My Spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- This is where we configure Spring-Security -->
<security:global-method-security pre-post-annotations="enabled" />
<!-- <security:global-method-security secured-annotations="enabled" /> -->
<security:http auto-config="false" use-expressions="true" access-denied-page="/access-deniad"
entry-point-ref="authenticationEntryPoint">
<security:intercept-url pattern="/RetailEnterpriseSuite/login.do" access="permitAll" requires-channel="https" />
<security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
<!-- <security:intercept-url pattern="/common" access="hasRole('ROLE_USER')"/> -->
<security:intercept-url pattern="/users" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/*" access="permitAll" requires-channel="any"/>
<security:logout
invalidate-session="true"
logout-success-url="/login.html"
logout-url=""/>
<!--
Querying the SessionRegistry for currently authenticated users and their sessions
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals
-->
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
<security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<security:custom-filter ref="singleEntryFilter" after="FORM_LOGIN_FILTER"/>
<security:session-management session-authentication-strategy-ref="sas"/>
</security:http>
<bean id="singleEntryFilter" class="com.stc.res.filter.SingleEntryFilter"
p:redirectURI="/login.html">
<property name="guardURI">
<list>
<!-- <value>/index.html</value> -->
<value>/index.html</value>
<!-- <value>/index.html</value>
<value>/index.html</value>
<value>/index.html</value>
<value>/index.html</value> -->
</list>
</property>
</bean>
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:sessionAuthenticationStrategy-ref="sas"
p:authenticationManager-ref="authenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/>
<!-- We just actually need to set the default failure url here -->
<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/loginfailed" />
<!-- We just actually need to set the default target url here -->
<bean id= "customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
<property name="redirectStrategy" ref="customSuccessRedirStrategy" />
</bean>
<!-- <bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
p:redirectStrategy-ref="customSuccessRedirStrategy" /> -->
<bean id= "customSuccessRedirStrategy" class=" com.stc.res.customeredirection.CustomSuccessRedirection"> </bean>
<!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page,
whenever the server sends back a response requiring authentication -->
<!-- See Spring-Security Reference 5.4.1 for more info -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login.html"/>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<!-- It's important to set the alias here because it's used by the authenticationFilter -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="userservice">
<security:password-encoder ref="passwordEncoder">
<security:salt-source ref="saltSource"/>
</security:password-encoder>
</security:authentication-provider>
<security:authentication-provider user-service-ref="jdbcUserService"/>
</security:authentication-manager>
<bean id="userservice" class="com.stc.res.service.UserLoginService" >
<property name="usrlogindao" ref="userLogindao"/>
</bean>
<bean id="userLogindao" class = "com.stc.res.dao.UserLoginDao" />
<bean id="jdbcUserService" class="com.stc.res.service.JdbcUserService">
<property name="customJdbcDao" ref="custjdbcDao"/>
</bean>
<bean id="custjdbcDao" class= "com.stc.res.dao.CustomJdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
</bean>
<bean id="jdbcAdminUserService" class="com.stc.res.controller.JdbcAdminUserService">
<property name="dataSource" ref="dataSource"/>
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<!-- Use a Sha encoder since the user's passwords are stored as Md5 in the database -->
<bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder"/>
<bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
<property name="userPropertyToUse" value="username"/>
</bean>
<!-- <security:bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMeServices">
<property name="tokenRepository" ref="jdbcTokenRepository" />
<property name="userDetailsService" ref="userservice" />
<property name="key" value="springRocks" />
<property name="alwaysRemember" value="false" />
</security:bean>
Uses a database table to maintain a set of persistent login data
<security:bean id="jdbcTokenRepository" class="org.springframework.security.ui.rememberme.JdbcTokenRepositoryImpl">
<property name="createTableOnStartup" value="false" />
<property name="dataSource" ref="dataSource" />
</security:bean>
-->
<!-- An in-memory list of users. No need to access an external database layer.
