I can't find a mechanism in spring-rabbitMQ to use CachingConnectionFactory with SSL using RabbitConnectionFactoryBean . what is the best way to provide SSL support for CachingConnectionFactory preferably using XML.
Simply wrap the results from the factory bean in a CachingConnectionFactory...
<bean id="rabbitFactory" class="org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean">
...
</bean>
<rabbit:connection-factory id="connectionFactory" connection-factory="rabbitFactory" host="localhost" />
The <rabbit/> namespace creates a CachingConnectionFactory or you can declare it as a <bean/> and inject the rabbit factory with a <constructor-arg/>.
Related
I am using Spring SAML to implement single sign on in my application. Evreything is integrated and works properly from SSO perspective.
Another service of my application which also uses HTTP client post via Axis started failing with the following error
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
I have looked into the answer provided the link
Spring Security SAML + HTTPS to another page and follow the same but to no avail.
Below is the configuration for TLSProtocolSocketFactory
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetClass" value="org.apache.commons.httpclient.protocol.Protocol"/>
<property name="targetMethod" value="registerProtocol"/>
<property name="arguments">
<list>
<value>https</value>
<bean class="org.apache.commons.httpclient.protocol.Protocol">
<constructor-arg value="https"/>
<constructor-arg>
<bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory">
<constructor-arg ref="keyManager"/>
<constructor-arg><null/></constructor-arg>
<constructor-arg value="allowAll"/>
</bean>
</constructor-arg>
<constructor-arg value="443"/>
</bean>
</list>
</property>
</bean>
I have imported the cert of the other service in samlKeystore.jks as well.
Any help in the issue will be apreciated
I think this may be what you're looking for: Source
You are using bean TLSProtocolConfigurer which changes trusted certificates and hostname verification of the HTTPS protocol in the HTTP Client. You can revert behaviour of the HTTP Client back to defaults by removing this bean. You will then need to make sure that certificates used by entities from which you load metadata (https://idp.ssocircle.com/idp-meta.xml) are trusted in your cacerts, or use an endpoints without https (http://idp.ssocircle.com/idp-meta.xml).
Alternatively, you can disable hostname verification by setting property sslHostnameVerification to allowAll on bean TLSProtocolConfigurer. You will also need to make sure that the HTTPS certificate of https://www.somepage.com (or its CA) is included in the samlKeystore.jks (see Spring SAML manual).
You can find more details on the TLSProtocolConfigurer bean in the Spring SAML manual, chapter HTTP-based metadata provider with SSL.
The issue is in checkNames() function of PKIXX509CredentialTrustEngine where we are checking the trustedNames collection only for null instead of "null or Empty".Even though we are passing the value for trustedNames as null in TLSProtocolSocketFactory's getPKIXResolver() method to create StaticPKIXValidationInformatonResolver, the constructor of this class reinitialized the trustedNames collection to an empty collection.Changing the line from if(trustedNames == null) to if(trustedNames == null || trustedNames.isEmpty()) fixed the problem for me.
I'm trying to set up WebSockets with spring-messaging using stomp, and using redis-backed sessions with spring-session. Our application context is wired via xml, and spring-session is working with the non-websocket portion of the application. The relevant config for websocket is as follows
<websocket:message-broker application-destination-prefix="/streaming" >
<websocket:stomp-endpoint path="/data">
<websocket:sockjs session-cookie-needed="false" />
</websocket:stomp-endpoint>
<websocket:stomp-broker-relay prefix="/topic" relay-host="${jms_hostname}" relay-port="${jms_stomp_port}" />
<websocket:client-inbound-channel>
<websocket:interceptors>
<ref bean="sessionRepoMessageInterceptor"/>
<ref bean="authenticationValidationInterceptor" />
<ref bean="selectorValidationInterceptor" />
<ref bean="selectorQuotingInterceptor" /> <!-- comes after we have validated the selector, we now shim it so JMS understands it -->
</websocket:interceptors>
</websocket:client-inbound-channel>
</websocket:message-broker>
I have defined what I think are the necessary beans for spring-session's integration with web sockets here:
<bean id="redisSessionBackedWebsocketHandler" class="org.springframework.session.web.socket.server.">
</bean>
<bean id="sessionRepoMessageInterceptor" class="org.springframework.session.web.socket.server.SessionRepositoryMessageInterceptor">
</bean>
<bean id="webSocketRegistryListener" class="org.springframework.session.web.socket.handler.WebSocketRegistryListener">
</bean>
but I'm not sure where I would wire them in to the web socket configuration, and have not been able to find any doc on how to do it this way.
Thoughts?
The Spring Session WebSocket contains the config just only for the Java & Annotation variant.
And according to the Spring Session Docs the AbstractSessionWebSocketMessageBrokerConfigurer does the stuff for seamless integration between Spring Session and Spring WebSockets. However there we can see some paragraph, what it does:
To hook in the Spring Session support, we need to ensure ...
To be honest it isn't so easy to configure that stuff from XML.
