Currently we are using jasig CAS server for SSO solution. We have two web application that is using same CAS server. We are using spring security for configuring CAS client. Sample code is like :
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<sec:filter-chain-map path-type="ant" >
<sec:filter-chain pattern="/j_spring_security_logout(.jsp)*" filters="appLogoutFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
<sec:filter-chain pattern="/**"
filters="securityContextPersistenceFilter,requestSingleLogoutFilter,appLogoutFilter,casAuthenticationFilter,requestCacheFilter,contextAwareFilter,exceptionTranslationFilter,filterSecurityInterceptor" />
</sec:filter-chain-map>
</bean>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="casAuthenticationProvider" />
</sec:authentication-manager>
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="authenticationUserDetailsService" ref="userDetailsServiceWrapper"/>
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator" ref="ticketValidator"/>
<property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>
<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="lormsSecurityUserDetailsService"/>
</bean>
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<constructor-arg ref="casEntryPoint"/>
<property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</bean>
<bean id="appLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/j_spring_cas_security_logout"/>
<constructor-arg>
<list>
<ref bean="lormsLogOutHandler"/>
</list>
</constructor-arg>
<property name="logoutRequestMatcher">
<bean class="org.springframework.security.web.util.matcher.RegexRequestMatcher">
<constructor-arg name="pattern" value="/j_spring_security_logout(.jsp)*" />
<constructor-arg name="httpMethod">
<null/>
</constructor-arg>
</bean>
</property>
</bean>
<!-- This filter redirects to the CAS Server to signal Single Logout should be performed ?service=${singleSignOn.cas.app.url}/LORMS -->
<bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="${singleSignOn.cas.server.url}/logout?service=${singleSignOn.cas.app.url}/LORMS"/>
<constructor-arg>
<bean class= "org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</constructor-arg>
<property name="logoutRequestMatcher">
<bean class="org.springframework.security.web.util.matcher.RegexRequestMatcher">
<constructor-arg name="pattern" value="/j_spring_cas_security_logout(.jsp)*" />
<constructor-arg name="httpMethod">
<null/>
</constructor-arg>
</bean>
</property>
</bean>
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator" id="ticketValidator">
<constructor-arg index="0" value="${singleSignOn.cas.server.url}" />
</bean>
<bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
<bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
</bean>
<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="${singleSignOn.cas.server.url}/login"/>
<property name="serviceProperties" ref="serviceProperties"/>
</bean>
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="service" value="${singleSignOn.cas.app.url}/LORMS/j_spring_cas_security_check"/>
<property name="sendRenew" value="false"/>
</bean>
Now I have existing form based login UI. I want to use same instead of using jasig web login screen. I found this link "Using CAS from external link or custom external form" using which I can use my login UI. Can anybody help me to integrate same with spring security in my application ?
After you integrate your application.you can change and edit casviewpage.jsp.You can change all UI.You use default casview.jsp and edit it.Why dont want to edit casview.jsp?
Related
I am using spring security with filters to authenticate the users. When several users access the same service in a multi-threaded environment, the principal has changed and going for re-authentication. The password is incorrect for the user and failed to authenticate.
How can I use the pre-authentication in a multi-thread environment?
Authentication using the filter.
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy" >
<sec:filter-chain-map request-matcher="ant" >
<sec:filter-chain pattern="/**" filters="requestContextFilter,securityContextFilter,exceptionTranslationFilter,userRoleProcessingFilter" />
</sec:filter-chain-map>
</bean>
<bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>
<bean id="securityContextFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<constructor-arg>
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"></bean>
</constructor-arg>
<property name="forceEagerSessionCreation" value="false"/>
</bean>
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter" >
<constructor-arg>
<bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
</constructor-arg>
</bean>
<bean id="userRoleProcessingFilter"
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="CUSTOM_USER" />
<property name="credentialsRequestHeader" value="CUSTOM_CRED" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />
<property name="exceptionIfHeaderMissing" value="false"></property>
<property name="checkForPrincipalChanges" value="true"></property>
</bean>
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager" >
<constructor-arg>
<list>
<ref bean="authenticationProvider"/>
</list>
</constructor-arg>
</bean>
<bean id="authenticationProvider" class="com.common.authorization.spring.custom.CustomAuthenticationProvider" >
<property name="preAuthenticatedUserDetailsService">
<bean class="com.common.authorization.spring.custom.CustomUserDetailsService">
</bean>
</property>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased" >
<property name="allowIfAllAbstainDecisions" value="false"/>
<constructor-arg>
<list>
<bean class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value="" />
</bean>
</list>
</constructor-arg>
</bean>
The first request made to the messageSender via a webservicetemplate using credential is failing with 401 unauthorized, but second time it is all okay and works well.
