With the following Java Config configuration for Spring Security 3.2.2 and Spring Framework 3.2.8, user passsword is deleted even when I use '.eraseCredentials(false)' and it's not available using authentication.getCredentials().
#Configuration
#EnableWebSecurity
#Order( 1 )
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Bean( name = "authenticationEntryPoint" )
public LoginUrlAuthenticationEntryPoint authenticationEntryPoint() {
return new XhrAwareAuthenticationEntryPoint( "/home?noAuthenticated=expired" );
}
#Bean( name = "acessDeniedHandler" )
public AccessDeniedHandler acessDeniedHandler() {
XhrAwareAccessDeniedHandlerImpl xhrAwareAccessDeniedHandler = new XhrAwareAccessDeniedHandlerImpl();
xhrAwareAccessDeniedHandler.setErrorPage( "/denied" );
return xhrAwareAccessDeniedHandler;
}
#Bean( name = "atlasAuthenticationSuccessHandler" )
public AtlasAuthenticationSuccessHandler atlasAuthenticationSuccessHandler() {
return new AtlasAuthenticationSuccessHandler( "/views/hub" );
}
#Bean( name = "atlasAuthenticationFailureHandler" )
public AtlasAuthenticationFailureHandler atlasAuthenticationFailureHandler() {
return new AtlasAuthenticationFailureHandler( "/home?loginError=error" );
}
#Bean( name = "atlasLogoutSuccessHandler" )
public AtlasLogoutSuccessHandler atlasLogoutSuccessHandler() {
AtlasLogoutSuccessHandler atlasLogoutSuccessHandler = new AtlasLogoutSuccessHandler();
atlasLogoutSuccessHandler.setDefaultTargetUrl( "/home?logoff=disconnect" );
return atlasLogoutSuccessHandler;
}
#Override
public void configure( WebSecurity web ) throws Exception {
web.ignoring().antMatchers( "/resources/**" );
}
#Override
protected void configure( HttpSecurity http ) throws Exception {
http.csrf().disable()
.httpBasic()
.authenticationEntryPoint( this.authenticationEntryPoint() )
.and()
.exceptionHandling()
.accessDeniedHandler( this.acessDeniedHandler() )
.and()
.formLogin()
.usernameParameter( "j_username" )
.passwordParameter( "j_password" )
.loginPage( "/home" )
.loginProcessingUrl( "/login" )
.failureHandler( this.atlasAuthenticationFailureHandler() )
.successHandler( this.atlasAuthenticationSuccessHandler() )
.permitAll()
.and()
.logout()
.logoutUrl( "/logout" )
.logoutSuccessHandler( this.atlasLogoutSuccessHandler() )
.invalidateHttpSession( true )
.permitAll()
.and()
.authorizeRequests()
.antMatchers(
ViewsConstants.VIEWS_URI + "/**",
RssController.RSS_URI + "/**",
ProxySolrController.SEARCH_URI + "/**" )
.authenticated()
.antMatchers( ConfigurationProperties.ADMIN_URI + "/**" ).hasAnyRole( Role.ADMIN )
.antMatchers( "/**" ).permitAll();
}
#Configuration
#Profile( "DES" )
public static class AuthenticacioInMemoryConfig {
#Autowired
public void configureGlobal( AuthenticationManagerBuilder auth ) throws Exception {
auth.eraseCredentials( false ).inMemoryAuthentication()
.withUser( "user" ).password( "atlas" ).authorities( "ROLE_USER" ).and()
.withUser( "admin" ).password( "atlas" ).authorities( "ROLE_ADMIN" );
}
}
#Configuration
#Profile( "PRO" )
#PropertySource( "file:${config.env}/config_env.properties" )
public static class AuthenticacionLdapConfig {
#Value( "${ldap.host}" )
private String host;
#Value( "${ldap.port}" )
private String port;
#Value( "${ldap.basedn}" )
private String baseDn;
#Value( "${ldap.userdn}" )
private String userDn;
#Value( "${ldap.passw}" )
private String password;
#Bean
public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
return new PropertySourcesPlaceholderConfigurer();
}
#Bean( name = "contextSource" )
public DefaultSpringSecurityContextSource contextSource() {
DefaultSpringSecurityContextSource contextSource =
new DefaultSpringSecurityContextSource( "ldap://" + this.host + ":" + this.port );
contextSource.setUserDn( this.userDn );
contextSource.setPassword( this.password );
return contextSource;
}
#Bean( name = "userSearch" )
public FilterBasedLdapUserSearch userSearch() {
return new FilterBasedLdapUserSearch( this.baseDn, "(bsalias={0})", this.contextSource() );
}
#Bean( name = "ldapAuthenticator" )
public LdapAuthenticator ldapAuthenticator() {
BindAuthenticator authenticator = new BindAuthenticator( this.contextSource() );
