I'm implementing a REST service with Apache CXF and trying to use spring-security for authentication and authorization.
Embedded Jetty has been used as the container thus not using a web.xml.
How can I initialize spring-security filter chain with Apache CXF without using a web.xml?
If you use Servlet API 3.1 you can implement AbstractSecurityWebApplicationInitializer, see Spring Security Reference:
import org.springframework.security.web.context.*;
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}
This would simply only register the springSecurityFilterChain Filter for every URL in your application.
Related
I wanted to try the new SAML2 Metadata endpoint in Spring Security 5.4.0-RC1 (with Spring Boot 2.3.2) but accessing /saml2/service-provider-metadata/{registrationId} returns 404.
I had to add the filter myself, like this:
#Bean
public Saml2MetadataFilter saml2MetadataFilter(RelyingPartyRegistrationRepository repository) {
return new Saml2MetadataFilter(new DefaultRelyingPartyRegistrationResolver(repository), new OpenSamlMetadataResolver());
}
Then the metadata endpoint works as expected.
Is this by design or is there a missing configuration on my part or in Spring Security?
I searched for Saml2MetadataFilter in the spring security repository on GitHub but only found it in a test.
Answering my own question: The Spring Security SAML2 documentation is now updated with instructions on how to enable the metadata endpoint.
https://docs.spring.io/spring-security/site/docs/5.4.0/reference/html5/#servlet-saml2login-metadata
This instruction make sure Saml2MetadataFilter is added before the Saml2WebSsoAuthenticationFilter so it's always publicly accessible.
I have an existing application which is using the embedded jetty. Right now jetty has only one WebappContext and serving the files from a directory and also it has web.xml (which has spring security configuration in it)
Now I need to serve some static files using a new war.
What is the easy way to configure existing webappcontext to add a new resource base?
If I add new webappcontext how I can tell jetty to use existing web.xml and spring security?
The serving of static files is just the role of the DefaultServlet
See prior answer about that ...
https://stackoverflow.com/a/20223103/775715
As for the existing web.xml and spring security question, the WebAppContext's are, by design, and by the nature of the servlet spec, isolated from each other.
If you want a single spring security configuration that applies for both webapps, you'll need to setup/install CAS.
I require a stateful Web Service and I got it working so far using #HttpSessionScope. The service runs in a Servlet provided by the OSGi HttpService. This servlet is created by some Builder service in my OSGi environment. This builder has some services that need to be injected into my Web Service when it gets instantiated. I know that we have the #Inject and the #Resource annotations for this purpose, but I cannot find a way to add my external object to Glassfish Metro so that those objects get injected into my services.
Have a look to this example:
#HttpSessionScope
#WebService
public class AImpl implements A {
#Inject
private ADelegated delegated;
...
}
How can I declare an object of ADelegated to be injected into this Web Service? Is there some sort of ResourceInjector in Glassfish Metro that allows me to register an object for injection?
I currently have a spring mvc application which I'm trying to add spring security to. However, I can't use the #PreAuthorize annotation without getting the following error:
Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: org/springframework/cglib/transform/impl/MemorySafeUndeclaredThrowableStrategy
I'm currently using Spring Version 4.1.0 and Spring Security 3.2.5, which according to spring's documentation and other posts on here should work fine.
There's also a sample on their github which appears to be using the same versions without issue.
Any ideas?
The PreAuthorize tag has been added to a Controller, cglib is in the classpath, yet still the same error message. Any ideas?
Turns out it was version issues. Spring Security is currently at 3.2.5.Release, which I was using, but Spring was at 4.1.0.
As of 4.0.2, some of the cglib classes have been removed. The solution was to go down to 4.0.1 in Spring, or use the 4.0.0.M2 milestone release for spring security.
#PreAuthorize is implemented via AOP. If the method on which you put the annotation are not declared in an interface implemented by the class, Spring cannot use the default of JDK proxy, but uses CGLIB to proxy classes.
The error suggests you use class proxying, but do not have CGLIB in classpath.
Two ways to fix it :
add CGLIB to classpath
make your class implements an interface
BTW, you say you added #PreAuthorize to a RestController. #PreAuthorize annotation is more frequent in service layer. Normally, you use URL based authorization for what could exists in controller. The best way to fix the problem could be to move the #PreAuthorize annotation to the service class that should already be wired as an interface.
I have been trying to switch from XML configuration to Java configuration for Spring Web Services. The only element I can't seem to do is the marshallers.
The XML line:
annotation-driven marshaller="xmlBeansMarshaller" unmarshaller="xmlBeansMarshaller"
should be replaced with the Java class annotations:
#EnableWs
#Configuration,
but I can't seem to find how to setup the marshallers in code.
Any ideas?
Thanks
Marshallers can just be registered by using a regular #Bean definition. For instance, consider this sample app configuration.