I'd like to introduce the GridGain's web session clustering to our spring web project. The thing is I can successfully start a GridGain node but can not get the login function works.
Here is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<welcome-file-list>
<welcome-file>home.do</welcome-file>
</welcome-file-list>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/root-context.xml,
/WEB-INF/spring/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.gridgain.grid.startup.servlet.GridServletContextListenerStartup</listener-class>
</listener>
<filter>
<filter-name>GridGainWebSessionsFilter</filter-name>
<filter-class>org.gridgain.grid.cache.websession.GridWebSessionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>GridGainWebSessionsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>GridGainConfigurationFilePath</param-name>
<param-value>default-config.xml</param-value>
</context-param>
<context-param>
<param-name>GridGainWebSessionsCacheName</param-name>
<param-value>partitioned</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
And here is my spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:hz="http://www.hazelcast.com/schema/spring"
xsi:schemaLocation="http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.hazelcast.com/schema/spring http://www.hazelcast.com/schema/spring/hazelcast-spring-3.2.xsd">
<beans:bean id="myAuthenticationSuccessHandler" class="com.litv.litvweb.web.security.MyAuthenticationSuccessHandler">
<beans:property name="alwaysUseDefaultTargetUrl" value="false" />
</beans:bean>
<beans:bean id="customLogoutSuccessHandler" class="com.litv.litvweb.web.security.CustomLogoutSuccessHandler"/>
<beans:bean id="litvWebTemplateDataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
<beans:property name="driverClassName">
<beans:value>${jdbc.driverClassName}</beans:value>
</beans:property>
<beans:property name="url">
<beans:value>${jdbc.database.litvpc.url}</beans:value>
</beans:property>
<beans:property name="username">
<beans:value>${jdbc.database.litvpc.username}</beans:value>
</beans:property>
<beans:property name="password">
<beans:value>${jdbc.database.litvpc.password}</beans:value>
</beans:property>
</beans:bean>
<beans:bean id="litvWebNamedParameterJdbcTemplate" class="org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate"
c:dataSource-ref="litvWebTemplateDataSource" />
<beans:bean id="securityContextMariaDao" class="com.litv.litvweb.domain.dao.SecurityContextMariaDao">
<beans:property name="litvWebNamedParameterJdbcTemplate">
<beans:ref bean="litvWebNamedParameterJdbcTemplate"/>
</beans:property>
</beans:bean>
<beans:bean id="customSecurityContextRepository" class="com.litv.litvweb.web.security.CustomSecurityContextRepository">
<beans:property name="securityContextDao">
<beans:ref bean="securityContextMariaDao"/>
</beans:property>
</beans:bean>
<!--<http use-expressions="true" auto-config="true" security-context-repository-ref="customSecurityContextRepository">-->
<http use-expressions="true" auto-config="true">
<intercept-url pattern="/protected.do" access="isAuthenticated()"/>
<intercept-url pattern="/member/memberInfo.do" access="isAuthenticated()"/>
<intercept-url pattern="/member/updateMemberInfo.do" access="isAuthenticated()"/>
<intercept-url pattern="/member/changePassword.do" access="isAuthenticated()"/>
<intercept-url pattern="/member/watchRecord.do" access="isAuthenticated()"/>
<intercept-url pattern="/member/useService.do" access="isAuthenticated()"/>
<intercept-url pattern="/member/consumptionRecord.do" access="isAuthenticated()"/>
<intercept-url pattern="/purchase/selectPayment.do" access="isAuthenticated()"/>
<intercept-url pattern="/purchase/cardInfo.do" access="isAuthenticated()"/>
<intercept-url pattern="/purchase/completeCard.do" access="isAuthenticated()"/>
<intercept-url pattern="/purchase/completeATM.do" access="isAuthenticated()"/>
<intercept-url pattern="/purchase/completeSupermarket.do" access="isAuthenticated()"/>
<intercept-url pattern="/login.do" access="permitAll"/>
<intercept-url pattern="/**" access="permitAll"/>
<intercept-url pattern="/home.do" requires-channel="http"/>
<form-login login-processing-url="/j_spring_security_check"
login-page="/login.do"
always-use-default-target="false"
authentication-success-handler-ref="myAuthenticationSuccessHandler"
authentication-failure-url="/login.do?error=1"/>
<logout logout-url="/j_spring_security_logout"
success-handler-ref="customLogoutSuccessHandler"/>
<port-mappings>
<port-mapping http="8080" https="8443"/>
</port-mappings>