See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
<!-- john's password is admin, while jane;s password is user -->
<!-- Filter required by concurrent session handling package
The ConcurrentSessionFilter requires two properties, sessionRegistry, which generally points to an
instance of SessionRegistryImpl, and expiredUrl, which points to the page to display when a session has expired.
See: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals -->
<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"
p:sessionRegistry-ref="sessionRegistry"
p:expiredUrl="/login.html" />
<!-- Defines a concrete concurrent control strategy
Checks whether the user in question should be allowed to proceed, by comparing the number of
sessions they already have active with the configured maximumSessions value. The SessionRegistry
is used as the source of data on authenticated users and session data.
See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.html-->
<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
p:maximumSessions="1" error-if-maximum-exceeded="true" >
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<!-- Maintains a registry of SessionInformation instances
See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/SessionRegistry.html -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans>
and I configured the in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<display-name>MycustomFilter</display-name>
<filter-name>MycustomFilter</filter-name>
<filter-class>com.stc.res.filter.MycustomFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>MycustomFilter</filter-name>
<url-pattern>/MycustomFilter</url-pattern>
</filter-mapping>
listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
Please let me know where is the fault in this code, and please guide me. I am new to spring-security. Even user can login from different browser, without logging out.
Have you tried this snippet from the official documentation (preventing multiple logins):
<security:http ... >
....
<security:session-management>
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>
Related
I have a situation:
Step 1: Obtained access token (grant_type=password) (A1) and also a refresh token.(RT1)
Step 2: Accessed resource (R) using the token (A1) - Success
Step 3:Revoked user access role for Resource R.
Step 4: Obtained access token (grant_type=password) (A2) and also a refresh token.(RT2)
Step 5: Accessed resource (R) using the token (A2) - Failed
till here all fine.now comes the unexpected part.
Step 6: Obtained new access token (grant_type=refresh_token) using RT2. Unexpectedly using this access token i was able to access resource R.
During this whole flow none of the token was expired one.
I see two issues here:- User roles aren't getting updated for refresh token on grant_type=password and for grant_type=refresh_token. Although access token has changed (Step 4) but refresh token remains same RT1 == RT2. hence any further usage of RT gives access token with previous roles.
How do i tell spring (oauth2) to update user roles (for the newly created token's) while obtaining the access token using refresh token and also while updating RT with new roles (step4), to resolve this discrepancy.
Below is the Authorization server configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService">
<bean class="com.dummy.mc.security.service.UserDetailsServiceImpl">
<property name="userRepository" ref="userRepository" />
<property name="grantedAuthorityRepository" ref="grantedAuthorityRepository" />
</bean>
</property>
<property name="passwordEncoder">
<bean class="com.dummy.mc.security.password.McpmPasswordEncoder">
<property name="encodeHashAsBase64" value="true" />
</bean>
</property>
<property name="saltSource">
<bean class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<property name="userPropertyToUse" value="salt" />
</bean>
</property>
</bean>
<!--https://stackoverflow.com/questions/49761597/spring-oauth2-clientid-passed-in-as-username-for-password-grant-type-->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
<constructor-arg ref="dataSource" />
</bean>
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetailsService" />
<property name="reuseRefreshToken" value="false"/>
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientDetailAuthenticationManager" />
</bean>
<!-- Authentication manager for client (not resource-owner) authentication required to
protect the token endpoint URL -->
<security:authentication-manager id="clientDetailAuthenticationManager">
<security:authentication-provider user-service-ref="clientDetailsUserService"/>
</security:authentication-manager>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetailsService"/>
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test/client" />
<property name="typeName" value="Basic" />
</bean>
<security:http pattern="/oauth/token" create-session="stateless" use-expressions="true" authentication-manager-ref="authenticationManager">
<security:intercept-url pattern="/oauth/token" access="isAuthenticated()" />
<security:anonymous enabled="false" />
<security:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters -->
<security:custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
</security:http>
<authorization-server client-details-service-ref="clientDetailsService"
