I have a problem with Spring security, I try to redirect to login page when the user session was expired but it doesn't work. and I got this message when a user session was expired in my jsp page:
Etat HTTP 500 - Request processing failed; nested exception is java.lang.NullPointerException
type Rapport d''exception
message Request processing failed; nested exception is java.lang.NullPointerException
description Le serveur a rencontré une erreur interne qui l''a empêché de satisfaire la requête.
exception
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.NullPointerException
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:973)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:852)
javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)
javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
This is my spring-security.xml:
`
<security:access-denied-handler error-page="/403"/>
<security:session-management session-fixation-protection="none">
<security:concurrency-control expired-url="/login?login_error=2" />
</security:session-management>
<security:intercept-url pattern="/" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_RH')" />
<security:intercept-url pattern="/choix" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_RH')" />
<security:intercept-url pattern="/list" access="hasAnyRole('ROLE_ADMIN','ROLE_RH')" />
<security:intercept-url pattern="/listDemandeConge" access="hasRole('ROLE_USER','ROLE_RH','ROLE_ADMIN')" />
<security:intercept-url pattern="/addcategorie" access="hasRole('ROLE_ACHAT')" />
<security:form-login login-page="/login" login-processing-url="/login.do"
default-target-url="/" always-use-default-target="true"
username-parameter="username" password-parameter="password" authentication-failure-url="/login?error=1"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:password-encoder hash="md5"></security:password-encoder>
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select Login, Password, CASE ENABLED WHEN 'active' THEN 'true' ELSE 'false' END 'ENABLED' from Utilisateur where Login=?"
authorities-by-username-query="select us.Login, ur.Libelle_Profil from Utilisateur us, Profil ur
where us.id_utilisateur = ur.id_utilisateur and us.Login =? " />
</security:authentication-provider>
</security:authentication-manager>
`
Related
After updating spring security from 3.2.5 to 5.5.7 in keycloak implementation, on logout, it is redirecting to
sso/j_spring_security_logout and saying the page is not found.
spring security xml
<!-- Keycloak Security for UI -->
<security:http pattern="/sso/**" auto-config="false" use-expressions="true" entry-point-ref="keycloakAuthenticationEntryPoint" authentication-manager-ref="authenticationManagerKeycloak">
<security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
<security:intercept-url pattern="/sso/**" access="hasAuthority('ROLE_ADMIN')" />
<security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</security:http>
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg name="logoutSuccessUrl" value="/sso" />
<beans:constructor-arg name="handlers" >
<beans:list>
<beans:ref bean="keycloakLogoutHandler" />
<beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</beans:list>
</beans:constructor-arg>
<beans:property name="logoutRequestMatcher">
<beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<beans:constructor-arg name="pattern" value="/sso/j_spring_security_logout" />
<beans:constructor-arg name="httpMethod" value="POST" />
</beans:bean>
</beans:property>
</beans:bean>
I am writing my own filter chain to dynamically load user roles from database and filter the urls
application works fine when i properly login to the application using login page
but when i try to access some protected url that requires authentication instead of being redirected to the login page; i am getting a class cast exception.
debugging shows me that String "anonymousUser" is returned instead of my domain principal object :(
java.lang.ClassCastException: java.lang.String cannot be cast to com.mytech.myapp.model.MyAppUser at com.mytech.myapp.web.controller.helper.LeftMenuHelper.getManageLeftMenu(LeftMenuHelper.java:171) at com.mytech.myapp.web.controller.ManageController.setLeftTree(ManageController.java:1377) at com.mytech.myapp.web.controller.ManageController.renderManagePage(ManageController.java:379) at com.mytech.myapp.web.controller.ManageController.handleNoSuchRequestHandlingMethod(ManageController.java:371) at org.springframework.web.servlet.mvc.multiaction.MultiActionController.handleRequestInternal(MultiActionController.java:413) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:809) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501) at javax.servlet.http.HttpServlet.service(HttpServlet.java:621) at javax.servlet.http.HttpServlet.service(HttpServlet.java:722) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109) at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at
my security xml is as follows
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<b:bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/brands/**" filters="none" />
<sec:filter-chain pattern="/javascript/**" filters="none" />
<sec:filter-chain pattern="/index.html" filters="none" />
