I'm new in Spring and I'm trying to create a application using Spring Blazeds Integration (Flex + Blazeds + Spring + Java) and when I run the application I got this error:
02:51:21,852 INFO [XmlBeanDefinitionReader] Loading XML bean definitions from ServletContext resource [/WEB-INF/spring/security-config.xml]
02:51:23,937 ERROR [ContextLoader] Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: alias is required.
Offending resource: ServletContext resource [/WEB-INF/spring/security-config.xml]
The security-config.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:http>
<security:anonymous enabled="false" />
<security:form-login default-target-url="/myContext/Index.html"
login-page="/myContext/Login.html" />
<security:remember-me key="myAppKey" services-ref="rememberMeServices" />
</security:http>
<beans:bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<beans:property name="key" value="myAppKey" />
<beans:property name="alwaysRemember" value="true" />
</beans:bean>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="john" password="john" authorities="ROLE_USER" />
<security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
<security:user name="guest" password="guest" authorities="ROLE_GUEST" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
I'm using spring-flex 1.5.0, spring-security 2.0.6 and Spring 3.0.
Any ideas what is the problem?
Thanks in advance,
Andre
I'm not very sure, but try to put an alias in security:authentication-manager:
<security:authentication-manager alias="authenticationManager">
Why don't you use Spring security 3?
As listed in the reference manual, Spring Flex 1.5.0 will not work with Spring Security 2. You must use Spring Security 3.
Other than this, jbbarquero is correct, assuming this is actually your problem.
Related
I have an issue that seems something like this one but I'm not using AJAX for logging in/authentication.
When I access my local Tomcat 7 instance, I can correctly evaluate this block to true when the user is not logged in:
<security:authorize access="!isFullyAuthenticated()">
<div class="col-xs-12 col-md-2 login_button">
<button class="btn btn-success" style="line-height: 1.42857"><spring:message code="label.logIn"/> <i class="fa fa-sign-in"></i></button>
</div>
</security:authorize>
However, it evaluates to false when I deploy it to our public QA and public production instances, hiding the button. I also tried changing the access to !isAuthenticated() but the behavior didn't change.
I'm using Spring 4.1.0.RELEASE and Spring Security 3.2.4.RELEASE. I am not completely sure but it may not have had this behavior in a previous version of Spring.
What could cause a difference in the code block evaluation between servers?
UPDATE:
Spring security config:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<beans:bean id="authSuccessHandler" class="com.companyname.web.RoleBasedAuthenticationSuccessHandler" />
<http auto-config="true" use-expressions="true">
<form-login login-page="/login"
authentication-success-handler-ref="authSuccessHandler"
authentication-failure-url="/login?login_error=true"
login-processing-url="/j_spring_security_check" />
<intercept-url pattern="/sample/**" access="hasAnyRole('ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
<intercept-url pattern="/other/**" access="hasAnyRole('ROLE_OTHER', 'ROLE_CO_OTHER','ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
<logout logout-success-url="/index" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
<beans:bean id="myUserDetailsService"
class="com.companyname.service.UserDetailsServiceImpl" />
<beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator">
<beans:bean id="permissionEvaluator" class="com.companyname.web.security.MethodsPermissionEvaluator"/>
</beans:property>
</beans:bean>
</beans:beans>
EDIT:
Also tried Spring Security 3.2.8.RELEASE, but no luck.
This issue was solved by a fellow developer by updating the web.xml to contain the Spring Security Filter Chain higher up in the file:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<servlet-name>Spring Security Filter Chain</servlet-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
We also had to make sure that the updated file was deployed to the correct environment. The discrepancy in environments is attributed to different web.xml files for each environment.
when i am trying to authenticate by giving username name as "sumit1" and password as "123" it is redirecting me to the login error page, though i have defined the same role as i have defined for username "sumit" .
this is my spring-security xml file.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- This is where we configure Spring-Security -->
<security:http auto-config="true" access-denied-page="/sumit/auth/denied.jsp" >
<security:intercept-url pattern="/admin**" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/user**" access="ROLE_USER"/>
<security:form-login authentication-failure-url="/sumit/auth/invalid.jsp"/>
<!-- <security:form-login login-page="/sumit/auth/login.jsp"/> -->
<security:logout logout-success-url="/index.jsp"/>
</security:http>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service><security:user name="sumit" password="123" authorities="ROLE_ADMIN"/></security:user-service>
<security:user-service><security:user name="sumit1" password="123" authorities="ROLE_ADMIN"/></security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
<!-- An in-memory list of users. No need to access an external database layer.
See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
<!-- john's password is admin, while jane;s password is user -->
</beans>
As Pavel mentioned in his comment, you've two <security:user-service> tags. You only need one and can define multiple users under the same.
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="sumit" password="123" authorities="ROLE_ADMIN"/>
<security:user name="sumit1" password="123" authorities="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
I have successfully enabled the '/oauth/check_token' endpoint using spring-security 3.2.* and javaconfig but currently I'm restricted to spring-security 3.1.4 and then i'm stucked to XML config. '/oauth/token' endpoint is working as i wish but I can't get the check_token endpoint to be enabled and I can't find any (non javaconfig) documentation explaining what to do.
Vanila Authorization server config:
<oauth:authorization-server
client-details-service-ref="client-service"
token-services-ref="tokenServices" >
<oauth:refresh-token disabled="false" />
<oauth:client-credentials disabled="false" />
<oauth:password authentication-manager-ref="userAuthenticationManager" />
</oauth:authorization-server>
http security config:
<sec:http
auto-config="true"
pattern="/oauth/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<sec:anonymous enabled="false"/>
<sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
</sec:http>
I've tried to add following http config without success.
<sec:http
auto-config="true"
pattern="/oauth/check_token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<sec:intercept-url pattern="/oauth/check_token" access="IS_AUTHENTICATED_FULLY" />
<sec:anonymous enabled="false"/>
<sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
</sec:http>
please, any suggestions. A working example would be great.
best
./Kristofer
You need to create a bean of type CheckTokenEndpoint (org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint).
Use the last version of spring oauth2:
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.0.10.RELEASE</version>
</dependency>
Ensure what the correct version of xsd is in use in spring security oauth file configuration:
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
Insert the option check-token-enabled="true" in the element authorization-server:
<oauth:authorization-server ... check-token-enabled="true">
...
</oauth:authorization-server>
I have found some solutions but they didn't worked for me. I added libraries to project but I am getting this error. I could reach security libraries from my controller classes. Any idea?
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]
This my spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="test" password="123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Use http://www.springframework.org/schema/security/spring-security-3.0.xsd as your namespace instead.
to avoid
"org.xml.sax.SAXParseException: schema_reference.4: Failed to read
schema document 'springframework.org/schema/security/…;, because 1)
could not find the document; 2) the document could not be read; 3) the
root element of the document is not <xsd:schema>."
change springframework.org/schema/security/spring-security-3.1.4.xsd to springframework.org/schema/security/spring-security-3.1.xsd
I am try for role based access in spring but got the following error:-
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'http'.
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:195)
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:131)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:384)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:318)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:410)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3165)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:1898)
at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:685)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:400)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2740)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:647)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:140)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:508)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:807)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:107)
And here is my spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/welcome*" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="a" password="1" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Seems, the required library files for Spring Security aren't at right place. Are you using Maven and have maven dependency of Spring Security library files in your pom.xml file?
If it is then do a maven clean-up and have a try again. Otherwise you can place Spring security library files in the class-path directly.
Please check if application has the necessary spring security library files in the classpath (if you are using Maven, check pom.xml file). Also, check for other Spring related xml files for syntax errors (or please post them also).