I have racked my brain about this for a while now, and have gotten nowhere. This is what is in my security-context.xml. This is going to be a servlet.
<security:http auto-config="true">
<security:intercept-url pattern="/"
access="IS_AUTHENTICATED_REMEMBERED" />
<security:intercept-url pattern="/login.html"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:form-login login-page="/login.html"
authentication-failure-url="/loginFailed.html" default-target-url="" />
<security:anonymous />
<security:logout />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userSearch" ref="userSearch">
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean id="authoritiesPopulator"
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource" />
<beans:constructor-arg value="" />
<beans:property name="groupRoleAttribute" value="cn" />
<beans:property name="searchSubtree" value="true" />
<beans:property name="rolePrefix" value="ROLE_" />
<beans:property name="convertToUpperCase" value="true" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg
value="thepathtomyLDAPdatabase" />
<beans:property name="userDn"
value="theuserpathforLDAP" />
<beans:property name="password" value="mypassword" />
</beans:bean>
<beans:bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="CN=Users" />
<beans:constructor-arg index="1"
value="(sAMAccountName={0})" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
I keep getting the following error:
nested exception is java.lang.NoClassDefFoundError: org/springframework/dao/IncorrectResultSizeDataAccessException
Can someone please tell me what I am doing wrong? Thanks.
You need to ensure that you have spring-tx on your classpath. If you are using a build tool, you can figure out its configuration by looking at something like search.maven.org to explain what the configuration would look like. For example, if you are using Spring 3.2.0.RELEASE and Maven you will want to ensure you have the following in your pom.xml:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>3.2.0.RELEASE</version>
</dependency>
Note that it is critical to ensure that your Spring dependency versions match (i.e. the artifacts with group org.springframework should match), so if you are not using Spring 3.2.0.RELEASE elsewhere, you will want to ensure that you change the version number to match your other Spring dependencies.
Related
Im trying to get refresh token from oauth service but im get an error
here my code
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd ">
<!-- This is default url to get a token from OAuth -->
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<!-- This is where we tells spring security what URL should be protected
and what roles have access to them -->
<http pattern="/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/**" access="ROLE_ADMIN" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test" />
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<authentication-manager id="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<!-- Authentication manager -->
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<user-service id="userDetailsService">
<user name="admin" password="password" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<!-- This defined token store, we have used inmemory tokenstore for now
but this can be changed to a user defined one -->
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
<!-- This is where we defined token based configurations, token validity
and other things -->
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="accessTokenValiditySeconds" value="10" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
<property name="tokenServices" ref="tokenServices" />
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
resource-id="test" token-services-ref="tokenServices" />
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="my-trusted-client"
authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
authorities="ROLE_ADMIN" redirect-uri="/web" scope="read,write,trust"
access-token-validity="30" refresh-token-validity="600" />
</oauth:client-details-service>
<sec:global-method-security
pre-post-annotations="enabled" proxy-target-class="true">
<!--you could also wire in the expression handler up at the layer of the
http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
</beans>
and this an URL im trying
http://localhost:9090/SpringSecurity/oauth/token?grant_type=password&client_id=my-trusted-client&username=admin&password=password
if trying run this url in Postman im getting this error
{
"error": "unauthorized",
"error_description": "No client with requested id: "
}
Spring security relies on the Spring MVC framework to deal with requests and responses. Therefor the MVC framework needs to be included and properly setup for Spring security OAuth to work.
<mvc:annotation-driven />
in my mvc-dispatcher-servlet.xml
<
beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<mvc:resources mapping="/resources/**" location="/resources/"/>
<mvc:annotation-driven />
<context:annotation-config />
<context:component-scan base-package="com.mkyong.*" />
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/pages/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
</beans>
I have a very strange problem. I try to use Spring Security (4.1.0) for user authentication on a WildFly Server. I tried WildFly 9 and 10.
