I have read a lot of tutorials about using Spring Security 3 on Struts 2. But I can't make it work :/.
I can't find a "Dummy step by step guide" about implement this framework on Struts 2.
Here is what I have:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<display-name>cv</display-name>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>example/HelloWorld.jsp</welcome-file>
</welcome-file-list>
</web-app>
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context/spring-context-2.5.xsd"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/context/spring-context-2.5.xsd http://www.springframework.org/schema/context/spring-context-2.5.xsd/spring-spring-context-2.5.xsd-3.1.1.RELEASE.xsd
">
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http realm="Project Realm" auto-config="true" use-expressions="true">
<intercept-url pattern="/auth/**" filters="none"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
<form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
<logout logout-success-url="/auth/login.jsp"/>
<remember-me />
</http>
<http>
<intercept-url pattern="/login*" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/img/**" filters="none" />
<intercept-url pattern="/search.action*" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/user/**" access="ROLE_ADMIN" /><!-- Never reach -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-page="/login.action" />
<logout logout-url="/logout.action" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
<user name="customer" password="customer" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</b:beans>
</beans>
And my HelloWorld.jsp
<body>
<h1>Welcome!</h1><br />
<sec:authorize access="isAnonymous()">
This session will be visible to an admin only.<br/>
You are an Administrator.<br/>
</sec:authorize>
<sec:authorize access="hasRole('ROLE_USER')">
This session will be visible to an Customer only.<br/>
You are an Customer.<br/>
</sec:authorize>
${HelloMessage}<br />
Logout
</body>
I want to test how the privileges works using the tag "isAnonymous" showing that block of text, but I can't make it work
:(
You need to add Spring Security's filter chain to the web.xml.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This goes after your Struts filter. This will allow Spring Security to check/block the request prior to Struts being handed the request.
Assuming the user is allowed to access the content Spring Security will set up a SecurityContext object that will make allow the JSP tags work.
Related
I'm developing an application that uses JSF (Mojarra) to control de MVC flow, but I also want to integrate Spring Security for its Autehntication and Authorization processes.
However, I'm having a problem where Spring Bean Factory cannot instantiate the classes that I build to do custom login and so on. From there, the system doesn't even go online.
The stacktrace starts with:
java.lang.ClassNotFoundException: com.tfduque.fieldAssist.manager.LoginBean
And then
org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [com.tfduque.fieldAssist.manager.LoginBean] for bean with name 'authenticationEntryPoint' defined in ServletContext resource [/WEB-INF/applicationContext.xml]; nested exception is java.lang.ClassNotFoundException: com.tfduque.fieldAssist.manager.LoginBean
And so on...
(Full stacktrace)
This is how my folders are organized, if it matters:
My application context (for spring security configurations):
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/login*" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/images/**" security="none" />
<http pattern="/javascript/**" security="none" />
<http pattern="/Secured/**" create-session="stateless"
use-expressions="true">
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<http-basic />
</http>
<http auto-config="true" use-expressions="true"
access-decision-manager-ref="accessDecisionManager">
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<form-login login-page="/login.xhtml" login-processing-url="/j_login"
authentication-failure-url="/login.xhtml" always-use-default-target="false"
default-target-url="/" />
<logout invalidate-session="true" logout-success-url="/login.xhtml"
logout-url="/j_logout" delete-cookies="JSESSIONID" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="authenticationEntryPoint">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<beans:bean id="appUserDetailsService"
class="com.tfduque.fieldAssist.security.AppUserDetailsService" />
<beans:bean id="authenticationEntryPoint"
class=" com.tfduque.fieldAssist.manager.LoginBean">
<beans:property name="loginFormUrl" value="/Login.xhtml" />
<beans:property name="redirectStrategy" ref="jsfRedirectStrategy" />
</beans:bean>
</beans:beans>
Some of my web.xml configs (btw, I'm also using weld for injection):
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<!-- Listeners -->
<listener>
<listener-class>org.jboss.weld.environment.servlet.Listener</listener-class>
</listener>
<resource-env-ref>
<resource-env-ref-name>BeanManager</resource-env-ref-name>
<resource-env-ref-type>javax.enterprise.inject.spi.BeanManager</resource-env-ref-type>
</resource-env-ref>
<!-- Security -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Login Bean is annotated like this:
#Named("login")
#RequestScoped
public class LoginBean {
public String doLogin() throws IOException, ServletException {
[...]
}
I think that this is all needed to understand the problem.
I am new to Spring Security and have run into a problem. When I attempt to access a page that is expected to be restricted it is displaying the requested page anyway, no 403 nor redirecting to login page, no errors in the logs, nothing, just as if Spring Security was not implemented at all.
When the application is deployed I see the following in the logs which tells me Spring Security is at least starting:
INFO: Checking whether login URL '/security/credentials' is accessible with your configuration
I have attempted to change the login page to a restricted page, just to test that is actually restricted and I get the following, which tells me that it is correctly being restricted, at least in the simulation.
INFO: Checking whether login URL '/dashboard' is accessible with your configuration
org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
WARNING: Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)
I have the following setup:
web.xml
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<welcome-file-list>
<welcome-file>
index.html
</welcome-file>
</welcome-file-list>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>messages</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/applicationContext.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>TRACE</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
</web-app>
The Spring Security configuration file is imported from my applicationContext.xml.