Feel free to follow with the issue: https://github.com/spring-projects/spring-session/issues/101
Am trying to implement Section level security using Spring3.1. Using Thymeleaf2.0 for my view part. Here is the configuration i have made to do so,
Jars Used## - All spring3.1 jars and thymeleaf-extras-springsecurity3.jar (version 1.0.0.beta-1)
SpringWebFlow-Servlet.xml
<bean id="templateEngine" class="org.thymeleaf.spring3.SpringTemplateEngine">
...
<property name="additionalDialects">
<set>
<bean class="org.thymeleaf.extras.springsecurity3.dialect.SpringSecurityDialect"/>
</set>
</property>
...
</bean>
<bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
spring-security.xml
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/productSelection" access="hasRole('ROLE_ADMIN')"/>
.....
</http>
xxx.html
<div sec:authorize="hasRole('ROLE_ADMIN')">
This only be seen if authenticated user has role ROLE_ADMIN.
</div>
Issue
Getting an Exception stating :
No visible WebSecurityExpressionHandler instance could be found in the applicationContext
In Spring3.1, DefaultWebSecurityExpressionHandler doesn't implement WebSecurityExpressionHandler and the interface is deprecated. Please let me know the workaround as Thymeleaf is trying to search for the instance of WebSecurityExpressionHandler which is not available in ApplicationContext.
You'll need to define the bean in your application (root) context not in your servlet context.
<bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>
I had same problem moved it from servlet-context.xml to root-context.xml and the bean is picked up.
Depending on your spring setup it can be in another xml file so check your web.xml for the Spring context root.
In your case if spring-security.xml is imported in your Spring root context you can add it there.
The DefaultWebSecurityExpressionHandler class in Spring Security 3.1.0 does not implement the WebSecurityExpressionHandler interface, which was probably an ommission.
This was solved in Spring Security 3.1.1 and newer versions, so you just have to update your Spring Security dependencies.
This question is pretty old but for anybody who found there way here to complement Daniel's answer you can update your dependencies in your pom.xml by changing the following.
<properties>
...
<!-- <spring-security.version>3.1.0.RELEASE</spring-security.version> -->
<spring-security.version>3.1.1.RELEASE</spring-security.version>
</properties>
I blogged about this as well with some more information if anybody is interested
I'm using password-parameter (as below) to customize the name of the request parameter which contains the password. How to do the same with remember-me (default _spring_security_remember_me) ?
<security:form-login password-parameter="j_password_input" ... />
You have a few options which I have explained in further detail below
Use the Security Namespace with a BeanPostProcessor
Use the services-ref and configure RememberMeServices Manually
Use the Security Namespace with a BeanPostProcessor
The namespace does not have support for configuring the remember me parameter, but you can use a tip from the FAQ on how to still use the namespace support, but customise the result. The trick is to use a BeanPostProcessor to set the parameter field on AbstractRememberMeServices. You can find an example of this below:
public class MyBeanPostProcessor implements BeanPostProcessor {
public Object postProcessAfterInitialization(Object bean, String name) {
if (bean instanceof AbstractRememberMeServices) {
AbstractRememberMeServices rememberMe = (AbstractRememberMeServices) bean;
rememberMe.setParameter("myParamname");
}
return bean;
}
public Object postProcessBeforeInitialization(Object bean, String name) {
return bean;
}
}
Then you would need to use the namespace as you normally would and add MyBeanPostProcessor to your Spring configuration as shown below:
<security:http ..>
...
<security:remember-me/>
</security:http>
<bean class="sample.MyBeanPostProcessor"/>
Use the services-ref and configure RememberMeServices Manually
You can also use the services-ref attribute too, but this involves a little more configuration. For example, if you wanted you could use the following configuration:
<security:http ..>
...
<security:remember-me services-ref="rememberMeServices"/>
</security:http>
<bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<property name="key" value="mustMatchRememberMeAuthenticationProvidersKey"/>
<property name="parameter" value="myParamName"/>
<!-- You must refer to a bean that implements UserDetailsService
in this example the bean id is userDetailsService -->
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
As of Spring Security 3.2.x, you can set this with the remember-me-parameter parameter on the remember-me element.
How to protect database username and password in shared hosting enviornment using spring
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource" >
<property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
<property name="url"><value>jdbc:mysql:///BUSINESS</value></property>
<property name="username"><value>root</value></property>
<property name="password"><value>password</value></property>
</bean>
I am not aware of any Spring specific solution for this.
In a shared hosting environment one should make sure that file's aren't public readable so other users can't view the content of you’re files. In case of a shared application server, the app server should be in the same group, so only the application server gets access to you’re files.
An application should never use a MySql root password. You should create an MySql account with limited rights on a specific schema (for example an user that can only do DML statements and not DDL statements).
To keep the username/password out of a plain text file you could hardcode the configuration in a Java class (This is basicaly security through obscurity). Replacement configuration:
<bean id="dataSource"
class="my.app.CustomDriverManagerDataSource" >
<property name="driverClassName">
<value>com.mysql.jdbc.Driver</value>
</property>
</bean>
And add this class to you're class path
import org.springframework.jdbc.datasource.DriverManagerDataSource;
public class CustomDriverManagerDataSource extends DriverManagerDataSource {
public DriverManagerDataSource() {
super("jdbc:mysql:///BUSINESS","root","password");
}
}