My authentication data is stored after the login and Spring can use it, when it calls getAuthentication() of SecurityContext, but if I call
SecurityContextHolder.getContext().getAuthentication() it returns null. I already recognized, that I get a different SecurityContextImpl (different object ID).
I tried already to use the three different modes of SecurityContextHolder, but it made no difference.
My security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.2.xsd">
<b:bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<b:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<b:property name="allowIfAllAbstainDecisions" value="false" />
<b:constructor-arg>
<b:list>
<b:bean class="tool.security.RightVoter" />
</b:list>
</b:constructor-arg>
</b:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="loginAuthenticationProvider" />
</authentication-manager>
<b:bean id="authenticationProcessingFilter"
class="tool.security.AuthenticationProcessingFilter">
<b:constructor-arg value="/processLogin" /> <!-- defaultFilterProcessesUrl -->
<b:property name="authenticationManager" ref="authenticationManager" />
<!-- <b:property name="filterProcessesUrl" value="/processLogin" /> -->
<b:property name="authenticationSuccessHandler">
<b:bean
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<b:property name="alwaysUseDefaultTargetUrl" value="true" />
<b:property name="defaultTargetUrl" value="/initLogin" />
</b:bean>
</b:property>
<b:property name="authenticationFailureHandler">
<b:bean class="tool.security.LoginFailureHandler">
<b:property name="redirectUrl" value="/login" />
</b:bean>
</b:property>
</b:bean>
<b:bean id="loginExistsFilter" class="tool.security.LoginExistsFilter">
<b:property name="loginUrl" value="/login" />
</b:bean>
<b:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<b:constructor-arg value="/login" /> <!-- loginFormUrl -->
</b:bean>
<b:bean id="loginAuthenticationProvider"
class="tool.security.LoginAuthenticationProvider">
<b:property name="loginService" ref="loginService" />
</b:bean>
<b:bean id="loginService" class="tool.security.LoginServiceImpl">
<b:property name="userDao" ref="userDao" />
<b:property name="userTF" ref="userTF" />
<b:property name="passwordEncoder" ref="passwordEncoder" />
</b:bean>
<b:bean id="userDao" class="tool.user.impl.MongoUserDao"></b:bean>
<b:bean id="userTF" class="tool.user.UserTFImpl"></b:bean>
<http security="none" pattern="/css/**" />
<http security="none" pattern="/js/**" />
<http security="none" pattern="/login" />
<http security="none" pattern="/loginRedirect" />
<http security="none" pattern="/invalidbrowser" />
<http entry-point-ref="authenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager">
<session-management invalid-session-url="/login?timeout=1"
session-fixation-protection="newSession">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management>
<custom-filter ref="authenticationProcessingFilter"
position="FORM_LOGIN_FILTER" />
<custom-filter ref="loginExistsFilter" before="FILTER_SECURITY_INTERCEPTOR" />
<csrf disabled="true" />
</http>
<global-method-security
access-decision-manager-ref="accessDecisionManager"
secured-annotations="enabled" />
I solved the problem by a movement of my call to SecurityContextHolder.getContext().getAuthentication(), it was first located in an included maven project, now it is in the same project and I have access to the same SecurityContextImpl instance.
This is my security configuration file, Any Idea how to do implement this? since from last 3 days i am working on this but did not get the solution. Your help is appreciate.
<http access-denied-page="/WEB-INF/pages/accessdenied.jsp"
auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<logout invalidate-session="true" logout-success-url="/logout.html" delete-cookies="JSESSIONID" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/admin/**" method = "GET" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/welcome.html" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<custom-filter position="FORM_LOGIN_FILTER" ref="testFilter" />
</http>
<beans:bean id="testFilter"
class="com.test.dev..PreUsernamePasswordAuthenticationFilter">
<beans:property name="postOnly" value="false" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
</beans:bean>
<beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/welcome.html" />
<beans:property name="alwaysUseDefaultTargetUrl" value="true" />
</beans:bean>
<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/loginfailed.html" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.html" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService">
</authentication-provider>
</authentication-manager>
<security:global-method-security
secured-annotations="enabled" jsr250-annotations="enabled"
pre-post-annotations="enabled">
</security:global-method-security>
You add this filter in web.xml file and import your spring security.xml file into application-context.xml file.?????????????????
