I always thought that acegi security is the same as spring security 3.0... but It seems to be wrong.
Unfortunately I was unable to find any acegi security docs.
I need to have an anonymous user with special role assigned into Security Context what I found about that was this.
But there's no AnonymousAuthenticationFilter in ACEGI - only AnonymousProcessingFilter. But how should I call it's id?
I tried this code:
<bean id="anonymousAuthFilter"
class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
<bean id="anonymousAuthenticationProvider"
class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>
But I get nothing in my Security Context before I actually login. And that's bad=(
Any ideas?
acegi security is the old name of spring security. (in 2.0 or older I can't remember, it is to long ago)
I strongly recommend to use Spring Security 3.0. Attention: The Package Names and Jar Structure was Changed between Spring Security 3.0 und Spring Security 2.0.
So if you have current documentation you will need to translate it back to 2.0. This Blog Spring Security 3.0.0.M1 Released describe the changes.
Related
I was creating a spring oath2 application. It works. I have a doubt.
Based on this URL http://projects.spring.io/spring-security-oauth/docs/oauth2.html there are only 2 real options:
JdbcTokenStore, JwtTokenStore.
Is it possible to use JDBCTokenStore but not refer to it in the resourceServers?
I mean can we not have it referred directly only in the AuthorizationServer and the resource servers could use an endpoint from AuthorizationServer instead of configuring another direct JDBCTokenStore reference.
Motive: Want to avoid sharing a database between AuthorizationServer and multiple ResourceServers. Is there any other way to achieve this motive.
R
In your Resource Servers you can use RemoteTokenServices. This class queries the /check_token endpoint present in Authorization Server to verify tokens.
You can have a database only for authentication server and another databases for your resource servers.
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
<property name="checkTokenEndpointUrl" value="${auth.service.url:https://localhost:8443/auth-service}/oauth/check_token"/>
<property name="clientId" value="${auth.client.name:TEST_API}"/>
<property name="clientSecret" value="${auth.client.secret:password}"/>
<property name="accessTokenConverter" ref="accessTokenConverter"/>
<property name="restTemplate" ref="oauth2RestTemplate"/>
</bean>
I implemented the Spring SAML sample application using ssocircle and it worked fine. Now I have been trying to implement it for the client's ADFS. Following is the configuration I think that is required, please correct me if I am wrong:
Change the first parameter below, to the federationMetadata.xml url provided by client
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<constructor-arg>
<value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
</constructor-arg>
<constructor-arg>
<value type="int">5000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
Replace the entity id of SP metadata below:
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="replaceWithUniqueIdentifier"/>
<property name="extendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="signMetadata" value="false"/>
<property name="idpDiscoveryEnabled" value="true"/>
</bean>
</property>
</bean>
I haven't been able to figure out the following:
All I have received is a url to adfs/../federationMetadata.xml, who is supposed to create the SP metadata?
Am I supposed to create SP metadata and provide to the client, to add it in adfs? Because, that's what I did using sample application. I added the generated metadata to ssocircle
Is my understanding, that point 1 would be adfs url, and point 2 will be SP entity id, correct?
I would be grateful if you could clarify the above to me, also if possible, point me to straightforward tutorial that helps in integrating SAML with Spring security enabled application as I haven't been able to find the same.
Many thanks
To make SAML between SP and IdP (ADFS) work, you have to mutually exchange metadata.
The ADFS metadata are available on the URL https://adfs-host/FederationMetadata/2007-06/FederationMetadata.xml and you can register them in your SP either with HTTPMetadataProvider, or download them and read them from classpath, or file system with ResourceBackedMetadataProvider.
For SP metadata, you have to configure MetadataGenerator (as you have it in your question) and then expose it via FilterChainProxy. Here is a Java configuration (it's equivalent for XML):
#Bean
public FilterChainProxy samlFilter() throws Exception {
List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
chains.add(new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter()));
return new FilterChainProxy(chains);
}
Than, you can access SP metadata on the URL https://sp-host/saml/metadata and register them on ADFS as a Relying Party Trust. Again, you can do this either via URL, or import data from the (downloaded) file.
Basically, you should be fine if you follow Spring Security SAML Reference Documentation which uses XML configuration. In case, you'll need to switch to Java configuration, you can find handy either referenced vdenotaris/spring-boot-security-saml-sample, or my working prototype sw-samuraj/blog-spring-security.
I have looked at spring-cloud-config client without Spring Boot and many others and have not found a convincing answer. So here it goes again:
Question:
Is it possible, in a Spring app, to use Spring Cloud Config server/client without the automagic configuration of Spring Boot? Is using Spring Boot a requirement for using these frameworks?
If it is:
Is there any documentation that clearly describes what needs to be done in order to enable Spring Cloud Config server/client without Spring Boot?
Is there any sample project that clearly describes what needs to be done in order to enable Spring Cloud Config server/client without Spring Boot??
I'm not aware of documentation or a sample project. However we are doing it in our projects.
You just need to include the configuration server URI as a property source, assuming you are using PropertySourcesPlaceholderConfigurer:
<bean class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer" id="propertyPlaceholder">
<property name="locations">
<list>
<value>http://your-config-server.com:8888/application-${spring.profiles.active}.properties</value>
</list>
</property>
<property name="ignoreUnresolvablePlaceholders" value="false"/>
</bean>
You have to make sure to pass -Dspring.profiles.active=current_profile to the java command line, like you probably would have done with boot.
