I have configured Spring security 4.2.3 in jsf 2.0.1 successfully in a Mavennised project. I also, added Spring security taglib as a dependency but <sec:authorize access="hasRole('ROLE_ADMIN')"> is not functioning as expected.
security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans" xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd">
<http auto-config="true"><intercept-url pattern="/" access="permitAll" /><intercept-url pattern="/home" access="permitAll" /><intercept-url pattern="/secured**" access="hasRole('ADMIN')" /><intercept-url pattern="/dba**" access="hasRole('ADMIN') and hasRole('DBA')" /><form-login login-page="/login" username-parameter="ssoId" password-parameter="password" authentication-failure-url="/unsecured" /></http> <authentication-manager><authentication-provider><user-service><user name="bill" password="abc123" authorities="ROLE_USER" /><user name="admin" password="root123" authorities="ROLE_ADMIN" /><user name="dba" password="root123" authorities="ROLE_ADMIN,ROLE_DBA" /></user-service></authentication-provider></authentication-manager>
</beans:beans>
web.xml:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
<context-param> <param-name>javax.faces.DISABLE_FACELET_JSF_VIEWHANDLER</param-name> <param-value>true</param-value> </context-param>
<context-param><param-name>javax.faces.STATE_SAVING_METHOD</param-name><param-value>client</param-value></context-param>
<context-param><param-name>contextConfigLocation</param-name><param-value>classpath*:META-INF/spring/app*.xml</param-value></context-param>
<context-param><param-name>com.sun.faces.injectionProvider</param-name><param-value>com.sun.faces.vendor.WebContainerInjectionProvider</param-value></context-param>
<listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener>
<context-param><param-name>contextConfigLocation</param-name><param-value>/WEB-INF/spring/*.xml</param-value></context-param>
<filter><filter-name>springSecurityFilterChain</filter-name><filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class></filter>
<filter-mapping><filter-name>springSecurityFilterChain</filter-name><url-pattern>/*</url-pattern></filter-mapping>
<listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener>
<servlet><servlet-name>Faces Servlet</servlet-name><servlet-class>javax.faces.webapp.FacesServlet</servlet-class><load-on-startup>1</load-on-startup></servlet>
<servlet-mapping><servlet-name>Faces Servlet</servlet-name><url-pattern>*.jsf</url-pattern></servlet-mapping>
<servlet-mapping><servlet-name>Faces Servlet</servlet-name><url-pattern>*.faces</url-pattern></servlet-mapping>
<filter><display-name>RichFaces Filter</display-name><filter-name>richfaces</filter-name><filter-class>org.ajax4jsf.Filter</filter-class></filter>
<filter-mapping><filter-name>richfaces</filter-name><servlet-name>Faces Servlet</servlet-name><dispatcher>REQUEST</dispatcher><dispatcher>FORWARD</dispatcher><dispatcher>INCLUDE</dispatcher></filter-mapping>
<welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list> <session-config><session-timeout>-1</session-timeout></session-config>
</web-app>
pom.xml dependencies:
<!-- START: Spring Security JARS -->
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-web</artifactId><version>${springsecurity.version}</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-config</artifactId><version>${springsecurity.version}</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-taglibs</artifactId><version>4.2.3.RELEASE</version>dependency>
Hi i am getting below default message every time instead of my custom message.
Your login attempt was not successful, try again.
Reason: Bad credentials
My web.xml is below
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml
/WEB-INF/spring/spring-security.xml
</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
My servlet-context.xml is
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
<!-- Enables the Spring MVC #Controller programming model -->
<!-- <annotation-driven /> -->
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<!-- <resources mapping="/resources/**" location="/resources/" /> -->
<!-- Resolves views selected for rendering by #Controllers to .jsp resources in the /WEB-INF/views directory -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
</bean>
<context:component-scan base-package="com.sandeep.customerrormsg" />
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames">
<list>
<value>classpath:mymessages</value>
</list>
</property>
</bean>
</beans>
and spring-security.xml is
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="true">
<intercept-url pattern="/welcome*" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/welcome" authentication-failure-url="/loginfailed"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="sandy" password="123456" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
I'm trying to use spring security 4 with ldap. it works fine for the LDAP who as the basic authentication system. If I try to connect to a system that uses GSS no longer works. I think it is normal and should be specified using GSS somewhere. But where?
Below is the xml file security
<?xml version="1.0" encoding="UTF-8"?>
<beans:bean xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.1.xsd
">
<!-- This is where we configure Spring-Security -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="isAuthenticated()" />
<intercept-url pattern="/user**" access="hasAuthority('1')" />
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/planning"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"
authentication-success-handler-ref="customLdapAuthenticationSuccessHandler"
/>
<logout logout-url="/logout" logout-success-url="/login?logout" />
</http>
<ldap-server url="ldap://192.168.2.100/DC=ciro,DC=local,DC=it?one?(objectClass=*)" manager-dn="cn=Administrator,dc=web-gate,dc=local,dc=it" manager-password="PLAIN PWD" />
<authentication-manager>
<ldap-authentication-provider
group-search-base="ou=groups">
</ldap-authentication-provider>
</authentication-manager>
</beans:bean>
Spring LDAP has never supported the GSSAPI SASL mechanism. Luckily, you can use my library to do that with Spring LDAP. The configuration is straight forward.
I have spring basic authentication working on tomcat.
When I loaded the application on WebLogic 12c it suddenly stopped working, some research suggested I put <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials> in the config.xml file of the domain to stop WebLogic intercepting the AUTHENTICATE header.
