I have an exception: org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
Offending resource: ServletContext resource [/WEB-INF/spring/security.xml]
A few minutes on Google told me that I need to add the dependency spring-security-config. I have it, the latest version 4.2.1, but the exception is still there.
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<beans:bean name="standartEncrypt"
class="org.springframework.security.crypto.password.StandardPasswordEncoder" >
<beans:constructor-arg name="secret" value="3u6gui" />
</beans:bean>
<http auto-config="true" >
<intercept-url pattern="/notes/**" access="authenticated" />
<intercept-url pattern="/register" requires-channel="https" />
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/accessDenied" access="permitAll" />
<intercept-url pattern="/duplicate" access="permitAll" />
<intercept-url pattern="/notExists" access="permitAll" />
<access-denied-handler error-page="/accessDenied" />
<logout
logout-success-url="/index"
logout-url="/notes/{username}/exit"
/>
<form-login
authentication-failure-url="/accessDenied"
login-page="/register"
login-processing-url="/register"
password-parameter="password"
username-parameter="username"
/>
<remember-me data-source-ref="dataSource" />
<session-management session-fixation-protection="newSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
</http>
<authentication-manager >
<authentication-provider>
<password-encoder ref="standartEncrypt" />
<jdbc-user-service data-source-ref="dataSource" users-by-username-query="SELECT username, password FROM Users WHERE username = ?"/>
</authentication-provider>
</authentication-manager>
<global-method-security jsr250-annotations="enabled" secured-annotations="enabled" />
</beans:beans>
maven
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.1.RELEASE</version>
</dependency>
This is likely an unresolved dependency. Without seeing your Maven pom or project configuration, the bare minimum for Spring Security is:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.1.RELEASE</version>
</dependency>
If you are using Spring Tool Suite or Eclipse, be sure to right-click your project, then select Maven -> Update Project and do a full clean install.
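To confirm whether the handler for the security namespace is actually visible at runtime, the following added diagnostic (not code from the question or the answer) reads the `META-INF/spring.handlers` mapping files that Spring consults when it resolves a namespace. The class name `SecurityNamespaceCheck` is hypothetical; the namespace URI is the one in the exception message.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/** Added diagnostic; the class name is hypothetical. */
public class SecurityNamespaceCheck {

    // Namespace URI copied from the exception message in the question.
    static final String SECURITY_NS = "http://www.springframework.org/schema/security";

    // Spring resolves NamespaceHandlers from every META-INF/spring.handlers on the classpath.
    static final String HANDLER_MAPPINGS = "META-INF/spring.handlers";

    /** Returns "mapping file URL" -> "handler class" for each file that declares the namespace. */
    public static Map<String, String> findHandlers(ClassLoader loader) throws IOException {
        Map<String, String> found = new LinkedHashMap<String, String>();
        Enumeration<URL> resources = loader.getResources(HANDLER_MAPPINGS);
        while (resources.hasMoreElements()) {
            URL resource = resources.nextElement();
            Properties mappings = new Properties();
            InputStream in = resource.openStream();
            try {
                // Properties.load turns the escaped key "http\://..." into "http://...".
                mappings.load(in);
            } finally {
                in.close();
            }
            String handler = mappings.getProperty(SECURITY_NS);
            if (handler != null) {
                found.put(resource.toString(), handler);
            }
        }
        return found;
    }

    public static void main(String[] args) throws IOException {
        Map<String, String> handlers =
                findHandlers(Thread.currentThread().getContextClassLoader());
        if (handlers.isEmpty()) {
            // Same condition that produces "Unable to locate Spring NamespaceHandler".
            System.out.println("No handler registered for " + SECURITY_NS
                    + " (spring-security-config is not visible on this classpath)");
        }
        for (Map.Entry<String, String> entry : handlers.entrySet()) {
            System.out.println(entry.getValue() + " <- " + entry.getKey());
        }
        if (handlers.size() > 1) {
            // Two jars declaring the namespace usually means mixed Spring Security versions.
            System.out.println("More than one jar declares the namespace; check for mixed versions");
        }
    }
}
```

The result only reflects the classpath it runs on, so call `findHandlers` from inside the deployed web application (for example from a test or a startup listener) rather than from an IDE run configuration with a different dependency set.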
Related
Following the release of Spring security version 2.0.8 to 3.2.7.release, I have encountered the following problem.
I modified the Java classes for the adaptation of the code suite upgrade, the pom.xml for the escalation to 3.2.7.release, and context-security.xml. This is the error I encounter:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#0' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' while setting constructor argument with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0': Cannot resolve reference to bean 'org.springframework.security.authentication.ProviderManager#0' while setting bean property 'authenticationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
My pom.xml updated for 3.2.7.RELEASE:
<spring-security.version>3.2.7.RELEASE</spring-security.version>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-expression</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jms</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap-core</artifactId>
<version>1.3.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring.version}</version>
</dependency>
My file applicationContextSecurity.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
<authentication-manager id="multipleLdapProvider">
<!--<authentication-provider ref="multipleLdapProvider" />-->
</authentication-manager>
<http pattern="/referentiel/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider">
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_CDOM" />
<http-basic />
</http>
<http pattern="/bareme/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI" />
<http-basic />
</http>
<http pattern="/comparaisonHosp/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider">
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_CDOM, ROLE_ELUCN" />
<http-basic />
</http>
<http pattern="/requete/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_CDOM" />
<http-basic />
</http>
<http pattern="/refManif/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI" />
<http-basic />
</http>
<http pattern="/contrat/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_CDOM, ROLE_ELUCN" />
<http-basic />
</http>
<http pattern="/utilisateur/**" auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider" >
<intercept-url pattern='/**' access="ROLE_ADMIN, ROLE_SERMI, ROLE_CPRMI, ROLE_INADM" />
<http-basic />
</http>
<http auto-config="true" use-expressions="true" authentication-manager-ref="multipleLdapProvider">
<intercept-url pattern='/**' access="hasRole('USER')" />
<form-login login-page='/login.action' default-target-url="/home.action" always-use-default-target='true'/>
<logout />
</http>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg type="java.lang.String"><beans:value>${ldap.interne.url}</beans:value></beans:constructor-arg>
<beans:property name="userDn">
<beans:value>${ldap.interne.userDn}</beans:value>
</beans:property>
<beans:property name="password">
<beans:value>${ldap.interne.password}</beans:value>
</beans:property>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry key="java.naming.referral" value="follow" />
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="contextSourceIndus"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg type="java.lang.String"><beans:value>${ldap.externe.url}</beans:value></beans:constructor-arg>
<beans:property name="userDn">
<beans:value>${ldap.externe.userDn}</beans:value>
</beans:property>
<beans:property name="password">
<beans:value>${ldap.externe.password}</beans:value>
</beans:property>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry key="java.naming.referral" value="follow" />
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="multipleLdapProvider" class="com.cnom.idahe.utils.spring.MutlipleLdapAuthenticationProvider">
<beans:constructor-arg>
<beans:set>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearchInterne"/>
</beans:bean>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSourceIndus"/>
<beans:property name="userSearch" ref="userSearchExterne"/>
</beans:bean>
</beans:set>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="com.cnom.idahe.utils.spring.CnomDBPopulator">
</beans:bean>
</beans:constructor-arg>
<!--<custom-authentication-provider />-->
</beans:bean>
<beans:bean id="userSearchInterne" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value=""/>
<beans:constructor-arg index="1" >
<beans:value>(&amp;(${ldap.interne.uid}={0})(objectclass=${ldap.objectClass.person}))</beans:value>
</beans:constructor-arg>
<beans:constructor-arg index="2" ref="contextSource" />
</beans:bean>
<beans:bean id="userSearchExterne" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value=""/>
<beans:constructor-arg index="1" >
<beans:value>(&amp;(${ldap.externe.uid}={0})(objectclass=${ldap.objectClass.person}))</beans:value>
</beans:constructor-arg>
<beans:constructor-arg index="2" ref="contextSourceIndus" />
</beans:bean>
<!-- Start of LDAP handling for the User screen -->
<beans:bean id="ldapTemplateInterne" class="org.springframework.ldap.core.LdapTemplate">
<beans:constructor-arg ref="contextSource" />
</beans:bean>
<beans:bean id="ldapTemplateExterne" class="org.springframework.ldap.core.LdapTemplate">
<beans:constructor-arg ref="contextSourceIndus" />
</beans:bean>
</beans:beans>
Spring Security: how can an admin perform every action that comes after (/admin/**) using just one intercept-url?
Spring Security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/user**" access="permitAll" />
<!-- access denied page -->
<access-denied-handler error-page="/noaccess" />
<form-login login-page="/login" authentication-failure-url="/loginfailed" authentication-success-handler-ref="customSuccessHandler"
username-parameter="username" password-parameter="password" />
<logout logout-success-url="/logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider user-service-ref="loginService" />
</authentication-manager>
<beans:bean id="customSuccessHandler" class="com.slp.pro.handler.CustomSuccessHandler" />
</beans:beans>
I have a general question. I have a web project written using Spring Security 3.2 and Spring 4. I deployed the project in Tomcat 7.0. There are 2 roles in Spring Security for project users: USER and COMPANY. When I log in from my home computer (without any proxy), everything works fine. But if I log in from my work computer (which is behind a company proxy), my web application does not work properly: it cannot get localization, or it often gives the USER role to a company account, etc. I looked for this issue on the web but could not find any solutions. I hope somebody can figure out what the reason might be. Thanks in advance.
spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<bean id="securityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" />
<security:global-method-security
pre-post-annotations="enabled">
<security:expression-handler ref="securityExpressionHandler" />
</security:global-method-security>
<security:http auto-config="false" use-expressions="true" access-denied-page="/login" entry-point-ref="authenticationEntryPoint">
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/account/register" access="permitAll"/>
<security:intercept-url pattern="/main" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:intercept-url pattern="/profile" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:intercept-url pattern="/wishlist" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/messagebox" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:intercept-url pattern="/settings" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:intercept-url pattern="/search" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout" />
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
<security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<security:session-management session-authentication-strategy-ref="sas" />
</security:http>
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:sessionAuthenticationStrategy-ref="sas"
p:authenticationManager-ref="authenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/>
<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/login?fail=true" />
<!-- We just actually need to set the default target url here -->
<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
p:defaultTargetUrl="/main" />
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login"/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="customAuthenticationProvider" />
</security:authentication-manager>
<bean id="customAuthenticationProvider" class="service.CustomAuthenticationManager">
</bean>
<!-- A custom service where Spring will retrieve users and their corresponding access levels -->
<bean id="customUserDetailsService" class="service.CustomUserDetailsService"/>
<bean id="concurrencyFilter" class="filter.AzunisConcurrentSessionFilter"
p:sessionRegistry-ref="sessionRegistry"
p:expiredUrl="/login" />
<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
p:maximumSessions="-1" p:exceptionIfMaximumExceeded="false" p:alwaysCreateSession="true">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<!-- Maintains a registry of SessionInformation instances
See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/SessionRegistry.html -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans>
I think this is the caching mechanism of the proxy. Make the login and landing pages expire through your response headers.
I have a web app where you can log in with form-login or be pre-authenticated and logged in that way. Both methods work well, but I can only find a way to use a success handler with the form-login, using the authentication-success-handler-ref property.
My question is, how can I call the success handler "mySuccessHandler" for the PRE_AUTH_FILTER in my security-app-context? I would guess I can call it as a property or something under the PreAuthenticatedProcessingFilter, preauthAuthProvider or the custom-filter.
I just need to go to different pages if the user has the role Teacher or Student.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<http pattern="/**" use-expressions="true" create-session="always">
<intercept-url pattern="/login.jsp*" access="permitAll" />
<intercept-url pattern="/**/ErrorPages/**" access="permitAll" />
<intercept-url pattern="/**/Students/**" access="hasAnyRole('STUDENT, TEACHER')" />
<intercept-url pattern="/**/Teacher/**" access="hasRole('TEACHER')" />
<intercept-url pattern="/**/Login/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**/Js/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**/Css/**" access="permitAll" />
<intercept-url pattern="/**/Img/**" access="permitAll" />
<intercept-url pattern="/**/api/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**" access="denyAll" />
<custom-filter position="PRE_AUTH_FILTER" ref="PreAuthenticatedProcessingFilter" />
<access-denied-handler
<form-login
username-parameter="idnumber"
password-parameter="password" login-processing-url="/athuga_innskraningu"
login-page='/login.jsp'
authentication-failure-handler-ref="myAuthErrorHandler"
authentication-success-handler-ref="mySuccessHandler"
always-use-default-target='true'
authentication-failure-url="/login.jsp?login_error=true"/>
<logout logout-url="/utskra/" logout-success-url="/login.jsp"/>
</http>
<beans:bean id="mySuccessHandler" class="is.inna.rest.login.AuthenticationSuccess"/>
<beans:bean id="myAuthErrorHandler" class="is.inna.rest.login.AuthenticationFailure"/>
<beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<beans:bean name="myUserDetailsService" class="is.inna.rest.login.UserDetailServiceLogin" />
<beans:bean id="userDetailsServiceWrapper" class="is.inna.rest.login.UserDetailServicePreAuth" />
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
<authentication-provider ref="preauthAuthProvider" />
</authentication-manager>
<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService" ref="userDetailsServiceWrapper"/>
</beans:bean>
<beans:bean id="PreAuthenticatedProcessingFilter" class="is.inna.rest.login.PreAuthenticatedProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
</beans:beans>
Your requirement is to redirect the user to different pages depending on the role. You can do this using an authentication success handler as well. Refer to the sample success handler class I have written. You always have access to the Authentication object in the overridden onAuthenticationSuccess method. You can get the authorities and role of the logged-in user and, depending on them, redirect the user to the appropriate page.
Hope this helps.
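A role-based success handler of the kind described, as an added example; it is not the answerer's sample class, which does not appear on this page. The class name and the three target pages are hypothetical, while the `TEACHER` and `STUDENT` authority names come from the question's intercept-url rules.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/** Added example; class name and target pages are hypothetical. */
public class RoleBasedSuccessHandler implements AuthenticationSuccessHandler {

    // Fixed, application-relative targets. They are never read from request
    // parameters, so the redirect cannot be steered to an external site.
    private static final String TEACHER_HOME = "/Teacher/index.jsp";    // hypothetical page
    private static final String STUDENT_HOME = "/Students/index.jsp";   // hypothetical page
    private static final String NO_ROLE_PAGE = "/ErrorPages/noRole.jsp"; // hypothetical page

    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        if (response.isCommitted()) {
            return; // too late to redirect
        }
        redirectStrategy.sendRedirect(request, response, determineTargetUrl(authentication));
    }

    /** Picks the landing page from the authorities granted to the logged-in user. */
    static String determineTargetUrl(Authentication authentication) {
        Set<String> authorities =
                AuthorityUtils.authorityListToSet(authentication.getAuthorities());
        // TEACHER is checked first: in the question's rules a teacher may also
        // open the student area, so the more privileged role decides the page.
        if (authorities.contains("TEACHER")) {
            return TEACHER_HOME;
        }
        if (authorities.contains("STUDENT")) {
            return STUDENT_HOME;
        }
        // Authenticated but without either role: send to a page that is permitAll.
        return NO_ROLE_PAGE;
    }
}
```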
I would like to secure a method in my managed session bean for the specific role "ROLE_ADMIN".
config(applicationContext-security.xml):
<global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled"/>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()"/>
<intercept-url pattern="/**" access="permitAll()"/>
<form-login
login-processing-url="/j_spring_security_check"
login-page="/login.jsf"
default-target-url="/main.jsf"
authentication-failure-url="/login.jsf" />
<session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
</session-management>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="user1" password="user1" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
<beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
bean's secured method:
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String buy() {
...
}
When I log in as user1 or as an anonymous user and click the "buy" button on the web page, it still redirects to the next page.
I expect some access denied exception to occur, but it doesn't.
Remember to enable method level security on your applicationContext-security.xml:
<sec:global-method-security secured-annotations="enabled" />
If instead you use Pre or Post annotations, use:
<security:global-method-security pre-post-annotations="enabled"/>
For more on this, see:
http://forum.springsource.org/showthread.php?t=77862
Note: For annotations from jsr-250:
<sec:global-method-security jsr250-annotations="enabled" />