I am new to Spring so please forgive me if my question is foolish...
I am trying to follow some examples for configuring security on a spring web application. I have configured it to work with ldap directory. Now I need to add caching to the process so that the credentials are not fetched from the ldap directory every time they are requested.
For this I have added cache-ref="userCache" as shown in the tutorial:
<authentication-manager>
<authentication-provider>
...
<ldap-user-service server-ref="ldapServer"
user-search-filter="uid={0}" user-search-base="ou=people"
group-search-filter="member={0}" group-search-base="ou=groups"
cache-ref="userCache" />
</authentication-provider>
</authentication-manager>
The bean userCache is defined like this :
<beans:bean id="userCache"
class="org.springframework.security.providers.
dao.cache.EhCacheBasedUserCache">
<beans:property name="cache" ref="userEhCache" />
</beans:bean>
<beans:bean id="userEhCache"
class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager" ref="cacheManager" />
<beans:property name="cacheName" value="userCache" />
</beans:bean>
The cache manager is defined as follows:
<bean id="cacheManager"
class="org.springframework.security.core.userdetails.cache.EhCacheManagerFactoryBean" />
The problem with this configuration is that I couldn't get the jars because they are based on an old version of spring 2. The cache manager I got it using
<bean id="cacheManager"
class="net.sf.ehcache.CacheManager" />
but the org.springframework.cache.ehcache.EhCacheFactoryBean and org.springframework.security.providers.dao.cache.EhCacheBasedUserCache I don't know where to get them beside from spring 2 which if I add to my project it brakes everything.
I would appreciate any help in this matter. If you have some other solution please make some suggestions. Thanks!
In Spring 3.0.x org.springframework.cache.ehcache.EhCacheFactoryBean is located in spring-context-support-3.0.x.RELEASE.jar.
There is no class org.springframework.security.providers.dao.cache.EhCacheBasedUserCache but there is class org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache located in spring-security-core-3.0.x.RELEASE.jar.
Related
I am working on a system that uses Spring 4.3.25.RELEASE and xml based configuration. I need to integrate with another system using OAuth2, and therefore trying to configure the system as an OAuth2 Client, but it's proving difficult to find examples and documentation.
I can redirect to the IdP ok, but on return I am seeing this error:
Possible CSRF detected - state parameter was required but no state
could be found
This is the configuration I have in place, which is obviously incomplete. Can you please help me identify what is missing?
Thanks.
<custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
<custom-filter ref="oauth2AuthenticationFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
...
<oauth:client id="oauth2ClientFilter" />
<beans:bean id="oauth2AuthenticationFilter" class="org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter">
<beans:constructor-arg name="defaultFilterProcessesUrl" value="/oauth2/callback"/>
<beans:property name="restTemplate" ref="restTemplate"/>
</beans:bean>
<oauth:rest-template id="restTemplate" resource="oauth2Token"/>
<oauth:resource id="oauth2Token"
type="authorization_code"
client-id="my-client-id"
client-secret="my-client-secret"
access-token-uri="https://http://myurl/token"
user-authorization-uri="http://myurl/authorize"/>
Lately I found an example of Spring Boot CRUD. In the read me there is written :
This project is based on the Spring Boot project and uses these
packages :
Maven
Spring Core
Spring Data (Hibernate & MySQL)
Spring MVC (Tomcat)
Thymleaf
In the source code I do not see anything that would look like this app is somehow connected to the hibernate. Could you help me to solve this little problem? And if it is not connected to the Hibernate how can I connect CRUD like that to the Hibernate?
Thanks for your help :)
In example you've provided you're using spring-boot-starter-data-jpa which already contains predefined hibernate dependencies (see pom.xml).
How to work with SQL databases described in documentation section.
Basically you configure hibernate using application.properties using following prefix:
spring.jpa.properties.hibernate.*
for Spring boot with hibernate you can follow bellow link :-
https://github.com/netgloo/spring-boot-samples
you have to configure hibernate property and datasource property for database connection... but for example i can share some code for Spring hibernate and JPA but Spring boot with hibernate you can follow link:-
<bean id="hibernateJpaDialect" class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
<bean id="entityManagerFactory"
class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="packagesToScan" value="com.amstech.mayal.entity" />
<property name="jpaDialect" ref="hibernateJpaDialect" />
<property name="jpaVendorAdapter" ref="hibernateJpaVendorAdapter" />
<property name="jpaPropertyMap">
<map>
<entry key="hibernate.connection.driver_class" value="${database.jdbc.driver.class}" />
<entry key="hibernate.connection.url" value="${database.jdbc.url}" />
<entry key="hibernate.connection.username" value="${database.user}" />
<entry key="hibernate.connection.password" value="${database.password}" />
<entry key="hibernate.dialect" value="${hibernate.dialect}" />
<entry key="show_sql" value="true" />
<entry key="eclipselink.jdbc.exclusive-connection.is-lazy"
value="true" />
</map>
</property>
</bean>
I would suggest looking at the Spring Boot Data section of the main documentation. There is a lot less configuration that is needed and you can do it fluently and leave the xml behind. JPA + Hibernate is Spring data have become highly interlinked in boot.