xmlns="http://www.springframework.org/schema/security/oauth2" token-services-ref="tokenServices" >
<authorization-code />
<implicit />
<refresh-token />
<client-credentials />
<password authentication-manager-ref="authenticationManager" />
</authorization-server>
<!-- <oauth:resource-server id="resourceFilter" token-services-ref="tokenServices" authentication-manager-ref="authenticationManager" />
-->
<security:authentication-manager id="authenticationManager">
<security:authentication-provider ref="daoAuthenticationProvider">
</security:authentication-provider>
</security:authentication-manager>
<oauth:client-details-service id="clientDetailsService">
<oauth:client client-id="core-api" secret="secret"
authorized-grant-types="password,client_credentials,refresh_token" scope="read"
resource-ids="api-core" access-token-validity="36000"
authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT" />
</oauth:client-details-service>
</beans>
Resource Server Configuration:
<mvc:default-servlet-handler />
<mvc:annotation-driven/>
<security:global-method-security pre-post-annotations="enabled"/>
<!-- TODO: make an access denied view that tells me something useful -->
<security:http use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint">
<security:intercept-url pattern="/**" access="isFullyAuthenticated() and hasRole('api.core')" />
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:anonymous />
</security:http>
<!-- It's just a "feature" of the Spring Security that an authentication manager is mandatory.
so install an empty one because it isn't used at run time -->
<security:authentication-manager/>
<oauth:resource-server id="resourceServerFilter" token-services-ref="tokenServices" resource-id="api-core"/>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices" >
<property name="tokenStore" ref="tokenStore" />
</bean>
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
<constructor-arg ref="dataSource" />
</bean>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
Authorities are loaded when access token its required.
Using jdbc store, authorities are saved to OAUTH_ACCESS_TOKEN table, AUTHENTICATION column.
When refresh token its required, authorities are loaded from database.
If authorities changed after access token was required, you will have to implement custom token store.
Take a look to org.springframework.security.oauth2.provider.token.store.JdbcTokenStore, and extend from it.
I recently encountered a problem with using springSAML 2.0 in a java project. The "problem" looks very "simple". I also tried to consult the literature and follow the tips on the article but it still does not work.
The network environment in which my program is located is very complex because it is a commercial system for the company. Therefore, the java program is deployed under F5 load balancing. I have already paid attention to setting the class of "contextProvider" to "SAMLContextProviderLB", but the problem It should not be here.
I checked it out:
Error on implementing spring-saml-security with WSO2
I've set: to lazy-init = false, but it still does not work.
I also checked:
SAML authentication is failing with 'MetadataKeyInfoGenerator' does not exist after enabling AXIS2 #200
Although I also suspect that Axis2.0 problem, but I do have no evidence of this problem.
I have two machines deployed two java applications, and these two java applications are open springSAML function, of course, I have generated a keystore configured correctly (but I use the same two keystore two applications, because I The configuration is exactly the same), the two machines after I stop and then start I visit samlLogin are ok, and then I found a customer complained after sleeping, said idp select interface appeared 500 errors, I looked found:
java.lang.IllegalArgumentException: Manager with name 'MetadataKeyInfoGenerator' does not exist
org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager.getFactory (NamedKeyInfoGeneratorManager.java:156)
org.opensaml.xml.security.SecurityHelper.getKeyInfoGenerator (SecurityHelper.java:1049)
org.springframework.security.saml.metadata.MetadataGenerator.generateKeyInfoForCredential (MetadataGenerator.java:255)
org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo (MetadataGenerator.java: 211)
org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor (MetadataGenerator.java:329)
org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata (MetadataGenerator.java:189)
org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization (MetadataGeneratorFilter.java:127)
org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter (MetadataGeneratorFilter.java:86)
org.springframework.security.web.FilterChainProxy $ VirtualFilterChain.doFilter (FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal (FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter (FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate (DelegatingFilterProxy.java:343)
org.springframework.web.filter.DelegatingFilterProxy.doFilter (DelegatingFilterProxy.java:260)
I know this question is DefaultBootstrap does not seem to start, I do not know when Spring will start it, I tracked the source found because:
public class NamedKeyInfoGeneratorManager
{
private Map <String, KeyInfoGeneratorManager> managers;
There's nothing inside the managers.
