I'm developing an application that uses JSF (Mojarra) to control de MVC flow, but I also want to integrate Spring Security for its Autehntication and Authorization processes.
However, I'm having a problem where Spring Bean Factory cannot instantiate the classes that I build to do custom login and so on. From there, the system doesn't even go online.
The stacktrace starts with:
java.lang.ClassNotFoundException: com.tfduque.fieldAssist.manager.LoginBean
And then
org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [com.tfduque.fieldAssist.manager.LoginBean] for bean with name 'authenticationEntryPoint' defined in ServletContext resource [/WEB-INF/applicationContext.xml]; nested exception is java.lang.ClassNotFoundException: com.tfduque.fieldAssist.manager.LoginBean
And so on...
(Full stacktrace)
This is how my folders are organized, if it matters:
My application context (for spring security configurations):
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/login*" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/images/**" security="none" />
<http pattern="/javascript/**" security="none" />
<http pattern="/Secured/**" create-session="stateless"
use-expressions="true">
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<http-basic />
</http>
<http auto-config="true" use-expressions="true"
access-decision-manager-ref="accessDecisionManager">
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<form-login login-page="/login.xhtml" login-processing-url="/j_login"
authentication-failure-url="/login.xhtml" always-use-default-target="false"
default-target-url="/" />
<logout invalidate-session="true" logout-success-url="/login.xhtml"
logout-url="/j_logout" delete-cookies="JSESSIONID" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="authenticationEntryPoint">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<beans:bean id="appUserDetailsService"
class="com.tfduque.fieldAssist.security.AppUserDetailsService" />
<beans:bean id="authenticationEntryPoint"
class=" com.tfduque.fieldAssist.manager.LoginBean">
<beans:property name="loginFormUrl" value="/Login.xhtml" />
<beans:property name="redirectStrategy" ref="jsfRedirectStrategy" />
</beans:bean>
</beans:beans>
Some of my web.xml configs (btw, I'm also using weld for injection):
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<!-- Listeners -->
<listener>
<listener-class>org.jboss.weld.environment.servlet.Listener</listener-class>
</listener>
<resource-env-ref>
<resource-env-ref-name>BeanManager</resource-env-ref-name>
<resource-env-ref-type>javax.enterprise.inject.spi.BeanManager</resource-env-ref-type>
</resource-env-ref>
<!-- Security -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Login Bean is annotated like this:
#Named("login")
#RequestScoped
public class LoginBean {
public String doLogin() throws IOException, ServletException {
[...]
}
I think that this is all needed to understand the problem.
Related
I need in my web 2 types of URLs, one with access restrictions and one without it.
This is the schema:
myApp:
myApp/*.do <-- Authorization required
myApp/public/* <-- No Authorization required
The (1) URLs works fine, but I don't know how to implement / configure spring for (2). This is my actual configuration of servlet-mapping:
Web.xml
<servlet>
<servlet-name>myApp</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>myApp</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
And in context-security.xml I have the following for the public access:
<http pattern="/public/**" security="none"/>
I tried to add in Web.xml one more url-pattern with:
<url-pattern>/public/*</url-pattern>
But this doesn't work fine, I can access to all urls with authorization required without being logged using: myApp/public/xxx.do.
Should I create another servlet only for public URLs, or there is something more simple?