<session-management session-fixation-protection="migrateSession" />
</http>
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<beans:bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<beans:property name="locations">
<beans:value>classpath:system.properties</beans:value>
</beans:property>
</beans:bean>
<beans:bean id="litvJsonRpcPartnerAuthProxy" class="com.googlecode.jsonrpc4j.JsonRpcHttpClient">
<beans:constructor-arg>
<beans:bean class="java.net.URL">
<beans:constructor-arg>
<beans:value>${json.rpc.partnerauthproxy}</beans:value>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="systemProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
<beans:property name="locations">
<beans:list>
<beans:value>classpath:system.properties</beans:value>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="systemService" class="com.litv.litvweb.domain.service.SystemService">
<beans:property name="systemProperties">
<beans:ref bean="systemProperties"/>
</beans:property>
</beans:bean>
<sec:authentication-manager>
<sec:authentication-provider ref="limitLoginAuthenticationProvider"/>
</sec:authentication-manager>
<!--
<beans:bean id="userCacheService" class="com.litv.litvweb.domain.service.UserCacheService"/>
-->
<beans:bean id="securityManagerService" class="com.litv.litvweb.domain.service.SecurityManagerService">
<!--
<beans:property name="userCacheService">
<beans:ref bean="userCacheService"/>
</beans:property>
-->
</beans:bean>
<beans:bean id="cdiPartnerService" class="com.litv.litvweb.domain.service.CdiPartnerService">
<beans:property name="litvJsonRpcPartnerAuthProxy">
<beans:ref bean="litvJsonRpcPartnerAuthProxy"/>
</beans:property>
<beans:property name="systemService">
<beans:ref bean="systemService"/>
</beans:property>
</beans:bean>
<beans:bean id="limitLoginAuthenticationProvider" class="com.litv.litvweb.web.security.LimitLoginAuthenticationProvider">
<beans:property name="userDetailsService">
<beans:ref bean="securityManagerService"/>
</beans:property>
<beans:property name="cdiPartnerService">
<beans:ref bean="cdiPartnerService"/>
</beans:property>
<!--
<beans:property name="userCacheService">
<beans:ref bean="userCacheService"/>
</beans:property>
-->
<beans:property name="passwordEncoder">
<beans:ref bean="encoder"/>
</beans:property>
</beans:bean>
No specific exception was thrown. Just couldn't get the login works. Does anyone know what goes wrong?
Thanks,
YI-CHAN
Yi-Chan,
I'm assuming that if you remove GridGain web session clustering configuration from your application, login function does work. Is that right? Please confirm.
Also could you check if web session clustering works correctly in case you disable Spring security?
Thanks!
Related
I'm trying to make spring authenticate users from my mysql database.
It's working fine for users in memory.
I followed every tutorial about this and still isn't working, I don't understand why, since it requires a very basic config.
My applicationContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http security="none" pattern="/javax.faces.resource/**" />
<http security="none" pattern="/static/**"/>
<http auto-config="true" use-expressions="true"
access-denied-page="/public/login.xhtml">
<intercept-url pattern="/public/**" access="permitAll"/>
<intercept-url pattern="/secure/adm.xhtml" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/secure/**" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/login.xhtml" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<form-login login-page="/public/login.xhtml"
authentication-failure-url="/public/login.xhtml?erro=true"
default-target-url="/secure/secure.xhtml"
username-parameter="usuario"
password-parameter="senha"
/> <!--login-processing-url-->
<logout/>
<session-management invalid-session-url="/timeout.jsp">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
</http>
<beans:bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource" >
<beans:property name="url" value="jdbc:mysql://localhost:3306/gde" />
<beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
<beans:property name="username" value="root" />
<beans:property name="password" value="" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="a" password="b" authorities="ROLE_USER"/>
<user name="b" password="a" authorities="ROLE_ADMIN"/>
</user-service>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT USUARIO as username, SENHA as password, ISATIVO as enabled FROM usuario WHERE USUARIO=?"
authorities-by-username-query="SELECT USUARIO_USUARIO as username, AUTORIZACOES_TIPO as authority FROM usuario_tipo_usuario WHERE USUARIO_USUARIO=?"