authenticator.setUserSearch( this.userSearch() );
return authenticator;
}
#Bean( name = "atlasAuthoritiesPopulator" )
public AtlasAuthoritiesPopulator atlasAuthoritiesPopulator() {
return new AtlasAuthoritiesPopulator();
}
#Bean( name = "ldapAuthenticationProvider" )
public LdapAuthenticationProvider ldapAuthenticationProvider() {
return new LdapAuthenticationProvider( this.ldapAuthenticator(), this.atlasAuthoritiesPopulator() );
}
#Autowired
public void configureGlobal( AuthenticationManagerBuilder auth ) throws Exception {
auth.eraseCredentials( false ).authenticationProvider( this.ldapAuthenticationProvider() );
}
}
}
However, using the xml configuration for the same spring security and spring framework is running ok and the password is available.
<context:property-placeholder location="file:${config.env:}/config_env.properties" />
<global-method-security secured-annotations="enabled"/>
<beans:bean id="authenticationEntryPoint"
class="es.isban.atlas.views.web.core.authentication.XhrAwareAuthenticationEntryPoint">
<beans:constructor-arg name="loginFormUrl" value="/home?noAuthenticated=expired"/>
</beans:bean>
<beans:bean id="accessDeniedHandler"
class="es.isban.atlas.views.web.core.authentication.XhrAwareAccessDeniedHandlerImpl">
<beans:property name="errorPage" value="/denied" />
</beans:bean>
<beans:bean id="atlasAuthenticationSuccessHandler"
class="es.isban.atlas.views.web.core.authentication.AtlasAuthenticationSuccessHandler">
<beans:constructor-arg name="defaultTargetUrl" value="/views/hub"/>
</beans:bean>
<beans:bean id="atlasAuthenticationFailureHandler"
class="es.isban.atlas.views.web.core.authentication.AtlasAuthenticationFailureHandler">
<beans:constructor-arg name="defaultFailureUrl" value="/home?loginError=error"/>
</beans:bean>
<beans:bean id="atlasLogoutSuccessHandler"
class="es.isban.atlas.views.web.core.authentication.AtlasLogoutSuccessHandler">
<beans:property name="defaultTargetUrl" value="/home?logoff=disconnect" />
</beans:bean>
<!-- This is where we configure Spring-Security -->
<http use-expressions="true"
entry-point-ref="authenticationEntryPoint">
<access-denied-handler ref="accessDeniedHandler" />
<intercept-url pattern="/*" access="permitAll()"/>
<intercept-url pattern="/views/**" access="isAuthenticated()" />
<intercept-url pattern="/rss/**" access="isAuthenticated()" />
<intercept-url pattern="/search/**" access="isAuthenticated()" />
<intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN')" />
<form-login login-page="/home"
login-processing-url="/login"
authentication-success-handler-ref="atlasAuthenticationSuccessHandler"
authentication-failure-handler-ref="atlasAuthenticationFailureHandler" />
<!-- authentication-failure-url="/home?loginError=error"
default-target-url="/views/hub" -->
<logout logout-url="/logout"
invalidate-session="true"
success-handler-ref="atlasLogoutSuccessHandler" />
<!-- logout-success-url="/home"
delete-cookies="true" -->
</http>
<beans:beans profile="PRO">
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://${ldap.host}:${ldap.port}"/>
<beans:property name="userDn" value="${ldap.userdn}"/>
<beans:property name="password" value="${ldap.passw}"/>
</beans:bean>
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch">
<beans:bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg value="${ldap.basedn}"/>
<beans:constructor-arg value="(bsalias={0})"/>
<beans:constructor-arg ref="contextSource"/>
</beans:bean>
</beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="es.isban.atlas.views.web.core.authorization.AtlasAuthoritiesPopulator" />
</beans:constructor-arg>
</beans:bean>
<authentication-manager erase-credentials="false">
<authentication-provider ref="ldapAuthProvider" />
</authentication-manager>
</beans:beans>
<beans:beans profile="DES">
<authentication-manager erase-credentials="false">
<authentication-provider>
<user-service>
<user name="user" password="atlas" authorities="ROLE_USER" />
<user name="admin" password="atlas" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Do you have any clue? How can I fix that?