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
I have a spring mvc webapp using spring security and one thing I would like to do every time a user logs in is log the number of concurrent users on the system.
To do this I have given my session registry an alias and then I autowire into a class and say...
List<Object> principals = sessionRegistry.getAllPrincipals();
MDC.put(MDCKeyConstants.CONCURRENT_USER_COUNT, principals.size());
but principals.size is coming to 0 . i.e. the principals list is empty. Am I missing something else that I need to configure?
Sorry for the long post but I'm putting my spring security config here to try and get some help with the issue.. thanks in advance...
<http use-expressions="true" auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
<!-- custom filters -->
<custom-filter position="FORM_LOGIN_FILTER" ref="twoFactorAuthenticationFilter" />
<custom-filter after="SECURITY_CONTEXT_FILTER" ref="securityLoggingFilter"/>
<!-- session management -->
<session-management
invalid-session-url="/sessionExpired.htm"
session-authentication-error-url="/alreadyLoggedIn.htm">
<concurrency-control
max-sessions="1"
expired-url="/sessionExpiredDuplicateLogin.htm"
error-if-maximum-exceeded="false"
session-registry-alias="sessionRegistry"/>
</session-management>
<!-- error handlers -->
<access-denied-handler error-page="/accessDenied.htm"/>
<!-- logout -->
<logout logout-success-url="/logout.htm" invalidate-session="false" delete-cookies="JSESSIONID"/>
<!-- authorize pages -->
<intercept-url pattern="/home.htm" access="isAuthenticated()" />
<intercept-url pattern="/shortsAndOvers.htm" access="isAuthenticated()" />
<intercept-url pattern="/shortsAndOversDaily.htm" access="isAuthenticated()" />
<intercept-url pattern="/birtpage.htm" access="isAuthenticated()" />
<intercept-url pattern="/reports/show.htm" access="isAuthenticated()" />
</http>
<!-- =============================== -->
<!-- AUTHENTICATION BEANS -->
<!-- =============================== -->
<beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsDao" />
<beans:property name="passwordEncoder" ref="encoder" />
</beans:bean>
<beans:bean id="twoFactorAuthenticationFilter" class="com.mycompany.reporting.security.TwoFactorAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="postOnly" value="true" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.htm" />
</beans:bean>
<beans:bean id="successHandler" class="com.mycompany.reporting.security.CustomSavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/home.htm" />
</beans:bean>
<beans:bean id="failureHandler" class="com.mycompany.reporting.security.CustomSimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/loginfailed.htm" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="authenticationProvider"></authentication-provider>
</authentication-manager>
Try this. It has worked for me.
in <http></http>,
<session-management session-authentication-strategy-ref="sas" invalid-session-url="/invalid-session" />
And declare beans as follows:
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
And do not forget to add org.springframework.security.web.session.HttpSessionEventPublisher listener to your web configuration.
Authentication and Authorization is working properly. But remember me is not working properly in the application.
I have used both database authentication and ldap authentication using spring security (only one at a time) with lot of spring security customization.