/>
</authentication-provider>
</authentication-manager>
</beans:beans>
For a/b and b/a it authenticates just fine.
Officially answering: I just had to remove the in memory users and to get it working, although I don't really understand why.
Thank you, bluefoot and Luke Taylor.
I use Spring Security 3 and JSF2 Primefaces. Then, I create a index.xhtml for welcome page and login.xhtml for login page
When I access the root web site, it redirect me to login.xhtml page. Why not?
How to set the welcome page to index.xhtml
This is web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
This is spring-security.xml
<global-method-security secured-annotations="enabled"
jsr250-annotations="enabled" />
<!-- Resource Security -->
<http access-denied-page="/accessDenied.jsp">
<intercept-url pattern="/pages/**" access="ROLE_ADMIN" />
<form-login login-page="/login.jsf" default-target-url="/pages/index.jsf" />
<logout logout-success-url="/login.jsf" invalidate-session="true" />
<session-management invalid-session-url="/login.jsf">
<concurrency-control max-sessions="10"
error-if-maximum-exceeded="true" />
</session-management>
</http>
For a basic application with JSF, Spring and Spring-Security, you need to configure your web.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID"
version="3.0">
<welcome-file-list>
<welcome-file>pages/index.jsf</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext*.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
and also configure faces-config.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<faces-config
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
version="2.0">
<application>
<el-resolver>org.springframework.web.jsf.el.SpringBeanFacesELResolver</el-resolver>
</application>
</faces-config>
and your applicationContext-security.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<global-method-security secured-annotations="enabled"
jsr250-annotations="enabled" />
<http auto-config="true" >
<intercept-url pattern="/login.jsf*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/pages/*" access="ROLE_USER,ROLE_ADMIN" />
<intercept-url pattern="/pages/super/**" access="ROLE_ADMIN" />
<access-denied-handler error-page="/accessDenied.jsf" />
<form-login login-page='/login.jsf' default-target-url='/pages/index.jsf'
always-use-default-target='true'/>
<logout logout-success-url="/" logout-url="/j_spring_security_logout" invalidate-session="true" />
<session-management invalid-session-url="/login.jsf">
<concurrency-control max-sessions="10"
error-if-maximum-exceeded="true" />
</session-management>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="ravi" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Finally, if you have any spring beans, your applicationContext.xml for annotation based configuration will be:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<context:annotation-config/>
<context:component-scan base-package="com.examples" />
</beans>
and annotate your beans like this:
#Component
#Scope("request")
So with all these in place along with your pages there should be no problem.
Please help with the following error that I get with Spring Security 3.05 and Tomcat7.0. I am new to spring security and am using the below tutorial:
Simple web application with Spring Security: http://heraclitusonsoftware.wordpress.com/software-development/spring/simple-web-application-with-spring-security-part-6/
Here is the error:
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'daoAuthenticationProvider' defined in ServletContext resource [/WEB-INF/applicationContext-security.xml]: Initialization of bean failed; nested exception is org.springframework.beans.ConversionNotSupportedException: Failed to convert property value of type 'org.springframework.security.core.userdetails.memory.InMemoryDaoImpl' to required type 'org.springframework.security.userdetails.UserDetailsService' for property 'userDetailsService'; nested exception is java.lang.IllegalStateException: Cannot convert value of type [org.springframework.security.core.userdetails.memory.InMemoryDaoImpl] to required type [org.springframework.security.userdetails.UserDetailsService] for property 'userDetailsService': no matching editors or conversion strategy found
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:527)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:563)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:872)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:423)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4723)
at org.apache.catalina.core.StandardContext$1.call(StandardContext.java:5226)
at org.apache.catalina.core.StandardContext$1.call(StandardContext.java:5221)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
Caused by: org.springframework.beans.ConversionNotSupportedException: Failed to convert property value of type 'org.springframework.security.core.userdetails.memory.InMemoryDaoImpl' to required type 'org.springframework.security.userdetails.UserDetailsService' for property 'userDetailsService'; nested exception is java.lang.IllegalStateException: Cannot convert value of type [org.springframework.security.core.userdetails.memory.InMemoryDaoImpl] to required type [org.springframework.security.userdetails.UserDetailsService] for property 'userDetailsService': no matching editors or conversion strategy found