I was thinking why the managers could not find 'MetadataKeyInfoGenerator'.
Please help me.
my java project web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
<display-name>SSO</display-name>
<!--分割线|在启用saml模式下打开配置|start -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/securityContext.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/saml/*</url-pattern>
<url-pattern>/samlLogin</url-pattern>
</filter-mapping>
<!-- 分割线|在启用saml模式下打开配置 |end-->
......
<servlet>
<servlet-name>AxisServlet</servlet-name>
<servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LoggingConfigure</servlet-name>
<servlet-class>com.ztesoft.zsmart.web.util.Log4jConfigServlet</servlet-class>
<init-param>
<param-name>log4jExposeWebAppRoot</param-name>
<param-value>CVBS_WEBAPP_REALPATH</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>MVCServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/web-application-config.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>MVCServlet</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MVCServlet</servlet-name>
<url-pattern>/oauth/2.0/authorize/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MVCServlet</servlet-name>
<url-pattern>/oauth/2.0/token/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MVCServlet</servlet-name>
<url-pattern>/oauth/2.0/token/validate/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MVCServlet</servlet-name>
<url-pattern>/oauth/2.0/user/getInfo/*</url-pattern>
</servlet-mapping>
<servlet>
<display-name>WebInitServlet</display-name>
<servlet-name>WebInitServlet</servlet-name>
<servlet-class>com.ztesoft.zsmart.sso.web.servlet.WebInitServlet</servlet-class>
<init-param>
<param-name>DEFAULT_LANGUAGE</param-name>
<param-value>en-US</param-value>
</init-param>
<init-param>
<param-name>LOCAL_CHARSET</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>DEFAULT_CHARSET</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>REQUEST_ENCODE</param-name>
<param-value>ISO-8859-1</param-value>
</init-param>
<load-on-startup>100</load-on-startup>
</servlet>
<!-- saml 功能开启是打开-->
<servlet>
<servlet-name>samlLoginServlet</servlet-name>
<servlet-class>
com.ztesoft.zsmart.sso.web.servlet.SamlLoginServlet
</servlet-class>
<init-param>
<param-name>serviceUrl</param-name>
<param-value>/saml/logout</param-value>
</init-param>
<init-param>
<param-name>path</param-name>
<param-value>/</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>samlLoginServlet</servlet-name>
<url-pattern>/samlLogin</url-pattern>
</servlet-mapping>
<servlet>
<description>Common Servlet for Download</description>
<display-name>Common Servlet for Download</display-name>
<servlet-name>DownloadServlet</servlet-name>
<servlet-class>com.ztesoft.zsmart.web.servlet.DownloadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadServlet</servlet-name>
<url-pattern>/DownloadServlet.do</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<welcome-file-list>
<welcome-file>LoginIndex.do</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>jsp</servlet-name>
<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
<init-param>
<param-name>trimSpaces</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<error-page>
<error-code>404</error-code>
<location>/Error.do?SSO_ERROR_CODE=S-SSO-10044</location>
</error-page>
<servlet>
<description></description>
<display-name>OauthAppAPI</display-name>
<servlet-name>OauthAppAPI</servlet-name>
<servlet-class>com.ztesoft.zsmart.sso.oauth.v2.as.api.OauthAppAPI</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>OauthAppAPI</servlet-name>
<url-pattern>/OauthAppAPI</url-pattern>
</servlet-mapping>
</web-app>
my securityContext.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- Enable auto-wiring -->
<context:annotation-config/>
<!-- Scan for auto-wiring classes in spring saml packages -->
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- 配置不拦截资源 -->
<security:http security="none" pattern="/webportal/**"/>
<security:http security="none" pattern="/webtechfrm/**"/>
<security:http security="none" pattern="/sso/**"/>
<security:http security="none" pattern="/oauth/**"/>
<security:http security="none" pattern="/*.do"/>
<security:http security="none" pattern="/*/*/*.do"/>
<security:http security="none" pattern="/*/*/*/*.do"/>
<security:http security="none" pattern="/Login.jsp*"/>
<security:http security="none" pattern="/metadata/**"/>
<security:http security="none" pattern="/services/**"/>
<!--配置节点 -->
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
<!--SAML处理拦截器-->
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
<security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
<security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
<security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
</security:filter-chain-map>
</bean>