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true" use-expressions="true">
<form-login
login-page="/security/credentials"
login-processing-url="/security/signin"
default-target-url="/dashboard"
authentication-failure-url="/security/signin_failed" />
<intercept-url pattern="/resources/**" access="permitAll"/>
<intercept-url pattern="/security/**" access="permitAll" />
<intercept-url pattern="/favicon.ico" access="permitAll"/>
<intercept-url pattern="/**" access="denyAll"/>
<logout logout-success-url="/security/signout" />
<remember-me />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="test" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Spring is behaving correctly as you are actually telling Spring that /security/** requests requires no authentication (access="permitAll"):
...
<intercept-url pattern="/security/**" access="permitAll" />
...
If you wanted to restrict access to only authenticated users then you could specify:
...
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
Or if you wanted to restrict access to a specific role (replace ROLE_XXX with your specific role):
...
<intercept-url pattern="/security/**" access="hasRole('ROLE_XXX')" />
...
Please note that login related URLs can't be restricted (for obvious reasons):
login-page="/security/credentials"
login-processing-url="/security/signin"
default-target-url="/dashboard"
authentication-failure-url="/security/signin_failed" />
So either change them to rather start with something like /login/ instead of /security/ or add specific intercepts URLs for each of them (if you must use them):
...
<intercept-url pattern="/security/credentials" access="permitAll" />
<intercept-url pattern="/security/signin" access="permitAll" />
<intercept-url pattern="/security/signin_failed" access="permitAll" />
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
The more specific URLs should be declared first as Spring uses the first rule that it finds from the top.
I suggest try it after removing <remember-me /> tag, or deleting all the cookies first.
It appears because of existing cookie you are able to access /dashboard
Edit:
You have UrlRewriteFilter configured before spring security, check whats the final url thats given to spring security filter, or you can try after disabling UrlRewriteFilter ?
Here is my Spring Security configuration:
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:applicationContext-security.xml
</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>tutorial.root</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<servlet>
<servlet-name>greetServlet</servlet-name>
<servlet-class>ru.andrew.springsecuregwt.server.GreetingServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>greetServlet</servlet-name>
<url-pattern>/springsecuregwt/greet</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>Springsecuregwt.html</welcome-file>
</welcome-file-list>
</web-app>
applicationContext-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<debug />
<global-method-security pre-post-annotations="enabled" />
<http pattern="/static/**" security="none"/>
<http pattern="/loggedout.jsp" security="none"/>
<http use-expressions="true">
<intercept-url pattern="/" access="isAuthenticated()" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"/>
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
<logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"/>
<remember-me />
</http>
<beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>
<authentication-manager>
<authentication-provider>
<password-encoder ref="encoder"/>
<user-service>
<user name="rod" password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde" authorities="supervisor, user, teller" />
<user name="dianne" password="957ea522524a41cbfb649a3e293d56268f840fd5b661b499b07858bc020d6d223f912e3ab303b00f" authorities="user,teller" />
<user name="scott" password="fb1f9e48058d30dc21c35ab4cf895e2a80f2f03fac549b51be637196dfb6b2b7276a89c65e38b7a1" authorities="user" />
<user name="peter" password="e175750688deee19d7179d444bfaf92129f4eea8b4503d83eb8f92a7dd9cda5fbae73638c913e420" authorities="user" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
When I click on the logout link, I'm successfully landing at the logout page, but if I enter
localhost:8080/projectname
in the new Chrome tab, I can gain access to the app, without any authentication page.
What do I do wrong and how can I fix such security issue?
Spring remembeMe functionality creates a cookie with the name 'SPRING_SECURITY_REMEMBER_ME_COOKIE'. It then uses this to authenticate. If your logout only deletes the webapp container session id the authentication will check for that and then the presence of this cookie. So you need to make sure you remove this cookie on logout.
I had basic Spring MVC + Hibernate application. Here is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
Everything was OK with it.
Then I tried to add basic Spring Security support to the app by adding the following to web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/security-context.xml</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
My /WEB-INF/security-context.xml looks like following:
<?xml version="1.0" encoding="UTF-8" ?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http>
<intercept-url pattern="/index*" access="ROLE_USER"/>
<form-login login-page="/login.jsp" default-target-url="/index"
authentication-failure-url="/login.jsp?error=true"/>
<logout logout-url="/logout" logout-success-url="/index"/>
<remember-me/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="pass" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
After adding that stuff the application breaks down. It simply shows "Link doesn't work. Try to search it in Google." in Chrome.
Did I miss something? Any Ideas? Thanks in advance.
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:http>
<security:intercept-url pattern="/index*" access="ROLE_USER"/>
<security:form-login login-page="/login.jsp" default-target-url="/index" authentication-failure-url="/login.jsp?error=true"/>
<security:logout logout-url="/logout" logout-success-url="/index"/> <security:remember-me/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="user" password="pass" authorities="ROLE_USER"/> </security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
try with the above code for security-context.xml.
Thanks you all. Just solved it. The problem was that I used http://www.springframework.org/schema/security/spring-security-3.0.xsd in the /WEB-INF/security-context.xml namespace, but used 3.1.2.RELEASE version of spring-security libs.
I have a problem to run JSF and Spring Security.
WEB.xml:
<!-- spring and jsf configuration files mapping -->
...
<!-- JSF mapping -->
...
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
securityContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<http auto-config="true">
<intercept-url pattern="/pages**" access="ROLE_USER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="evgeny" password="123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
and http://localhost:8081/spring/pages/userInfo.jsf is accessed with no problem!
Based on the sample URL you provide ( http://localhost:8081/spring/pages/userInfo.jsf )
<intercept-url pattern="/pages**" access="ROLE_USER" />
should be changed to the following to match it
<intercept-url pattern="/spring/pages**" access="ROLE_USER" />