at org.springframework.beans.BeanWrapperImpl.convertForProperty(BeanWrapperImpl.java:471)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.convertForProperty(AbstractAutowireCapableBeanFactory.java:1363)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1322)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1076)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
... 19 more
Caused by: java.lang.IllegalStateException: Cannot convert value of type [org.springframework.security.core.userdetails.memory.InMemoryDaoImpl] to required type [org.springframework.security.userdetails.UserDetailsService] for property 'userDetailsService': no matching editors or conversion strategy found
at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:291)
at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:155)
at org.springframework.beans.BeanWrapperImpl.convertForProperty(BeanWrapperImpl.java:461)
... 23 more
My spring security config and listed below:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!--<global-method-security secured-annotations="disabled">
</global-method-security>
<http auto-config="true">
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login.jsp"
default-target-url="/home.htm" always-use-default-target="false"
authentication-failure-url="/login.jsp?authfailed=true"/>
<logout invalidate-session="true" logout-url="/logout.htm"
logout-success-url="/login.jsp?loggedout=true"/>
<session-management session-fixation-protection="newSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
</session-management>
</http>
<authentication-manager>
<authentication-provider>
<user-service id="userDetailsService">
<user name="username" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="test" password="test" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>-->
<beans:bean id="sessionRegistry"
class="org.springframework.security.concurrent.SessionRegistryImpl" />
<beans:bean id="defaultConcurrentSessionController"
class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="exceptionIfMaximumExceeded"
value="true" />
</beans:bean>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="hideUserNotFoundExceptions"
value="false" />
</beans:bean>
<beans:bean id="authenticationManager"
class="org.springframework.security.providers.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider" />
</beans:list>
</beans:property>
<beans:property name="sessionController"
ref="defaultConcurrentSessionController" />
</beans:bean>
<beans:bean id="customAuthenticationProcessingFilter"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
<beans:property name="defaultTargetUrl" value="/home.htm" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureUrl" value="/login.jsp?authfailed=true" />
<beans:property name="allowSessionCreation" value="true" />
</beans:bean>
<global-method-security secured-annotations="disabled">
</global-method-security>
<beans:bean id="myAuthenticationEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/login.jsp" />
</beans:bean>
<http entry-point-ref="myAuthenticationEntryPoint" auto-config="false">
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/admin.htm" access="ROLE_ADMIN" />
<intercept-url pattern="/**" access="ROLE_USER" />
<logout invalidate-session="true" logout-url="/logout.htm"
logout-success-url="/login.jsp?loggedout=true" />
<custom-filter position="FORM_LOGIN_FILTER"
ref="customAuthenticationProcessingFilter"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service id="userDetailsService">
<user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="username" password="password" authorities="ROLE_USER" />
<user name="test" password="test" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Regards,
Nazir
org.springframework.security.userdetails.UserDetailsService is from Spring Security 2.x, in Spring Security 3.x its name is org.springframework.security.core.userdetails.UserDetailsService.
So, you have some Spring Security 2.x jars in the classpath.
Could somebody help me with the "java.lang.IllegalArgumentException: No DataSource specified" issue while defining secured URLs dynamically against AppFuse 2.1 (with Spring Security 3.0.5 and iBatis)??
Before I started to define secured URLs dynamically, the following namespace in security.xml was working fine.
...
<http auto-config="false" lowercase-comparisons="false">
<intercept-url pattern="/images/**" filters="none"/>
<intercept-url pattern="/styles/**" filters="none"/>
<intercept-url pattern="/scripts/**" filters="none"/>
<intercept-url pattern="/app/admin/**" access="ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
<intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
<form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check"/>
<remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDao">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
...