We have developed a data persistence framework using Mybatis. The framework uses plain MyBatis APIs. (We were prohibited from using any mybatis-spring, do not ask… why?)
Now we have to integrate this persistence framework with another framework developed by other teams. This other framework heavily uses spring transactions for everything. Our persistent framework DAOs will be used by this framework within its own API ….that means the spring managed transactions will be propagated to MyBatis DAO. It is expected that our MyBatis based persistence framework should participate in spring managed transactions without any issues.
There are two options for us to make this work
(1)Change our persistent framework to use mybatis-spring module. Change DAOs to use mappers directly injected using spring and spring’s SqlSessionFactoryBean. I did build a small example simulating both the frameworks and everything works without any issue. The problem is with this approach that it requires changing almost all the DAOs to use spring injected mapper, extensively test the framework again. We simply do not have time available due to delivery timeline.
(2)Use mybatis-spring, define SqlSeeionFactory using spring – set the datasource and transaction manager used by other framework. Something like
<bean id="smpDataSource" class="oracle.jdbc.pool.OracleDataSource" destroy-method="close">
<property name="connectionCachingEnabled" value="true" />
<property name="URL"> <value>${db.thin.url}</value></property>
<property name="user"> <value>${db.user}</value></property>
<property name="password"><value>${db.password}</value>
</property>
</bean>
<bean id="dbTransactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="smpDataSource" />
</bean>
<bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="smpDataSource" />
<property name="typeAliasesPackage" value="spike.smp51.domain" />
<property name="mapperLocations" value="classpath*:spike/smp51/mappers/*.xml" </bean>
Then in applicataion code MyBatis DAO gets the sqlseesionfactory from spring like
public static SqlSessionFactory getSqlSessionFactory() throws Exception
{
DefaultSqlSessionFactory sessionFactory = (DefaultSqlSessionFactory)ctx.getBean("sqlSessionFactory");
return sessionFactory;
}
All DAOs already use SqlSeesionFactory to open and close sessions. Just replace that mybatis created sqlseeionfactory with spring created sqlseeionfactory. That way we will have only few lines of changes.
This approach is outlined here
http://mybatis.github.io/spring/using-api.html
The mybatis documentation warns about this approach – specifically that it will not participate in spring transactions.
When I tried the 2nd approach, our framework was able to participate in spring transactions. This is strange. Is the MyBatis documentation incorrect then? I did verify it extensively by creating various transaction boundaries using spring transactions + AOP . MyBatis DAOs are able to participate in spring managed transactions every time. Since this second approach will save us 90% of the development time – we really like to use it – but worried since MyBatis warns following this approach. Has anyone tried this approach? Any feedback is greatly appreciated.
Did you have any return on that ?
I'm wondering if in the doc they're talking about org.apache.ibatis.session.SqlSessionFactory from Mybatis-api while the SqlSessionFactory you're using is from the mybatis-spring lib : org.mybatis.spring.SqlSessionFactoryBean
I am newbie in spring. using spring 3.0 mvc. I am creating a spring application, I have a login form,Any one please suggest how to integrate hibernate and its set up...
You can define Hibernate's Session Factory bean in Spring's application context of your application. Look at this example:
<bean id="sessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean">
<property name="dataSource"><ref local="dataSource"/></property>
<property name="mappingResources">
<list>
<value>dao/hibernate/Login.hbm.xml</value>
</list>
</property>
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
<prop key="hibernate.show_sql">true</prop>
</props>
</property>
</bean>
where:
dataSource - reference to some implementation of javax.sql.DataSource
mappingResources - list of Hibernate ORM mapping files (shoul be on the classpath)
hibernateProperties - some basic set of Hibernate properties, you should tell Hiberante at least what type of DB you are using
Then you can wire this bean into DAO classes of your application and perform CRUD operations using wired sessionFactory object.
Suggestion for the future: you should be more specific in your questions!
You can use Springfuse. It's a tool which build a maven projet with Spring, Spring-mvc and Hibernate. It can provides you some demos (very usefull for newbies).
Not really a tutorial but, for an overview of the Spring 3.0 web stack, I'd recommend... Overview of the Spring 3.0 Web Stack.
In this presentation from SpringOne 2009, Keith Donald discusses the Spring 3.0 web stack, key Spring Framework and Spring MVC features, demos of Spring MVC capabilities, REST support, validation support, automatic data conversion, data binding and validation, Joda Time support, Spring JavaScript, Dojo, Spring Web Flow, Spring Security, Spring BlazeDS, and the roadmap for the Spring web stack.
For the persistence, maybe have a look at JPA 2.0 and Spring 3.0 with Maven. But the documentation is still the best resource IMO. See the 13. "Object Relational Mapping (ORM) Data Access"
Regarding the IDE, Spring Tool Suite will indeed give you the best user experience
For example, refer below links:
http://www.mkyong.com/struts/struts-spring-hibernate-integration-example/
http://www.vaannila.com/spring/spring-hibernate-integration-1.html