I work with ADFS 2.0 by SAML using spring-security-saml2-core (1.0.0.RC2). I use HTTP-POST binding. But I have a problem with SingleLogout.
Application receive LogoutRequest
<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://myhost:8443/my/saml/SingleLogout/alias/defaultAlias"
ID="_438dcef8-cd64-4e04-8e11-e87705f26b6c"
IssueInstant="2014-08-01T10:53:14.641Z"
NotOnOrAfter="2014-08-01T10:58:14.641Z"
Version="2.0">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://adfs-server.local/adfs/services/trust</Issuer>
<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">nata</NameID>
<samlp:SessionIndex>_34e48828-a6b5-47c2-96fd-595f9d0a88b7</samlp:SessionIndex>
</samlp:LogoutRequest>
And send LogoutResponse
<saml2p:LogoutResponse
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://adfs-server.local/adfs/ls/"
ID="a2ddb014h7d7558f3cd5hfge981bicf"
InResponseTo="_438dcef8-cd64-4e04-8e11-e87705f26b6c"
IssueInstant="2014-08-01T10:53:43.808Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://myhost:8443/my/saml/metadata/alias/defaultAlias</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
</saml2p:LogoutResponse>
But ADFS throw error of closing SAML-endpoint:
MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties.
My configuration for SingleLogout:
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
<security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
</security:filter-chain-map>
</bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg type="org.springframework.security.web.authentication.logout.LogoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg>
<array value-type="org.springframework.security.web.authentication.logout.LogoutHandler">
<ref bean="logoutHandler"/>
</array>
</constructor-arg>
</bean>
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="false"/>
</bean>
:-) ouch this was confusing..... And cross-posting??
First of all: My ADFS servers 2.x, on S2008(R2) and S2012 do not have that message. So I believe it cannot be ADFS 2.0. I assume that you are working on the ADFS server on Windows Server 2012R2 (which is never identified as 2.0). :-(
The message (about AuthnRequest vs. LogoutResponse) does seem totally out of place. It looks like you ran in to a minor (super confusing) bug of ADFS on S2012R2. Because ADFS 2.0 would have said something else in that case. It would have said [in the ValidateSignatureRequirements(SamlMessage) method]:
"MSIS1014: SAML LogoutRequest and LogoutResponse messages must be signed when using SAML HTTP Redirect or HTTP POST binding."
So you have a bug to file at Microsoft (a reference to this description could help you). Meanwhile you should ask the SP to sign the LogoutResponse. I am somewhat surprised that ADFS did not sign the LogoutRequest. It normally does sign the LogoutRequest.
paullem is right. Our Windows Server is 2012 R2, ADFS 3.0.
SAML LogoutRequest messages must be signed. Error was fixed. We set parameter requireLogoutResponseSigned in ''true" in ExtendedMetadata.
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="false" />
<property name="idpDiscoveryEnabled" value="false" />
<property name="requireLogoutResponseSigned" value="true"/>
</bean>
Related
Can someone please advise how to secure a web socket endpoint using Spring Security framework?
I have an application secured with Spring Security.
One of the endpoints is a web socket.
Inside the web socket handler I need to authenticate a user making a connection to the web socket.
Specifically, I need to acquire both userid and also zone/tenant id.
If I use tag sec:http for websocket endpoint in spring-security.xml (please see the file below), this does trigger a login, and then inside web socket's #onOpen(Session session) handler
when I invoke session.getUserPrincipal(), the returned principal has a correct username inside it.
However I also need zone/tenant-id information.
I am trying to use SecurityContextHolder.getContext().getAuthentication() which should contain it, but the call returns null.
Apparently, sec:http does not cause Authentication object to be created for web socket requests.
I had been referred to
http://docs.spring.io/autorepo/docs/spring-security/4.1.x/reference/html/websocket.html
http://docs.spring.io/autorepo/docs/spring-security/4.1.x/reference/html/appendix-namespace.html#nsa-websocket-security
that seems to advise that to get an authenticator with zone information in it for a websocket endpoint, I need to add the following section to spring-security.xml:
<sec:websocket-message-broker>
<sec:intercept-message pattern="/WebSocket.svc" access="isAuthenticated()" />
</sec:websocket-message-broker>
Yet, when I add it and trying to start the application it fails with the following traceback/message:
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Security namespace does not support decoration of element [websocket-message-broker]
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]
at org.springframework.beans.factory.parsing.FailFastProblemReporter.fatal(FailFastProblemReporter.java:60) ~[spring-beans-4.3.1.RELEASE.jar:4.3.1.RELEASE]
at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:68) ~[spring-beans-4.3.1.RELEASE.jar:4.3.1.RELEASE]
at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:55) ~[spring-beans-4.3.1.RELEASE.jar:4.3.1.RELEASE]
at org.springframework.security.config.SecurityNamespaceHandler.reportUnsupportedNodeType(SecurityNamespaceHandler.java:144) ~[spring-security-config-4.1.2.RELEASE.jar:4.1.2.RELEASE]
I am using Spring Security 4.1.2, and 4.3.1 for master Spring.