It now works if I access via the ip address
//basic spring authentication works
http://123.456.789.111/mycontext
but not via localhost
//can no longer login to the application
http://localhost/mycontext
Does anyone know how I can fix this?
UPDATE - spring security configuration
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/resources/**" security="none"/>
<http pattern="/404" security="none"/>
<http auto-config="true">
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/logout" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/endpoints/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<logout logout-success-url="/logout"/>
<form-login
login-page="/login"
authentication-failure-url="/login?login_error=1"
default-target-url="/dashboard"
always-use-default-target='true'/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="test" password="pass" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
I am working on Mule CE and need to implement token based security (preferably) using Oauth2. I have configured the authorization-server and I do see the default mappings in the log file, however when I send message on "/oauth/token" nothing happens.
Similar config of OAuth2 works fine with Spring/Tomcat when deployed as standalone Spring web service application on Tomcat.
Here is my Mule config:
<mule xmlns:mulexml="http://www.mulesoft.org/schema/mule/xml"
xmlns:https="http://www.mulesoft.org/schema/mule/https" xmlns:jersey="http://www.mulesoft.org/schema/mule/jersey"
xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns="http://www.mulesoft.org/schema/mule/core"
xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:vm="http://www.mulesource.org/schema/mule/vm/2.0"
xmlns:spring="http://www.springframework.org/schema/beans" version="CE-3.3.1"
xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context" xmlns:ss="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:pattern="http://www.mulesoft.org/schema/mule/pattern" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/xml http://www.mulesoft.org/schema/mule/xml/current/mule-xml.xsd
http://www.mulesoft.org/schema/mule/xml
http://www.mulesoft.org/schema/mule/xml/3.3/mule-xml.xsd
http://www.mulesoft.org/schema/mule/http
http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core
http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/https
http://www.mulesoft.org/schema/mule/https/current/mule-https.xsd
http://www.mulesoft.org/schema/mule/jersey
http://www.mulesoft.org/schema/mule/jersey/current/mule-jersey.xsd
http://www.mulesoft.org/schema/mule/spring-security
http://www.mulesoft.org/schema/mule/spring-security/3.3/mule-spring-security.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.mulesoft.org/schema/mule/pattern
http://www.mulesoft.org/schema/mule/pattern/3.3/mule-pattern.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd ">
<mule-ss:security-manager>
<mule-ss:delegate-security-provider
name="memory-provider" delegate-ref="authenticationManager" />
</mule-ss:security-manager>
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider ref="myAuthenticationProvider" />
</ss:authentication-manager>
<oauth:client-details-service id="clientDetailsService">
<oauth:client client-id="admin"
authorized-grant-types="password,authorization_code,refresh_token,implicit,client_credentials"
authorities="ROLE_USER, ROLE_TRUSTED_CLIENT" scope="read,write,trust"
access-token-validity="60" />
</oauth:client-details-service>
<oauth:authorization-server
client-details-service-ref="clientDetailsService" token-services-ref="tokenServices">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
</spring:beans>
<spring:beans>
<mvc:annotation-driven />
<spring:bean id="myAuthenticationProvider"
class="com.sachin.tech.security.MyUserAuthenticationProvider" />
<spring:bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<spring:property name="realmName" value="myCustomerAppRealm" />
</spring:bean>
<spring:bean id="oauth2AccessDeniedHandler"
class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />
<spring:bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<spring:property name="authenticationManager" ref="authenticationManager" />
</spring:bean>
<spring:bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
<spring:bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<spring:property name="tokenStore" ref="tokenStore" />
<spring:property name="supportRefreshToken" value="true" />
<spring:property name="accessTokenValiditySeconds"
value="60" />
</spring:bean>
</spring:beans>
<flow name="wsauthentication_2" doc:name="wsauthentication_2">
<http:inbound-endpoint exchange-pattern="request-response"
host="localhost" port="8098" doc:name="MyHTTPInbound2_2"
doc:description="wsauthentication_2 Desc">
</http:inbound-endpoint>
<echo-component doc:name="Echo" />
</flow>
</mule>
The mapping seems to be fine in logs:
13:48:01,789 DEBUG FrameworkEndpointHandlerMapping:125 - Looking for request mappings in application context: org.mule.config.spring.MuleApplicationContext#7fe3a7ec: startup date [Tue Apr 23 13:47:56 IST 2013]; root of context hierarchy
13:48:01,836 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/error],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint.handleError(javax.servlet.http.HttpServletRequest)
13:48:01,836 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/confirm_access],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint.getAccessConfirmation(java.util.Map<java.lang.String, java.lang.Object>) throws java.lang.Exception
13:48:01,851 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/authorize],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map<java.lang.String, java.lang.Object>,java.lang.String,java.util.Map<java.lang.String, java.lang.String>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)
13:48:01,851 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/authorize],methods=[POST],params=[user_oauth_approval],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.View org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny(java.util.Map<java.lang.String, java.lang.String>,java.util.Map<java.lang.String, ?>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)
13:48:01,851 INFO FrameworkEndpointHandlerMapping:197 - Mapped "{[/oauth/token],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.lang.String,java.util.Map<java.lang.String, java.lang.String>)
Please help.
I don't think Sprint OAuth can actually work outside of a Java web container.
For Mule EE, you can use the OAuth2 provider from the Enterprise Security package.
For Mule CE, you could try to run an embedded Jetty container and use Mule's Servlet endpoints behind it. That should provide an environment in which Spring OAuth could work. See the Bookstore example, provided with the Mule distribution, for inspiration.