Spring Security 3 configuration in XML - spring-security

I've tried to configure Spring Security through XML for some time now, but I can't seem to get it to work. Here is what I have so far:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
[...]
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="ROLE_USER" />
<security:http-basic />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
[???] <!-- What goes here? -->
</security:authentication-provider>
</security:authentication-manager>
</beans>
All the tutorials that I've found seem to want me to put <user-service> in the placeholder, but NetBeans won't auto-complete to that element. The only thing resembling that element is any-user-service which, as far as I understand, is an "abstract" element.
I just want to configure an in-memory list of users and passwords. How do I do that in Spring Security version 3?

<security:authentication-manager>
<security:authentication-provider user-service-ref="userService">
</security:authentication-provider>
<bean id="userService" class="path.to.your.implementation.of.UserDetailsService" />
or you can have a basic in memory authentication (instead of, as well as) :
<security:authentication-manager>
<security:authentication-provider user-service-ref="userService">
</security:authentication-provider>
<security:authentication-provider user-service-ref="customAdmin">
</security:authentication-provider>
</security:authentication-manager>
<security:user-service id="customAdmin">
<security:user name="yourUserName" password="yourPassword" authorities="ROLE_USER, ROLE_ADMIN" />
<security:user name="yourOtherUserName" password="yourOtherPassword" authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
The offical spring docs are always the best place to read, imho.

Write your own org.springframework.security.authentication.AuthenticationProvider, create the bean and provide a reference to your authentication manager:
<authentication-manager>
<authentication-provider ref="com.example.CustomAuthenticationProvider"/>
</authentication-manager>
Alternatively you can just supply usernames and passwords with their relevant authorities (I use this when mocking)
<authentication-manager>
<authentication-provider>
<user-service>
<user name="test" password="test" authorities="ROLE_AUTHENTICATED" />
</user-service>
</authentication-provider>
</authentication-manager>

Related

How to solve Spring security misconfiguration: incorrect request matcher type?

I have this Spring security configuration:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd ">
<http pattern="/api/swagger-ui.html" security="none" xmlns="http://www.springframework.org/schema/security"/>
<http pattern="/api/webjars/**" security="none" xmlns="http://www.springframework.org/schema/security"/>
<http pattern="/api/swagger-resources/**" security="none" xmlns="http://www.springframework.org/schema/security"/>
<http pattern="/api/v2/api-docs" security="none" xmlns="http://www.springframework.org/schema/security"/>
<http pattern="/api/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false"/>
<intercept-url pattern="/api/**" access="IS_AUTHENTICATED_FULLY"/>
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter"/>
<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</list>
</constructor-arg>
</bean>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="sample"/>
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
<oauth:resource-server id="resourceServerFilter" resource-id="sample" token-services-ref="remoteTokenServices"/>
<bean id="remoteTokenServices" class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
<property name="checkTokenEndpointUrl" value="${oauth.check.token.url}"/>
<property name="clientId" value="${oauth.client:crdb}"/>
<property name="clientSecret" value="${oauth.secret:secret}"/>
</bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
</authentication-manager>
<oauth:expression-handler id="oauthExpressionHandler"/>
<oauth:web-expression-handler id="oauthWebExpressionHandler"/>
</beans>
Fortify returns to me Spring security misconfiguration: incorrect request matcher type on line 9, 10, 11, 15. Can someone give me a point how to solve this issue? It seems there is a some path problem, but Im not so familiar with fortify, so I dont know how to solve this issue.
it seems like you have problem using <http/> tag used for configuration. Look closely whether you are using valid attributes related to that tag. You can simply identify the available properties/attributes for that by clicking on the tag.
It seems like xmlns="http://www.springframework.org/schema/security" this is making error because <http> does not have xmlns property.
You also don't need to define it in every http.
Try removing xmlns property from <http> tag and it should work.
For Reference: Spring Security XML Configuration
Available <http> attributes for configuration:
<http pattern=""
name=""
access-decision-manager-ref=""
authentication-manager-ref=""
auto-config=""
create-session=""
disable-url-rewriting=""
entry-point-ref=""
jaas-api-provision=""
once-per-request=""
realm=""
request-matcher=""
request-matcher-ref=""
security=""
security-context-repository-ref=""
servlet-api-provision=""
use-expressions=""/>