It is also unclear from Spring documentation whether sec:websocket-message-broker and sec:http should be used in conjunction for the web socket endpoint or are mutually exclusive.
Thanks for advice.
Sergey
P.S. My spring-security.xml looks like this:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:websocket="http://www.springframework.org/schema/websocket"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.1.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<sec:http pattern="/Consumer.svc/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
authentication-manager-ref="authenticationManager"
use-expressions="true">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/Consumer.svc/**" access="isAuthenticated()" />
<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:http pattern="/WebSocket.svc" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
authentication-manager-ref="authenticationManager"
use-expressions="true">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/WebSocket.svc" access="isAuthenticated()" />
<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:websocket-message-broker>
<sec:intercept-message pattern="/WebSocket.svc" access="isAuthenticated()" />
</sec:websocket-message-broker>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
</bean>
<bean id="oauthWebExpressionHandler"
class="org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler">
</bean>
<bean id="accessDecisionManager"
class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler" ref="oauthWebExpressionHandler" />
</bean>
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<sec:authentication-manager alias="authenticationManager"/>
<oauth:resource-server id="resourceServerFilter"
resource-id="springsec" token-services-ref="offlineTokenServices" />
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<!-- ... also some other elements here ... -->
</beans>
It was necessary to add the following to pom.xml:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-messaging</artifactId>
<version>4.1.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-messaging</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-websocket</artifactId>
<version>${spring.version}</version>
</dependency>
And this to spring-security.xml:
<bean id="springSecurityMessagePathMatcher"
class="org.springframework.util.AntPathMatcher"/>
Now Spring does not throw an exception at startup and parses spring-security.xml fine, but it does not work either. SecurityContextHolder.getContext().getAuthentication() still returns null.
I'm using spring authentication against ldap. If the provided user id and password exists in ldap, then I was able to get the user login. I would like to restrict this based on the user's memberOf attribute in the LDAP. If the user has memberOf attribute with a specific CN value (CN=adminaccess or CN=superadminaccess), then authentication/authorization should pass.Else authentication/authorization should fail.
<security:http auto-config="true" use-expressions="true" access-denied-page="/admin/auth/denied">
<security:intercept-url pattern="/admin/auth/login" access="permitAll" />
<security:intercept-url pattern="/admin/dashboard/*" access="hasAnyRole('ROLE_ADMINACCESS','ROLE_SUPERADMINACCESS')"/>
</security:http>
<security:authentication-manager>
<security:ldap-authentication-provider user-dn-pattern="CN={0},CN=Users" group-search-base="CN=adminaccess,CN=Users" />
</security:authentication-manager>
<bean id="ldapContext"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://xxx.ds.yyy.com:389/DC=xxx,DC=ds,DC=yyy,DC=com"/>
<property name="userDn" value="CN=aaa,CN=Users,DC=xxx,DC=ds,DC=yyy,DC=com"/>
<property name="password" value="thepassword"/>
</bean>
I always go to the Access Denied page with my above configuration. If I remove the access="hasAnyRole('ROLE_ADMINACCESS','ROLE_SUPERADMINACCESS')" from the security:intercept-url, I'm able to always access with valid user/password, even if the user is not part of adminaccess (which I was hoping would be restricted because my group -search-base had specified CN=adminaccess).
