Parsing error for spring-security.xml file - spring-security

I know very little or nothing about xml and I have to write a spring-security.xml file . The problem i guess has something to do with my xml not following xsd. Here is the xml.
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<s:http auto-config="true">
<s:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<s:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<s:intercept-url pattern="/**" access="ROLE_USER" />
<s:intercept-url pattern="/" access="ROLE_USER" />
<s:form-login login-page="/login" default-target-url="/getemp"/>
<s:logout logout-success-url="/logout" />
</s:http>
<s:authentication-manager>
<s:authentication-provider>
<s:ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
</s:authentication-provider>
</s:authentication-manager>
<s:ldap-server id="ldapServer" url="ldap://test.com:389" />
</beans>
When I try to run the web application I am getting an error.
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 's:ldap-authentication-provider'. One of '{"http://www.springframework.org/schema/security":any-user-service, "http://www.springframework.org/schema/security":password-encoder}' is expected.
Here is the xsd
spring security xsd

The xsd says that <s:authentication-manager> accepts as children an authentication-provider OR an ldap-authentication-provider. So, remove the <s:authentication-provider> that is wrapping your <s:ldap-authentication-provider> and that should get you past this problem. Your final code should look like:
<s:authentication-manager>
<s:ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
</s:authentication-manager>

Related

Error when trying to use session-management

I am trying to place session-management in my security-application.xml file.
Error:
Invalid content was found starting with element 'session-management'. One of '{"http://www.springframework.org/schema/security":intercept-url,
I tried to put in other places but without success.
Advice?
------------------------UPDATE ONE------------------------
I tried:
<security:session-management invalid-session-url="/logonTimeOut.jsp">
<security:concurrency-control expired-url="/logonTimeOut.jsp"/>
</security:session-management>
and it is still not working.
I think your xml configuration is not correct .Change xml configuration like this
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd"
>
<http create-session="always" use-expressions="true">
<intercept-url pattern="/anonymous*" access="isAnonymous()"/>
<intercept-url pattern="/login*" access="permitAll"/>
<intercept-url pattern="/**" access="isAuthenticated()"/>
<csrf disabled="true"/>
<form-login login-page='/login.html' authentication-success-handler-ref="myAuthenticationSuccessHandler" authentication-failure-url="/login.html?error=true"/>
<logout delete-cookies="JSESSIONID"/>
<remember-me key="uniqueAndSecret" token-validity-seconds="86400"/>
<session-management invalid-session-url="/invalidSession.html">
<concurrency-control max-sessions="2" expired-url="/sessionExpired.html"/>
</session-management>
</http>
<beans:bean id="myAuthenticationSuccessHandler" class="org.baeldung.security.MySimpleUrlAuthenticationSuccessHandler"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user1" password="user1Pass" authorities="ROLE_USER"/>
<user name="admin1" password="admin1Pass" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>

How to override BasicAuthenticationFilter using the schema configuration?

We use Spring Security 4.x and I want to override BasicAuthenticationFilter.
Unfortunately I was not able to find how to configure the class name for the BasicAuthenticationFilter nor in the http element neither in the http-basic element the schema configuration.
How to override BasicAuthenticationFilter using the schema configuration?
I have tried to override BasicAuthenticationFilter using the custom filter without success – the schema continue to create the default BasicAuthenticationFilter.
Added
Very strange. I configured auto-config="false but I still can see the creation of the default BasicAuthenticationFilter.
It should not be created according to the documentation http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#nsa-http
Added
The configuration w/o beans definitions
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:oxm="http://www.springframework.org/schema/oxm"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<sec:global-method-security pre-post-annotations="enabled">
<!-- AspectJ pointcut expression that locates our "post" method and applies security that way
<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
-->
</sec:global-method-security>
<sec:http use-expressions="true" auto-config="true" pattern="/api/**" disable-url-rewriting="false" entry-point-ref="authenticationEntryPoint">
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/api/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:logout logout-url="/logout.faces" success-handler-ref="logoutSuccessHandlerImpl" />
<sec:http-basic entry-point-ref="authenticationEntryPoint"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<!--<sec:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER"/>-->
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
<bean class="org.primefaces.webapp.filter.FileUploadFilter" name="fileUploadFilter"/>
<sec:http use-expressions="true" auto-config="true" disable-url-rewriting="false">
<sec:custom-filter ref="fileUploadFilter" before="FIRST"/>
<sec:custom-filter ref="rememberUrlFilter" before="BASIC_AUTH_FILTER"/>
<sec:custom-filter position="PRE_AUTH_FILTER" ref="ssoFilter" />
<sec:intercept-url pattern="/pages/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/login.faces" access="isAnonymous()"/>
<sec:intercept-url pattern="/js/**" access="permitAll"/>
<sec:intercept-url pattern="/css/**" access="permitAll"/>
<sec:intercept-url pattern="/images/**" access="permitAll"/>
<sec:intercept-url pattern="/img/**" access="permitAll" />
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
<sec:csrf disabled="true"/>
<sec:headers disabled="true"/>
<sec:form-login login-page="/login.faces"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login.faces"
default-target-url="/pages/defaultPage.faces"
username-parameter="j_username"
password-parameter="j_password"
authentication-failure-handler-ref="authenticationFailureHandler"
/>
<sec:logout logout-url="/logout.faces"
success-handler-ref="logoutSuccessHandlerImpl"
/>
<sec:custom-filter ref="localhostIntegrationFilter" after="ANONYMOUS_FILTER"/>
<sec:access-denied-handler ref="accessDeniedHandler"/>
</sec:http>
...
</beans>
As per the schema documentation in the xsd if you want to replace a filter you need to use the position tag:
<sec:custom-filter ref="customBasicAuth" position="BASIC_AUTH_FILTER"/>
Also if you include the <sec:http-basic element, then the default basic auth filter will be added to the filter chain.
The auto-config is a legacy attribute and can be removed (no need to set it to false)

