After upgrading to Spring Security 3.2.0.RC1 I'm getting the warning "Method 'setFilterProcessesUrl' is marked deprecated" for <http auto-config="true"> in my xml config. I get this warning even for a very simple configuration:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<intercept-url pattern="/myurl*" access="ROLE_USER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user1" password="12345" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
According to Spring Security 3.2 API documentation setFilterProcessesUrl is deprecated and setRequiresAuthenticationRequestMatcher(RequestMatcher) should be used instead. How can I change this basic XML configuration, so it doesn't use deprecated methods? I'm using Eclipse Kepler with Spring Tool Suite plugin.
UPDATE:
If I remove <http auto-config="true"> and add <form-login /> to the http element
<http>
<intercept-url pattern="/myurl*" access="ROLE_USER" />
<form-login />
</http>
I also get the "Method 'setFilterProcessesUrl' is marked deprecated" warning and if I add <logout /> I get the same warning the second time.
On the other hand, if I replace <form-login /> and <logout /> with <http-basic /> the warnings go away.
If you are using the namespace then an IDE error like this doesn't really matter, since you can guarantee that Spring Security will support the feature. You aren't actually using the method yourself.
auto-config is a bad idea generally. Someone looking at that configuration won't easily know what it actually does. Do you really want basic authentication, for example? You are best to remove auto-config and explicitly add the features you want.
Fixed in Spring Security 3.2.1. The warnings were caused by XML namespace using a deprecated method.
https://jira.springsource.org/browse/SEC-2455
Related
it's my first question here in stackoverflow.
I'll try to explain my problem as much comprensible as possible.
I'm trying to develop a web-app with Java 8 using spring(not spring-boot), hibernate and angular 6. I already wrote back-end side (spring and hibernate), my entities work perfectly with my db (MySQL). I divided the back-end side into 3 maven modules (persistance (entities-repositories), service, web(controllers)) and added a front-end maven module with Angular 6.
And here there is my problem.
I am not able to connect angular with spring, in particular with spring security. I cut and paste the dist folder of angular inside src>main>webapp package and i cant and/or i dont know how to reach the angular's login page using spring security. I mean, i dont know how to relate angular login with spring login.
In the spring security config xml i wrote
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http>
<intercept-url pattern="/home" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/signup" access="permitAll" />
<intercept-url pattern="/logout" access="isAuthenticated()" />
<intercept-url pattern="/**" access="hasRole('USER')" />
<form-login />
<logout />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="{noop}admin" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="user" password="{noop}user" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
i don't know how to relate the spring login page with my angular's login page, because the angular login page is not inside into dist folder.
Here there is the structure of my project:
myproject
----myproject-ng (angulars folder)
----myproject-persistence
--------entities
--------repositories
----myproject-service
--------serivices
----myproject-web
--------controllers
--------webapp
------------myproject-ng(angulars dist folder)
Ideally AngularJs 6 Project should run independent of the backend microservice. You will have to enable Cross Origin request in controller by #CrossOrigin annotation.
I'm writing a RESTful web service that requires multiple authentication mechanisms (basic, x509, and anonymous). I therefore have three <http> elements in three separate spring context files.
When I start my service, I'm getting the following exception:
org.springframework.beans.factory.NoUniqueBeanDefinitionException:
No qualifying bean of type [org.springframework.security.web.SecurityFilterChain]
is defined: expected single matching bean but found 3:
org.springframework.security.web.DefaultSecurityFilterChain#0,
org.springframework.security.web.DefaultSecurityFilterChain#1,
org.springframework.security.web.DefaultSecurityFilterChain#2
I think this makes sense, right? I've defined three <http> elements, so spring is probably creating three instances of org.springframework.security.web.DefaultSecurityFilterChain. And now someone is asking for a bean of type org.springframework.security.web.SecurityFilterChain, and is finding three.
But, according to Spring Security documentation, this is supposed to be possible, so my question is: How do I get this scenario to work?
