I currently have a spring mvc application which I'm trying to add spring security to. However, I can't use the #PreAuthorize annotation without getting the following error:
Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: org/springframework/cglib/transform/impl/MemorySafeUndeclaredThrowableStrategy
I'm currently using Spring Version 4.1.0 and Spring Security 3.2.5, which according to spring's documentation and other posts on here should work fine.
There's also a sample on their github which appears to be using the same versions without issue.
Any ideas?
The PreAuthorize tag has been added to a Controller, cglib is in the classpath, yet still the same error message. Any ideas?
Turns out it was version issues. Spring Security is currently at 3.2.5.Release, which I was using, but Spring was at 4.1.0.
As of 4.0.2, some of the cglib classes have been removed. The solution was to go down to 4.0.1 in Spring, or use the 4.0.0.M2 milestone release for spring security.
#PreAuthorize is implemented via AOP. If the method on which you put the annotation are not declared in an interface implemented by the class, Spring cannot use the default of JDK proxy, but uses CGLIB to proxy classes.
The error suggests you use class proxying, but do not have CGLIB in classpath.
Two ways to fix it :
add CGLIB to classpath
make your class implements an interface
BTW, you say you added #PreAuthorize to a RestController. #PreAuthorize annotation is more frequent in service layer. Normally, you use URL based authorization for what could exists in controller. The best way to fix the problem could be to move the #PreAuthorize annotation to the service class that should already be wired as an interface.
Related
I have upgraded Grails and Spring Security to latest (3.3.0.RC1 and 3.2.0.M1 respectively) by following all of the migration paths but now my annotations no longer work. Control follows through to my not authorised callback (grails.plugin.springsecurity.adh.errorPage).
I have my own list of enum backed Permissions that I use to populate my list of authorities which are being correctly loaded for my user object but they no longer work in my annotations using the hasRole expression as follows;
#Secured(["hasAnyRole('PERM_VIEW_REPORTS'"])
other expressions are working fine such as the following
#Secured("authentication.name == 'sys_admin'")
#Secured("hasRole('PERM_VIEW_REPORTS')")
I don't suppose anyone has had any similar experience with the latest Spring Security release for Grails. Remember the above has worked perfectly until I upgraded but I don't see anything in the migration path that suggests there might be a problem with this system.
Thanking for any suggestions in advance.
This came down to the "ROLE_" prefix being mandatory again in the new Spring Security 3.2.0.M1 release. As can be seen from above, I had being using a "PERM_" prefix up to now to indicate that I'm using a permission based instead of role based paradigm.
I'm hoping to add this to the migration guide for the plugin as it's a major omission AFAIC. I would hope this would become a configuration option for the plugin in a future release.
EDIT:
It turns out Spring Security have introduced new methods hasAuthority() and hasAnyAuthority() which do not use the default role prefix and so can be used in place of hasRole() and hasAnyRole().
I have forked and updated the Spring Security docs for 3.2 and sent a pull request.
Please try with
#Secured ('ROLE_USER')
If you're trying to secured with more than one Role
#Secured(['ROLE_USER','ROLE_ADMIN'])
I am attempting to use the Grails Spring Security Core plugin. I would like to override the login functionality, which is 'login/authenticate'. I searched through the spring-security-core plugin source and wasn't able to find the 'authenticate' method, and its not in the generated LoginController.
https://github.com/grails-plugins/grails-spring-security-core/blob/master/grails-app/controllers/grails/plugin/springsecurity/LoginController.groovy
Any guidance would be most appreciated. Thank you in advance.
Spring security is built around filter chains. The correct way would be to create a new filter. You probably need to download the spring grails security core plugin and look at classes like GrailsUsernamePasswordAuthenticationFilter to get a feel for how to do it. Your way forward might be to copy GrailsUsernamePasswordAuthenticationFilter, install it as your authentication filter, and put logging in there.
