Content-Security-Policy Spring Security via XML - spring-security

I am trying to add Content-Security-Policy using Spring Security with the following spring-security-config.xml:
<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <security:http auto-config="true">
        <security:intercept-url
            pattern="/ResetPassword**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <headers defaults-disabled="true">
            <content-type-options />
            <hsts include-subdomains="true" max-age-seconds="31536000" />
            <content-security-policy
                policy-directives="script-src 'self'
                    https://trustedscripts.example.com; object-src
                    https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
                report-only="true" />
        </headers>
    </security:http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="abc" authorities="IS_AUTHENTICATED_ANONYMOUSLY" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
I am getting the following error:
Caused by: org.xml.sax.SAXParseException; lineNumber: 19; columnNumber: 26; cvc-complex-type.2.4.a: Invalid content was found starting with element 'content-security-policy'. One of '{"http://www.springframework.org/schema/security":cache-control, "http://www.springframework.org/schema/security":xss-protection, "http://www.springframework.org/schema/security":hsts, "http://www.springframework.org/schema/security":frame-options, "http://www.springframework.org/schema/security":content-type-options, "http://www.springframework.org/schema/security":header}' is expected.
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
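The list of permitted children in that error (cache-control, xss-protection, hsts, frame-options, content-type-options, header) contains no content-security-policy, which means the unversioned spring-security.xsd was resolved to a schema older than Spring Security 4.1, the release that introduced the element. Below is an added example, not the asker's file, of the same configuration written against a pinned Spring Security 4.2 schema; the URL patterns, the trusted hosts and the placeholder user are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the asker's file): spring-security-config.xml for
     Spring Security 4.2 with a Content-Security-Policy header. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.2.xsd">

    <!-- use-expressions defaults to true in 4.x, so permitAll/authenticated work -->
    <http>
        <intercept-url pattern="/ResetPassword**" access="permitAll" />
        <!-- the browser POSTs violation reports here without any credentials -->
        <intercept-url pattern="/csp-report-endpoint/**" access="permitAll" />
        <intercept-url pattern="/**" access="authenticated" />
        <form-login />
        <logout />
        <csrf />

        <!-- defaults-disabled="true": only the headers listed here are sent -->
        <headers defaults-disabled="true">
            <content-type-options />
            <frame-options policy="DENY" />
            <hsts include-subdomains="true" max-age-seconds="31536000" />
            <!-- report-only: violations are reported to report-uri, nothing is
                 blocked yet; set report-only="false" once the reports show that
                 no legitimate script or plugin source is being flagged -->
            <content-security-policy
                policy-directives="default-src 'self'; script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
                report-only="true" />
        </headers>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- placeholder credentials for this example only -->
                <user name="user" password="changeme" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Two things bite in practice. The report endpoint receives a same-origin POST from the browser that carries no CSRF token, so with `<csrf />` enabled it has to be excluded from CSRF checks (the `request-matcher-ref` attribute of `<csrf>`) or be served outside the protected filter chain, otherwise every report is answered with 403 and the policy looks clean when it is not. And if the project is later moved to Spring Security 5.x, the in-memory password needs an encoder id prefix such as `{bcrypt}` (or `{noop}` for a throwaway test), because the 5.x DelegatingPasswordEncoder rejects an unprefixed value.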

Related

Error when trying to use session-management

I am trying to place session-management in my security-application.xml file.
Error:
Invalid content was found starting with element 'session-management'. One of '{"http://www.springframework.org/schema/security":intercept-url,
I tried to put it in other places but without success.
Advice?
------------------------UPDATE ONE------------------------
I tried:
<security:session-management invalid-session-url="/logonTimeOut.jsp">
    <security:concurrency-control expired-url="/logonTimeOut.jsp"/>
</security:session-management>
and it is still not working.
I think your XML configuration is not correct. Change the XML configuration like this:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.2.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd"
    >
    <http create-session="always" use-expressions="true">
        <intercept-url pattern="/anonymous*" access="isAnonymous()"/>
        <intercept-url pattern="/login*" access="permitAll"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <csrf disabled="true"/>
        <form-login login-page='/login.html'
                    authentication-success-handler-ref="myAuthenticationSuccessHandler"
                    authentication-failure-url="/login.html?error=true"/>
        <logout delete-cookies="JSESSIONID"/>
        <remember-me key="uniqueAndSecret" token-validity-seconds="86400"/>
        <session-management invalid-session-url="/invalidSession.html">
            <concurrency-control max-sessions="2" expired-url="/sessionExpired.html"/>
        </session-management>
    </http>
    <beans:bean id="myAuthenticationSuccessHandler"
                class="org.baeldung.security.MySimpleUrlAuthenticationSuccessHandler"/>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user1" password="user1Pass" authorities="ROLE_USER"/>
                <user name="admin1" password="admin1Pass" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
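The answer's layout places session-management where the schema expects it (as a child of http), but as written it also switches CSRF protection off, commits a fixed remember-me key and stores cleartext passwords. The following is an added example, not the answer's or the asker's file, of the same structure for Spring Security 4.2 with those settings changed; the page names, the placeholder key and the placeholder bcrypt hash are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): session management for Spring
     Security 4.2 with CSRF kept on, a secret remember-me key and hashed
     passwords. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.2.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

    <!-- ifRequired: no session is created for requests that do not need one -->
    <http create-session="ifRequired">
        <intercept-url pattern="/login*" access="permitAll" />
        <!-- the pages the session filters redirect to must be reachable
             without a session, or the redirect bounces to the login page -->
        <intercept-url pattern="/invalidSession.html" access="permitAll" />
        <intercept-url pattern="/sessionExpired.html" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />

        <!-- CSRF protection stays on (it is on by default in 4.x) -->
        <csrf />
        <form-login login-page="/login.html"
                    authentication-failure-url="/login.html?error=true" />
        <logout delete-cookies="JSESSIONID" invalidate-session="true" />
        <!-- the key signs the remember-me cookie; PLACEHOLDER: inject a long
             random value from configuration, do not commit it -->
        <remember-me key="REPLACE-WITH-LONG-RANDOM-SECRET"
                     token-validity-seconds="86400" />

        <!-- session-management must sit inside http. migrateSession issues a
             new session id at login so an id planted before login is useless
             (session fixation). max-sessions="1" with error-if-maximum-exceeded
             refuses a second concurrent login instead of expiring the first. -->
        <session-management invalid-session-url="/invalidSession.html"
                            session-fixation-protection="migrateSession">
            <concurrency-control max-sessions="1"
                                 error-if-maximum-exceeded="true"
                                 expired-url="/sessionExpired.html" />
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider>
            <!-- stored passwords are bcrypt hashes, never cleartext -->
            <password-encoder hash="bcrypt" />
            <user-service>
                <!-- PLACEHOLDER: replace with a real bcrypt hash of the password -->
                <user name="user1" password="$2a$10$PLACEHOLDER_BCRYPT_HASH"
                      authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

concurrency-control only works if Spring Security is told when sessions end: register `org.springframework.security.web.session.HttpSessionEventPublisher` as a `<listener>` in web.xml. Without it the registry never sees a session being destroyed, the per-user count only grows, and after the first timeout every further login is refused.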

Spring security namespace configuration: cannot put authentication-provider inside a authentication-manager

I'm starting to use Spring Security to protect my project, but I have a problem with the namespace configuration. Here is my applicationContext-security.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <http>
        <intercept-url pattern="/**/query/**" access="none" />
    </http>
    <http>
        <intercept-url pattern="/**/edit/**" access="ROLE_USER" />
        <form-login />
        <logout />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="bob" password="bobspassword" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
This code is copied from the Spring Security reference. However, the IDE gives the following errors:
1. Element authentication-manager doesn't have required attribute alias.
2. Element authentication-provider is not allowed here.
3. Cannot resolve symbol user-service.
4. Cannot resolve symbol user.
What should I do? Thx!

error in spring-security.xml:The matching wildcard is strict, but no declaration can be found for element 'http'

I am developing an application in Spring for the first time. I am getting an error at line 11. Can anyone solve this? I have added spring-security-config.jar.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
    <http auto-config="true">
        <intercept-url pattern="/admin**" access="ROLE_USER" />
        <form-login
            login-page="/login"
            default-target-url="/welcome"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/login?logout" />
        <!-- enable csrf protection -->
        <csrf/>
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="mkyong" password="123456" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
You haven't set the schemaLocation for the security namespace. Copy the examples from the reference manual or one of the sample applications.
You've also tried to use version 2.0.4, which won't work. The csrf element is only available from 3.2 onwards.
I'd also forget about auto-config and add what you want explicitly.
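The answer's three points applied, as an added example that is not the asker's file: every namespace URI in xsi:schemaLocation is followed by its own schema URL (the asker's last URL has no namespace in front of it, which is what the strict-wildcard message is reporting), the schema is pinned to 3.2, the first version that has `<csrf>`, and auto-config is dropped in favour of listing the filters. It assumes spring-security-config 3.2.x on the classpath; the URL patterns and the placeholder user are assumptions. Pinning the version also bears on the IDE messages in the question before this one: a required alias attribute on authentication-manager, and authentication-provider being disallowed inside it, are the rules of the 2.0 schema, which suggests the IDE had resolved the unversioned spring-security.xsd to that release.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the asker's file): the same configuration with a
     correctly paired schemaLocation for Spring Security 3.2. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- no auto-config: each filter is declared explicitly. 3.2 still needs
         use-expressions="true" for permitAll/hasRole/isAuthenticated -->
    <http use-expressions="true">
        <intercept-url pattern="/login*" access="permitAll" />
        <intercept-url pattern="/admin**" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <form-login
            login-page="/login"
            default-target-url="/welcome"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/login?logout" />
        <!-- csrf exists from 3.2 onward and is off by default in 3.2 XML
             config, so it has to be declared to take effect -->
        <csrf />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- placeholder credentials for this example only -->
                <user name="user" password="changeme" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

With `<csrf />` enabled, logout becomes a POST that must carry the `_csrf` token (a plain GET to /logout is no longer accepted), and every form, the login form included, has to submit the token as a hidden field.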

Parsing error for spring-security.xml file

I know very little or nothing about XML and I have to write a spring-security.xml file. The problem, I guess, has something to do with my XML not following the XSD. Here is the XML.
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:s="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <s:http auto-config="true">
        <s:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <s:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <s:intercept-url pattern="/**" access="ROLE_USER" />
        <s:intercept-url pattern="/" access="ROLE_USER" />
        <s:form-login login-page="/login" default-target-url="/getemp"/>
        <s:logout logout-success-url="/logout" />
    </s:http>
    <s:authentication-manager>
        <s:authentication-provider>
            <s:ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
        </s:authentication-provider>
    </s:authentication-manager>
    <s:ldap-server id="ldapServer" url="ldap://test.com:389" />
</beans>
When I try to run the web application I am getting an error:
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 's:ldap-authentication-provider'. One of '{"http://www.springframework.org/schema/security":any-user-service, "http://www.springframework.org/schema/security":password-encoder}' is expected.
Here is the XSD: spring security xsd
The xsd says that <s:authentication-manager> accepts as children an authentication-provider OR an ldap-authentication-provider. So, remove the <s:authentication-provider> that is wrapping your <s:ldap-authentication-provider> and that should get you past this problem. Your final code should look like:
<s:authentication-manager>
    <s:ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
</s:authentication-manager>

Spring Security 3 configuration in XML

I've tried to configure Spring Security through XML for some time now, but I can't seem to get it to work. Here is what I have so far:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    [...]
    <security:http auto-config="true">
        <security:intercept-url pattern="/**" access="ROLE_USER" />
        <security:http-basic />
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            [???] <!-- What goes here? -->
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
All the tutorials that I've found seem to want me to put <user-service> in the placeholder, but NetBeans won't auto-complete to that element. The only thing resembling that element is any-user-service which, as far as I understand, is an "abstract" element.
I just want to configure an in-memory list of users and passwords. How do I do that in Spring Security version 3?
<security:authentication-manager>
    <security:authentication-provider user-service-ref="userService">
    </security:authentication-provider>
</security:authentication-manager>
<bean id="userService" class="path.to.your.implementation.of.UserDetailsService" />
Or you can have basic in-memory authentication (instead of, or as well as):
<security:authentication-manager>
    <security:authentication-provider user-service-ref="userService">
    </security:authentication-provider>
    <security:authentication-provider user-service-ref="customAdmin">
    </security:authentication-provider>
</security:authentication-manager>
<security:user-service id="customAdmin">
    <security:user name="yourUserName" password="yourPassword" authorities="ROLE_USER, ROLE_ADMIN" />
    <security:user name="yourOtherUserName" password="yourOtherPassword" authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
The official Spring docs are always the best place to read, imho.
Write your own org.springframework.security.authentication.AuthenticationProvider, create the bean and provide a reference to your authentication manager:
<authentication-manager>
    <authentication-provider ref="com.example.CustomAuthenticationProvider"/>
</authentication-manager>
Alternatively, you can just supply usernames and passwords with their relevant authorities (I use this when mocking):
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="test" password="test" authorities="ROLE_AUTHENTICATED" />
        </user-service>
    </authentication-provider>
</authentication-manager>