Thanks in advance.
This is a bug in the Spring Security Java Configuration that impacts the global authentication option. See SEC-2533 for details. There is not a real easy work around for this issue, but the bug is already fixed and a release will be out within the next few days.
Related
I have an issue when trying to logging URI of endpoint when a user try to access a secured Resource.
I've created an instance of AccessDeniedHandler :
public class CustomAccessDeniedHandler implements AccessDeniedHandler {
private final static Logger logger = Logger.getLogger(CustomAccessDeniedHandler.class);
#Override
public void handle(
HttpServletRequest request,
HttpServletResponse response,
AccessDeniedException exc) throws IOException, ServletException {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null) {
logger.warn("User: " + auth.getName()
+ " attempted to access the protected URL: "
+ request.getRequestURI());
}
}
}
But the handleMethod is never triggered and I don't understand why. In the project we have this class, and I suppose that it catch the exception before my AccessDeniedHandler, but I don't know o to deal with that.
#Provider
public class ExceptionMH extends Throwable implements ExceptionMapper<Exception> {
private static final long serialVersionUID = 1L;
private static final Logger logger = Logger.getLogger(ExceptionMH.class);
private void exceptionWarning(Exception e) {
logger.warn("[ExceptionMH] Warn: ", e);
}
private void exceptionError(Exception e) {
logger.error("[ExceptionMH] Error: ", e);
}
#Override
public Response toResponse(Exception exception) {
if (exception.getClass() == HttpRequestMethodNotSupportedException.class || exception.getClass() == NotFoundException.class) {
this.exceptionWarning(exception);
return Response.status(404).build();
} else if (exception.getClass() == CardException.class) {
this.exceptionWarning(exception);
return Response.status(200).build();
} else if (exception.getClass() == APIException.class) {
String msg = ((APIException) exception).getRawResponse();
logger.error("Facebook API exception: " + msg, exception);
return Response.status(500).entity(msg).build();
} else if (exception.getClass() == AccessDeniedException.class) {
this.exceptionError(exception);
return Response.status(401).entity("{ \"error\": \"" + exception.getMessage() + "\" }").build();
} else {
this.exceptionError(exception);
return Response.status(500).build();
}
}
}
What should I do to make AccessDeniedHandler triggered?
EDIT: Here's my configuration. The AccessDeniedHandler bean is declared and well added.