I was asking why the WebSecurityExpressionHandleris annotated deprecated in spring security 3.1 and 3.2? There is no documentation in the api.
http://static.springsource.org/spring-security/site/docs/3.2.x/apidocs/org/springframework/security/web/access/expression/WebSecurityExpressionHandler.html
Does anybody know something about the reasons?
It looks like they are going to replace WebSecurityExpressionHandler with SecurityExpressionHandler<T> where T can be either FilterInvocation or MethodInvocation. Note that it doesn't affect implementation classes (DefaultWebSecurityExpressionHandler).
See also:
SEC-1562 Create SecurityExpressionHandler interface
I cite from mybatis plugin documentation:
"When working with MyBatis plugin your "Domain" classes should be
located in src/groovy and not in grails-app/domain. This is necessary
to avoid conflict with GROM since MyBatis plugin can coexist with
existing GORM Domain classes."
So where should the validation and constraints be located, when I want to use grails with MyBatis plugin ?
You can add a #Validateable annotation to any Groovy class in Grails, and you will be able to validate it... The Plugin currently doesn't check for any validation errors so you will have to implement that code yourself.
From official Grails documentation:
Classes which define the static constraints property and are annotated
with #Validateable can be made validateable by the framework
http://grails.org/doc/2.1.0/guide/validation.html#validationNonDomainAndCommandObjectClasses
You could even write a custom MyBatis Interceptor (see https://github.com/fzilic/Grails-MyBatis/blob/master/src/groovy/org/grails/plugins/mybatis/locking/OptimisticLockingInterceptor.groovy) and register it after the SqlSession is created...
Currently the MyBatis plugin doesn't support registering custom Interceptors in it's configuration, but they could be added to the interceptor chain
def factory = GrailsApplication.mainContext.getBean("sqlSessionFactoryBean_dataSource")
factory.configuration.interceptorChain.addInterceptor(Interceptor)
Support for this might be added in future versions.
I am working with an app that uses spring-security 3.0 and oauth2 using spring-security-oauth-1.0.0.M3. It works fine. But it looks like migrating to spring-security 3.1 will not be trivial. I have been unable to find confirmation that the oauth module is still supported.
For example, the oauth tutorial mentions 3.0 not 3.1:
https://github.com/SpringSource/spring-security-oauth/wiki/tutorial
And I have encountered a problem similar to the Mar 4, 2012 comment in the following discussion when I attempt to do a straight upgrade to 3.1 using spring-security-oauth 1.0.0.M3 or M4:
http://code.google.com/p/spring-security-social/wiki/Usage
Specifically I see this in the Tomcat logs:
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration
problem: Failed to import bean definitions from URL location ...
Offending resource: class path resource [spring/applicationContext.xml]; nested
exception is org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected
exception parsing XML document from URL ...; nested exception is
org.springframework.beans.FatalBeanException: Invalid NamespaceHandler class
[org.springframework.security.oauth2.config.OAuth2SecurityNamespaceHandler] for namespace
[http://www.springframework.org/schema/security/oauth2]: problem with handler class file or
dependent class; nested exception is java.lang.NoClassDefFoundError:
org/springframework/security/web/util/AntUrlPathMatcher
Can someone suggest a solution to the above problem, or point to a reference for using spring-security 3.1 and spring-security-oauth, or else suggest a better alternative to implement oauth2 using spring-security 3.1?
Or if I'm missing a fundamental point of spring-security 3.1, that would also be useful to know.
Thanks!
Yes, Spring Security OAuth milestone build 1.0.0.M6, and specifically the oauth2 module, supports Spring Security 3.1.0. It is not yet considered a release. The OAuth 2.0 spec itself is not final.
The 1.0.0.M6 samples appear to be the most accurate and complete reference for implementation. The full 1.0.0.M6 tag zipball is here.
The OAuth 2 Developers Guide is a good textual reference. It's not 100% accurate, at least with respect to 1.0.0.M6. For example, the attribute user-approval-page belongs to authorization-server not authorization-code.
The Maven pom.xml must refer to artifactId spring-security-oauth2 (not spring-security-oauth as in older versions such as 1.0.0.M3).