Configuration:
<property name="messageSender">
<bean class="org.springframework.ws.transport.http.HttpComponentsMessageSender">
<property name="connectionTimeout" value="900000" />
<property name="readTimeout" value="0" />
<property name="credentials">
<bean class="org.apache.http.auth.UsernamePasswordCredentials">
<constructor-arg value="${userName}:${Password}" />
</bean>
</property>
From so far, what i have googled through I get to know that I will have to do a preemptive authentication to avoid 401 unauthorized using [org.apache.http.client.HttpClient]. I want a spring xml configuration to allow this so that I can configure preemptive authentication.
Also, is the behaviour as expected.
What I have tried so far.
class="org.springframework.ws.transport.http.HttpComponentsMessageSender">
<property name="connectionTimeout" value="900000" />
<property name="readTimeout" value="0" />
<property name="httpClient" ref="httpClient" />
<property name="credentials" ref="credentials"/>
</bean>
</property>
<bean id="httpClient" class="org.apache.http.client.HttpClient">
<!-- Not Sure what configuration to add here -->
</bean>
<bean id="credentials" class="org.apache.http.auth.UsernamePasswordCredentials">
<constructor-arg value="${userName}:${password}" />
</bean>
Creating the http client with a credentials provider, which need UsernamePasswordCredentials and AuthScope. AuthScope is created with default values and UsernamePasswordCredentials is created with username, password. BasicCredentialsProvider does not take provider and credentials in constructor or setter method. It has to set by invoking setCredentials() method.
<bean class="org.springframework.ws.transport.http.HttpComponentsMessageSender">
<property name="connectionTimeout" value="900000"/>
<property name="readTimeout" value="0"/>
<property name="httpClient" ref="httpClient"/>
</bean>
<bean id="credentialProvider" class="org.apache.http.impl.client.BasicCredentialsProvider" />
<bean id="methodInvoke" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject"><ref local="credentialProvider" /> </property>
<property name="targetMethod" value="setCredentials"> </property>
<property name="arguments" >
<list>
<ref local="authScope" />
<ref local="credentials" />
</list>
</property>
</bean>
<bean id="authScope" class="org.apache.http.auth.AuthScope">
<constructor-arg name="host"><null /></constructor-arg>
<constructor-arg><value>-1</value> </constructor-arg>
<constructor-arg><null /></constructor-arg>
<constructor-arg><null /></constructor-arg>
</bean>
<bean id="credentials" class="org.apache.http.auth.UsernamePasswordCredentials">
<constructor-arg name="userName"><value>xxx</value></constructor-arg>
<constructor-arg name="password"><value>xxx</value></constructor-arg>
</bean>
<bean id="httpClient" class="org.apache.http.impl.client.DefaultHttpClient">
<property name="credentialsProvider" ref="credentialProvider"/>
</bean>
The configuration which I had to add to the Webservicetemplate are shown below:
<!-- Custom Interceptor Implementation to WebServiceTemplate -->
<property name="interceptors">
<list>
<bean class="com.utils.AddHttpHeaderInterceptor" >
</bean>
</list>
</property>
And implement the AddHttpHeaderInterceptor class which implements ClientInterceptor as below:
HttpPost postMethod = connection.getHttpPost();
postMethod.addHeader("Authorization", "Basic " + base64Creds);
return true;
And note: base64Creds is nothing but base64.encode(username:pwd)
Okay so I have an Mobile to Spring Java API Rest stack. I have implemented the Oauth2 security as described in the spring guide https://projects.spring.io/spring-security-oauth/docs/oauth2.html. I use the standard oauth/token endpoint for the user to login with credentials. Since we are trying to consolidate calls the mobile is making to the API, we want to put an access_token object in the response of the registration/step2 endpoint (at this point the users credentials and password has been persisted to the DB). I am not sure what code I need to add to get an access_token this way?