<!-- Handler deciding where to redirect user after successful login -->
<bean id="successRedirectHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/samlLogin"/>
</bean>
<!-- Handler deciding where to redirect user after failed login -->
<bean id="failureRedirectHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="useForward" value="true"/>
<property name="defaultFailureUrl" value="/Error.do?SSO_ERROR_CODE=P_ADFS_LOGINERROR"/>
</bean>
<!-- Handler for successful logout -->
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<!--<property name="defaultTargetUrl" value="/LoginIndex.do"/>-->
</bean>
<security:authentication-manager alias="authenticationManager">
<!-- Register authentication manager for SAML provider -->
<security:authentication-provider ref="samlAuthenticationProvider"/>
</security:authentication-manager>
<!-- Logger for SAML messages and events -->
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>
<!-- 配置SSL证书,需要在部署之前配置好 -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="/WEB-INF/tomcat/tomcat-ssl.keystore"/>
<constructor-arg type="java.lang.String" value="ztesoft"/>
<constructor-arg>
<map>
<entry key="tomcat7" value="ztesoft"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="tomcat7"/>
</bean>
<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
<!--
<property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
-->
</bean>
</property>
</bean>
<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<property name="idpSelectionPath" value="/idpSelection.jsp"/>
</bean>
<!-- 该过滤器希望对已配置的URL进行调用,并向用户提供表示该应用程序部署的SAML2元数据。 -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="extendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="signMetadata" value="false"/>
<property name="idpDiscoveryEnabled" value="true"/>
</bean>
</property>
<property name="entityBaseURL" value="https://webportalapp.bes.post.lu:8440/sso"/>
</bean>
</constructor-arg>
</bean>
<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<!-- 配置IDP Metadata,可配置多个 -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<!-- ADFS -->
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.FilesystemResource">
<constructor-arg value="/sso/cer/post/federationmetadata.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
</bean>
<!-- Provider of default SAML Context -->
<!--<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>-->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
<property name="scheme" value="https"/>
<property name="serverName" value="webportalapp.bes.post.lu"/>
<property name="serverPort" value="8440"/>
<property name="includeServerPortInRequestURL" value="false"/>
<property name="contextPath" value="/sso"/>
</bean>
<!-- Processing filter for WebSSO profile messages -->
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
</bean>
<!-- Processing filter for WebSSO Holder-of-Key profile -->
<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="false"/>
</bean>
<!-- Override default logout processing filter with the one processing SAML messages -->
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
<constructor-arg index="2" ref="logoutHandler"/>
</bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
</bean>
<!-- Class loading incoming SAML messages from httpRequest stream -->
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg>
<list>
<ref bean="redirectBinding"/>
<ref bean="postBinding"/>
<ref bean="artifactBinding"/>
<ref bean="soapBinding"/>
<ref bean="paosBinding"/>
</list>
</constructor-arg>
</bean>
<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 Web SSO profile -->
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 ECP profile -->
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>
<!-- SAML 2.0 Logout Profile -->
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
</bean>
<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
<constructor-arg>
<bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
<constructor-arg>
<bean class="org.apache.commons.httpclient.HttpClient">
<constructor-arg>
<bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
</constructor-arg>
</bean>
</constructor-arg>
<property name="processor">
<bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg ref="soapBinding"/>
</bean>
</property>
</bean>
</constructor-arg>
</bean>
<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<!-- 初始化 OpenSAML library-->
<bean class="org.springframework.security.saml.SAMLBootstrap" lazy-init="false"/>
<!-- 初始化搜索引擎 -->
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>
<!-- OpenSAML解析所需的XML解析器池-->
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
</beans>
I use Fortify for scanning code and got this problem by recommend
Recommendations: Utilize Spring Security and SSL to provide authentication, authorization, confidentiality and integrity.
