When attempting to add spring-session to an existing Spring MVC project with spring-security, I get the following behavior (EDIT: with tomcat's session-timeout set to 1 minute for testing):
With the springSessionRepositoryFilter filter in web.xml commented-out, I am correctly booted to the login screen after a minute of inactivity
With the springSessionRepositoryFilter filter in web.xml active, I can continue to use the app at least 5 minutes after the last activity
Besides that, everything seems to work as expected - the session is persisted in redis & across webapp restarts, and logging out manually correctly invalidates the session.
Some snippets of my configuration - here is the invalid session handler configuration for spring-security, that will cause expired sessions to be redirected to a login page:
...
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository">
<beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
</beans:constructor-arg>
<beans:property name="invalidSessionStrategy">
<beans:bean class="my.CustomInvalidSessionStrategy"/>
</beans:property>
</beans:bean>
...
<http>
...
<custom-filter position="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter"/>
...
<logout delete-cookies="true" invalidate-session="true" logout-url="/signout.html" success-handler-ref="logoutSuccessHandler"/>
</http>
The web.xml 's filter chain looks like:
<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
And (one of) the spring context files loaded contains:
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>
<bean class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory"/>
Hopefully I'm just missing something really obvious!
Edit: The versions I used for the attempt was spring-security-4.0.4.RELEASE and spring-session-1.1.1.RELEASE
When using Redis session timeout is configured like this:
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration">
<property name="maxInactiveIntervalInSeconds" value="10"></property>
</bean>
Related
We recently started integrating spring-session in our project. This is a SOA based application and have some logic implementations to manage sessions.
HttpSessionListener which we use to log out the sessions in case of timeout and monitored through sessionDestroyed(HttpSessionEvent httpSessionEvent).
ServletRequestListener which we use to manage HTTP session invalidations. This is implemented in requestDestroyed(ServletRequestEvent servletRequestEvent) method.
For item #1, I found an article here, which describes the use of SessionEventHttpSessionListenerAdapter as supported by Spring Session. And have this configuration added in my session.xml.
<context:annotation-config/>
<bean class="org.springframework.session.hazelcast.config.annotation.web.http.HazelcastHttpSessionConfiguration"/>
<bean class="org.springframework.session.web.http.SessionEventHttpSessionListenerAdapter">
<constructor-arg>
<list>
<bean class="xxx.xxx.xxx.xxx.xxx.xxx.MyHttpSessionListener"/>
</list>
</constructor-arg>
</bean>
Also added below configuration in my deployment descriptor (e.g. web.xml)
<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
After some debugging, I have noticed that my HttpSessionListener is using the session provided by spring session.
However, for item #2, using ServletRequestListener implementation, I could not find a way to migrate it to spring session. It is still using the session provided by the container.
Is there a corresponding adapter, like SessionEventHttpSessionListenerAdapter, intended for ServletRequestListener? Is this supported by Spring Session? What other options do I have to get our functionality working with spring session?
I ended up using custom Filter to manage HTTP session invalidation. Modified the web.xml with the following entries in sequence:
(a) Register springSessionRepositoryFilter
<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
(b) Add requestContextFilter
<filter>
<filter-name>requestContextFilter</filter-name>
<filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>requestContextFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
(c) Add custom filter
<filter>
<filter-name>myCustomServletRequestFilter</filter-name>
<filter-class>com.xxx.xxx.xxx.servlet.filter.MyCustomServletRequestFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>myCustomServletRequestFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
(d) Load spring session context
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:application-context.xml</param-value>
</context-param>
All HTTP requests are now using spring session.
I am learning and need to configure siteminder SSO with Spring Security. I followed some blog and wrote my code as fllowing. Plz help to resolove: "No bean named 'springSecurityFilterChain' is defined" error. Here is my code:
web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>WEB-INF/conf/Security-config.xml</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
Security-config.xml
<security:http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint">
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="SM_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="customUserDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
<bean id="customUserDetailsService" class="com.cno.cnofdw.security.CustomUserDetailsService"></bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"></bean>
Placed Security-config.xml under WEB-INF/conf/
Even I tried importing in applicationContext.xml. but no use.