<sec:filter-chain pattern="/login.do" filters="none" />
<sec:filter-chain pattern="/forgotPassword.do" filters="none" />
<sec:filter-chain pattern="/ws/restapi/**" filters="none" />
<sec:filter-chain pattern="/**" filters="
httpSessionContextIntegrationFilter,
logoutFilter,
preAuthFilter,
authenticationProcessingFilter,
anonymousProcessingFilter,
filterSecurityInterceptor
"/>
</sec:filter-chain-map>
</b:bean>
<!--
-->
<b:bean id="anonymousProcessingFilter" class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
<b:property name="key" value="foobar" />
<b:property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
</b:bean>
<b:bean id="anonymousAuthenticationProvider" class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
<b:property name="key" value="foobar" />
</b:bean>
<b:bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
<sec:custom-filter position="SESSION_CONTEXT_INTEGRATION_FILTER"/>
</b:bean>
<b:bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
<b:constructor-arg value="/login.do?code=logout" />
<b:constructor-arg>
<b:list>
<b:ref bean="securityContextLogoutHandler" />
</b:list>
</b:constructor-arg>
<sec:custom-filter position="LOGOUT_FILTER"/>
</b:bean>
<b:bean id="securityContextLogoutHandler" class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
<b:bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<sec:custom-filter position="FILTER_SECURITY_INTERCEPTOR"/>
<b:property name="authenticationManager" ref="authenticationManagerAlias" />
<b:property name="accessDecisionManager" ref="accessDecisionManager" />
<b:property name="objectDefinitionSource" ref="MyAppRoleUrlFilterSource" />
</b:bean>
<b:bean id="MyAppRoleUrlFilterSource" class="com.softech.myapp.web.filter.MyAppRoleUrlFilterSource">
</b:bean>
<b:bean id="accessDecisionManager" class="org.springframework.security.vote.UnanimousBased">
<b:property name="decisionVoters" ref="roleVoter" />
</b:bean>
<b:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
<b:property name="rolePrefix" value="" />
</b:bean>
<b:bean id="preAuthFilter" class="com.softech.myapp.web.filter.MyAppRequestPreAuthFilter">
<sec:custom-filter position="PRE_AUTH_FILTER" />
<b:property name="principalRequestHeader" value="MYAPP_AUTH_USER_TOKEN" />
<b:property name="authenticationManager" ref="authenticationManagerAlias" />
<b:property name="authenticationDetailsSource" ref="userDetailsService"></b:property>
<b:property name="preAuthEntryUrl" value="/interceptor.do"></b:property>
<b:property name="listenFrom" value="*"></b:property>
</b:bean>
<b:bean id="preAuthProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
<sec:custom-authentication-provider />
<b:property name="preAuthenticatedUserDetailsService">
<b:bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
<b:property name="userDetailsService" ref="userDetailsService" />
</b:bean>
</b:property>
</b:bean>
<b:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<b:property name="loginFormUrl" value="/login.do"/>
<b:property name="forceHttps" value="false" />
</b:bean>
<sec:authentication-manager alias='authenticationManagerAlias'/>
<b:bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<b:property name="providers">
<b:list>
<b:ref local="secureDaoAuthenticationProvider"/>
<b:ref local="daoAuthenticationProvider"/>
</b:list>
</b:property>
</b:bean>
<b:bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
<sec:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
<b:property name="defaultTargetUrl" value="/interceptor.do"/>
<b:property name="authenticationFailureUrl" value="/login.do"/>
<b:property name="authenticationManager" ref="authenticationManagerAlias"/>
<b:property name="authenticationDetailsSource" ref="myAppUserAuthenticationDetailsSource"/>
<b:property name="alwaysUseDefaultTargetUrl" value="true"/>
</b:bean>
<!-- <authentication-provider user-service-ref="userDetailsService"/> -->
<!-- the SHA-1 password encoder -->
<b:bean id="secureDaoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
<b:property name="userDetailsService" ref="userDetailsService"/>
<b:property name="passwordEncoder" ref="passwordEncoder"/>
<b:property name="saltSource" ref="saltSource"/>
<sec:custom-authentication-provider/>
</b:bean>
<!-- Plain Text password encoder - the default -->
<b:bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
<b:property name="userDetailsService" ref="userDetailsService"/>
<sec:custom-authentication-provider/>
</b:bean>
<b:bean id="myAppUserAuthenticationDetailsSource" class="org.springframework.security.ui.WebAuthenticationDetailsSource">
<b:property name="clazz" value="com.softech.myapp.web.filter.MyAppUserAuthenticationDetails"/>
</b:bean>
<!-- Automatically receives AuthenticationEvent messages -->
<b:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
</b:beans>
"Redirected to the login page" feature depends on two filters:
FilterSecurityInterceptor - check security rules, throw AccessDeniedException
ExceptionTranslationFilter - catch AccessDeniedException and start authentication in a case of anonymous user
As I can see ExceptionTranslationFilter is absent in your conf. So please add it to your filter chain. The order is very important, it must be inserted before FilterSecurityInterceptor.