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd">
<global-method-security pre-post-annotations="enabled" proxy-target-class="true"/>
<http entry-point-ref="authEntryPoint" create-session="never" >
<cors configuration-source-ref="corsSource"/>
<csrf disabled="true"/>
<custom-filter ref="authFilter" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="customAccessDeniedHandler"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="daoAuthenticationProvider"/>
</authentication-manager>
<b:bean name="customAccessDeniedHandler"
class="io.markethero.security.CustomAccessDeniedHandler" />
<b:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<b:property name="userDetailsService" ref="userLoginService"/>
<b:property name="passwordEncoder" ref="customizePasswordEncoder"/>
</b:bean>
<b:bean id="customizePasswordEncoder" class="io.markethero.security.CustomizePasswordEncoder"/>
<b:bean id="authFilter" class="io.markethero.security.AuthFilter"/>
<b:bean id="authEntryPoint" class="io.markethero.security.AuthEntryPoint"/>
<b:bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource">
<b:property name="corsConfigurations">
<util:map>
<b:entry key="/**">
<b:bean class="org.springframework.web.cors.CorsConfiguration">
<b:property name="allowCredentials" value="true"/>
<b:property name="allowedHeaders">
<util:list>
<b:value>Authorization</b:value>
<b:value>Content-Type</b:value>
</util:list>
</b:property>
<b:property name="exposedHeaders">
<b:list>
<b:value>Account-Locked</b:value>
<b:value>Account-Disabled</b:value>
<b:value>Bad-Credentials</b:value>
</b:list>
</b:property>
<b:property name="allowedMethods">
<util:list>
<b:value>POST</b:value>
<b:value>GET</b:value>
<b:value>PUT</b:value>
<b:value>DELETE</b:value>
<b:value>OPTIONS</b:value>
</util:list>
</b:property>
<b:property name="allowedOrigins" value="*"/>
</b:bean>
</b:entry>
</util:map>
</b:property>
</b:bean>
</b:beans>
It's hard to answer exactly without seeing your security configuration, but I suspect that you haven't registered the handler? Assuming that CustomAccessDeniedHandler is a bean called customAccessDeniedHandler, this should enable it.
#Configuration
public class WebSecurityConfig {
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// all HttpSecurity configurations here
// add this
http.exceptionHandling().accessDeniedHandler(customAccessDeniedHandler);
return http.build();
}
}
I need a special redirect when session timeout expires. So I am trying to apply custom InvalidSessionStrategy, by using it in filter on SESSION_MANAGEMENT_FILTER level.
I have the following security configuration
<http auto-config="false" entry-point-ref="customAuthenticationEntryPoint" create-session="ifRequired" >
<custom-filter before="SESSION_MANAGEMENT_FILTER" ref="customSessionManagementFilter" />
<custom-filter before="BASIC_AUTH_FILTER" ref="customAuthFilter" />
<intercept-url pattern="/userpage*" access="hasRole('USER')" />
<intercept-url pattern="/greetpage*" access="hasAnyRole('USER')" />
<logout logout-url="/logout" success-handler-ref="customLogoutSuccessHandler" />
<headers>
<frame-options policy="SAMEORIGIN" />
</headers>
<csrf disabled="true" />
</http>
<beans:bean id="customSessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
<beans:property name="invalidSessionStrategy" ref="customInvalidSessionStrategy" />
</beans:bean>
<beans:bean id="customInvalidSessionStrategy" class="com.test.CustomInvalidSessionStrategy">
<beans:constructor-arg name="customHandlerService" ref="customHandlerService"/>
</beans:bean>
<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
<beans:bean id="customHandlerService" class="com.test.CustomHandlerService" />
and CustomInvalidSessionStrategy
public class CustomInvalidSessionStrategy implements InvalidSessionStrategy {
private CustomHandlerService customHandlerService;
private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
#Autowired
public CustomInvalidSessionStrategy(CustomHandlerService customHandlerService) {
this.customHandlerService = customHandlerService;
}
#Override
public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
String requestUrl = getRequestUrl(request);
if(requestUrl.contains("/api")) {
String refererUrl = request.getHeader("referer");
String redirectUrl = customHandlerService.getRedirectLogoutUrl(refererUrl);
redirectStrategy.sendRedirect(request, response, redirectUrl);
} else {
request.getSession(true);
redirectStrategy.sendRedirect(request, response, requestUrl);
}
}
private String getRequestUrl(HttpServletRequest request) {
StringBuffer requestURL = request.getRequestURL();
String queryString = request.getQueryString();
if (StringUtils.hasText(queryString)) {
requestURL.append("?").append(queryString);
}
return requestURL.toString();
}
}
The problem is that my CustomInvalidSessionStrategy is never called.
From breakpoint in SessionManagementFilter.doFilter() I see that it's invalidSessionStrategy is null, although
SessionManagementFilter.setInvalidSessionStrategy() DID set my custom filter into it.
Will appreciate any advice,
Thanks
The question is invalid. the problem was that ajax sent requests to other url, shich wasn't configured to use custom message filter. that is why invalid session strategy was null
I am using Spring security version 3.1.4.RELEASE. When I try to login to the application I am getting an error. I have cross checked the credentials in DB. Even though the credentials are correct the system is not lettng me to login. Following the details of error and my configuration settings.
