After upgrading Spring Security from version 2.0.8 to 3.2.7.RELEASE, I have encountered the following problem.
I modified the Java classes to adapt the code to the upgrade, the pom.xml to move to 3.2.7.RELEASE, and context-security.xml. This is the error I encounter:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#0' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' while setting constructor argument with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0': Cannot resolve reference to bean 'org.springframework.security.authentication.ProviderManager#0' while setting bean property 'authenticationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
My pom.xml updated for 3.2.7.RELEASE:
<!-- Version property for the Spring Security modules. In this fragment only
     spring-security-core and spring-security-taglibs reference it. -->
<spring-security.version>3.2.7.RELEASE</spring-security.version>
<!-- NOTE(review): spring-security-ldap and spring-security-config below are versioned with
     ${spring.version} (the Spring Framework property), not ${spring-security.version}.
     The value of spring.version is not shown. If it differs from 3.2.7.RELEASE, the security
     modules on the classpath are mixed releases, which is a plausible cause of the
     "Could not resolve matching constructor" failure for ProviderManager; confirm with
     mvn dependency:tree. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Spring Framework modules, all on ${spring.version}. -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-expression</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jms</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Spring LDAP is pinned to a literal version rather than a property. -->
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap-core</artifactId>
<version>1.3.1.RELEASE</version>
</dependency>
<!-- The two security modules that do follow ${spring-security.version}.
     spring-security-web is not declared in this fragment; presumably it arrives
     transitively. TODO confirm it resolves to the same release. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring.version}</version>
</dependency>
My file applicationContextSecurity.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Enables method-level checks for @Secured and the JSR-250 annotations. -->
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
<!-- NOTE(review): this authentication manager has no active provider (its only child is
     commented out), and its id is the same as the id of the custom provider bean declared
     further down in this file. The <http> blocks reference that id through
     authentication-manager-ref, so it is ambiguous which object they receive. A manager
     without providers cannot authenticate anyone. Giving the manager its own id and
     re-enabling the provider reference is the likely intent; verify against the 3.2
     migration notes. -->
<authentication-manager id="multipleLdapProvider">
<!--<authentication-provider ref="multipleLdapProvider" />-->
</authentication-manager>
<!-- One filter chain per URL prefix, each protected with HTTP Basic, followed by a
     catch-all chain that uses form login.
     NOTE(review): every chain sets use-expressions="true", which makes the access attribute
     a SpEL expression. The comma-separated role lists in the first seven chains are not
     expressions; the expression form would be hasAnyRole('ROLE_ADMIN', ...). Either switch
     the lists to expressions or set use-expressions="false" on those chains.
     NOTE(review): HTTP Basic sends the credentials with every request in a reversible
     encoding. No requires-channel attribute is visible here, so TLS has to be enforced
     elsewhere (container or proxy); confirm.
     auto-config="true" already registers http-basic, form-login and logout, so the explicit
     <http-basic /> is redundant but harmless. -->
<http pattern="/referentiel/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider">
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_CDOM" />
<http-basic />
</http>
<http pattern="/bareme/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI" />
<http-basic />
</http>
<http pattern="/comparaisonHosp/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider">
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_CDOM, ROLE_ELUCN" />
<http-basic />
</http>
<http pattern="/requete/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_CDOM" />
<http-basic />
</http>
<http pattern="/refManif/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI" />
<http-basic />
</http>
<http pattern="/contrat/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_CDOM, ROLE_ELUCN" />
<http-basic />
</http>
<http pattern="/utilisateur/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_INADM" />
<http-basic />
</http>
<!-- Catch-all chain: form login for everything not matched above.
     NOTE(review): in the 3.x line hasRole('USER') is compared with the authority string as
     written, with no ROLE_ prefix added, while the other chains use ROLE_-prefixed names.
     Check which authority the populator really grants.
     NOTE(review): the '/**' rule also covers /login.action, and no rule exempts the login
     page; confirm unauthenticated users can reach it. -->
<http auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider">
<intercept-url pattern='/**' access="hasRole('USER')" />
<form-login login-page='/login.action' default-target-url="/home.action" always-use-default-target='true'/>
<logout />
</http>
<!-- LDAP connection to the internal directory. URL, manager DN and manager password come
     from property placeholders, so no credential is stored in this file.
     NOTE(review): the scheme of ${ldap.interne.url} is not visible. With ldap:// the manager
     bind and every user bind performed by BindAuthenticator cross the network unencrypted;
     confirm the property uses ldaps:// (or StartTLS is configured elsewhere). -->
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg type="java.lang.String"><beans:value>${ldap.interne.url}</beans:value></beans:constructor-arg>
<beans:property name="userDn">
<beans:value>${ldap.interne.userDn}</beans:value>
</beans:property>
<beans:property name="password">
<beans:value>${ldap.interne.password}</beans:value>
</beans:property>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<!-- JNDI follows referrals returned by the directory. NOTE(review): the connection is then
     re-established against whatever server the referral names, presumably with the same
     bind credentials; acceptable only if the directory's referral targets are trusted. -->
<beans:entry key="java.naming.referral" value="follow" />
</beans:map>
</beans:property>
</beans:bean>
<!-- Same configuration for the external directory, driven by the ldap.externe.*
     properties. The transport and referral remarks above apply here as well. -->
<beans:bean id="contextSourceIndus"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg type="java.lang.String"><beans:value>${ldap.externe.url}</beans:value></beans:constructor-arg>
<beans:property name="userDn">
<beans:value>${ldap.externe.userDn}</beans:value>
</beans:property>
<beans:property name="password">
<beans:value>${ldap.externe.password}</beans:value>
</beans:property>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry key="java.naming.referral" value="follow" />
</beans:map>
</beans:property>
</beans:bean>
<!-- Project-specific authentication provider. It receives a set of two BindAuthenticator
     instances (one per directory, each with its own user search) and a CnomDBPopulator.
     Both project classes are not shown, so how the authenticators are tried and how
     authorities are loaded cannot be stated from this file.
     NOTE(review): this bean id is also used as the id of the <authentication-manager>
     element in the same file; one of the two should be renamed.
     NOTE(review): if the provider falls back from one directory to the other, make sure a
     failed bind on the first is not reported differently from a failed bind on the second,
     and that account lockout is enforced by the directories themselves. -->
<beans:bean id="multipleLdapProvider" class="com.cnom.idahe.utils.spring.MutlipleLdapAuthenticationProvider">
<beans:constructor-arg>
<beans:set>
<!-- Authenticates by binding to the internal directory as the user. -->
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearchInterne"/>
</beans:bean>
<!-- Authenticates by binding to the external directory as the user. -->
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSourceIndus"/>
<beans:property name="userSearch" ref="userSearchExterne"/>
</beans:bean>
</beans:set>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="com.cnom.idahe.utils.spring.CnomDBPopulator">
</beans:bean>
</beans:constructor-arg>
<!-- Spring Security 2 marker element, left disabled after the upgrade. -->
<!--<custom-authentication-provider />-->
</beans:bean>
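<!-- User lookup in the internal directory.
     Constructor arguments: 0 = search base (empty, so relative to the context source),
     1 = search filter, 2 = context source. {0} in the filter is replaced with the login
     name submitted by the user.
     The LDAP AND operator is written as an entity because a bare ampersand is not allowed
     in XML text; the parser hands the plain character to the bean. -->
<beans:bean id="userSearchInterne" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value=""/>
<beans:constructor-arg index="1" >
<beans:value>(&amp;(${ldap.interne.uid}={0})(objectclass=${ldap.objectClass.person}))</beans:value>
</beans:constructor-arg>
<beans:constructor-arg index="2" ref="contextSource" />
</beans:bean>
<!-- Same lookup for the external directory, using the ldap.externe.uid attribute. -->
<beans:bean id="userSearchExterne" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value=""/>
<beans:constructor-arg index="1" >
<beans:value>(&amp;(${ldap.externe.uid}={0})(objectclass=${ldap.objectClass.person}))</beans:value>
</beans:constructor-arg>
<beans:constructor-arg index="2" ref="contextSourceIndus" />
</beans:bean>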
<!-- Start of the LDAP handling for the User screen.
     These templates reuse the manager-bound context sources, so every operation issued
     through them runs with the manager account's directory rights, not the end user's. -->
<beans:bean id="ldapTemplateInterne" class="org.springframework.ldap.core.LdapTemplate">
<beans:constructor-arg ref="contextSource" />
</beans:bean>
<beans:bean id="ldapTemplateExterne" class="org.springframework.ldap.core.LdapTemplate">
<beans:constructor-arg ref="contextSourceIndus" />
</beans:bean>
</beans:beans>
I have the following snippet
<!-- Filter chain with expression-based rules, a custom entry point and a custom
     access decision manager.
     NOTE(review): disable-url-rewriting="false" lets the container append ;jsessionid to
     URLs, which puts session ids into links, logs and Referer headers. -->
<http use-expressions="true" auto-config="false"
entry-point-ref="loginUrlAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager" disable-url-rewriting="false">
<!--<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"
/> -->
<custom-filter position="FORM_LOGIN_FILTER"
ref="usernamePasswordAuthenticationFilter" />
<custom-filter position="LOGOUT_FILTER" ref="tapLockFilter" />
<!-- Rules are evaluated top to bottom and the first match wins.
     NOTE(review): "/session/**" (permitAll) is listed before "/session/lock", so the
     ROLE_MEMBER rule on /session/lock is never reached. Put the specific rule first. -->
<intercept-url pattern="/session/**" access="permitAll" />
<intercept-url pattern="/deviceregistration/**" access="permitAll" />
<intercept-url pattern="/session/lock" access="hasRole('ROLE_MEMBER')" />
<intercept-url pattern="/app/resources/admin*" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/app/SuperAppdashboard*" access="hasRole('ROLE_ADMIN')" />
<!-- "/app/*" matches one path segment only; deeper paths under /app/ that are not listed
     above have no rule in this chain. -->
<intercept-url pattern="/app/*" access="hasRole('ROLE_MEMBER')" />
<!--<session-management invalid-session-url="/tizelytics/session/invalidSession"
session-authentication-error-url="/tizelytics/session/accessDenied" session-authentication-strategy-ref="sas">
</session-management> -->
<!-- NOTE(review): session-fixation-protection="none" keeps the pre-login session id after
     authentication, so an id known before login stays valid afterwards. Prefer
     "migrateSession" or "newSession" unless another component rotates the id. -->
<session-management invalid-session-url="/session/invalidSession"
session-authentication-error-url="/session/accessDenied"
session-fixation-protection="none">
<concurrency-control max-sessions="1"
expired-url="/session/accessExpired" />
</session-management>
</http>
When i run this on server it throws an exception saying
Unsupported configuration attributes: [permitAll, permitAll, hasRole('ROLE_ADMIN'), hasRole('ROLE_ADMIN'), hasRole('ROLE_MEMBER'), hasRole('ROLE_MEMBER')]
here is my access-decision-manager bean within the same xml
<!-- Access decision manager as posted in the question. AffirmativeBased grants access as
     soon as one voter votes to grant. The list holds AuthenticatedVoter and RoleVoter only;
     neither handles expression attributes such as permitAll or hasRole(...), which is
     consistent with the "Unsupported configuration attributes" error reported. -->
<beans:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:constructor-arg>
<beans:list>
<beans:bean
class="org.springframework.security.access.vote.AuthenticatedVoter" />
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
If I remove the access-decision-manager-ref, no exception is thrown and the app launches correctly. Can anyone please advise?
Since you are defining your own accessDecisionManager, I don't see WebExpressionVoter as one of the beans in its list. WebExpressionVoter resolves strings like permitAll(), hasRole(), hasAuthority(), etc. So, your accessDecisionManager bean should be:
<!-- Corrected access decision manager from the answer: WebExpressionVoter is added so that
     expression attributes (permitAll, hasRole(...)) used with use-expressions="true" are
     supported.
     NOTE(review): with AffirmativeBased a single granting voter is enough. Once every
     intercept-url uses expressions, the two legacy voters no longer contribute and can be
     dropped so the decision depends on the expressions alone. -->
<beans:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:constructor-arg>
<beans:list>
<beans:bean
class="org.springframework.security.access.vote.AuthenticatedVoter" />
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
I have exception: org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/spring/security.xml]
After a few minutes of searching on Google, I found that I need to add the spring-security-config dependency. I already have it, in the latest version 4.2.1, but the exception still occurs.
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<!-- Password encoder bean used by the authentication provider in this file.
     NOTE(review): the encoder secret is a literal in the configuration file. Anything that
     exposes the file (source control, a public post) exposes the secret; load it from
     external configuration and rotate the value shown here.
     NOTE(review): StandardPasswordEncoder is a salted SHA-256 scheme; BCryptPasswordEncoder
     from the same package is the usual choice for new password storage. -->
<beans:bean name="standartEncrypt"
class="org.springframework.security.crypto.password.StandardPasswordEncoder" >
<beans:constructor-arg name="secret" value="3u6gui" />
</beans:bean>
<!-- Web security rules: /notes/** requires an authenticated user, /register is forced to
     HTTPS, the listed informational pages are public.
     NOTE(review): only /register carries requires-channel="https". After login the session
     cookie is also sent to /notes/** and the other URLs, which are not forced to HTTPS
     here; confirm the whole site is served over TLS.
     NOTE(review): URLs not matched by any rule below have no access rule in this chain. -->
<http auto-config="true" >
<intercept-url pattern="/notes/**" access="authenticated" />
<intercept-url pattern="/register" requires-channel="https" />
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/accessDenied" access="permitAll" />
<intercept-url pattern="/duplicate" access="permitAll" />
<intercept-url pattern="/notExists" access="permitAll" />
<access-denied-handler error-page="/accessDenied" />
<!-- NOTE(review): the logout URL contains a {username} template segment; verify that the
     logout filter matches it as intended. With the 4.x defaults CSRF protection is on, so
     logout is expected as a POST that carries the CSRF token. -->
<logout
logout-success-url="/index"
logout-url="/notes/{username}/exit"
/>
<!-- The login page and the login processing URL are both /register. -->
<form-login
authentication-failure-url="/accessDenied"
login-page="/register"
login-processing-url="/register"
password-parameter="password"
username-parameter="username"
/>
<!-- Persistent remember-me tokens stored through the dataSource bean (declared elsewhere). -->
<remember-me data-source-ref="dataSource" />
<!-- A fresh session is created at login, and a second concurrent login is rejected. -->
<session-management session-fixation-protection="newSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
</http>
<!-- JDBC-backed authentication. The user query is parameterised ("?"), so the submitted
     user name is bound as a value and never concatenated into the SQL text.
     NOTE(review): the query returns two columns. The stock JDBC user service presumably
     expects username, password and an enabled flag; confirm the query shape, otherwise the
     lookup fails at login time. -->
<authentication-manager >
<authentication-provider>
<password-encoder ref="standartEncrypt" />
<jdbc-user-service data-source-ref="dataSource" users-by-username-query="SELECT username, password FROM Users WHERE username = ?"/>
</authentication-provider>
</authentication-manager>
<!-- Enables @Secured and the JSR-250 annotations for method-level checks. -->
<global-method-security jsr250-annotations="enabled" secured-annotations="enabled" />
maven
<!-- The module that ships the handler for the security XML namespace.
     NOTE(review): the handler is discovered from this jar at runtime, so the
     "Unable to locate Spring NamespaceHandler" error suggests the jar is missing from the
     deployed WEB-INF/lib even though the pom declares it; inspect the packaged artifact.
     The other spring-security modules are not shown; keep them on the same version. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.1.RELEASE</version>
</dependency>
This is likely an unresolved dependency. Without seeing your Maven pom or project configuration, the bare minimum for Spring Security is:
<!-- Minimal pair proposed by the answer: spring-security-web supplies the servlet filters,
     spring-security-config supplies the XML namespace support. Both are on the same
     release; mixing releases across spring-security modules is a common source of
     startup failures. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.1.RELEASE</version>
</dependency>
If you are using Spring Tool Suite or Eclipse, be sure to right click your project, then select Maven -> Update Project and do a full clean install
I recently upgraded from Spring Security 3 to 4, and the @AuthenticationPrincipal-annotated arguments in my controllers are now empty. I managed to work around it by using the deprecated org.springframework.security.web.bind.annotation.AuthenticationPrincipal, but with the annotation from the org.springframework.security.core.annotation package the argument is empty.
It'll also work if I do:
// Workaround from the question: unwraps the application's User from the current Authentication.
// `principal` is presumably the java.security.Principal handler argument (declaration not shown).
// NOTE(review): both casts are unchecked; a null or anonymous principal, or a principal of
// another type, fails here with an exception, so guard before casting.
User activeUser = (User) ((Authentication) principal).getPrincipal();
I followed the migration guide as best as I could.
Here's my spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<!-- Expression-based rules: the /secure/admin area needs an admin role, the /secure/user
     area needs any authenticated user, everything else is public. The rules are ordered
     from specific to general, which matters because the first match wins. -->
<http auto-config="false" use-expressions="true">
<intercept-url pattern="/secure/admin**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_SUPER_ADMIN')" />
<intercept-url pattern="/secure/admin/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_SUPER_ADMIN')" />
<intercept-url pattern="/secure/user**" access="isAuthenticated()" />
<intercept-url pattern="/secure/user/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="permitAll" />
<form-login login-page="/login"
authentication-success-handler-ref="redirectRoleStrategy"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"
login-processing-url="/auth/login_check" />
<logout logout-success-url="/login?logout" delete-cookies="JSESSIONID" />
<!-- NOTE(review): CSRF protection is switched off for the whole chain, so every
     state-changing request under /secure/**, as well as login and logout, can be triggered
     from another site in the user's browser. Prefer leaving it enabled and adding the
     token to forms and AJAX calls. -->
<csrf disabled="true" />
</http>
<!-- Project user lookup service (class not shown). -->
<beans:bean id='userDetailsService' class='com.myproject.security.UserDetailsServiceImpl' />
<!-- NOTE(review): this hand-declared provider has no passwordEncoder property, unlike the
     namespace provider further down which uses the bcrypt "encoder" bean. If the
     'authenticationManager' bean below is ever wired into a filter, credentials would be
     checked without bcrypt; presumably these two beans are leftovers. Confirm and remove,
     or give the provider the same encoder. -->
<beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
<beans:bean id='authenticationManager' class='org.springframework.security.authentication.ProviderManager'>
<beans:constructor-arg>
<beans:list>
<beans:ref bean='authenticationProvider' />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<!-- Namespace authentication manager: users come from userDetailsService and passwords
     are verified with the bcrypt encoder declared below. -->
<authentication-manager>
<authentication-provider user-service-ref='userDetailsService'>
<password-encoder ref="encoder" />
</authentication-provider>
</authentication-manager>
<!-- bcrypt with a work factor (strength) of 10. -->
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="10" />
</beans:bean>
<!-- Project success handler (class not shown) configured with a role to landing URL map.
     The targets are fixed server-side paths and are not taken from the request. -->
<beans:bean id="redirectRoleStrategy" class="com.myproject.security.RoleBasedAuthenticationSuccessHandler">
<beans:property name="roleUrlMap">
<beans:map>
<beans:entry key="ROLE_ADMIN" value="/secure/admin"/>
<beans:entry key="ROLE_SUPER_ADMIN" value="/secure/admin"/>
</beans:map>
</beans:property>
</beans:bean>
I just figured it out. It's indeed a duplicate of "Spring Security deprecated @AuthenticationPrincipal". Unfortunately, I had not managed to find that post earlier.
I changed
<!-- Before: argument resolver from the web.bind.support package. According to the
     question, only the deprecated web.bind.annotation.AuthenticationPrincipal annotation
     was resolved with this setup. -->
<mvc:annotation-driven>
<mvc:argument-resolvers>
<bean class="org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver" />
</mvc:argument-resolvers>
</mvc:annotation-driven>
To
<!-- After: argument resolver from the web.method.annotation package, which the poster
     reports resolves the org.springframework.security.core.annotation.AuthenticationPrincipal
     annotation. Controllers should still handle a null principal on URLs that allow
     unauthenticated access. -->
<mvc:annotation-driven>
<mvc:argument-resolvers>
<bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver" />
</mvc:argument-resolvers>
</mvc:annotation-driven>
In my applicationContext.xml.
I'm working on a web application with Spring. It should be accessible to both regular users and administrators. User login is already implemented with Spring Security.
web-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Enables Spring Security debugging infrastructure, and should only be
used in a DEVELOPMENT environment -->
<!-- <debug /> -->
<!-- Static resources bypass the security filters entirely; no security context is
     available for those requests. -->
<http pattern="/static/**" security="none" />
<!-- Main chain.
     NOTE(review): the only intercept-url is "/login*" (permitAll). No rule restricts any
     other URL, so this chain by itself does not require authentication anywhere; access
     control must then come from method security or from rules that were removed from this
     listing. A closing catch-all such as pattern="/**" with isAuthenticated() is the usual
     safeguard.
     NOTE(review): no <csrf /> element is present; with the 3.2 XML namespace CSRF
     protection is presumably opt-in, so it is off here. Confirm. -->
<http use-expressions="true" >
<!-- Setting user permissions here -->
<intercept-url pattern="/login*" access="permitAll" />
<!--Setting user permissions here -->
<!--End Setting user permissions here -->
<!-- The login page is /timeres_login, which the "/login*" pattern above does not match. -->
<form-login login-page="/timeres_login"
authentication-failure-url="/timeres_login?login_error=1"
default-target-url="/userlogin" />
<!-- Logout invalidates the HTTP session and deletes the session cookie. -->
<logout logout-url="/logout"
logout-success-url="/home"
delete-cookies="JSESSIONID" invalidate-session="true" />
<access-denied-handler error-page="/accessDenied" />
<!-- Concurrent-session control is wired by hand through the beans below. -->
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<session-management invalid-session-url="/home?error=sessionExpired"
session-authentication-strategy-ref="sas"
session-authentication-error-url="/timeres_login?error=alreadyLogin">
</session-management>
</http>
<!-- Filter that checks each request's session against the registry and redirects expired
     sessions to /session-expired. -->
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/session-expired" />
</beans:bean>
<!-- Session strategy applied at login: at most one session per user.
     NOTE(review): this class is presumably deprecated in the 3.2 line; check the migration
     notes, and make sure the replacement still changes the session id at login
     (session-fixation protection). -->
<beans:bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<!-- In-memory registry shared by the filter and the strategy above. -->
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
<!-- Authentication is delegated to the DAO provider below. -->
<authentication-manager>
<authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>
<!-- NOTE(review): the passwordEncoder property is commented out, so the provider runs with
     its default encoder; in the 3.2 line that presumably means stored passwords are
     compared as plain text. Confirm what the project's user details service returns. -->
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
<!-- <beans:property name="passwordEncoder" ref="passwordEncoder" /> -->
</beans:bean>
<!-- Project user lookup service (class not shown). -->
<beans:bean id="userDetailsService"
class="com.timeres.security.AuthenticationUserDetailService">
</beans:bean>
<!-- Disabled encoder definition: SHA-256 with no salt source configured here. If an
     encoder is re-enabled, an adaptive scheme such as
     org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder is the better fit
     for password storage. -->
<!-- <beans:bean id="passwordEncoder" -->
<!-- class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"> -->
<!-- <beans:constructor-arg index="0" value="256" /> -->
<!-- </beans:bean> -->
</beans:beans>
And now I want to add the administrator login part.
First, I want to know whether it is possible to have two different logins in one web application.
If it is possible, how do I do it?
(What should I change, and which classes should I implement?)
I use in my project:
Maven
Hibernate
JSF
Spring
Spring security
I log out successfully, but when I click on back button, it displays the previous page which is something I dislike. Any suggestions to solve this problem?
I have already tried some solutions but they don't work:
<!-- First attempt from the question: cacheSeconds=0 makes the Spring MVC handler adapter
     emit headers that prevent caching. It only affects responses produced by Spring MVC
     controllers. -->
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
<property name="cacheSeconds" value="0" />
</bean>
or
<!-- Second attempt from the question: a global interceptor that sends Cache-Control
     (including no-store) but not the Expires header. The goal is that pages viewed while
     logged in are not redisplayed from the browser cache after logout. -->
<mvc:interceptors>
<bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
<property name="cacheSeconds" value="0"/>
<property name="useExpiresHeader" value="false"/>
<property name="useCacheControlHeader" value="true"/>
<property name="useCacheControlNoStore" value="true"/>
</bean>
</mvc:interceptors>
I also found a solution with function doFilter but I don't know where I can put it.
This is my authentication code:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- Enables @PreAuthorize / @PostAuthorize method checks. -->
<global-method-security pre-post-annotations="enabled" />
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<!-- Rules are evaluated in order; the final "/**" rule makes everything not listed
     admin-only.
     NOTE(review): /pages/ajouterUser.xhtml and /pages/userListe.xhtml are open to everyone.
     Judging by their names they add and list users; if so they should require a role.
     Confirm the intent.
     NOTE(review): form-login and access-denied-handler point at "/login", but only
     "/login.jsp" is permitAll; "/login" itself falls under the admin-only rule. Confirm
     the login page is reachable without authentication. -->
<intercept-url pattern="/login.jsp" access="permitAll" />
<intercept-url pattern="/ressources/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/pages/ajouterUser.xhtml" access="permitAll" />
<intercept-url pattern="/pages/userListe.xhtml" access="permitAll" />
<intercept-url pattern="/pages/index.xhtml" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<!-- access denied page -->
<access-denied-handler error-page="/login" />
<form-login
login-page="/login"
authentication-success-handler-ref="myAuthenticationSuccessHandler"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login.jsp?logout"/>
<!-- enable csrf protection -->
<!-- NOTE(review): no element follows the comment above, so nothing in this chain enables
     CSRF protection. -->
</http>
<!-- Project success handler (class not shown). -->
<beans:bean id="myAuthenticationSuccessHandler"
class="inventory.security.MySimpleUrlAuthenticationSuccessHandler" />
<!-- Select users and user_roles from database -->
<!-- NOTE(review): this provider and the 'authenticationManager' bean below are declared by
     hand and have no password encoder, in parallel to the namespace
     <authentication-manager> further down. The userDetailsService bean is not shown.
     Presumably only one of the two managers is in use; remove the other to avoid two
     different password checks. -->
<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"></beans:property>
</beans:bean>
<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider"/>
</beans:list>
</beans:property>
</beans:bean>
<!-- NOTE(review): hash="md5" with no salt configured stores fast, unsalted digests, which
     are cheap to reverse with precomputed tables once the user table leaks. Migrate to an
     adaptive encoder such as BCryptPasswordEncoder and re-hash on next login. -->
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="md5"></password-encoder>
</authentication-provider>
</authentication-manager>
<!-- Failure handler mapping "user not found" to its own URL. It is not referenced by the
     form-login element shown in this listing, which uses authentication-failure-url.
     NOTE(review): if it were wired in, a distinct response for unknown user names would
     let a visitor tell valid accounts from invalid ones; keep one generic failure page. -->
<beans:bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.core.userdetails.UsernameNotFoundException">/login.action?error=1</beans:prop>
</beans:props>
</beans:property>
</beans:bean>
Set your useExpiresHeader property to true:
<!-- Answer's variant: the interceptor is mapped explicitly and also sends the Expires
     header, so both HTTP/1.0 and HTTP/1.1 caches are told not to keep the page.
     NOTE(review): MVC interceptors only see requests handled by Spring MVC. The question
     lists JSF pages (*.xhtml), which are presumably served by the Faces servlet and would
     not receive these headers; a servlet filter mapped to the protected URLs that sets the
     same cache headers covers both cases.
     The path "/**/*" also needs checking: it may not match single-segment URLs. -->
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**/*"/>
<bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
<property name="cacheSeconds" value="0"/>
<property name="useExpiresHeader" value="true"/>
<property name="useCacheControlHeader" value="true"/>
<property name="useCacheControlNoStore" value="true"/>
</bean>
</mvc:interceptor>
</mvc:interceptors>