use http://www.springframework.org/schema/security/spring-security-3.0.xsd as your namespace instead.
to avoid
"org.xml.sax.SAXParseException: schema_reference.4: Failed to read
schema document 'springframework.org/schema/security/…;, because 1)
could not find the document; 2) the document could not be read; 3) the
root element of the document is not <xsd:schema>."
change springframework.org/schema/security/spring-security-3.1.4.xsd to springframework.org/schema/security/spring-security-3.1.xsd
I have a web application in the following environment.
Spring 3.2.2 (recently upgraded from Spring 3.2.0).
Spring Security 3.2.0 M1.
Hibernate 4.2.0 CR1.
Apache Tomcat 7.0.35.0.
Oracle 10g.
NetBeans 7.2.1 with jdk-7u11.
The application runs on this base URL : http://localhost:8080/wagafashion/. It has no problem, everything goes fine.
Since I'm using Spring security, the action of the login page is mapped with j_spring_security_check.
After successful login, if I enter this URL : http://localhost:8080/wagafashion/j_spring_security_check in the address bar (either accidentally or deliberately), then the page is redirected to the home page, the first page which is given to an authenticated user, with the following message in Google Chrome,
This webpage has a redirect loop
As can be seen in the following snap shot.
No page can be accessed once this happens. I'm currently using the following browsers.
Google Chrome 26.0.1410.64 m
FireFox 20.0.1
Internet Explorer 8
This requires cookies to be cleared to resume the application. Can this be a problem somewhere in my application. How to fix this?
My spring-security.xml file is as follows.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/Login.htm*" security="none"></http>
<http auto-config='true' use-expressions="true" disable-url-rewriting="true">
<!--<remember-me key="myAppKey"/>-->
<session-management session-fixation-protection="newSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
<intercept-url pattern="/admin_side/**" access="hasRole('ROLE_ADMIN')" requires-channel="any"/>
<form-login login-page="/" default-target-url="/admin_side/Home.htm" authentication-failure-url="/LoginFailed.htm" authentication-success-handler-ref="loginSuccessHandler"/>
<logout logout-success-url="/Login.htm" invalidate-session="true" delete-cookies="JSESSIONID"/>
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select email_id, password, enabled from user_table where lower(email_id)=lower(?)"
authorities-by-username-query="select ut.email_id, ur.authority from user_table ut, user_roles ur where ut.user_id=ur.user_id and lower(ut.email_id)=lower(?)"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="loginSuccessHandler" class="loginsuccesshandler.LoginSuccessHandler"/>
<global-method-security secured-annotations="enabled" proxy-target-class="false">
<protect-pointcut expression="execution(* dao.*.*(..))" access="ROLE_ADMIN"/>
</global-method-security>
</beans:beans>
I tried your setup it gave the same result as you. To solve the problem I did this,
In security.xml change:
<form-login login-page="/"...
<form-login login-page="/Login.htm"...
I have searched here, google and springsource for this and could not find a solution that worked for me. I have the below spring-security.xml and when I use the pattern
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
This gives me a 404 error when it redirects to the login page. But this does not happen if I use
<intercept-url pattern="/index*" access="hasRole('ROLE_USER')" />
But obviously this does not secure the rest of the app.
I'm sure this is something simple I am overlooking but the closest thing I could find was this stack overflow question, Which I have already incorperated in my xml file below but still have the same issue. I have tried this without use-expressions="true" and I have tried switching the intercept-url's around (I'm not 100% but I am fairly sure that the /** pattern should be the last one as I believe urls are matched in the same order as declared)
Any advice/help would be great
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" filters="none" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="username" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Update
Just in case it is a factor I'm using Spring and Spring security 3.0.4.RELEASE
Answer
Following Kris's advice I changed
<intercept-url pattern="/login" filters="none" access="permitAll" />
to:
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
This caused a 500 Error due to the exception
SpelEvaluationException: EL1008E:(pos 0): Field or property
'IS_AUTHENTICATED_ANONYMOUSLY' cannot be found on object of
type'org.springframework.security.web.access.expression.WebSecurityExpressionRoot
I solved this by changing the IS_AUTHENTICATED_ANONYMOUSLY to isAnonymous()
<intercept-url pattern="/login" access="isAnonymous()" />
For completeness, here's the real reason this requires a change to isAnonymous().
The <http> element has an attribute use-expressions which defaults to true. In the default situation, you are required then to use "security expressions" instead of role names. If you wish to use only role names in access= declarations, you need to turn off expressions with
<http use-expressions="false"> ... </http>
Adds an AnonymousAuthenticationFilter to the stack and an AnonymousAuthenticationProvider. Required if you are using the IS_AUTHENTICATED_ANONYMOUSLY attribute.
spring secuirty
or use isAnonymous() instead.
Change this <intercept-url pattern="/login" filters="none" access="permitAll" />
to
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
The config looks fine to me. Could it be that the /login page is actually not there? The second config (with /index*) might have only worked, because then the request you made wasn't intercepted, and consequently didn't get redericted to the non-existent /login page. If it was a problem with the config, Spring Security would respond with 403 not 404.
Double-check without any Spring Security configured if the /login url works.
I'm new in Spring and I'm trying to create a application using Spring Blazeds Integration (Flex + Blazeds + Spring + Java) and when I run the application I got this error:
02:51:21,852 INFO [XmlBeanDefinitionReader] Loading XML bean definitions from ServletContext resource [/WEB-INF/spring/security-config.xml]
02:51:23,937 ERROR [ContextLoader] Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: alias is required.
Offending resource: ServletContext resource [/WEB-INF/spring/security-config.xml]
The security-config.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:http>
<security:anonymous enabled="false" />
<security:form-login default-target-url="/myContext/Index.html"
login-page="/myContext/Login.html" />
<security:remember-me key="myAppKey" services-ref="rememberMeServices" />
</security:http>
<beans:bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<beans:property name="key" value="myAppKey" />
<beans:property name="alwaysRemember" value="true" />
</beans:bean>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="john" password="john" authorities="ROLE_USER" />
<security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
<security:user name="guest" password="guest" authorities="ROLE_GUEST" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
I'm using spring-flex 1.5.0, spring-security 2.0.6 and Spring 3.0.
Any ideas what is the problem?
Thanks in advance,
Andre
I'm not very sure, but try to put an alias in security:authentication-manager:
<security:authentication-manager alias="authenticationManager">
Why don't you use Spring security 3?
As listed in the reference manual, Spring Flex 1.5.0 will not work with Spring Security 2. You must use Spring Security 3.
Other than this, jbbarquero is correct, assuming this is actually your problem.