There are multiple ways in which spring boot interact with hibernate. In the example you shared it is picking up the db properties from application.properties file and setting up the configuration. Rest of the things it will pick from the dependency provide in pom.xml.
Yes, it is connected with the hibernate. Things you need to do apart from setting up the project is to setting up a database with some username and password. And creating a db schema.Rest of the things will be done by spring boot. Make sure your db username password matches with the application file properties.
I'm trying to secure my Spring 3.1 web app with Spring Security 3.1, and I need to use Active Directory for user authentication.
However, I cant seem to find the complete configuration steps. I tried different bits of suggestions but they didn't work for me.
What are the complete steps of configuration to enable a Spring 3.1 web app to use Spring Security 3.1 with Active Directory?
<beans:bean id="adAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<beans:constructor-arg value="[your domain]" />
<beans:constructor-arg value="ldap://[your AD server]:389" />
<beans:property name="userDetailsContextMapper">
<beans:bean class="[your user-details context mapper]" />
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="adAuthProvider" />
</authentication-manager>
If you need to provide custom logic for mapping user and authorities from the AD entry, you can implement your own UserDetailsContextMapper implementation and specify it in the userDetailsContextMapper property on the adAuthProvider bean.
Hi there I have developed a dynamic web application that uses Ajax to fetch data from databases and keep the GUI up to date but while testing it with IE8 I am experiencing caching issues.
I used the following code in my webmvc-config.xml file to stop the browser from caching:
<mvc:annotation-driven />
<mvc:interceptors>
<bean id="webContentInterceptor"
class="org.springframework.web.servlet.mvc.WebContentInterceptor">
<property name="cacheSeconds" value="0"/>
<property name="useExpiresHeader" value="true"/>
<property name="useCacheControlHeader" value="true"/>
<property name="useCacheControlNoStore" value="true"/>
</bean>
</mvc:interceptors>
and it works exactly as it should, but the problem is that now the browser obviously doesn't cache anything. what I want to know is how to modify that xml code so that it applies to the Ajax parts of the web app (which are controlled using 5 Controller files); so that the icons..etc are still cached? The path to these controller files would be something like "/admin/**"
I know that the Spring WebContentInterceptor has properties such as "setCacheMappings" and "setPathMatcher" but there is nowhere online that I can find examples of these being using in the xml config file.
ANY help would be much appreciated, it's really doing my head in.. Thanks. Jake
In your <mvc:interceptors> you can restrict the URL path each interceptor should apply to, as follows:
<mvc:interceptors>
<mvc:interceptor>
<mapping path="/admin/*"/>
<bean id="webContentInterceptor" ..... />
</mvc:interceptor>
<mvc:interceptors>
It's all explained here.
I'm using the latest release of Spring Blzeds integration which has some features making it easier to secure invocations on destination objects. However the basic setup I use which uses the ChannelSet login approach form the flex side looses the authentication information (sessions) on each page refresh. Here's the configuration I'm using:
<http entry-point-ref="preAuthenticatedEntryPoint" >
</http>
<beans:bean id="preAuthenticatedEntryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
<beans:bean id="userAccountManager" class="com.comp.service.managers.jpa.UserAccountJpaManager" />
<beans:bean id="userService" class="com.comp.auth.JpaUserDetailsService" />
<beans:bean id="defaultPasswordEncoder" class="com.comp.auth.DefaultPasswordEncoder" />
<authentication-provider user-service-ref="userService">
<password-encoder ref="defaultPasswordEncoder"/>
</authentication-provider>
<flex:message-broker>
<flex:secured />
</flex:message-broker>
<bean id="testService" class="com.comp.service.TestService">
<flex:remoting-destination channels="comp-amf" />
<security:intercept-methods>
<security:protect method="say*" access="ROLE_USER" />
</security:intercept-methods>
</bean>
Is there another way to configure/implement this so I could get persistent sessions (remember me). Is it possible to do the logins from flex over standard HTTP POST (like forms) and still get the same level of granularity for protecting remote object calls?
Try adding this to your config:
<http entry-point-ref="preAuthenticatedEntryPoint" create-session="always">