File Uploading Spring Webflow 2.3 and Security - spring-security

Has anyone had an issue with doing file uploads using Spring Webflow 2.3 and Spring Security? Anytime I have a JSP page with the enctype="multipart/form-data" it all goes up in flames. I have added this:
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    <!-- one of the properties available; the maximum file size in bytes -->
    <property name="maxUploadSize" value="100000"/>
</bean>
into the Spring config as well as having the commons-fileupload JAR available to the application

Increase the maxUploadSize as value="1048576", strangely it doesn't throw any exception.

Related

Implementation of Google authentication (OAuth) in CAS

I'm trying to implement Google authentication (OAuth) in CAS 4.1.9.
First of all I have created a new project on console.developers.google.com in which I have generated a new client id for my application.
Then, I have installed CAS using Maven overlays. In my pom.xml I included the pac4j dependency as follows:
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-oauth</artifactId>
    <version>3.4.0</version>
    <scope>runtime</scope>
</dependency>
Moreover, this is what I have added in my applicationContext.xml file:
<bean id="GoogleAuthenticationHandler"
      class="org.pac4j.oauth.client.Google2Client"
      p:key="<MYKEY>"
      p:secret="<MYSECRET>"
      p:scope="EMAIL_AND_PROFILE" />
<bean id="clients"
      class="org.pac4j.core.client.Clients">
    <property name="callbackUrl" value="https://myapplication.com/cas" />
    <property name="clients">
        <list>
            <ref bean="GoogleAuthenticationHandler" />
        </list>
    </property>
</bean>
And finally I have added the following line in casLoginView.jsp
<a href="${Google2ClientUrl}">Authenticate with Google</a> <br />
The maven compilation worked fine and the war file deployed successfully on my tomcat server.
The problem is that the href to Google in my CAS login web page does not contain the correct OAuth url but the same redirect url I have defined for my client under console.developers.google.com.
As second attempt I tried to substitute ${Google2ClientUrl} with the OAuth url:
<a href="https://accounts.google.com/o/oauth2/auth?redirect_uri=https://myapplication.com/cas&response_type=code&client_id=<MY CLIENT ID>&scope=https://www.googleapis.com/auth/analytics.readonly+https://www.googleapis.com/auth/userinfo.email&approval_prompt=force&access_type=offline">Authenticate with Google</a> <br />
In this case the Google login page shows up and it accepts user authentication, but it seems that CAS does not recognize a successful user authentication by Google (i.e. it does not show the normal page containing the authentication success message).
Did I miss something?
Thanks a lot for your help!
I managed to solve the problem by installing a newer version of CAS (5.3.6). Here the Google authenticator configuration is much easier. Actually only two steps are needed:
1) add pac4j dependency in the pom.xml file
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pac4j-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>
2) add the Google authenticator parameter in the cas.properties file:
cas.authn.pac4j.google.id=<MY_CLIENT_ID>
cas.authn.pac4j.google.secret=<MY_SECRET>
cas.authn.pac4j.google.clientName=<MY_CLIENT_NAME>
cas.authn.pac4j.google.autoRedirect=false
cas.authn.pac4j.google.principalAttributeId=
cas.authn.pac4j.google.scope=EMAIL_AND_PROFILE
Once this is done a link to Google authentication shows up in the CAS login page automatically.

Spring security form-login for struts

We have struts MVC in our app and want to now integrate spring security.
I am able to integrate it successfully and able to deploy application.
In order to get custom login page we must add form-login to spring security xml file. I am having difficulty in integrating custom login pages.
Struts global forward
<global-forwards>
    <forward name="login" path="/" redirect="true"/>
</global-forwards>
When not logged in it will take us to login page
Web xml login config
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.vm</form-login-page>
        <form-error-page>/loginError.vm</form-error-page>
    </form-login-config>
</login-config>
Above section in web.xml is removed as part of integrating with spring security. Rather I have following section in spring security
<intercept-url pattern="/**" access="hasRole('ROLE')" />
<form-login login-page="/login.vm"
            authentication-failure-url="/loginError.vm" />
But when I try to login I won't get custom login page rather it just points url to IP:PORT/APP/login.vm and page is not present.
Login form has j_spring_security
action="j_spring_security_check"
What changes are required in order to get custom login?
Should strut config be changed?
I'm guessing here, but I suspect that you are getting this as Spring Security does not understand/know about Velocity. I had a similar problem when I integrated Spring Security into my Struts app using .jsp pages. In the end, I pointed login-page and authentication-failure-url to point to actions and loaded the jsp pages from there. I suggest that you try the same.

Upgrading Spring-security-oauth2 1.0.5.RELEASE to 2.0.5.RELEASE getting 404

Getting 404 on authorizationcode and accesstoken service. I am trying to upgrade spring security oauth2 from 1.0.5.Release to 2.0.5.Release.
I am using spring security 3.2.5 version, spring core 3.2.13 and spring oauth2 2.0.5.Release.
Do we need spring 4 for spring-oauth2-2.0.5.Release?
Do I need to use java config for spring-oauth2-2.0.5.Release?
When I use the same xml config which works in 1.0.5 does not work in spring-oauth2-2.0.5.Release?
Do we need spring 4 for spring-oauth2-2.0.5.Release?
Yes, I believe so.
Do I need to use java config for spring-oauth2-2.0.5.Release?
No.
When I use the same xml config which works in 1.0.5 does not work in spring-oauth2-2.0.5.Release?
Is that a question? It should work, but without more details it's going to be hard to say. There are some API changes in 2.0, so depending on the customization you did, you may or may not have to re-implement bits of it.
A 404 is pretty generic, so maybe your whole application just failed to start? Impossible to say without more data.
The main thing I noticed that changed was the token stores packages were changed so for example:
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
becomes
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
Also previously in 1.0.5 I had used the TokenServicesUserApprovalHandler which I could no longer find in any of the packages. I removed the reference to that class and user-approval-handler-ref="userApprovalHandler" I had added to the oauth:authorization server. Mine seems to be working now on 2.0.5, hope this helps.

integrating Orbeon form with REST backend

I'm trying to integrate Orbeon with a backend REST API (web application I just developed for testing purposes as we are evaluating Orbeon for a new project). I have followed the scenario mentioned on this tutorial http://wiki.orbeon.com/forms/doc/developer-guide/form-runner/persistence-api#TOC-A-scenario
and I have set my local properties (properties-local.xml) as follows:
<properties xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:oxf="http://www.orbeon.com/oxf/processors">
    <property
        as="xs:string"
        name="oxf.fr.persistence.provider.TestApp.WelcomeForm.data"
        value="coffee"/>
    <property as="xs:anyURI" name="oxf.fr.persistence.coffee.uri" value="http://localhost:8080/SpringMVC/coffee"/>
    <property as="xs:boolean" name="oxf.fr.persistence.coffee.active" value="true"/>
    <property as="xs:boolean" name="oxf.fr.persistence.coffee.autosave" value="false"/>
    <property as="xs:boolean" name="oxf.fr.persistence.coffee.permissions" value="false"/>
</properties>
However, when I open my form in the form runner, I got the error message "Error performing search", and if I try to save a new form, I get the following message: "There was an error communicating with the database. Please contact the application administrator."
Is there any tutorial that shows how to integrate an external REST backend service with Orbeon instead of a database? (We want to use our backend REST services as the persistence layer.)

Upgrading Spring Security to 3.2.0.RELEASE no longer provides CSRF token in Spring taglib

My project was using Spring Security 3.2.0.RC2 and my JSP's used the Spring taglib's form:form tag to automatically insert the CSRF token into my forms.
After upgrading to Spring Security 3.2.0.RELEASE, I'm finding that the form:form tag no longer automatically inserts the CSRF token into my form, and that I now must manually add it via placing this in my form:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
Has anyone else encountered the same issue? If so, what did you do for a workaround? Thanks.
You need to ensure you are using the @EnableWebMvcSecurity annotation instead of the @EnableWebSecurity annotation as described in Hello Spring MVC Security Java Config. The reason for adding the new annotation was to resolve SEC-2436. You will notice that SEC-2463 was added to better document this within the CSRF part of the reference.
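
A minimal Java configuration using the annotation named in the answer above, added here as an illustration (it is not code from the original thread). The class name SecurityConfig and the authorization rules are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

// Hypothetical configuration class for Spring Security 3.2.0.RELEASE.
// @EnableWebMvcSecurity replaces @EnableWebSecurity and adds the Spring MVC
// integration that lets the <form:form> tag emit the hidden CSRF input.
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is enabled by default in Java configuration, so it
        // is not switched on explicitly here. State-changing requests
        // (POST, PUT, DELETE) without a valid token are rejected.
        http
            .authorizeRequests()
                .anyRequest().authenticated()   // assumed rule: everything needs a login
                .and()
            .formLogin();                       // assumed: default form login
    }
}

// Forms written with a plain HTML <form> element are not processed by the
// Spring tag library, so they still need the hidden input from the question:
//   <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
```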