So I'm trying to fix this problem by implement Spring Security and basic authentication from the example guide
http://www.jayway.com/2008/09/30/spring-remoting-with-security-and-ssl/
I will get spring configuration like this
---- Server Side Configurations ---
remote-server.xml
<bean name="/testService" class="org.springframework.remoting.caucho.HessianServiceExporter">
<property name="service" ref="testService" />
<property name="serviceInterface" value="example.TestService" />
</bean>
security-server.xml
<security:http auto-config="true">
<security:http-basic/>
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service id="uds">
<security:user name="testUser" password="testPassword" authorities="ROLE_ADMIN, ROLE_MANAGER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
--- Client Side Configurations ---
remote-client.xml
<bean id="rcaRemotingService" class="org.springframework.remoting.caucho.HessianProxyFactoryBean">
<property name="serviceUrl" value="${endpoint.url}/testService"/>
<property name="serviceInterface" value="example.TestService"/>
<property name="username" value="${endpoint.user}"/>
<property name="password" value="${endpoint.password}"/>
</bean>
But it doesn't work, the tools always hilight the problem like this
Abstract: On line 5 of remoting-servlet.xml, the application exposes
spring beans as remote services. By default, these remote services do
not require authentication and information transferred to or from this
service is in clear text. This could allow an attacker to access
privileged operations or expose sensitive data.
Sink: remote-server.xml:5 null()
line 5: <bean name="/testService" class="org.springframework.remoting.caucho.HessianServiceExporter">
<property name="service" ref="testService" />
<property name="serviceInterface" value="example.TestService" />
</bean>
My application's sequrity system is based on Spring Sequrity 3.1. I am using PersistentTokenBasedRememberMeServices.
I need to display a list of all logged users using Sessionregistrympl. The problem is that when the site goes "rememberme-user", it's session does not exist in SessionRegistry.
My configuration files:web.xml
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
and spring-sequrity.xml:
<s:http auto-config="false" entry-point-ref="authenticationEntryPoint" >
<s:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
<s:custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeFilter" />
<s:custom-filter position="CONCURRENT_SESSION_FILTER" ref= "concurrencyFilter" />
<s:custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
<s:intercept-url pattern="/admin/**/" access="ROLE_ADMIN"/>
<s:intercept-url pattern="/**/" access="ROLE_USER, ROLE_GUEST"/>
<s:anonymous username="guest" granted-authority="ROLE_GUEST" />
</s:http>
<bean
id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter"
p:filterProcessesUrl="/logout/">
<constructor-arg value="/login/" />
<constructor-arg>
<list>
<ref bean="rememberMeServices" />
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" p:invalidateHttpSession="true"/>
</list>
</constructor-arg>
</bean>
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login/"/>
<bean id="customAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
p:defaultTargetUrl="/index/" />
<bean id="customAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/login/error/" />
<bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices"
p:tokenRepository-ref="jdbcTokenRepository"
p:userDetailsService-ref="hibernateUserService"
p:key="pokeristStore"
p:tokenValiditySeconds="1209600" />
<bean id="jdbcTokenRepository"
class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl"
p:dataSource-ref="dataSource"/>
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider"
p:key="pokeristStore" />
<bean id="rememberMeFilter"
class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter"
p:rememberMeServices-ref="rememberMeServices"
p:authenticationManager-ref="authenticationManager" />
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:sessionAuthenticationStrategy-ref="sas"
p:authenticationManager-ref="authenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:rememberMeServices-ref="rememberMeServices"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/>
<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
p:maximumSessions="1">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter"
p:sessionRegistry-ref="sessionRegistry" />
<bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
<constructor-arg value="256"/>
</bean>
<bean id="saltSource"
class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<property name="userPropertyToUse" value="username"/>
</bean>
<bean id="hibernateUserService"
class="com.mysite.service.simple.SecurityUserDetailsService"/>
<s:authentication-manager alias="authenticationManager">
<s:authentication-provider user-service-ref="hibernateUserService">
<s:password-encoder ref="passwordEncoder">
<s:salt-source ref="saltSource"/>
</s:password-encoder>
</s:authentication-provider>
<s:authentication-provider ref="rememberMeAuthenticationProvider" />
How can I solve this problem?