Can anybody help me to resolve this problem and if possible please suggest any blog to configure spring with siteminder signle sign on?
Your missing "/" in path. It should be:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/conf/Security-config.xml
</param-value>
</context-param>
thank you all who spent time to answer my question. I have placed contextClass in my web.xml and I have commented it and got resolved.
contextClass
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
i have a problem with spring-security configuration..
I'm working with spring 3.2.3 release, and i have the following spring-security.xml:
<http pattern="/login*" security="none"/>
<http auto-config="true">
<intercept-url method="GET" pattern='/**' access='ROLE_ADMIN' />
<form-login login-page="/login.ctx" default-target-url="/private/home.ctx" authentication-failure-url="/loginfailure.ctx" />
<logout invalidate-session="true" logout-success-url="/logout.ctx" />
</http>
The login autenticathe work fine, but if i call a service without authentication, the security allow to retrieve data, is not what I expected!
Example:
1 - Run the application on Jboss
2 - invoke this url: http://localhost:8080/ContextPanel/application/1 (this call a web services)
The url at point 2, invoke a service and return the required data, but the autentication at the application is not be performed!!
I would avoid this behavior!!
This is a snippet of web.xml:
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Does anybody have the Spring Security sample PreAuthentication Filter for WebSphere working (WebSpherePreAuthenticatedProcessingFilter)? There is very little documentation on it and I just can't seem to nail it. I'm looking for someone who has it working and might be willing to provide examples of your configuration. Ideally for Spring 3.1 and WAS 7 or 8.
I have a configuration in place that seems like it's "kind of" working. I can authenticate with WebSphere and then hit a URL in my app, but the browser returns this message:
Error 500: java.lang.RuntimeException: Exception occured while looking up groups for user
I get an exception stack trace like this:
java.lang.RuntimeException: Error while invoking method java.lang.reflect.Method.getGroupsForUser([UNAUTHENTICATED])
at org.springframework.security.web.authentication.preauth.websphere.DefaultWASUsernameAndGroupsExtractor.invokeMethod(DefaultWASUsernameAndGroupsExtractor.java:147) [spring-security-web-3.1.3.RELEASE.jar:3.1.3.RELEASE]
at org.springframework.security.web.authentication.preauth.websphere.DefaultWASUsernameAndGroupsExtractor.getWebSphereGroups(DefaultWASUsernameAndGroupsExtractor.java:115) [spring-security-web-3.1.3.RELEASE.jar:3.1.3.RELEASE]
at org.springframework.security.web.authentication.preauth.websphere.DefaultWASUsernameAndGroupsExtractor.getWebSphereGroups(
...
Caused by: java.lang.reflect.InvocationTargetException: null
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) ~[na:1.6.0]
...
Caused by: com.ibm.websphere.security.EntryNotFoundException: null
at com.ibm.ws.wim.registry.util.MembershipBridge.getGroupsForUser(MembershipBridge.java:293) ~[com.ibm.ws.runtime.wim.core.jar:201207200704]
...
[12/28/12 14:05:15:879 CST] 00000055 LocalTranCoor E WLTC0017E: Resources rolled back due to setRollbackOnly() being called.
[12/28/12 14:05:15:879 CST] 00000055 webapp E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[ServletNameNotFound]: java.lang.RuntimeException: Exception occured while looking up groups for user
at org.springframework.security.web.authentication.preauth.websphere.DefaultWASUsernameAndGroupsExtractor.getWebSphereGroups(DefaultWASUsernameAndGroupsExtractor.java:123)
at org.springframework.security.web.authentication.preauth.websphere.DefaultWASUsernameAndGroupsExtractor.getWebSphereGroups(DefaultWASUsernameAndGroupsExtractor.java:94)
...