Edit:
My context-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Debug -->
<!--
<debug />
-->
<global-method-security pre-post-annotations="enabled" />
<!-- No securizamos los recursos públicos -->
<http pattern="/public/**" security="none"/>
<http use-expressions="true" entry-point-ref="myAppAuthenticationEntryPoint">
<intercept-url pattern="/ProcessResponseServlet" access="permitAll" />
<intercept-url pattern="/CallAuthenticationServlet" access="permitAll" />
<intercept-url pattern="/ReturnAuthenticationServlet" access="permitAll" />
<intercept-url pattern="/login.jsp" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login
login-page="/login.jsp"
default-target-url="/index.jsp"
authentication-failure-url="/login.jsp?login_error"
/>
<logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"/>
<remember-me />
</http>
<!-- myApp authentication entry point -->
<beans:bean id="myAppAuthenticationEntryPoint"
class="com.home.myApp.webapp.security.myAppAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.jsp" />
</beans:bean>
<!-- Autenticación de pruebas-->
<authentication-manager>
<authentication-provider ref="mockProvider">
</authentication-provider>
</authentication-manager>
<beans:bean id="mockProvider" class="com.home.myApp.webapp.security.MockAuthenticationProvider" >
</beans:bean>
You should use Spring security.
1. Add to your web.xml Filter for Spring Security (for example)
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/dispatcher.xml
/WEB-INF/context-security.xml
</param-value>
</context-param>
Add to your context-security.xml
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/public/**" access="permitAll"/>
<intercept-url pattern="/res/**" access="permitAll"/>
<intercept-url pattern="/*.do" access="isAuthenticated()"/>
</http>
This issue is related to spring security. Whenever I run my application on tomcat by default index.jsp opens but now i am getting access denied on this page.
From index.jsp i am redirecting the page to login.jsp, but since I am getting access denied on this page, redirection is not happening. What i meant to say is if hit: "localhost:8080/abc" I am getting access denied but if I hit "localhost:8080/abc/login" the page opens. (just to be clear, abc is the application context)
I am pretty much sure i have messed up somewhere in the spring security config, because it was working fine before.
Below are my files:
This is my spring-security.xml
<sec:global-method-security pre-post-annotations="enabled"/>
<!--
Add white listed urls here.
Please note that the filter chain will not be applied and the security context not populated.
Use for static resource mostly
-->
<http pattern="/resources/**" security="none" />
<http pattern="/login" security="none" />
<http pattern="/login1" security="none" />
<http pattern="/googleLogin" security="none" />
<!-- Add protected resource here -->
<http use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<custom-filter position="PRE_AUTH_FILTER" ref="oauth2PreAuthFilter" />
<intercept-url pattern="/menu" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/request/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/device/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="AuthenticationService" />
</authentication-manager>
<beans:bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<beans:bean id="AuthenticationService" class="com.hitesh.security.AuthenticateUserService"/>
<beans:bean id="oauth2PreAuthFilter" class="com.hitesh.security.OAuth2PreAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<beans:bean id="preAuthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
</beans:bean>
<beans:bean id="preAuthenticatedUserDetailsService" class="com.hitesh.security.Oauth2PreAuthenticatedUserService"/>
This is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>Inventory Project</display-name>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:/abc/application.xml,
classpath:/abc/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I am stuck on this for quite a time, any help will be really appreciated.
Update: On application startup, my code is going into the oauth2PreAuthFilter. For index.jsp, it shouldn't run this filter. Is there a way to avoid this, i have tried
<http pattern="/index" security="none" />
but this didn't helped.
