According to https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html#m3to4-deprecations-core-udsw, UserDetailsServiceWrapper was deprecated in favor of using RoleHierarchyAuthoritiesMapper.
Given the following snippet from the applicationContext-security.xml file, what does it need to be migrated to?
<bean id="preauthAuthProvider"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
  <property name="preAuthenticatedUserDetailsService">
    <bean id="userDetailsServiceWrapper"
          class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
      <property name="userDetailsService" ref="userLogic"/>
    </bean>
  </property>
</bean>
I am attempting to go through the Spring Security SAML Quick Start at:
http://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/chapter-quick-start.html
I've gone through the four steps listed, done the two simple edits to sample/src/main/webapp/WEB-INF/securityContext.xml, and attempt to start the app as described in step 5.
I receive this error:
Bean property 'signMetadata' is not writable or has an invalid setter method.
Does the parameter type of the setter match the return type of the getter?
I have only changed the few lines of XML as described in the QuickStart.
That section of the relevant file looks like this:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="entityId" value="urn:test:chazlarson:waconia" />
      <property name="signMetadata" value="false" />
    </bean>
  </constructor-arg>
</bean>
compared to the QuickStart's suggestion of:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="entityId" value="replaceWithUniqueIdentifier"/>
      <property name="signMetadata" value="false"/>
    </bean>
  </constructor-arg>
</bean>
What have I missed? I am sure this is simple, but I've gone through this simple process on two different machines with the same result.
Did you try this example?
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="entityId" value="replaceWithUniqueIdentifier"/>
      <property name="extendedMetadata">
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
          <property name="signMetadata" value="false"/>
          <property name="idpDiscoveryEnabled" value="true"/>
        </bean>
      </property>
    </bean>
  </constructor-arg>
</bean>
I looked into the MetadataGenerator class and there is no signMetadata property.
I would recommend you follow this doc.
I cannot configure TypeRepresentationStrategy because of the following reason:
Failed to convert value of type 'org.neo4j.kernel.EmbeddedGraphDatabase' to required type 'org.springframework.data.neo4j.core.GraphDatabase';
I use Spring-Data-Neo4j 3.1.4 and Neo4j 2.1.2.
This is because the graphDatabaseService instance I define in my spring-context configuration is of type EmbeddedGraphDatabase; see my configuration:
<util:map id="config">
  <entry key="remote_shell_enabled" value="true"/>
  <entry key="cache-type" value="weak"/>
</util:map>
<bean id="graphDbFactory" class="org.neo4j.graphdb.factory.GraphDatabaseFactory"/>
<bean id="graphDbBuilder" factory-bean="graphDbFactory" factory-method="newEmbeddedDatabaseBuilder">
  <constructor-arg value="target/neo4j-db-plain"/>
</bean>
<bean id="graphDbBuilderFinal" factory-bean="graphDbBuilder" factory-method="setConfig">
  <constructor-arg ref="config"/>
</bean>
<bean id="graphDatabaseService" factory-bean="graphDbBuilderFinal" factory-method="newGraphDatabase"
      destroy-method="shutdown"/>
<bean id="serverWrapper" class="org.neo4j.server.WrappingNeoServerBootstrapper" init-method="start"
      destroy-method="stop">
  <constructor-arg ref="graphDatabaseService"/>
</bean>
<neo4j:config base-package="com.hobbydeed.graph.model" graphDatabaseService="graphDatabaseService" />
<bean id="typeRepresentationStrategyFactory" class="org.springframework.data.neo4j.support.typerepresentation.TypeRepresentationStrategyFactory">
  <constructor-arg index="0" ref="graphDatabaseService"/>
  <constructor-arg type="org.springframework.data.neo4j.support.typerepresentation.TypeRepresentationStrategyFactory.Strategy">
    <value>Indexed</value>
  </constructor-arg>
</bean>
The question is how can I configure TypeRepresentation to "Indexed" when org.neo4j.kernel.EmbeddedGraphDatabase implements org.neo4j.graphdb.GraphDatabaseService, but TypeRepresentationFactory wants org.springframework.data.neo4j.core.GraphDatabase?
There is a nodeTypeRepresentationStrategy bean that you can override with your chosen strategy.
For the strategy factory as you've used it, you can just use the "graphDatabase" bean reference.
Or you use DelegatingGraphDatabase(graphDatabaseService) as the bean for graphDatabase, which is the default.
This documentation explains how to configure Spring-Security LDAP:
http://docs.spring.io/spring-security/site/docs/3.2.4.CI-SNAPSHOT/reference/htmlsingle/#ldap
3.4.5. Spring Bean Configuration
<bean id="contextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
  <property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
  <property name="password" value="password"/>
</bean>
<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <constructor-arg ref="contextSource"/>
      <property name="userDnPatterns">
        <list><value>uid={0},ou=people</value></list>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean
        class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <constructor-arg ref="contextSource"/>
      <constructor-arg value="ou=groups"/>
      <property name="groupRoleAttribute" value="ou"/>
    </bean>
  </constructor-arg>
</bean>
How can we achieve this without XML?
Here we have a sample which uses a local ldif file:
https://github.com/spring-projects/spring-security/blob/master/samples/ldap-jc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
I've modified SecurityConfig.java as follows:
public void registerGlobalAuthentication(AuthenticationManagerBuilder auth) throws Exception {
    DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(ldap_url);
    contextSource.setUrl(ldap_user);
    contextSource.setPassword(ldap_password);
    DefaultLdapAuthoritiesPopulator ldapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
    ldapAuthoritiesPopulator.setGroupRoleAttribute("ou");
    LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldapAuthenticationProviderConfigurer = auth.ldapAuthentication();
    ldapAuthenticationProviderConfigurer
        .userDnPatterns("uid={0},ou=people")
        .groupSearchBase("ou=groups")
        .contextSource(contextSource)
        .ldapAuthoritiesPopulator(ldapAuthoritiesPopulator);
}
but when I login using the web form, I get this error:
java.lang.NullPointerException
at java.util.Hashtable.<init>(Hashtable.java:296)
at org.springframework.ldap.core.support.AbstractContextSource.getAuthenticatedEnv(AbstractContextSource.java:499)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:114)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:110)
at org.springframework.security.ldap.authentication.BindAuthenticator.bindWithDn(BindAuthenticator.java:112)
Is there a similar documentation to http://docs.spring.io/spring-security/site/docs/3.2.4.CI-SNAPSHOT/reference/htmlsingle/#ldap explaining how to achieve this without spring xml?
You need to call
contextSource.afterPropertiesSet()
if you are using the class outside an application context (see the source and Javadoc for Spring LDAP's AbstractContextSource for more information). Either that or you can just make it a @Bean and Spring will call the method and initialize it for you.
Also
contextSource.setUrl(ldap_user);
doesn't look right. Shouldn't that be setUserDn?
Can you please give me some links or solutions to manage my problem?
The problem is as follows. I have an LDAP server. How can I make HTTP basic authorization go through this LDAP server?
Thanks in advance.
You need to set up two different features of Spring Security:
LDAP Authentication. The actual config is described here.
HTTP Basic Authentication. This feature is described here.
Thanks. I made such a config:
<security:http auto-config="true" use-expressions="true">
  <security:intercept-url pattern="/index.jsp" access="isAuthenticated()"/>
  <security:http-basic/>
</security:http>
Then, BasicAuthenticationFilter:
<bean id="basicAuthenticationFilter"
      class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
  <property name="authenticationEntryPoint" ref="BauthenticationEntryPoint"/>
  <property name="authenticationManager" ref="BauthenticationManager"/>
</bean>
The entry point and manager were described like this:
<bean id="BauthenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
  <property name="realmName" value="Name Of Your Realm"/>
</bean>
<bean id="BauthenticationManager" class="org.springframework.security.authentication.ProviderManager">
  <property name="providers">
    <list>
      <ref local="ldapAuthProvider"/>
    </list>
  </property>
</bean>
And finally:
<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <constructor-arg ref="contextSource"/>
      <property name="userDnPatterns">
        <list>
          <value>sAMAccountName={0}</value>
        </list>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean
        class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <constructor-arg ref="contextSource"/>
      <constructor-arg value=""/>
    </bean>
  </constructor-arg>
</bean>
When I try to access /index.jsp I am shown the standard HTTP auth window requesting my username and password. When I type them into the form and press Enter nothing happens: the auth window just reloads and nothing more.
Where did I make a mistake?
Thanks.
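The following is an added example, not code from any of the posts above or from the Spring project. It puts together in Java configuration what the two LDAP threads on this page say: the context source is declared as a @Bean so that Spring calls afterPropertiesSet() on it (the NullPointerException in the earlier thread comes from an uninitialized context source), the manager credentials go through setUserDn() and setPassword() rather than setUrl(), LDAP bind authentication is wired with userDnPatterns and a DefaultLdapAuthoritiesPopulator as in the XML sample, and HTTP Basic is enabled on the filter chain with a realm name. It targets the Spring Security 3.2-era WebSecurityConfigurerAdapter API. The package name, the property keys ldap.url, ldap.manager-dn and ldap.manager-password, and the manualContextSource helper are assumptions made for the example.

```java
package example.config; // hypothetical package

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Configuration
@EnableWebSecurity
public class LdapBasicAuthConfig extends WebSecurityConfigurerAdapter {

    // Property keys are assumed; values would be e.g.
    // ldap://monkeymachine:389/dc=springframework,dc=org and cn=manager,dc=springframework,dc=org
    @Value("${ldap.url}")
    private String ldapUrl;
    @Value("${ldap.manager-dn}")
    private String managerDn;
    @Value("${ldap.manager-password}")
    private String managerPassword;

    // Declared as a bean: DefaultSpringSecurityContextSource is an InitializingBean, so the
    // container calls afterPropertiesSet() and the authentication environment is built.
    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(ldapUrl);
        cs.setUserDn(managerDn);        // bind DN for lookups (the original code passed this to setUrl)
        cs.setPassword(managerPassword);
        return cs;
    }

    // Same object built by hand outside the container (e.g. in a test): afterPropertiesSet()
    // has to be called explicitly, otherwise the environment used for the bind is never created.
    static DefaultSpringSecurityContextSource manualContextSource(String url, String userDn, String password)
            throws Exception {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(url);
        cs.setUserDn(userDn);
        cs.setPassword(password);
        cs.afterPropertiesSet();
        return cs;
    }

    @Autowired
    public void registerGlobalAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        DefaultSpringSecurityContextSource contextSource = contextSource();

        // Groups under ou=groups (relative to the base DN in the URL); the "ou" attribute of the
        // group entry becomes the role name, prefixed with ROLE_ by the populator.
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
        populator.setGroupRoleAttribute("ou");

        // Bind authentication: the user's own credentials are used to bind, so the application
        // never reads or compares password hashes itself.
        auth.ldapAuthentication()
            .contextSource(contextSource)
            .userDnPatterns("uid={0},ou=people")
            .ldapAuthoritiesPopulator(populator);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request requires an authenticated user; credentials arrive via HTTP Basic.
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .realmName("Name Of Your Realm");
    }
}
```

Both the bind DN and the user DN pattern are relative to the base DN given in the LDAP URL, exactly as in the XML sample, so a pattern like uid={0},ou=people only works when the URL carries that base.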
I need to do Spring Security authentication using password comparison for users whose passwords are stored in LDAP in MD5 hex encoding format. For LDAP SHA encoding I can use LdapShaPasswordEncoder. Which encoder should I use for LDAP MD5 encoding?
<bean id="ldapAuthenticationProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.ldap.authentication.PasswordComparisonAuthenticator">
      <constructor-arg ref="contextSource" />
      <property name="passwordEncoder">
        <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
      </property>
      <property name="userDnPatterns">
        <list>
          <value>uid={0},ou=people</value>
        </list>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean
        class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <constructor-arg ref="contextSource" />
      <constructor-arg value="ou=groups" />
      <property name="groupSearchFilter" value="(member={0})" />
      <property name="rolePrefix" value="ROLE_" />
      <property name="searchSubtree" value="true" />
      <property name="convertToUpperCase" value="true" />
    </bean>
  </constructor-arg>
</bean>
There isn't one that supports MD5. You'd have to implement PasswordEncoder yourself. You can use LdapShaPasswordEncoder as a guide. It should be pretty straightforward, especially without salt involved.
You should probably start looking at migrating to a more secure system which includes salt in the hashes. For example, perhaps your directory can support multiple formats and you can use SSHA for new users or password changes.
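As an added example (not code from the answer above or from the Spring project), this is the kind of PasswordEncoder the answer says you would write yourself, modelled on LdapShaPasswordEncoder. It verifies legacy MD5 values in either the LDAP form "{MD5}" plus Base64 of the raw digest or the bare 32-character hex form, delegates {SHA}/{SSHA} values to LdapShaPasswordEncoder, and encodes new passwords as salted {SSHA}, which is the migration path the answer recommends. It uses the Spring Security 3.x org.springframework.security.authentication.encoding.PasswordEncoder interface that PasswordComparisonAuthenticator expects and java.util.Base64 (Java 8+). The class and package names are assumptions; the decision to accept the hex form as well is an assumption based on the question's wording.

```java
package example.ldap; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
import org.springframework.security.authentication.encoding.PasswordEncoder;

// Verifies legacy {MD5} / hex MD5 hashes but never produces them: new encodings are {SSHA}.
public class LegacyLdapMd5PasswordEncoder implements PasswordEncoder {

    private static final String MD5_PREFIX = "{MD5}";
    private final LdapShaPasswordEncoder shaEncoder = new LdapShaPasswordEncoder();
    private final SecureRandom random = new SecureRandom();

    // Encoding a new password: an 8-byte random salt makes LdapShaPasswordEncoder emit {SSHA}.
    @Override
    public String encodePassword(String rawPass, Object salt) {
        byte[] saltBytes = new byte[8];
        random.nextBytes(saltBytes);
        return shaEncoder.encodePassword(rawPass, saltBytes);
    }

    @Override
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        String stored = encPass.trim();
        if (stored.regionMatches(true, 0, MD5_PREFIX, 0, MD5_PREFIX.length())) {
            // LDAP form: {MD5} followed by Base64 of the 16 raw digest bytes.
            byte[] expected = Base64.getDecoder().decode(stored.substring(MD5_PREFIX.length()));
            return MessageDigest.isEqual(expected, md5(rawPass)); // constant-time comparison
        }
        if (stored.length() == 32 && stored.matches("[0-9a-fA-F]+")) {
            // Bare hex form, as produced by Md5PasswordEncoder.
            return MessageDigest.isEqual(hexToBytes(stored), md5(rawPass));
        }
        // {SHA} and {SSHA} values are handled by the standard encoder.
        return shaEncoder.isPasswordValid(stored, rawPass, salt);
    }

    private static byte[] md5(String rawPass) {
        try {
            return MessageDigest.getInstance("MD5").digest(rawPass.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available in this JVM", e);
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Wire it in place of Md5PasswordEncoder on the passwordEncoder property of PasswordComparisonAuthenticator. It is written for the case the question describes, where the bind account can read userPassword and the authenticator compares locally through isPasswordValid(); once a user's entry has been rewritten with an {SSHA} value, the MD5 branch is never taken for that user again.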