Error when trying to use session-management

I am trying to place session-management in my security-application.xml file.
Error:
Invalid content was found starting with element 'session-management'. One of '{"http://www.springframework.org/schema/security":intercept-url,
I tried to put in other places but without success.
Advice?
------------------------UPDATE ONE------------------------
I tried:
<security:session-management invalid-session-url="/logonTimeOut.jsp">
<security:concurrency-control expired-url="/logonTimeOut.jsp"/>
</security:session-management>
and it is still not working.
I think your xml configuration is not correct .Change xml configuration like this
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd"
>
<http create-session="always" use-expressions="true">
<intercept-url pattern="/anonymous*" access="isAnonymous()"/>
<intercept-url pattern="/login*" access="permitAll"/>
<intercept-url pattern="/**" access="isAuthenticated()"/>
<csrf disabled="true"/>
<form-login login-page='/login.html' authentication-success-handler-ref="myAuthenticationSuccessHandler" authentication-failure-url="/login.html?error=true"/>
<logout delete-cookies="JSESSIONID"/>
<remember-me key="uniqueAndSecret" token-validity-seconds="86400"/>
<session-management invalid-session-url="/invalidSession.html">
<concurrency-control max-sessions="2" expired-url="/sessionExpired.html"/>
</session-management>
</http>
<beans:bean id="myAuthenticationSuccessHandler" class="org.baeldung.security.MySimpleUrlAuthenticationSuccessHandler"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user1" password="user1Pass" authorities="ROLE_USER"/>
<user name="admin1" password="admin1Pass" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>

Spring security namespace configuration: cannot put authentication-provider inside a authentication-manager

I‘m start to use spring security to protect my project, but I have a problem with the namespace configuration. Here is my applicationContext-security.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http>
<intercept-url pattern="/**/query/**" access="none" />
</http>
<http>
<intercept-url pattern="/**/edit/**" access="ROLE_USER" />
<form-login />
<logout />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
These code are copied from the reference of spring security. However, the IDE gives following errors:
1, Element authentication-manager doesn't have required attribute alias.
2, Element authentication-provider is not allowed here.
3, Cannot resolve symbol user-service.
4, Cannot resolve symbol user.
What should I do? Thx!

error in spring-security.xml:The matching wildcard is strict, but no declaration can be found for element 'http'

I am developing application in spring for first time.Getting error at line no 11.Can any one solve this. I have added spring-security-config.jar.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<http auto-config="true">
<intercept-url pattern="/admin**" access="ROLE_USER" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<csrf/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="mkyong" password="123456" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
You haven't set the schemaLocation for the security namespace. Copy the examples from the reference manual or one of the sample applications.
You've also tried to use version 2.0.4, which won't work. The csrf element is only available from 3.2 onwards.
I'd also forget about auto-config and add what you want explicitly.

Spring Security:redirection to a specific page based on roles in JSF

I work with JSF and Spring Security. I use a custom login page. I have two roles : Administrator and User.
My question is how to redirect to different pages for different roles. For example if the user is an administrator, he will be redirected to "dashboard_Admin.jsf" and if he is a simple user, he will be redirected to "dashboard_user.jsf".
This is my spring security file :
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/pages/**"
access="hasRole('ROLE_ADMIN')" />
<security:form-login login-page="/login.jsf"
authentication-failure-url="/login.jsf?error=true"
default-target-url="/pages/admin/dashboard_Admin.jsf" />
<security:logout logout-success-url="/login.jsf"
delete-cookies="JSESSIONID" invalidate-session="true" />
<security:session-management
invalid-session-url="/login.jsf">
<security:concurrency-control
max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service>
<security:user name="test" password="test"
authorities="ROLE_USER" />
<security:user name="sam" password="sam" authorities="ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
This is my doLogin method:
public String doLogin() throws ServletException, IOException {
ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
RequestDispatcher dispatcher = ((ServletRequest) context.getRequest())
.getRequestDispatcher("/j_spring_security_check?j_username=" + username
+ "&j_password=" + password);
dispatcher.forward((ServletRequest) context.getRequest(),
(ServletResponse) context.getResponse());
FacesContext.getCurrentInstance().responseComplete();
return null;
}
I find a very easy solution without using Spring Security, and it works very good.
Thanks Ravi

Resources