Getting following error while trying to login to the system:
web.security.auth.CustomUsernamePasswordAuthenticationFilter username is support
web.security.auth.CustomUsernamePasswordAuthenticationFilter password is [PROTECTED]
web.security.auth.CustomUsernamePasswordAuthenticationFilter authRequest is org.springframework.security.authentication.UsernamePasswordAuthenticationToken#4a159a52: Principal: support; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#0: RemoteIpAddress: 204.238.52.177; SessionId: 9B49838B0DF4224E169EAF425C0AABE9; Not granted any authorities
web.security.auth.CustomUsernamePasswordAuthenticationFilter Authentication manager was com.sun.proxy.$Proxy476
System.out loadUserByUsername support enter
org.springframework.security.authentication.event.LoggerListener Authentication event AuthenticationFailureServiceExceptionEvent: support; details: org.springframework.security.web.authentication.WebAuthenticationDetails#0: RemoteIpAddress: 204.238.52.177; SessionId: 9B49838B0DF4224E169EAF425C0AABE9; exception: null
Here I am getting the exception as null!
Config:
<authentication-manager alias="authenticationManager">
<authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>
<beans:bean id="plaintextPasswordEncoder" class="org.springframework.security.authentication.encoding.PlaintextPasswordEncoder" />
<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="daoUserDetailsService" />
<beans:property name="passwordEncoder" ref="plaintextPasswordEncoder" />
</beans:bean>
<beans:bean id="daoUserDetailsService" class="web.security.auth.DAOUserDetailsService">
<beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<beans:bean id="dataSource" class="web.security.auth.DAODataSource" />
<beans:bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<filter-chain-map request-matcher="ant">
<filter-chain pattern="/**" filters="channelProcessingFilter, SecurityContextPersistenceFilter, logoutFilter, authenticationFilter, anonymousAuthFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
</filter-chain-map>
</beans:bean>
<beans:bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
<beans:property name="channelDecisionManager" ref="channelDecisionManager"/>
<beans:property name="securityMetadataSource">
<filter-security-metadata-source request-matcher="ant">
<intercept-url pattern="/**" access="REQUIRES_SECURE_CHANNEL"/>
</filter-security-metadata-source>
</beans:property>
</beans:bean>
<beans:bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
<beans:property name="channelProcessors">
<beans:list>
<beans:ref bean="secureChannelProcessor"/>
<beans:ref bean="insecureChannelProcessor"/>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="secureChannelProcessor" class="org.springframework.security.web.access.channel.SecureChannelProcessor" />
<beans:bean id="insecureChannelProcessor" class="org.springframework.security.web.access.channel.InsecureChannelProcessor" />
<beans:bean id="SecurityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
<beans:bean id="authenticationFilter" class="web.security.auth.CustomUsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="filterProcessesUrl" value="/j_spring_security_check"/>
<beans:property name="usernameParameter" value="username"/>
<beans:property name="passwordParameter" value="password"/>
</beans:bean>
<beans:bean id="anonymousAuthFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
<beans:property name="key" value="foobar"/>
<beans:property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</beans:bean>
<beans:bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
<beans:property name="key" value="foobar"/>
</beans:bean>
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
<beans:property name="securityMetadataSource">
<filter-security-metadata-source>
<intercept-url pattern="/LoginPage" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/LoginExpiredPage" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/wicket/bookmarkable/web.sec.pages.LoginExpiredPage" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/*.ico" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/wicket/resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED"/>
</filter-security-metadata-source>
</beans:property>
</beans:bean>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="ROLE_"/>
</beans:bean>
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/" />
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/logout"/>
</beans:bean>
<beans:bean id="forceCookieUseFilter" class="web.security.ForceCookieUseFilter">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
<beans:property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</beans:bean>
<beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/LoginPage"/>
</beans:bean>
<beans:bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<beans:property name="errorPage" value="/accessDenied.htm"/>
</beans:bean>
<beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