Wondering what the configuration should be:
To restrict access to just users who are memberOf CN=adminaccess and/or CN=superadminaccess
Specify correct group-search-base. If I specify only CN=Users, I'm getting a timeout as this is going against our corporate ldap. When I looked up users on LDAP browser, I couldnt find a "ou" that couldhelp. With my above configuration group-search-base="CN=adminaccess,CN=Users", I dont get a timeout, but I dont think it is correct either
Not sure if there is a better way, but I was able to successfully get this working using DefaultLdapAuthoritiesPopulator and updating to the below configuration:
<security:http auto-config="true" use-expressions="true" access-denied-page="/admin/auth/denied">
<security:intercept-url pattern="/admin/auth/login" access="permitAll" />
<security:intercept-url pattern="/admin/dashboard/*" access="hasAnyRole('ROLE_ADMINACCESS','ROLE_SUPERADMINACCESS')"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider
ref="ldapAuthProvider"></security:authentication-provider>
</security:authentication-manager>
<bean id="ldapContext"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://xxx.ds.yyy.com:389/DC=xxx,DC=ds,DC=yyy,DC=com"/>
<property name="userDn" value="CN=aaa,CN=Users,DC=xxx,DC=ds,DC=yyy,DC=com"/>
<property name="password" value="thepassword"/>
</bean>
<bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="ldapContext" />
<property name="userDnPatterns">
<list>
<value>CN={0},CN=Users</value>
</list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="ldapContext" />
<constructor-arg value="CN=Users" />
<property name="groupRoleAttribute" value="CN" />
</bean>
</constructor-arg>
</bean>
With this configuration, if the login username/password provided is correct, all the groups that the user is "memberOf" (pattern CN=Users,DC=xxx,DC=ds,DC=yyy,DC=com), get loaded as his "roles" (prefixed with ROLE_) and I'm able to manage access to these roles using security:intercept-url
I'm creating a java client consumer for a web service using SpringWS-Security.
My Request SOAP (That I use in SOAP UI)
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:sch="http://myws.mycompany.com/myws/schema">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
<wsse:Username>myUsernameString</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">123</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<sch:GetUserDetails idSender="5"/>
</soapenv:Body>
</soapenv:Envelope>
My servlet.xml in the WS.
<bean name="endpointMapping"
class="org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping">
<property name="interceptors">
<list>
<ref local="wsSecurityInterceptor" />
</list>
</property>
<bean id="wsSecurityInterceptor"
class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
<property name="validationActions" value="UsernameToken" />
<property name="validationCallbackHandler" ref="springSecurityCallbackHandler" />
</bean>
<bean id="springSecurityCallbackHandler"
class="org.springframework.ws.soap.security.wss4j.callback.SpringPlainTextPasswordValidationCallbackHandler">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="authenticationProvider" class="ws.security.CustomAuthenticationProviderImpl">
<property name="userCommonService" ref="userCommonService" />
<security:custom-authentication-provider/>
</bean>
<security:authentication-manager alias="authenticationManager" />.
In my Java Client - applicationContext.xml
<bean name="webserviceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
<property name="defaultUri" value="http:/localhost:8080/myws-ws/" />
<property name="marshaller" ref="marshaller" />
<property name="unmarshaller" ref="unmarshaller" />
<property name="interceptors">
<list>
<ref local="wsSecurityInterceptor" />
</list>
</property>
</bean>
<oxm:jaxb2-marshaller id="marshaller"
contextPath="org.example.bean.schema" />
<oxm:jaxb2-marshaller id="unmarshaller"
contextPath="org.example.org.bean.schema" />
<bean id="client" class="example.client.impl.EfactClientImpl">
<property name="webServiceTemplate" ref="webserviceTemplate" />
</bean>
<bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
<property name="securementActions" value="UsernameToken"/>
</bean>
When I use SOAP UI to consume the service everything is going fine, I think I need a little help at the Java Client and its context because when I run it I got this error:
The security token could not be authenticated or authorized; nested exception is:
javax.security.auth.callback.UnsupportedCallbackException; nested exception is org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized; nested exception is:
javax.security.auth.callback.UnsupportedCallbackException
When I debug my app I can notice that this element is crashing:
GetUserRequest request = new GetUserRequest();
request.setIdentifier(user.getIdentifier());
request.setPassword(user.getPassword());
GetUserResponse response = new GetUserResponse();
/* Crashing here. */
response = (GetUserResponse) getWebServiceTemplate().marshalSendAndReceive(request);
FYI: I always see this list of users in SpringWS with security, but what if I have a lot of users trying to access.
WS - [servlet-name]-servlet.xml
<bean id="callbackHandler" class="org.springframework.ws.soap.security.wss4j.callback.SimplePasswordValidationCallbackHandler">
<property name="users">
<props>
<prop key="Bert">Ernie</prop>
<prop key="Mickey">Mouse</prop>
</props>
</property>
</bean>
How can I resolve this UnsupportedCallbackException Exception?
