Error when trying to use session-management - spring-security

I am trying to place session-management in my security-application.xml file.
Error:
Invalid content was found starting with element 'session-management'. One of '{"http://www.springframework.org/schema/security":intercept-url,
I tried to put it in other places, but without success.
Advice?
------------------------UPDATE ONE------------------------
I tried:
<security:session-management invalid-session-url="/logonTimeOut.jsp">
    <security:concurrency-control expired-url="/logonTimeOut.jsp"/>
</security:session-management>
and it is still not working.

I think your XML configuration is not correct. Change the XML configuration like this:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.2.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">
    <http create-session="always" use-expressions="true">
        <intercept-url pattern="/anonymous*" access="isAnonymous()"/>
        <intercept-url pattern="/login*" access="permitAll"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <csrf disabled="true"/>
        <form-login login-page='/login.html' authentication-success-handler-ref="myAuthenticationSuccessHandler" authentication-failure-url="/login.html?error=true"/>
        <logout delete-cookies="JSESSIONID"/>
        <remember-me key="uniqueAndSecret" token-validity-seconds="86400"/>
        <session-management invalid-session-url="/invalidSession.html">
            <concurrency-control max-sessions="2" expired-url="/sessionExpired.html"/>
        </session-management>
    </http>
    <beans:bean id="myAuthenticationSuccessHandler" class="org.baeldung.security.MySimpleUrlAuthenticationSuccessHandler"/>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user1" password="user1Pass" authorities="ROLE_USER"/>
                <user name="admin1" password="admin1Pass" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Related

Spring Security 5 return 403 on login

I am evaluating Spring 5 (MVC) and Spring Security 5.
When I am posting username and password from a custom form I get a 403 return code.
When using instead of or the Spring default login form everything is working fine.
Here is my applicationContext-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    <http auto-config='false' use-expressions="true">
        <intercept-url pattern="/assets/**" access="isAnonymous() or hasRole('ROLE_USER')" />
        <intercept-url pattern="/pages/**" access="isAnonymous() or hasRole('ROLE_USER')" />
        <intercept-url pattern="/index.do**" access="isAnonymous() or hasRole('ROLE_USER')" />
        <intercept-url pattern="/app2/**" access="isAnonymous() or hasRole('ROLE_USER')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <form-login login-page="/index.do#/login"
            login-processing-url="/login"
            default-target-url="/index.do"/>
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</b:beans>

Spring security namespace configuration: cannot put authentication-provider inside a authentication-manager

I'm starting to use Spring Security to protect my project, but I have a problem with the namespace configuration. Here is my applicationContext-security.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <http>
        <intercept-url pattern="/**/query/**" access="none" />
    </http>
    <http>
        <intercept-url pattern="/**/edit/**" access="ROLE_USER" />
        <form-login />
        <logout />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="bob" password="bobspassword" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
This code is copied from the Spring Security reference. However, the IDE gives the following errors:
1. Element authentication-manager doesn't have required attribute alias.
2. Element authentication-provider is not allowed here.
3. Cannot resolve symbol user-service.
4. Cannot resolve symbol user.
What should I do? Thx!

Form login in spring security doesn't work

I have a problem with Spring Security in the form login: it doesn't find the login URL even though I give it the path:
<form-login login-page="/login" default-target-url="/index" />
When I execute it, the browser gives:
Cette page Web présente une boucle de redirection.
English translation of above to assist debug:
This web page has a redirect loop.
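This is the controller:
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginController {
    // Maps /login to the logical view name "login"
    @RequestMapping("/login")
    public String doLogin() {
        return "login";
    }
}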
This is spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.1.xsd
        http://www.springframework.org/schema/tx
        http://www.springframework.org/schema/tx/spring-tx.xsd" >
    <http pattern="/images/**" security="none"/>
    <http pattern="/styles/**" security="none"/>
    <http pattern="/js/**" security="none"/>
    <http pattern="/login" security="none" />
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login login-page="/login.jsp" default-target-url="/index" authentication-failure-url="/login" />
        <logout logout-url="/logout" logout-success-url="/index"/>
    </http>
    <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" ></beans:property>
    </beans:bean>
    <beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref local="daoAuthenticationProvider"/>
            </beans:list>
        </beans:property>
    </beans:bean>
    <beans:bean id="userDetailsService" class="com.UserDetailsServiceImpl"></beans:bean>
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder hash="md5"></password-encoder>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
EDIT 1: Based on user input
Change the following line
<intercept-url pattern="/**" access="isAuthenticated()"/>
to something along these lines
or
<intercept-url pattern="/**" access="hasRole('USER_ADMIN')"/>
Basically, take isAuthenticated() out of it; from reading about XML configurations, a few people have had issues with it.
Let me know if it fixes it.
Extra examples: Spring security wont redirect on intercept-url

error in spring-security.xml:The matching wildcard is strict, but no declaration can be found for element 'http'

I am developing an application in Spring for the first time. I am getting an error at line no. 11. Can anyone solve this? I have added spring-security-config.jar.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
    <http auto-config="true">
        <intercept-url pattern="/admin**" access="ROLE_USER" />
        <form-login
            login-page="/login"
            default-target-url="/welcome"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/login?logout" />
        <!-- enable csrf protection -->
        <csrf/>
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="mkyong" password="123456" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
You haven't set the schemaLocation for the security namespace. Copy the examples from the reference manual or one of the sample applications.
You've also tried to use version 2.0.4, which won't work. The csrf element is only available from 3.2 onwards.
I'd also forget about auto-config and add what you want explicitly.
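The two faults named in the answer above (no schemaLocation entry for the security namespace, and a pinned schema version older than the element in use) can be checked mechanically. The Python check below is an added example, not part of the original thread; `check_security_schema`, `sample` and the `MIN_VERSION` table are hypothetical names, and the 3.0 minimum for session-management is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
XSI_LOC = "{http://www.w3.org/2001/XMLSchema-instance}schemaLocation"
# Minimum schema version per element. csrf >= 3.2 is stated in the answer;
# session-management >= 3.0 is this example's assumption.
MIN_VERSION = {"csrf": (3, 2), "session-management": (3, 0)}


def check_security_schema(xml_text):
    """Return findings about how the security namespace's XSD is declared."""
    root = ET.fromstring(xml_text)
    tokens = root.get(XSI_LOC, "").split()
    findings = []
    if len(tokens) % 2:
        findings.append("odd number of schemaLocation entries")
    # schemaLocation is a flat list of "namespace location" pairs.
    pairs = dict(zip(tokens[0::2], tokens[1::2]))
    for ns, loc in pairs.items():
        if ns.endswith(".xsd") or not loc.endswith(".xsd"):
            findings.append(f"mis-paired entry: {ns} -> {loc}")
    loc = pairs.get(SEC_NS)
    if loc is None:
        findings.append("security namespace has no schemaLocation entry")
        return findings
    pinned = re.search(r"spring-security-(\d+)\.(\d+)", loc)
    if pinned is None:
        return findings  # unversioned XSD: no pinned version to compare
    version = (int(pinned.group(1)), int(pinned.group(2)))
    prefix = "{" + SEC_NS + "}"
    used = {el.tag[len(prefix):] for el in root.iter() if el.tag.startswith(prefix)}
    for name, need in MIN_VERSION.items():
        if name in used and version < need:
            findings.append(f"<{name}> needs schema {need[0]}.{need[1]}+, "
                            f"pinned {version[0]}.{version[1]}")
    return findings


def sample(schema_location, body="<http><csrf/></http>"):
    """Build a constructed test document (not taken from the thread)."""
    return (f'<beans:beans xmlns="{SEC_NS}" '
            'xmlns:beans="http://www.springframework.org/schema/beans" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            f'xsi:schemaLocation="{schema_location}">{body}</beans:beans>')


if __name__ == "__main__":
    # Same fault as the question: a security XSD location with no namespace URI.
    for finding in check_security_schema(sample(SEC_NS + "/spring-security-2.0.4.xsd")):
        print(finding)
```

Running such a check in a build step catches the fault before the container's schema validation fails at startup.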

Spring Security 3 configuration in XML

I've tried to configure Spring Security through XML for some time now, but I can't seem to get it to work. Here is what I have so far:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    [...]
    <security:http auto-config="true">
        <security:intercept-url pattern="/**" access="ROLE_USER" />
        <security:http-basic />
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            [???] <!-- What goes here? -->
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
All the tutorials that I've found seem to want me to put <user-service> in the placeholder, but NetBeans won't auto-complete to that element. The only thing resembling that element is any-user-service which, as far as I understand, is an "abstract" element.
I just want to configure an in-memory list of users and passwords. How do I do that in Spring Security version 3?
<security:authentication-manager>
    <security:authentication-provider user-service-ref="userService">
    </security:authentication-provider>
</security:authentication-manager>
<bean id="userService" class="path.to.your.implementation.of.UserDetailsService" />
Or you can have basic in-memory authentication (instead of, or as well as):
<security:authentication-manager>
    <security:authentication-provider user-service-ref="userService">
    </security:authentication-provider>
    <security:authentication-provider user-service-ref="customAdmin">
    </security:authentication-provider>
</security:authentication-manager>
<security:user-service id="customAdmin">
    <security:user name="yourUserName" password="yourPassword" authorities="ROLE_USER, ROLE_ADMIN" />
    <security:user name="yourOtherUserName" password="yourOtherPassword" authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
The official Spring docs are always the best place to read, imho.
Write your own org.springframework.security.authentication.AuthenticationProvider, create the bean and provide a reference to your authentication manager:
<authentication-manager>
    <authentication-provider ref="com.example.CustomAuthenticationProvider"/>
</authentication-manager>
Alternatively you can just supply usernames and passwords with their relevant authorities (I use this when mocking):
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="test" password="test" authorities="ROLE_AUTHENTICATED" />
        </user-service>
    </authentication-provider>
</authentication-manager>