AuthenticationFilter class as follows:
public class CustomUsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";
public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";
private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
private boolean postOnly = true;
public CustomUsernamePasswordAuthenticationFilter() {
super("/j_spring_security_check");
}
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
if(this.getAuthenticationManager()==null){
logger.info("Authentication manager is null.");
} else {
logger.info("Authentication manager was "+this.getAuthenticationManager().getClass().getName());
}
return this.getAuthenticationManager().authenticate(authRequest);
}
protected String obtainPassword(HttpServletRequest request) {
return request.getParameter(passwordParameter);
}
protected String obtainUsername(HttpServletRequest request) {
return request.getParameter(usernameParameter);
}
protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
public void setUsernameParameter(String usernameParameter) {
this.usernameParameter = usernameParameter;
}
public void setPasswordParameter(String passwordParameter) {
this.passwordParameter = passwordParameter;
}
public void setPostOnly(boolean postOnly) {
this.postOnly = postOnly;
}
public final String getUsernameParameter() {
return usernameParameter;
}
public final String getPasswordParameter() {
return passwordParameter;
}
}
UserDetails class as follows:
public class DAOUserDetailsService implements UserDetailsService {
private DataSource dataSource;
public void setDataSource(DAODataSource dataSource) {
this.dataSource = dataSource;
}
public DAOUserDetailsService () { }
public DAOUserDetailsService (DAODataSource dataSource) {
this.dataSource = dataSource;
}
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
DataSource ds = dataSource;
PreparedStatement userStatement = null;
try {
Connection con = ds.getConnection();
String userQuery = "SELECT USER_ID, USER_PASSWORD, USER_ENABLED FROM USER WHERE USER_ID = ?";
userStatement = con.prepareStatement(userQuery);
userStatement.setString(0, username);
ResultSet userResults = userStatement.executeQuery();
if (userResults.next()) {
final SimpleGrantedAuthority supervisorAuthority = new SimpleGrantedAuthority(
"supervisor");
final SimpleGrantedAuthority userAuthority = new SimpleGrantedAuthority(
"user");
Collection<GrantedAuthority> authorityList = new ArrayList<GrantedAuthority>();
authorityList.add(supervisorAuthority);
authorityList.add(userAuthority);
return new User(userResults.getString(0), userResults.getString(1), authorityList);
}
throw new UsernameNotFoundException(username);
} catch (SQLException e) {
throw new UsernameNotFoundException(e.toString());
}
finally {
if (userStatement != null) {
try {
userStatement.close();
} catch (SQLException e) {
throw new UsernameNotFoundException(e.toString());
}
}
}
}
}
Kindly provide some idea on the issue.
Thanks in advance.
You can create your implementation of LoggerListener for investigate more the causes.
public class LoggerListener implements ApplicationListener<AbstractAuthorizationEvent> {
private static final Log logger = LogFactory.getLog(LoggerListener.class);
public void onApplicationEvent(AbstractAuthorizationEvent event) {
//investigation code
}
}
I had a very similar problem and the cause was one ClassCastException in other part of code, one controller.
In your class DAOUserDetailsService:
...
return new User(userResults.getString(0), userResults.getString(1), new ArrayList<GrantedAuthority>());
...
you return UserDeatils with empty authorities. So your user is loged in but he has no roles (not authorised).
You have to add ROLE_ prefix to role while creating your GrantedAuthority. So you code should look like:
// For xxx
final SimpleGrantedAuthority supervisorAuthority = new SimpleGrantedAuthority(
"ROLE_xxx");
Alternative: You can clear default prefix in RoleVoter but IMO this is not a good choice because ROLE_ prefix actually helps RoleVoter to understand what remaning string is.
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
<property name="rolePrefix" value=""></property>
</bean>
I have following spring security configuration:
<authentication-manager alias="userAuthenticationManager">
<!-- <authentication-provider user-service-ref="userSecurityService"> -->
<authentication-provider>
<password-encoder ref="encoder" />
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select email,password,prop_was_moderated from terminal_user where email = ? and prop_confirm_terminal=true"
authorities-by-username-query="select email,user_role from terminal_user where email = ?" />
</authentication-provider>
</authentication-manager>
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="10" />
</beans:bean>
and following configuration class
#Configuration
public class Configiuration {
#Bean
BCryptPasswordEncoder bCryptPasswordEncoder(){
return new BCryptPasswordEncoder();
}
}
I create user password like this:
...
#Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
...
public void register(...){
...
user.setPassword(bCryptPasswordEncoder.encode(generatedPassword));
...
}
...
But when I try to loging I seemessage that auth failed.
What do I wrong?
I had Spring Security 2.0.5 on my webApp, using a default Provider. Now requirements have changed and I need a CustomAuthenticationProvider in order to change Authentication way.
This is my AuthenticationProvider
public class CustomAuthenticationProvider implements AuthenticationProvider {
#Autowired
private ParamsProperties paramsProperties;
#SuppressWarnings("unchecked")
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
//Check username and passwd
String user = (String) authentication.getPrincipal();
String pass = (String) authentication.getCredentials();
if(StringUtils.isBlank(user) || StringUtils.isBlank(pass) ){
throw new BadCredentialsException("Incorrect username/password");
}
//Create SSO
SingleSignOnService service = new SingleSignOnService(paramsProperties.getServicesServer());
try {
//Check logged
service.setUsername(authentication.getName());
service.setPassword(authentication.getCredentials().toString());
ClientResponse response = service.call();
String result = response.getEntity(String.class);
ObjectMapper mapper = new ObjectMapper();
Map<String,Object> map = mapper.readValue(result, new TypeReference<Map<String,Object>>() {} );
//Read code
String code = (String)map.get("code");
log.debug(" ** [Authenticate] Result: " + code );
for (String s : (List<String>)map.get( "messages" ) ) {
log.debug(" [Authenticate] Message: " + s );
}
if ( code.equals( "SESSION_CREATED" ) || code.equals( "SESSION_UPDATED" ) || code.equals( "SESSION_VERIFIED" ) ) {
UsernamePasswordAuthenticationToken tokenSSO = LoginHelper.getuserSringTokenFromAuthService(map);
return tokenSSO;
} else {
return null;
}
} catch (Exception e) {
e.printStackTrace();
throw new AuthenticationServiceException( e.getMessage() );
}
}
public boolean supports(Class authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
And this is my security.xml
<http>
<form-login default-target-url ="/Login.html" always-use-default-target="true" login-page="/Login.html" login-processing-url="/j_spring_security_check"
authentication-failure-url="/Login.html" />
<http-basic />
<logout logout-success-url="/Login.html" />
</http>
<beans:bean id="myPasswordEncryptor"
class="com.mycomp.comunes.server.spring.core.MyPasswordEncoder" lazy-init="true">
<beans:constructor-arg>
<beans:bean class="org.jasypt.util.password.ConfigurablePasswordEncryptor" />
</beans:constructor-arg>
<beans:constructor-arg ref="paramsProperties" />
</beans:bean>
<beans:bean id="passwordEncoder"
class="org.jasypt.spring.security2.PasswordEncoder" lazy-init="true">
<beans:property name="passwordEncryptor">
<beans:ref bean="myPasswordEncryptor" />
</beans:property>
</beans:bean>
<beans:bean id="authenticationProvider"
class="com.mycomp.comunes.server.spring.manager.autenticacion.CustomAuthenticationProvider">
</beans:bean>
<authentication-provider user-service-ref='authenticationProvider'>
<password-encoder ref="passwordEncoder" />
</authentication-provider>
But when deploying, I get the following:
Caused by: java.lang.IllegalArgumentException: Cannot convert value of type [$Proxy112 implementing org.springframework.security.providers.AuthenticationProvider,org.springframework.aop.SpringProxy,org.springframework.aop.framework.Advised] to required type [org.springframework.security.userdetails.UserDetailsService] for property 'userDetailsService': no matching editors or conversion strategy found
Can anyone help?
You refer to the authenticationProvider bean as a user service, which it is not.
<authentication-provider user-service-ref='authenticationProvider'>
With this old version of the framework, I can only guess that the way to use a custom auth provider is correctly described here.
Needless to say that it would be highly recommended to upgrade, if for nothing else, then just in order to get support easier.