You must specify SecurementUsername and SecurementPassword at call time. This is a programmatically example:
WebServiceTemplate webServiceTemplate = new WebServiceTemplate();
webServiceTemplate.setDefaultUri(uri);
Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
interceptor.setSecurementActions(securementActions);
interceptor.setSecurementMustUnderstand(true);
interceptor.setSecurementUsername(usuario);
interceptor.setSecurementPassword(contrasena);
webServiceTemplate.setInterceptors(new ClientInterceptor[] {interceptor});
I was getting this error when I upgraded from cfx 2.2.X to 2.7.X. Due to feature upgrades, the server side code was not able to read the password as a result the password was received as null by the server. Make sure the server received the correct username and password, which would fix this issue.
I am attempting to authenticate via X.509 smart card to my application. For the moment, my application doesn't have any users defined, so I'm trying to use anonymous authentication. I'll switch it to hasRole() once I create users.
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="myUserService" />
</security:authentication-manager>
<!-- TODO: Enable this once I am ready to start annotating the service interfaces -->
<security:global-method-security pre-post-annotations="enabled" />
<security:http use-expressions="true" authentication-manager-ref="authenticationManager" access-denied-page="/index2.xhtml" >
<security:anonymous enabled="true" />
<security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="myUserService" />
<security:intercept-url pattern="/**" access="isAnonymous()" requires-channel="https" />
<!-- TODO: configure invalid-session-url, delete sessionid -->
<security:session-management>
<security:concurrency-control max-sessions="2" error-if-maximum-exceeded="true"/>
</security:session-management>
</security:http>
<bean id="roleVoter"
class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg ref="roleHierarchy" />
</bean>
<bean id="roleHierarchy"
class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_USER > ROLE_AUTHENTICATED
ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED
ROLE_UNAUTHENTICATED > ROLE_ANONYMOUS
</value>
</property>
</bean>
It seems to be caught in the infinite loop issue, which I thought I was avoiding using isAnonymous().
I'm probably making a dumb error, so if someone can point out said stupidity, I'd be grateful.
The issue was a problem with configuring FacesServlet in web.xml. The FacesServlet was mapped to one path, which seemed to be incompatible with the intercept-url defined for Spring Security.
We've since jettisoned JSF (and good riddance).
In our app spring security uses ldap as a provider.
i am working on a change that will let you flip a flag in dev that will allow you to log in if your user/pass matches a value from database. the ldap server might be down and you can still log in.
What ive realized though is that some urls are secured with
#Secured( {"ROLE_USER","ROLE_MERCHANT"})
so i need to still have some dealings with spring security in order for my logins to work. How do i go about doing this?
You can configure 2 providers: one LDAP provider and another DAO provider.
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="yourLdapAuthenticationProvider" />
<sec:authentication-provider ref="yourDaoAuthenticationProvider" />
</sec:authentication-manager>
If the LDAP fails, it will fall back to DAO authentication provider.
You will need to configure your own authentication filter to inject that flag into yourDaoAuthenticationProvider so that when the authentication falls back to yourDaoAuthenticationProvider, it can check whether to proceed with further authentication (say, in development) or ignore it (say, in production). So, in your authenticationFilter, override setDetails() to store the flag:-
myAuthenticationFilter bean
#Override
protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
YourObject yourObject = new YourObject(request.getParameter("devAuthAgainstDAO"));
authRequest.setDetails(yourObject);
}
With this, have your yourDaoAuthenticationProvider to check against this flag before proceeding with further authentication.
In the end, your configuration will look something like this:-
<sec:http auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
<sec:logout logout-success-url="/login.jsp"/>
<sec:intercept-url ... />
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="myAuthenticationFilter"/>
</sec:http>
<bean id="myAuthenticationFilter" class="[YOUR_CUSTOM_AUTHENTICATION_FILTER]">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureHandler" ref="failureHandler"/>
<property name="authenticationSuccessHandler" ref="successHandler"/>
</bean>
<bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.jsp"/>
</bean>
<bean id="successHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/welcome.jsp"/>
<property name="alwaysUseDefaultTargetUrl" value="true"/>
</bean>
<bean id="failureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
<bean id="yourLdapAuthenticationProvider" ... />
<bean id="yourDaoAuthenticationProvider" ... />
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="yourLdapAuthenticationProvider"/>
<sec:authentication-provider ref="yourDaoAuthenticationProvider"/>
</sec:authentication-manager>