I know I have to make some DefaultTokenRequest with some params to the TokenGranter. Here is some of my config:
<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<!-- Default authentication manager -->
<!--<security:authentication-manager alias="authenticationManager">-->
<!--<security:authentication-provider user-service-ref='userService' />-->
<!--<security:authentication-provider ref="daoAuthenticationProvider" />-->
<!--</security:authentication-manager>-->
<!--New authentication manager -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="authenticationProvider"/>
<security:authentication-provider user-service-ref='userService' />
</security:authentication-manager>
<beans:bean id="authenticationProvider" class="com.special.authenticationProvider" >
<property name="userDetailsService" ref="userService" />
<property name="passwordEncoder" ref="passwordEncoder" />
<property name="saltSource" ref="saltSource" />
</beans:bean>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetailsService" />
</bean>
<!-- Authentication manager for OAUTH token request endpoint -->
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientDetailsUserService" />
</security:authentication-manager>
<!-- oauth token storage -->
<bean id="oauthDataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${database.driverClassName}" />
<property name="url" value="${database.url}" />
<property name="username" value="${database.username}" />
<property name="password" value="${database.password}" />
</bean>
<bean id="tokenStore"
class="com.special.JdbcTokenStoreUserID">
</bean>
<bean id="tokenStoreCore"
class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<constructor-arg ref="oauthDataSource" />
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetailsService" />
<property name="tokenEnhancer" ref="customTokenEnhancer" />
</bean>
<bean id="userApprovalHandler" class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
<property name="tokenServices" ref="tokenServices" />
</bean>
<bean id="customTokenEnhancer" class="com.special.CustomTokenEnhancer"></bean>
I want to add basic authentication (http authentication) to SOAP web service from spring integration. I am following the approach below to authenticate:
<bean id="httpComponentsMessageSender"
class="org.springframework.ws.transport.http.CommonsHttpMessageSender">
<property name="credentials">
<bean class="org.apache.commons.httpclient.UsernamePasswordCredentials">
<constructor-arg value="userName" />
<constructor-arg value="*******" />
</bean>
</property>
</bean>
<int-ws:outbound-gateway id="uniqueId"
request-channel="requestServiceChannel" reply-channel="replyChannel"
uri="end point url" message-sender="httpComponentsMessageSender"
marshaller="ServiceMarshaller" unmarshaller="ServiceMarshaller">
</int-ws:outbound-gateway>
But I am getting this error: org.springframework.ws.soap.client.SoapFaultClientException: Internal Error
Is there any way to authenticate soap web service by adding basic authentication to it?
i found the solution finally, here is the solution
<bean id="apacheHttpClientParams" class="org.apache.commons.httpclient.params.HttpClientParams">
<property name="authenticationPreemptive" value="true" />
<property name="connectionManagerClass"
value="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager" />
</bean>
<bean id="apacheHttpClient" class="org.apache.commons.httpclient.HttpClient">
<constructor-arg ref="apacheHttpClientParams" />
</bean>
<bean id="credentials"
class="org.apache.commons.httpclient.UsernamePasswordCredentials">
<constructor-arg value="userName" />
<constructor-arg value="password" />
</bean>
<bean id="authentication"
class="org.springframework.ws.transport.http.CommonsHttpMessageSender">
<constructor-arg ref="apacheHttpClient"></constructor-arg>
<property name="credentials" ref="credentials" />
</bean>
I want to run transactions on my Spring webapp which uses Apache Jackrabbit repository. JackRabbit then uses relational database (MySQL/PgSQL) for text data. Binary data are stored to FileSystem.
So far I have this functional configuration of Jackrabbit beans:
<bean id="sessionFactory" class="com.example.MyJcrSessionFactory">
<constructor-arg index="0" ref="repository"/>
<constructor-arg index="1" ref="jcrCredentials"/>
</bean>
<bean id="repository" class="org.apache.jackrabbit.core.RepositoryImpl">
<constructor-arg index="0" ref="config" />
</bean>
<bean id="config" class="org.apache.jackrabbit.core.config.RepositoryConfig" factory-method="create">
<constructor-arg index="0" type="java.io.InputStream" value="classpath:jackrabbit/repository.xml"/>
<constructor-arg index="1" type="java.lang.String" value="/tmp/repository" />
</bean>
<bean id="jcrCredentials" class="javax.jcr.SimpleCredentials">
<constructor-arg index="0" type="java.lang.String" value="..." />
<constructor-arg index="1" type="char[]" value="..." />
</bean>
And rest of Jackrabbit configuration in repository.xml file.
What do I have to do to successfully run transactions on JackRabbit repository? Which technology am I supposed to use?
I'm running Spring 3.1, Jackrabbit 2.3.3 on Tomcat/Glassfish. And I don't want to use obsolete spring modules.
We're using a similar setup (Jackrabbit, Spring, Tomcat) with Jencks as a JCA provider.
Here's an example config:
<bean id="txManagerJencks" class="org.jencks.factory.TransactionManagerFactoryBean" />
<bean id="pooledConnectionManagerJcr" class="org.jencks.factory.ConnectionManagerFactoryBean">
<property name="transactionManager">
<ref local="txManagerJencks" />
</property>
<property name="transaction" value="xa" />
<property name="poolMinSize" value="1"/>
<property name="poolMaxSize" value="5"/>
<property name="connectionMaxIdleMinutes" value="5" />
</bean>
<bean id="repositoryManagedConnectionFactory" class="org.apache.jackrabbit.jca.JCAManagedConnectionFactory" destroy-method="finalize">
<property name="homeDir" value="${jackrabbit.homeDir}/jackrabbit" />
<property name="configFile" value="classpath:repository.xml" />
</bean>
<bean id="repository"
class="org.springframework.jca.support.LocalConnectionFactoryBean" >
<property name="managedConnectionFactory">
<ref local="repositoryManagedConnectionFactory" />
</property>
<property name="connectionManager">
<ref local="pooledConnectionManagerJcr" />
</property>
</bean>