One of the solutions found by me - is to set alwaysReauthenticate property to 'true' in FilterSecurityInterceptor bean, but it affects the performance of web-site.
You need a ConcurrentSessionControlStrategy, to populate the session registry. This is described in the session management section of the manual. Check out the configuration example in there if you want to use plain Spring beans. Note that you need to inject it into both the supply the same reference to both the UsernamePasswordAuthenticationFilter and the session-management namespace element.
If you want SessionRegistry to be populated Spring Security have to create a session, try adding create-session="always" to your <http> tag in Spring Security configuration file.
I have configured my web application with the following config file:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
<!--
Filter chain; this is referred to from the web.xml file. Each filter
is defined and configured as a bean later on.
-->
<!-- Note: anonumousProcessingFilter removed. -->
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain pattern="/**"
filters="securityContextPersistenceFilter,
basicAuthenticationFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</security:filter-chain-map>
</bean>
<!--
This filter is responsible for session management, or rather the lack
thereof.
-->
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name="securityContextRepository">
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
<property name="allowSessionCreation" value="false" />
</bean>
</property>
</bean>
<!-- Basic authentication filter. -->
<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>
<!-- Basic authentication entry point. -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="Ayudo Web Service" />
</bean>
<!--
An anonymous authentication filter, which is chained after the normal authentication mechanisms and automatically adds an
AnonymousAuthenticationToken to the SecurityContextHolder if there is no existing Authentication held there.
-->
<!--
<bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousProcessingFilter">
<property name="key" value="ayudo" /> <property name="userAttribute" value="anonymousUser, ROLE_ANONYMOUS" /> </bean>
-->
<!--
Authentication manager that chains our main authentication provider
and anonymous authentication provider.
-->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider" />
<ref local="inMemoryAuthenticationProvider" />
<!-- <ref local="anonymousAuthenticationProvider" /> -->
</list>
</property>
</bean>
<!--
Main authentication provider; in this case, memory implementation.
-->
<bean id="inMemoryAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="propertiesUserDetails" />
</bean>
<security:user-service id="propertiesUserDetails" properties="classpath:operators.properties" />
<!-- Main authentication provider. -->
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<!--
An anonymous authentication provider which is chained into the ProviderManager so that AnonymousAuthenticationTokens are
accepted.
-->
<!--
<bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
<property name="key" value="ayudo" /> </bean>
-->
<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
<property name="accessDeniedHandler">
<bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />
</property>
</bean>
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="securityMetadataSource">
<security:filter-security-metadata-source use-expressions="true">
<security:intercept-url pattern="/*.html" access="permitAll" />
<security:intercept-url pattern="/version" access="permitAll" />
<security:intercept-url pattern="/users/activate" access="permitAll" />
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:filter-security-metadata-source>
</property>
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
</list>
</property>
</bean>
As soon as I run my application on tomcat, I get a request for username/password basic authentication dialog. Even when I try to access: localhost:8080/myapp/version, which is explicitly set to permitAll, I get the authentication request dialog. Help!
Thank,
Sammy
You have the basicAuthenticationFilter in your filter chain therefor it's going to try to authenticate a user. The permitAll will allow any user, but the request still needs to have a user in the SecurityContext (retrieved from your UserDetailsService).
If you want those URI's to allow all access (even without authenticating a user) then do this:
<intercept-url pattern="/version" filters="none"/>