Spring security namespace configuration: cannot put authentication-provider inside a authentication-manager

I‘m start to use spring security to protect my project, but I have a problem with the namespace configuration. Here is my applicationContext-security.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http>
<intercept-url pattern="/**/query/**" access="none" />
</http>
<http>
<intercept-url pattern="/**/edit/**" access="ROLE_USER" />
<form-login />
<logout />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
These code are copied from the reference of spring security. However, the IDE gives following errors:
1, Element authentication-manager doesn't have required attribute alias.
2, Element authentication-provider is not allowed here.
3, Cannot resolve symbol user-service.
4, Cannot resolve symbol user.
What should I do? Thx!

error in spring-security.xml:The matching wildcard is strict, but no declaration can be found for element 'http'

I am developing application in spring for first time.Getting error at line no 11.Can any one solve this. I have added spring-security-config.jar.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<http auto-config="true">
<intercept-url pattern="/admin**" access="ROLE_USER" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<csrf/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="mkyong" password="123456" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
You haven't set the schemaLocation for the security namespace. Copy the examples from the reference manual or one of the sample applications.
You've also tried to use version 2.0.4, which won't work. The csrf element is only available from 3.2 onwards.
I'd also forget about auto-config and add what you want explicitly.

Configuring remember-me in spring security

How can i configure remember-me service in spring security.Am using spring3.0 +hibernate3+ struts2.I have tried as below.
login.jsp
<input type="checkbox" name="_spring_security_remember_me"/>remember-me
applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<description>SpringSecurity安全配置</description>
<!-- http安全配置 -->
<s:http auto-config="true" use-expressions="true" >
<s:intercept-url pattern="/css/**" filters="none" />
<s:intercept-url pattern="/img/**" filters="none" />
<s:intercept-url pattern="/js/**" filters="none" />
<s:intercept-url pattern="/account/user!save*" access="hasAnyRole('ROLE_修改用户')" />
<s:intercept-url pattern="/account/user!delete*" access="hasAnyRole('ROLE_修改用户')" />
<s:intercept-url pattern="/account/user*" access="hasAnyRole('ROLE_浏览用户')" />
<s:intercept-url pattern="/account/role!save*" access="hasAnyRole('ROLE_修改角色')" />
<s:intercept-url pattern="/account/role!delete*" access="hasAnyRole('ROLE_修改角色')" />
<s:intercept-url pattern="/account/role*" access="hasAnyRole('ROLE_浏览角色')" />
<s:form-login login-page="/login.action" default-target-url="/" authentication-failure-url="/login.action?error=true" />
<s:logout logout-success-url="/" />
<s:remember-me/>
</s:http>
<!-- 认证配置, 使用userDetailsService提供的用户信息 -->
<s:authentication-manager erase-credentials="false">
<s:authentication-provider user-service-ref="userDetailsService">
<s:password-encoder hash="plaintext" />
</s:authentication-provider>
</s:authentication-manager>
<!-- 项目实现的用户查询服务 -->
<bean id="userDetailsService" class="net.top.system.service.account.UserDetailsServiceImpl" />
</beans>
But no use at all.What else i need to configure in my application.
In order to make an application that is already secured with Spring, needed to add the following to the XML:
<sec:http authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/secure/**" access="ROLE_USER" />
<sec:form-login/>
<sec:custom-filter … />
<sec:remember-me
data-source-ref="dataSource"
user-service-ref="userDetailsService"/>
</sec:http>
Note that using “data-source” is not a "must", but it actually declares that you want to use a JDBC persistent token. (In this case, Spring works with PersistentTokenBasedRememberMeServices.) Of course the data source bean has to be declared in the XML.
As documented by Spring , a table names persistent_logins has to exist in the DB.
The “userDetailsService” is a ref to the UserService bean, where the users and passwords are declared. It can be in the XML or point to the DB as well.
In run time, Spring creates a Cookie called SPRING_SECURITY_REMEMBER_ME_COOKIE( ) . It is seen with the “JSESSION” Cookie. It we delete the JSESSION (meaning we open a brand new session, just like reopen the browser) the “remember me” cookie remembers the last login, and creates a new JSESSION.
HTH :-)

Resources