I'm trying to set up an XML based basic auth for all my REST endpoints.
But I'm getting a BeanDefinitionParsingException - Configuration problem (see stack trace below) when I start the Spring Boot application with the XML resource.
Any ideas why?
ERROR 151468 --- o.s.boot.SpringApplication : Application run failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The classes from the spring-security-web jar (or one of its dependencies) are not available. You need these to use <http>
Offending resource: class path resource [basic-auth.xml]; nested exception is java.lang.NoClassDefFoundError: javax/servlet/Filter
at org.springframework.beans.factory.parsing.FailFastProblemReporter.fatal(FailFastProblemReporter.java:62)
at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:90)
at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:75)
at org.springframework.security.config.SecurityNamespaceHandler.reportMissingWebClasses(SecurityNamespaceHandler.java:156)
at org.springframework.security.config.SecurityNamespaceHandler.parse(SecurityNamespaceHandler.java:111)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1391)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1371)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:179)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.doRegisterBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:149)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:96)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:511)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:391)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:338)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:310)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:196)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:232)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:203)
at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.lambda$loadBeanDefinitionsFromImportedResources$0(ConfigurationClassBeanDefinitionReader.java:390)
at java.base/java.util.LinkedHashMap.forEach(LinkedHashMap.java:721)
My application is annotated with ImportResource:
...
@ImportResource("classpath:/basic-auth.xml")
public class SpringBootApp {
...
basic-auth.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 https://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 https://www.springframework.org/schema/security/spring-security.xsd">
    <http pattern="/securityNone" security="none"/>
    <http use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <http-basic/>
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user1" password="pw1" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
I already added spring-boot-starter-security, spring-boot-starter-security-web, spring-boot-starter-web, spring-boot-starter-tomcat as dependencies.
Related
Newbie to Spring security. I had gone through some tutorials and implemented Spring Security. I have few pages which I secured via login.
Here is my spring-security.xml file
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/person*/*"
                                access="hasRole('ROLE_ADMIN')" />
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="admin" password="password"
                               authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
From my index.jsp, when I try to access persons URL, it's asking for authentication. And I have logout URL. Inside persons JSP page.
<a href="<c:url value="logout" />" > Logout</a>
Controller
@RequestMapping(value = "/logout", method = RequestMethod.GET)
public ModelAndView logoutPage(HttpServletRequest request, HttpServletResponse response) {
    // Log out only when a security context with an authentication exists
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    return new ModelAndView("redirect:/");
}
It's working fine, except for a few things. When I try to go to /person/add, it goes directly to the page instead of asking for authentication. Why, and how do I resolve it? Do I need to mention all URLs in intercept URLs (what if I have many)?
Well the main thing is, I'm trying to configure SSL as well for my application.
I installed this tutorial.
I have created keystore
Configured in tomcat, server.xml
Configured in web.xml
Now I have the following in spring-security.xml
<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/**"
                            requires-channel="https" />
    <security:intercept-url pattern="/person*/*"
                            access="hasRole('ROLE_ADMIN')" />
</security:http>
The SSL is working. But Login is not working. When I go to persons URL, it's showing the page without asking for authentication. Why?
I tried adding access=hasRole('ROLE_USER'), then tomcat is showing Access denied when I give correct credentials.
How to solve it? I want to enable SSL for all URLs.
I'm using Spring 4.2.2.RELEASE and Spring Security 4.0.2.RELEASE
First, try to rewrite your security:intercept-url as follows:
<security:intercept-url pattern="/person*" access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/person/**" access="hasRole('ROLE_ADMIN')" />
Regarding SSL, the tutorial is very nice and it should work out of the box; maybe the problem is again with intercepting URLs, try my suggestion.
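The pattern and ordering behaviour behind this exchange, as an added example that is not part of the original posts: it prints which request paths each Ant pattern from the thread matches, then models first-match-wins evaluation of `intercept-url` rules that carry an `access` attribute. The class name `InterceptUrlOrderDemo` and the helper `firstMatch` are hypothetical, spring-core is assumed to be on the classpath, and the `isAuthenticated()` catch-all is an assumed choice for the last rule.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added illustration (not code from the thread). InterceptUrlOrderDemo and
// firstMatch are hypothetical names; spring-core must be on the classpath.
public class InterceptUrlOrderDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Models how <intercept-url> rules with an access attribute are applied:
    // in declaration order, and the first matching pattern decides.
    static String firstMatch(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (MATCHER.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "(no rule: request is not restricted)";
    }

    public static void main(String[] args) {
        // Constructed sample request paths
        String[] paths = {"/person", "/persons", "/person/add", "/person/1/edit"};

        // 1. What each pattern from the thread matches
        for (String pattern : new String[] {"/person*/*", "/person*", "/person/**"}) {
            for (String path : paths) {
                System.out.printf("%-12s %-16s %b%n", pattern, path, MATCHER.match(pattern, path));
            }
        }

        // 2. Catch-all first, as in the asker's attempt with access on "/**":
        //    the ROLE_ADMIN rule below it is never reached.
        Map<String, String> catchAllFirst = new LinkedHashMap<>();
        catchAllFirst.put("/**", "hasRole('ROLE_USER')");
        catchAllFirst.put("/person*/*", "hasRole('ROLE_ADMIN')");

        // 3. Specific patterns first, catch-all last
        Map<String, String> specificFirst = new LinkedHashMap<>();
        specificFirst.put("/person*", "hasRole('ROLE_ADMIN')");
        specificFirst.put("/person/**", "hasRole('ROLE_ADMIN')");
        specificFirst.put("/**", "isAuthenticated()");

        for (String path : paths) {
            System.out.printf("%-16s catch-all first: %-22s specific first: %s%n",
                    path, firstMatch(catchAllFirst, path), firstMatch(specificFirst, path));
        }
    }
}
```

With the catch-all listed first, every path resolves to `hasRole('ROLE_USER')`, which a user holding only `ROLE_ADMIN` does not satisfy.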
I am trying to add a custom filter to the spring security configuration. But the problem is that whenever I try to add the filter using xml I am getting an exception saying that
"Configuration problem: Filter beans '< subdomainFilter >' and '< org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#1 >' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from < http > and avoiding the use of < http auto-config='true' >."
I am adding my spring security configuration below
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <beans:bean id="subdomainFilter" class="com.testbudha.security.authentication.UsernamePasswordAuthenticationFilterWithSubdomain"/>
    <http pattern="/**" auto-config='false' use-expressions='true'>
        <custom-filter position="FORM_LOGIN_FILTER" ref="subdomainFilter" />
        .......
    </http>
    ........
</beans:beans>
Spring Security maintains a chain of filters in order to apply its services. The order of the filters is always strictly enforced when using the namespace. When the application context is being created, the filter beans are sorted by the namespace handling code and the standard Spring Security filters each have an alias in the namespace and a well-known position.
Your <form-login> is using a filter with alias FORM_LOGIN_FILTER. And also you are adding another filter with the same position (position="FORM_LOGIN_FILTER" ref="subdomainFilter"). So you're getting the error message.
Try using
<custom-filter after="FORM_LOGIN_FILTER" ref="subdomainFilter" />
or
<custom-filter before="FORM_LOGIN_FILTER" ref="subdomainFilter" />
I have a spring mvc web app that has an API, that looks like this
/api/createUser?name=Tom.
At the same time there is a web site backed by the same web app, that has restricted pages, which can only be accessed once a user authorizes using login form + Active Directory. I have managed to set up AD and it works well, but I am kinda lost with the API.
I want to make an authentication for API calls too. Namely, I want to introduce username and password fields to every API call, so that when the relevant controller receives this API call, it first authenticates the user programmatically and, if it succeeded, then proceeds further with the request.
So the question is, how can I authenticate a user programmatically outright from MVC controller in Spring? Is there any magic bean that I can inject and harness its power?
I think you could use Spring Security
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <http auto-config="true">
        <intercept-url pattern="/api**" access="ROLE_USER" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="username" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Sorry for disgusting you. Actually I am poor in English. I am developing a Spring application by using Google App Engine.
1. If the server is in running mode, for the first if I would try to log into the application. Firstly it should navigate to the login page.
2. If any user wants to access any page in the application by giving the page name like for example (in my application if I have ABC.jsp page, if the user wants to access the file by giving 127.0.0.0:8888/ABC.jsp) it should navigate to some default page which contains some message, and click here to navigate to the home page.
Now can you please tell how to do it in my application.
Can you please tell me the step by step process to achieve this by using Spring MVC, Objectify ORM and Google App Engine.
Still don't quite understand what your problem is.
Add this to your web.xml:
<welcome-file-list>
    <welcome-file>/login</welcome-file>
</welcome-file-list>
</web-app>
This ensures that if a user only types http://server:port she is redirected to http://server:port/login.
Now if you want that the user is also redirected to login if she types http://server:port/foobar.html, what you call "random page", which does not exist then you need an HTTP status code mapping.
<error-page>
    <error-code>404</error-code>
    <location>/login</location>
</error-page>
If you want that the user must always first authenticate (i.e. go through /login) first before any existing page is displayed you could use Spring Security for that. Example for simple basic-auth:
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
    <!-- HTTP basic authentication in Spring Security -->
    <http>
        <intercept-url pattern="/*" access="ROLE_USER" />
        <http-basic />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
You can use Spring Security to do this. Have a look at this link. The http tag should allow this. It will direct a user to the login page for users that aren't authenticated. A sample context would be the following.
<beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/jsp/login.jsp" />
</beans:bean>
<http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <intercept-url pattern="/protected" access="hasRole('ROLE_protected')" />
    <intercept-url pattern="/jsp/login.jsp*" filters="none"/>
    <logout logout-success-url="/jsp/login.jsp" invalidate-session="true" />
    <session-management invalid-session-url="/jsp/login.jsp?timeout=true" />
</http>
While trying to run my app-engine Spring project, I am getting the below error.
I have xslt in my spring security file but still getting the error.
And eclipse is creating a file named spring-security.out.xml
16:54:39,148 INFO [main] Main - javax.xml.transform.TransformerFactory=null
16:54:39,151 INFO [main] Main - java.endorsed.dirs=C:\Program Files\Java\jdk1.7.0_45\jre\lib\endorsed
16:54:39,156 INFO [main] Main - launchFile: E:\spring+gapp_32kepler\workspace_new\.metadata\.plugins\org.eclipse.wst.xsl.jaxp.launching\launch\launch.xml
16:54:39,264 FATAL [main] Main - No embedded stylesheet instruction for file: file:/E:/spring+gapp_32kepler/workspace_new/cms/war/WEB-INF/spring-security.xml
org.eclipse.wst.xsl.jaxp.debug.invoker.TransformationException: No embedded stylesheet instruction for file: file:/E:/spring+gapp_32kepler/workspace_new/cms/war/WEB-INF/spring-security.xml
at org.eclipse.wst.xsl.jaxp.debug.invoker.internal.JAXPSAXProcessorInvoker.transform(JAXPSAXProcessorInvoker.java:223)
at org.eclipse.wst.xsl.jaxp.debug.invoker.internal.JAXPSAXProcessorInvoker.transform(JAXPSAXProcessorInvoker.java:187)
at org.eclipse.wst.xsl.jaxp.debug.invoker.internal.Main.main(Main.java:73)
Caused by: org.eclipse.wst.xsl.jaxp.debug.invoker.TransformationException: No embedded stylesheet instruction for file: file:/E:/spring+gapp_32kepler/workspace_new/cms/war/WEB-INF/spring-security.xml
at org.eclipse.wst.xsl.jaxp.debug.invoker.internal.JAXPSAXProcessorInvoker.transform(JAXPSAXProcessorInvoker.java:213)
... 2 more
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <!-- This is where we configure Spring-Security -->
    <security:http auto-config="false" use-expressions="true" access-denied-page="/jsp/admin/login" entry-point-ref="authenticationEntryPoint" >
        <security:intercept-url pattern="/jsp/admin" access="permitAll"/>
        <security:intercept-url pattern="/jsp/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/jsp/user/**" access="permitAll"/>
        <security:logout invalidate-session="true" logout-success-url="/jsp/admin/login" logout-url="/logout" />
        <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
    </security:http>
    <!-- Custom filter to deny unwanted users even though registered -->
    <!-- Custom filter for username and password. The real customization is done in the customAuthenticationManager -->
    <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
          p:authenticationManager-ref="customAuthenticationManager"
          p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
          p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />
    <!-- Custom authentication manager. In order to authenticate, username and password must not be the same -->
    <bean id="customAuthenticationManager" class="com.tut.yudi.authentication.CustomAuthenticationManager" />
    <!-- We just actually need to set the default failure url here -->
    <bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
          p:defaultFailureUrl="/login?error=true" />
    <!-- We just actually need to set the default target url here -->
    <bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
          p:defaultTargetUrl="/jsp/admin/home" />
    <!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page,
         whenever the server sends back a response requiring authentication -->
    <!-- See Spring-Security Reference 5.4.1 for more info -->
    <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
          p:loginFormUrl="/login"/>
    <!-- The tag below has no use but Spring Security needs it to autowire the parent property of
         org.springframework.security.authentication.ProviderManager. Otherwise we get an error
         A probable bug. This is still under investigation-->
    <security:authentication-manager/>
</beans>
It is because you are running the wrong file in Eclipse.
Make sure you have selected the class where your main function is and then press the Run button (the little green one on top).
The issue is resolved automatically.
It might be some bug of Eclipse, because when I started Eclipse another day, my project worked fine, even though I didn't make any changes.