But after I commented out the element and add the following elements in security.xml, the "userDao" did not work due to no datasource specified.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<beans:bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChainProxy">
<filter-chain-map path-type="ant">
<filter-chain pattern="/images/**" filters="none"/>
<filter-chain pattern="/styles/**" filters="none"/>
<filter-chain pattern="/scripts/**" filters="none"/>
<filter-chain pattern="/app/**" filters="
securityContextPersistenceFilter,
logoutFilter,
authenticationProcessingFilter,
exceptionTranslationFilter,
filterSecurityInterceptor"/>
</filter-chain-map>
</beans:bean>
<beans:bean id="securityContextPersistenceFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
</beans:bean>
<beans:bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login"/>
<beans:constructor-arg ref="logoutHandler">
</beans:constructor-arg>
</beans:bean>
<beans:bean id="logoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
</beans:bean>
<beans:bean id="authenticationProcessingFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationSuccessHandler"
ref="authenticationSuccessHandler"/>
<beans:property name="filterProcessesUrl" value="/j_security_check"/>
</beans:bean>
<beans:bean id="authenticationSuccessHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/app/mainMenu"/>
</beans:bean>
<beans:bean id="exceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
<beans:property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</beans:bean>
<beans:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login"/>
</beans:bean>
<beans:bean id="accessDeniedHandler"
class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<beans:property name="errorPage" value="/403.jsp"/>
</beans:bean>
<beans:bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
<beans:property name="securityMetadataSource" ref="myFilterInvocationSecurityMetadataSource"/>
</beans:bean>
<beans:bean id="myFilterInvocationSecurityMetadataSource"
class="com.tangram.ebiz.webapp.authentication.MyFilterInvocationSecurityMetadataSource">
</beans:bean>
<beans:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="ROLE_"/>
</beans:bean>
<beans:bean
class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="userDao"
class="com.tangram.ebiz.dao.ibatis.UserDaoiBatis">
<beans:property name="sqlMapClient" ref="sqlMapClient"/>
</beans:bean>
<beans:bean id="sqlMapClient"
class="com.ibatis.sqlmap.engine.impl.SqlMapClientImpl">
<beans:constructor-arg ref="sqlMapExecutorDelegate"/>
</beans:bean>
<beans:bean id="sqlMapExecutorDelegate"
class="com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate">
</beans:bean>
<beans:bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<beans:property name="driverClassName" value="oracle.jdbc.OracleDriver"/>
<beans:property name="url" value="jdbc:oracle:thin:#localhost:1521:XE"/>
<beans:property name="username" value="ebiz"/>
<beans:property name="password" value="ebiz"/>
</beans:bean>
<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider"/>
<beans:ref local="anonymousAuthenticationProvider"/>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDao"/>
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
</beans:bean>
<beans:bean id="anonymousAuthenticationProvider"
class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
<beans:property name="key" value="doesNotMatter"/>
</beans:bean>
<!-- Override the default password-encoder (SHA) by uncommenting the following and changing the class -->
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
<global-method-security>
<protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/>
<protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/>
</global-method-security>
</beans:beans>
If you are using a custom user service, you need to ref that:
<security:authentication-manager>
<security:authentication-provider user-service-ref="myUserDetailsService">
<security:password-encoder ref="md5" />
</security:authentication-provider>
</security:authentication-manager>
If you are using JDBC and just going against a set of tables, you just ref the datasource:
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="my-ds"/>
<security:password-encoder hash="md5"/>
</security:authentication-provider>
</security:authentication-manager>
I'm trying to implement the configuration but it never redirects me to my login.html page, any ideas?
Security Config:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:annotation-config />
<context:component-scan base-package="dc" />
<global-method-security />
<http access-denied-page="/auth/denied.html">
<intercept-url filters="none" pattern="/javax.faces.resource/**" />
<intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
<intercept-url filters="none" pattern="/preregistered/*"/>
<intercept-url
pattern="/**/*.xhtml"
access="ROLE_NONE_GETS_ACCESS" />
<intercept-url
pattern="/auth/*"
access="ROLE_ANONYMOUS,ROLE_USER"/>
<intercept-url
pattern="/preregistered/*"
access="ROLE_ANONYMOUS,ROLE_USER"/>
<intercept-url
pattern="/registered/*"
access="ROLE_USER"
requires-channel="http"/>
<form-login
login-processing-url="/j_spring_security_check.html"
login-page="/auth/login.html"
default-target-url="/registered/home.html"
authentication-failure-url="/auth/login.html" />
<logout invalidate-session="true"
logout-url="/auth/logout.html"
success-handler-ref="DCLogoutSuccessHandler"/>
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
<custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter" />
<session-management session-fixation-protection="none"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager alias="am">
<authentication-provider user-service-ref="userManager">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
<authentication-provider ref="xmlAuthenticationProvider" />
</authentication-manager>
</beans:beans>
I had a lot of problems due to
filters="none"
try
access="IS_AUTHENTICATED_ANONYMOUSLY"