My web.xml file is as follows:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath*:/applicationContext-jcr.xml,
classpath*:/applicationContext-security.xml
</param-value>
</context-param>
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>filterChainProxy</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!--
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
-->
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
<filter-mapping>
<filter-name>filterChainProxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- ====================================================================== -->
<!-- S E R V L E T S -->
<!-- ====================================================================== -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>ViewStatusMessages</servlet-name>
<servlet-class>ch.qos.logback.classic.ViewStatusMessagesServlet</servlet-class>
</servlet>
<!-- ====================================================================== -->
<!-- S E R V L E T M A P P I N G S -->
<!-- ====================================================================== -->
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ViewStatusMessages</servlet-name>
<url-pattern>/lbClassicStatus</url-pattern>
</servlet-mapping>
<!-- ====================================================================== -->
<!-- W E L C O M E F I L E S -->
<!-- ====================================================================== -->
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<!-- Use if configuring for JNDI Datasource on J2EE Server -->
<resource-ref id="ResourceRef_LDP_Datasource">
<description>Resource reference to the LDP datasource.</description>
<!-- DB2 -->
<res-ref-name>jdbc/ldpdbDS</res-ref-name>
<!-- MS SQL -->
<!--
<res-ref-name>jdbc/ldpdbMSSQLDS</res-ref-name>
-->
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
<!--
security-constraint reference:
http://s170.codeinspot.com/q/3419721
OK, I figured this out. The problem is that even though I had J2EE security setup in Websphere and was authenticated,
my web.xml contained no security constraints. Because of this, Websphere was not supplying the principal for my requests.
This is apparently an intentional feature. If you are not accessing a protected URL, you should not need the pre-authentication information.
To overcome this, I added a security constraint to my web.xml, which allowed ALL users to access the resources.
Effectively, the resources were not secured, but still - there was a constraint now.
This tricks the Websphere into filling in the user principal information in the request.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>All areas</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
My Spring security context XML file is as follows:
<!--
<sec:http use-expressions="true">
<sec:intercept-url pattern="/**" access="denyAll" />
<sec:form-login />
</sec:http>
-->
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<sec:filter-chain-map path-type="ant">
<!--
<sec:filter-chain pattern="/**" filters="sif,webspherePreAuthFilter,logoutFilter,etf,fsi"/>
-->
<sec:filter-chain pattern="/**" filters="webspherePreAuthFilter,logoutFilter,etf,fsi"/>
</sec:filter-chain-map>
</bean>
<!--
<bean id="sif" class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>
<bean id="sif" class="org.springframework.security.web.context.SecurityContextIntegrationFilter"/>
-->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="preAuthenticatedAuthenticationProvider"/>
</sec:authentication-manager>
<bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
</bean>
<bean id="preAuthenticatedUserDetailsService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
<!--
This AbstractPreAuthenticatedProcessingFilter implementation is based on WebSphere authentication.
It will use the WebSphere RunAs user principal name as the pre-authenticated principal.
-->
<bean id="webspherePreAuthFilter" class="org.springframework.security.web.authentication.preauth.websphere.WebSpherePreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
</bean>
<bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/"/>
<constructor-arg>
<list>
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</list>
</constructor-arg>
</bean>
<!--
This AuthenticationDetailsSource implementation will set the pre-authenticated granted authorities based on the WebSphere
groups for the current WebSphere user, mapped using the configured Attributes2GrantedAuthoritiesMapper.
This AuthenticationDetailsSource implementation, when configured with a MutableGrantedAuthoritiesContainer,
will set the pre-authenticated granted authorities based on the WebSphere groups for the current WebSphere user,
mapped using the configured Attributes2GrantedAuthoritiesMapper.
By default, this class is configured to build instances of the PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails class.
-->
<bean id="authenticationDetailsSource" class="org.springframework.security.web.authentication.preauth.websphere.WebSpherePreAuthenticatedWebAuthenticationDetailsSource">
<property name="webSphereGroups2GrantedAuthoritiesMapper" ref="websphereUserGroups2GrantedAuthoritiesMapper"/>
</bean>
<bean id="websphereUserGroups2GrantedAuthoritiesMapper" class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
<property name="convertAttributeToUpperCase" value="true"/>
</bean>
<bean id="webXmlResource" class="org.springframework.web.context.support.ServletContextResource">
<constructor-arg ref="servletContext"/>
<constructor-arg value="/WEB-INF/web.xml"/>
</bean>
<bean id="servletContext" class="org.springframework.web.context.support.ServletContextFactoryBean"/>
<bean id="etf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="preAuthenticatedProcessingFilterEntryPoint"/>
</bean>
<bean id="httpRequestAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false"/>
<property name="decisionVoters">
<list>
<ref bean="roleVoter"/>
</list>
</property>
</bean>
<!-- See: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-web-filters.html -->
<bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="securityMetadataSource">
<sec:filter-security-metadata-source>
<sec:intercept-url pattern="/**" access="ROLE_LDP_ADMINS"/>
</sec:filter-security-metadata-source>
</property>
</bean>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>
<!--
Simply put, the filter wraps the current httprequest with one that delegates request.isUserInRole() and request.getRemoteUser() to acegi.