Below is my spring security context file.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<context:property-placeholder location="classpath:/application.properties"/>
<http use-expressions="true">
<intercept-url pattern="/resources/**" filters="none" />
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login login-page="/login"/>
<logout invalidate-session="true"
logout-success-url="/"
logout-url="/logout"/>
<remember-me key="myApp2" />
<custom-filter before="FORM_LOGIN_FILTER" ref="applicationAuthenticationFilter"/>
</http>
<beans:bean id="applicationAuthenticationFilter" class="com.myApp.security.DmxAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationFailureHandler" ref="failureHandler"/>
<beans:property name="authenticationSuccessHandler" ref="successHandler"/>
<beans:property name="authenticationMethod" value="${authenticationMethod}"/>
</beans:bean>
<beans:bean id="successHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/home"/>
<beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
</beans:bean>
<beans:bean id="failureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login?login_error=1"/>
</beans:bean>
<beans:bean id="accessControlService" class="com.myApp.services.AccessControlService"/>
<beans:bean id="userService" class="com.myApp.services.UserService"/>
<beans:bean id="roleService" class="com.myApp.services.RoleService"/>
<beans:bean id="lookupService" class="com.myApp.services.LookupService"/>
<beans:bean id= "userDetailsService" class="com.myApp.security.DmxUsersDetailsServiceImpl">
<beans:property name="accessControlService" ref="accessControlService"/>
</beans:bean>
<beans:bean id="databaseAuthenticationProvider" class="com.myApp.security.DmxAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"/>
<!-- <beans:property name="hideUserNotFoundExceptions" value="false"/> -->
</beans:bean>
<!-- ================ LDAP configuration STARTS here ================ -->
<beans:bean id="ldapServer" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="${ldap.url}"/>
<beans:property name="userDn" value="${ldap.userDn}"/>
<beans:property name="password" value="${ldap.password}"/>
<!--
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry key="java.naming.referral" value="follow" />
</beans:map>
</beans:property>
-->
</beans:bean>
<beans:bean id="ldapSearchBean" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg value="${ldap.userSearchBase}"/>
<beans:constructor-arg value="${ldap.userSearchFilter}"/>
<beans:constructor-arg ref="ldapServer"/>
</beans:bean>
<beans:bean id="ldapAuthenticationProvider" class="com.myApp.security.DmxLdapAuthenticationProvider">
<beans:constructor-arg ref="ldapBindAuthenticator"/>
<beans:constructor-arg ref="ldapAuthoritiesPopulator"/>
<beans:property name="userDetailsContextMapper" ref="ldapUserDetailsContextMapper"/>
</beans:bean>
<beans:bean id="ldapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="ldapServer"/>
<beans:property name="userSearch" ref="ldapSearchBean"/>
</beans:bean>
<beans:bean id="ldapAuthoritiesPopulator" class="com.myApp.security.DmxLdapAuthoritiesPopulator">
<beans:constructor-arg ref="ldapServer" />
<beans:constructor-arg value="" />
<beans:property name="groupSearchFilter" value="${ldap.groupSearchFilter}"/>
<beans:property name="groupRoleAttribute" value="${ldap.groupRoleAttribute}" />
<beans:property name="rolePrefix" value=""/>
<beans:property name="searchSubtree" value="true"/>
<beans:property name="convertToUpperCase" value="false"/>
<beans:property name="ldapTemplate" ref="ldapTemplate"/>
</beans:bean>
<beans:bean id= "dmxUsersMapper" class="com.myApp.security.DmxUsersMapper">
<beans:property name="accessControlService" ref="accessControlService"/>
<beans:property name="userService" ref="userService"/>
<beans:property name="roleService" ref="roleService"/>
<beans:property name="lookupService" ref="lookupService"/>
<beans:property name="organizationUname" value="${organizationUname}"/>
<beans:property name="companyUname" value="${companyUname}"/>
<beans:property name="ldapUsername" value="${ldap.db.userName}"/>
<beans:property name="password" value="${ldap.db.password}"/>
</beans:bean>
<beans:bean class="com.myApp.security.DmxLdapUserDetailsMapper" id="ldapUserDetailsContextMapper">
<beans:property name="dmxUsersMapper" ref="dmxUsersMapper"/>
</beans:bean>
<beans:bean id="ldapTemplate" class="org.springframework.security.ldap.SpringSecurityLdapTemplate">
<beans:constructor-arg ref="ldapServer" />
<beans:property name="ignorePartialResultException" value="true"/>
</beans:bean>
<!-- ================ LDAP configuration ENDS here ================ -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="databaseAuthenticationProvider" />
<authentication-provider ref="ldapAuthenticationProvider"/>
</authentication-manager>
<beans:bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<beans:property name="basenames">
<beans:list>
<beans:value>com/myApp/resourceBundles/SecurityMessages</beans:value>
</beans:list>
</beans:property>
</beans:bean>
</beans:beans>
Below is my login page.