Try this (use your values):
<http use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<custom-filter position="PRE_AUTH_FILTER" ref="oauth2PreAuthFilter" />
<intercept-url pattern="/menu" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/request/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/device/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page='/login.htm' default-target-url="/home.htm"/>
</http>
Got the fix:
<http auto-config="true" pattern="/index.jsp" />
Here is my Spring Security configuration:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:applicationContext-security.xml
</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>tutorial.root</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<servlet>
<servlet-name>greetServlet</servlet-name>
<servlet-class>ru.andrew.springsecuregwt.server.GreetingServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>greetServlet</servlet-name>
<url-pattern>/springsecuregwt/greet</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>Springsecuregwt.html</welcome-file>
</welcome-file-list>
</web-app>
applicationContext-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<debug />
<global-method-security pre-post-annotations="enabled" />
<http pattern="/static/**" security="none"/>
<http pattern="/loggedout.jsp" security="none"/>
<http use-expressions="true">
<intercept-url pattern="/" access="isAuthenticated()" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"/>
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
<logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"/>
<remember-me />
</http>
<beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>
<authentication-manager>
<authentication-provider>
<password-encoder ref="encoder"/>
<user-service>
<user name="rod" password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde" authorities="supervisor, user, teller" />
<user name="dianne" password="957ea522524a41cbfb649a3e293d56268f840fd5b661b499b07858bc020d6d223f912e3ab303b00f" authorities="user,teller" />
<user name="scott" password="fb1f9e48058d30dc21c35ab4cf895e2a80f2f03fac549b51be637196dfb6b2b7276a89c65e38b7a1" authorities="user" />
<user name="peter" password="e175750688deee19d7179d444bfaf92129f4eea8b4503d83eb8f92a7dd9cda5fbae73638c913e420" authorities="user" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
When I click on the logout link, I'm successfully landing at the logout page, but if I enter
localhost:8080/projectname
in the new Chrome tab, I can gain access to the app, without any authentication page.
What do I do wrong and how can I fix such security issue?
Spring remembeMe functionality creates a cookie with the name 'SPRING_SECURITY_REMEMBER_ME_COOKIE'. It then uses this to authenticate. If your logout only deletes the webapp container session id the authentication will check for that and then the presence of this cookie. So you need to make sure you remove this cookie on logout.
I have read a lot of tutorials about using Spring Security 3 on Struts 2. But I can't make it work :/.
I can't find a "Dummy step by step guide" about implement this framework on Struts 2.
Here is what I have:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<display-name>cv</display-name>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>example/HelloWorld.jsp</welcome-file>
</welcome-file-list>
</web-app>
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context/spring-context-2.5.xsd"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/context/spring-context-2.5.xsd http://www.springframework.org/schema/context/spring-context-2.5.xsd/spring-spring-context-2.5.xsd-3.1.1.RELEASE.xsd
">
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http realm="Project Realm" auto-config="true" use-expressions="true">
<intercept-url pattern="/auth/**" filters="none"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
<form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
<logout logout-success-url="/auth/login.jsp"/>
<remember-me />
</http>
<http>
<intercept-url pattern="/login*" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/img/**" filters="none" />
<intercept-url pattern="/search.action*" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/user/**" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-page="/login.action" />
<logout logout-url="/logout.action" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
<user name="customer" password="customer" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</b:beans>
</beans>
And my HelloWorld.jsp
<body>
<h1>Welcome!</h1><br />
<sec:authorize access="isAnonymous()">
This session will be visible to an admin only.<br/>
You are an Administrator.<br/>
</sec:authorize>
<sec:authorize access="hasRole('ROLE_USER')">
This session will be visible to an Customer only.<br/>
You are an Customer.<br/>
</sec:authorize>
${HelloMessage}<br />
Logout
</body>
I want to test how the privileges works using the tag "isAnonymous" showing that block of text, but I can't make it work
:(
You need to add Spring Security's filter chain to the web.xml.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This goes after your Struts filter. This will allow Spring Security to check/block the request prior to Struts being handed the request.
Assuming the user is allowed to access the content Spring Security will set up a SecurityContext object that will make allow the JSP tags work.
I have a problem to run JSF and Spring Security.
WEB.xml:
<!-- spring and jsf configuration files mapping -->
...
<!-- JSF mapping -->
...
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
securityContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<http auto-config="true">
<intercept-url pattern="/pages**" access="ROLE_USER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="evgeny" password="123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
and http://localhost:8081/spring/pages/userInfo.jsf is accessed with no problem!
Based on the sample URL you provide ( http://localhost:8081/spring/pages/userInfo.jsf )
<intercept-url pattern="/pages**" access="ROLE_USER" />
should be changed to the following to match it
<intercept-url pattern="/spring/pages**" access="ROLE_USER" />