<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
<property name="wrapperClass" value="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper"/>
</bean>
-->
I don't have a working config but a piece of advice
enable Spring Security debug logging
debug as closely as possibly into MembershipBridge.getGroupsForUser, I have a feeling the username passed to it is null
Based on my gut feeling I suspect the name of the pre-authenticated user is not being passed on. I remember vaguely that I had this a few years ago - need to dig up that code.
For some reason WebSphere doesn't require authentication for resources with the following constraint definition and the pre-authentication doesn't happen:
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
It fails in the later stage when it tries to determine groups for an unknown principal.
I protected the resource with a default group Users and mapped all users to it:
<security-constraint>
<web-resource-collection>
<web-resource-name>AuthTest</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>User</role-name>
</security-role>
It is sort of a workaround because I don't want this role and manage its members but it is all I have for now.
I am somewhat new to spring security and I am trying to migrate an existing application from security 2.0.4 to 3.1 and I am getting the following error message:
org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'org.springframework.security.authentication.dao.DaoAuthenticationProvider#0': Initialization of bean failed;
nested exception is org.springframework.beans.ConversionNotSupportedException:
Failed to convert property value of type org.springframework.security.authentication.dao.DaoAuthenticationProvider'
to required type 'org.springframework.security.core.userdetails.UserDetailsService' for property 'userDetailsService';
nested exception is java.lang.IllegalStateException: Cannot convert value of type [org.springframework.security.authentication.dao.DaoAuthenticationProvider]
to required type [org.springframework.security.core.userdetails.UserDetailsService]
for property 'userDetailsService': no matching editors or conversion strategy found
I feel like I am missing something obvious but I can't for the life of me see it.
This is my applicationContextSecurity.xml file
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">
<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="employeeServiceFacade"/>
<beans:property name="passwordEncoder" ref="passwordEncoderDecoder"/>
<beans:property name="hideUserNotFoundExceptions" value="false" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="daoAuthenticationProvider"/>
</authentication-manager>
<global-method-security secured-annotations="disabled"/>
<beans:bean id="customAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.action"/>
</beans:bean>
<beans:bean id="customAuthenticationProcessingFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="allowSessionCreation" value="true" />
<beans:property name="sessionAuthenticationStrategy" ref="sas"/>
</beans:bean>
<beans:bean id="successHandler" class="com.es.tms.web.security.RoleBasedTargetUrlResolver" >
<beans:property name="defaultTargetUrl" value="/timesheet/searchTimeEntries.action" /> <!-- which is the default value -->
<beans:property name="roleNameToUrlMap">
<util:map>
<beans:entry key="ROLE_ASSISTANT" value="/billing/viewBillings.action"/>
<beans:entry key="ROLE_BILLING" value="/expenses/viewToAPApproveExpenses.action"/>
<beans:entry key="ROLE_PAYROLL" value="/payroll/viewPayroll.action"/>
<beans:entry key="ROLE_OFFICEASSISTANTEXPENSES" value="/expenses/searchExpenseEntries.action"/>
<beans:entry key="ROLE_ADMIN_LEVEL1" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_ADMIN" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_ADMIN_ASSISTANT" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_ACCOUNT_MANAGER" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_HR" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_RECRUITER_MANAGER" value="/administration/searchEmployees.action"/>
</util:map>
</beans:property>
<beans:constructor-arg ref="defaultTargetUrlResolver" />
</beans:bean>
<beans:bean id="defaultTargetUrlResolver" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler" />
<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" >
<beans:property name="defaultFailureUrl" value="/login.action?login_error=true" />
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<beans:property name="migrateSessionAttributes" value="true" />
</beans:bean>
<!-- Non Secured patterns -->
<http security="none" pattern="/images/**" />
<http security="none" pattern="/styles/**" />