I'm trying to make spring authenticate users from my mysql database.
It's working fine for users in memory.
I followed every tutorial about this and still isn't working, I don't understand why, since it requires a very basic config.
My applicationContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http security="none" pattern="/javax.faces.resource/**" />
<http security="none" pattern="/static/**"/>
<http auto-config="true" use-expressions="true"
access-denied-page="/public/login.xhtml">
<intercept-url pattern="/public/**" access="permitAll"/>
<intercept-url pattern="/secure/adm.xhtml" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/secure/**" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/login.xhtml" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<form-login login-page="/public/login.xhtml"
authentication-failure-url="/public/login.xhtml?erro=true"
default-target-url="/secure/secure.xhtml"
username-parameter="usuario"
password-parameter="senha"
/> <!--login-processing-url-->
<logout/>
<session-management invalid-session-url="/timeout.jsp">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
</http>
<beans:bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource" >
<beans:property name="url" value="jdbc:mysql://localhost:3306/gde" />
<beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
<beans:property name="username" value="root" />
<beans:property name="password" value="" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="a" password="b" authorities="ROLE_USER"/>
<user name="b" password="a" authorities="ROLE_ADMIN"/>
</user-service>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT USUARIO as username, SENHA as password, ISATIVO as enabled FROM usuario WHERE USUARIO=?"
authorities-by-username-query="SELECT USUARIO_USUARIO as username, AUTORIZACOES_TIPO as authority FROM usuario_tipo_usuario WHERE USUARIO_USUARIO=?"
/>
</authentication-provider>
</authentication-manager>
</beans:beans>
For a/b and b/a it authenticates just fine.
Officially answering: I just had to remove the in memory users and to get it working, although I don't really understand why.
Thank you, bluefoot and Luke Taylor.
Please help with the following error that I get with Spring Security 3.05 and Tomcat7.0. I am new to spring security and am using the below tutorial:
Simple web application with Spring Security: http://heraclitusonsoftware.wordpress.com/software-development/spring/simple-web-application-with-spring-security-part-6/
Here is the error:
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'daoAuthenticationProvider' defined in ServletContext resource [/WEB-INF/applicationContext-security.xml]: Initialization of bean failed; nested exception is org.springframework.beans.ConversionNotSupportedException: Failed to convert property value of type 'org.springframework.security.core.userdetails.memory.InMemoryDaoImpl' to required type 'org.springframework.security.userdetails.UserDetailsService' for property 'userDetailsService'; nested exception is java.lang.IllegalStateException: Cannot convert value of type [org.springframework.security.core.userdetails.memory.InMemoryDaoImpl] to required type [org.springframework.security.userdetails.UserDetailsService] for property 'userDetailsService': no matching editors or conversion strategy found
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:527)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:563)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:872)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:423)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4723)
at org.apache.catalina.core.StandardContext$1.call(StandardContext.java:5226)
at org.apache.catalina.core.StandardContext$1.call(StandardContext.java:5221)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
Caused by: org.springframework.beans.ConversionNotSupportedException: Failed to convert property value of type 'org.springframework.security.core.userdetails.memory.InMemoryDaoImpl' to required type 'org.springframework.security.userdetails.UserDetailsService' for property 'userDetailsService'; nested exception is java.lang.IllegalStateException: Cannot convert value of type [org.springframework.security.core.userdetails.memory.InMemoryDaoImpl] to required type [org.springframework.security.userdetails.UserDetailsService] for property 'userDetailsService': no matching editors or conversion strategy found
at org.springframework.beans.BeanWrapperImpl.convertForProperty(BeanWrapperImpl.java:471)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.convertForProperty(AbstractAutowireCapableBeanFactory.java:1363)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1322)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1076)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
... 19 more
Caused by: java.lang.IllegalStateException: Cannot convert value of type [org.springframework.security.core.userdetails.memory.InMemoryDaoImpl] to required type [org.springframework.security.userdetails.UserDetailsService] for property 'userDetailsService': no matching editors or conversion strategy found
at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:291)
at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:155)
at org.springframework.beans.BeanWrapperImpl.convertForProperty(BeanWrapperImpl.java:461)