<form action="j_dmx_security_filter" method="post">
<table border="0" class="section_tbl2">
<tr>
<td><label for="j_organization">Organization</label> </td>
<td> : </td>
<td><input id="j_organization" name="j_organization" size="20" maxlength="50"
type="text" class="txtinput"/></td>
</tr>
<tr>
<td> <label for="j_company">Company</label></td>
<td> : </td>
<td> <input id="j_company" name="j_company" size="20" maxlength="50"
type="text" class="txtinput"/></td>
</tr>
<tr>
<td><label for="j_username">Username</label> </td>
<td> : </td>
<td><input id="j_username" name="j_username" size="20" maxlength="50"
type="text" class="txtinput"/></td>
</tr>
<tr>
<td><label for="j_password">Password</label> </td>
<td> : </td>
<td><input id="j_password" name="j_password" size="20" maxlength="50"
type="password" class="txtinput"/></td>
</tr>
<tr>
<td></td>
<td></td>
<td> <input type="submit" value="Login"/></td>
</tr>
<tr>
<td></td>
<td></td>
<td> <input id="_spring_security_remember_me" name="_spring_security_
remember_me" type="checkbox" value="true"/>
<label for="_spring_security_remember_me">Remember Me?</label></td>
</tr>
</table>
</form>
The remember me token itself is not getting created.
Please help.
in order to help, where are your relevant beans definitions of the RememberMe? such as
<bean id="rememberMeServices" class=
"org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="jpaUserDetailsService"/>
<property name="key" value="89dqj219dn910lsAc12"/>
</bean>
<bean id="rememberMeAuthenticationProvider" class=
"org.springframework.security.authentication.RememberMeAuthenticationProvider">
<property name="key" value="89dqj219dn910lsAc12"/>
</bean>
(this is too long to be written as a comment, so I wrote it as an "answer"... sorry)
In the Spring security they provide 2 ways to use the rememberMe service.
In the rememberMeService Definition, set a property alwaysRememberMe is true. In this case whenever first time user try to access the secure URL it will take to login page. once user logged in with correct user name and password, after onwards it wil not ask you for login until you logout.
In the login page add a remember me checkbox with name "_spring_security_remember_me" and value="true". In this case when user select the remember me check box then only it will able to access to secure URL without login page until u logout.
Its working for me..
This is how I did and it worked....complete sample of working code is available HERE
<security:http use-expressions='true'>
<security:intercept-url pattern="/protected" access="isAuthenticated()"/>
<security:intercept-url pattern="/**" access="permitAll"/>
<security:form-login login-page="/login" authentication-failure-url="/login?login_error=1" />
<security:logout logout-url="/j_spring_security_logout" />
<security:remember-me services-ref="rememberMeServices" key="testKeyForBlog" />
</security:http>
<bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<property name="tokenRepository" ref="customTokenRepository" />
<property name="userDetailsService" ref="userDetailsService" />
<property name="key" value="testKeyForBlog" />
</bean>
You have to use rememberMeService and pass it to your applicationAuthenticationFilter
rememberMeSevice will be like
<beans:bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="key" value="myApp2" />
</beans:bean>
Your Authentication will be
<beans:bean id="applicationAuthenticationFilter" class="com.myApp.security.DmxAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="rememberMeServices" ref="rememberMeServices" />
<beans:property name="authenticationFailureHandler" ref="failureHandler"/>
<beans:property name="authenticationSuccessHandler" ref="successHandler"/>
<beans:property name="authenticationMethod" value="${authenticationMethod}"/>
</beans:bean>
This should work