<http security="none" pattern="/scripts/**" />
<http security="none" pattern="/common/**" />
<http auto-config="false" entry-point-ref="customAuthenticationEntryPoint" access-denied-page="/forbidden.jsp">
<custom-filter position="FORM_LOGIN_FILTER" ref="customAuthenticationProcessingFilter" />
<!-- SECURITY URLs -->
<intercept-url pattern="/login.action*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/index.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/error*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<logout logout-success-url="/login.action"/>
<anonymous username="Guest" granted-authority="ROLE_ANONYMOUS"/>
<remember-me/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="employeeServiceFacade">
<password-encoder ref="passwordEncoderDecoder"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="passwordEncoderDecoder" class="com.es.tms.util.CustomPasswordEncoder"/>
<beans:bean id="employeeServiceFacade" class="com.es.tms.service.security.EmployeeServiceFacade">
<beans:property name="coreService" ref="coreService"/>
<beans:property name="hireStatusCodes" value="O:SOP's have not been completed#P:Survey has not been completed" />
</beans:bean>
</beans:beans>
Also this is my web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="stanplus" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>TMS</display-name>
<!-- Define the basename for a resource bundle for I18N -->
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>app_resources</param-value>
</context-param>
<!-- Fallback locale if no bundles found for browser's preferred locale -->
<!-- Force a single locale using param-name 'javax.servlet.jsp.jstl.fmt.locale' -->
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.fallbackLocale</param-name>
<param-value>en</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContextMail.xml
/WEB-INF/applicationContextDao.xml
/WEB-INF/applicationContextService.xml
/WEB-INF/applicationContextWeb.xml
/WEB-INF/applicationContextReports.xml
/WEB-INF/applicationContextQuartz.xml
/WEB-INF/applicationContextSecurity.xml
</param-value>
</context-param>
<!-- Filters -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>sitemesh</filter-name>
<filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
</filter>
<filter>
<filter-name>struts-cleanup</filter-name>
<filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
</filter>
<filter>
<filter-name>struts</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter>
<filter-name>lazyLoadingFilter</filter-name>
<filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>lazyLoadingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts-cleanup</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>struts</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<!-- Listeners -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>net.sf.navigator.menu.MenuContextListener</listener-class>
</listener>
<!-- Servlets -->
<servlet>
<servlet-name>jspSupportServlet</servlet-name>
<servlet-class>org.apache.struts2.views.JspSupportServlet</servlet-class>
<load-on-startup>5</load-on-startup>
</servlet>
<!-- Welcome file lists -->
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.jsp</location>
</error-page>
</web-app>
Any help would be much appreciated.
Thanks,
Steve
Update:
Ok I looked at this example and I did see that I had my authentication manager incorrect. So I fixed that but now I can't' seem to get by this error:
org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'daoAuthenticationProvider'
defined in ServletContext resource [/WEB-INF/applicationContextSecurity.xml]:
Cannot resolve reference to bean 'employeeServiceFacade' while setting bean property 'userDetailsService';
nested exception is org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'employeeServiceFacade'
defined in ServletContext resource [/WEB-INF/applicationContextSecurity.xml]:
Initialization of bean failed; nested exception is
org.springframework.beans.factory.BeanInitializationException:
Property 'coreService' is required for bean 'employeeServiceFacade'
I have not changed my coreServie in this upgrade but it almost looks like it has not been initialized? Any thoughts?
My coreService is set in the applicationContextService.xml file.
I have an applicationContextService.xml file that contains this bean. When I walk through it at startup in debug I see that the service is initialized, but for some reason still thinks it is not set. I took the #Required annotation off of the coreService in the EmployeeServiceFacade class and now it seems to be working. Don't understand why but I can at least run my app now. Thanks for the responses it at least got me looking in the right direction.