... 23 more
My spring security config and listed below:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!--<global-method-security secured-annotations="disabled">
</global-method-security>
<http auto-config="true">
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login.jsp"
default-target-url="/home.htm" always-use-default-target="false"
authentication-failure-url="/login.jsp?authfailed=true"/>
<logout invalidate-session="true" logout-url="/logout.htm"
logout-success-url="/login.jsp?loggedout=true"/>
<session-management session-fixation-protection="newSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
</session-management>
</http>
<authentication-manager>
<authentication-provider>
<user-service id="userDetailsService">
<user name="username" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="test" password="test" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>-->
<beans:bean id="sessionRegistry"
class="org.springframework.security.concurrent.SessionRegistryImpl" />
<beans:bean id="defaultConcurrentSessionController"
class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="exceptionIfMaximumExceeded"
value="true" />
</beans:bean>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="hideUserNotFoundExceptions"
value="false" />
</beans:bean>
<beans:bean id="authenticationManager"
class="org.springframework.security.providers.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider" />
</beans:list>
</beans:property>
<beans:property name="sessionController"
ref="defaultConcurrentSessionController" />
</beans:bean>
<beans:bean id="customAuthenticationProcessingFilter"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
<beans:property name="defaultTargetUrl" value="/home.htm" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureUrl" value="/login.jsp?authfailed=true" />
<beans:property name="allowSessionCreation" value="true" />
</beans:bean>
<global-method-security secured-annotations="disabled">
</global-method-security>
<beans:bean id="myAuthenticationEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/login.jsp" />
</beans:bean>
<http entry-point-ref="myAuthenticationEntryPoint" auto-config="false">
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/admin.htm" access="ROLE_ADMIN" />
<intercept-url pattern="/**" access="ROLE_USER" />
<logout invalidate-session="true" logout-url="/logout.htm"
logout-success-url="/login.jsp?loggedout=true" />
<custom-filter position="FORM_LOGIN_FILTER"
ref="customAuthenticationProcessingFilter"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service id="userDetailsService">
<user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="username" password="password" authorities="ROLE_USER" />
<user name="test" password="test" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Regards,
Nazir
org.springframework.security.userdetails.UserDetailsService is from Spring Security 2.x, in Spring Security 3.x its name is org.springframework.security.core.userdetails.UserDetailsService.
So, you have some Spring Security 2.x jars in the classpath.
I am new to spring security. I have created an example in spring security 3.
I am facing a problem. I am able to login successfully with the default login page, but when I logout, I am successfully redirected to my loggedout.jsp but when check with altering URL I see that I am still logged in.
The Spring security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/loggedout.jsp" security="none" />
<http auto-config='true'>
<intercept-url pattern="/**" access="ROLE_USER" />
<logout logout-success-url="/loggedout.jsp" invalidate-session="true"
delete-cookies="JSESSIONID" />
<!-- <remember-me key="myAppKey" /> -->
<!-- <session-management invalid-session-url="/timeout.jsp">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management> -->
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="vrajesh" password="vrajesh"
authorities="ROLE_USER,ROLE_ADMIN" />
<user name="test" password="test"
authorities="ROLE_USER,ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<!--
<http pattern="/loggedout.jsp" security="none"/>
<http use-expressions="true">
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login />
<logout logout-success-url="/loggedout.jsp"
delete-cookies="JSESSIONID"/>
<remember-me />
<session-management invalid-session-url="/timeout.jsp">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management>
</http>
-->
</beans:beans>
This is my logout link on every page:
<p>Logout</p>
and this is my loggedout.jsp:
<p>
You have been logged out. Start again.
</p>
In my loggedout.jsp, if I click on the 'Start again' link it should display login page, but it does not. Instead I am logged in the application.
Please help me and let me know if I am missing anything.
Your logout link on every page should be:
<p>Logout</p>
I had problem when referencing j_spring_security_logout, so I did this:
1.- In spring-security.xml added to section:
<logout logout-url="/logout.html"/>
2.- In my controller I just have:
#RequestMapping(value = "logout.html", method = RequestMethod.GET)
public String logout(ModelMap model, HttpServletRequest request) {
return "loginform";
}
3.- In my .jsp:
<fmt:message key="text.exit" />
And it works flawlessly :)
You can check additional logout configurations here.