Here are my three <http> configurations:
x509Auth.xml:
<sec:http pattern="/service/x509/**" use-expressions="true">
<sec:x509 subject-principal-regex="(.*)" user-service-ref="ldapUserDetailsService" />
<sec:intercept-url pattern="/service/x509/identity/**" access="hasRole('Domain Users')" />
</sec:http>
basicAuth.xml:
<sec:http pattern="/anubis/basic/**" use-expressions="true" create-session="stateless">
<sec:intercept-url pattern="/service/basic/identity/**" access="isAuthenticated()" />
<sec:http-basic />
</sec:http>
noAuth.xml:
<sec:http pattern="/service/anonymous/**" security="none" />
Thanks to this InfoQ post, I learned that with new flexibility comes new responsibility. Since you can have multiple <http> elements now, you can also have multiple authentication managers. This requires us to tell spring which authentication manager goes with each<http> element.
Here is my now-working spring configuration:
<!-- This section configures X509 Certificate Authentication -->
<sec:http
pattern="/service/x509/**"
use-expressions="true"
authentication-manager-ref="ldapAuthenticationManager">
<sec:x509 subject-principal-regex="(.*)" user-service-ref="ldapUserDetailsService" />
<sec:intercept-url pattern="/service/x509/identity/**" access="hasRole('Domain Users')" />
</sec:http>
<sec:authentication-manager alias="ldapAuthenticationManager">
<sec:authentication-provider user-service-ref="ldapUserDetailsService" />
</sec:authentication-manager>
<!-- This section configures BASIC Authentication -->
<sec:http
pattern="/service/basic/**"
use-expressions="true"
create-session="stateless"
authentication-manager-ref="mongoAuthenticationManager">
<sec:http-basic />
<sec:intercept-url pattern="/service/basic/identity/**" access="isAuthenticated()" />
</sec:http>
<sec:authentication-manager alias="mongoAuthenticationManager">
<sec:authentication-provider user-service-ref="mongoUserDetailsService" />
</sec:authentication-manager>
<!-- This section configures NO Authentication -->
<sec:http pattern="/service/anonymous/**" security="none" />
I'm using Spring Security 3.2.4 and trying to determine where it gets its default configuration from. For example, when using the following configuration:
<http use-expressions="true">
<intercept-url pattern="/secure/login" access="permitAll" />
<intercept-url pattern="/secure/logout" access="permitAll" />
<intercept-url pattern="/secure/denied" access="permitAll" />
<session-management session-fixation-protection="migrateSession" session-authentication-error-url="/login.jsp?authFailed=true">
<concurrency-control max-sessions="10" error-if-maximum-exceeded="true" expired-url="/login.html" session-registry-alias="sessionRegistry"/>
</session-management>
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login login-page="/secure/login" default-target-url="/" authentication-failure-url="/secure/denied" />
<logout logout-url="/secure/logout" logout-success-url="/" />
<expression-handler ref="defaultWebSecurityExpressionHandler" />
</http>
Something in a Spring configuration somewhere, is telling Spring to instantiate the LoginUrlAuthenticationEntryPoint and set the login-page to "/secure/login", etc. I realize that it is the form-login tag that is doing this magic for me, but where within Spring is the form-login tag translated to mean the LoginUrlAuthenticationEntryPoint, etc?
Similarly, by default, Spring will instantiate a filter chain of name org.springframework.security.filterChains, but can't find where that bean is defined. I presume it is in an xml configuration file within one of the Spring Security jars, but I can't find it anywhere.
Where are all these defaults configured?
Check out SecurityNamespaceHandler and work your way down from there. As you can see, it is in the spring-security-config artifact, in package org.springframework.security.config.
I am trying to find a way just to setup a URL that will logout my user from the system. this is only for testing. Right now we are using the default login page in spring secuirty
here is my spring-secuirty.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security pre-post-annotations="enabled" />
<http use-expressions="true">
<intercept-url access="hasRole('ROLE_VERIFIED_MEMBER')" pattern="/ask-union**" />
<intercept-url access="hasRole('ROLE_VERIFIED_MEMBER')" pattern="/ask-welfare**" />
<intercept-url pattern='/*' access='permitAll' />
<form-login default-target-url="/ask-union" />
<logout logout-success-url="/" />
<session-management session-fixation-protection="newSession">
<concurrency-control max-sessions="1"/>
</session-management>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="xxxxx#aol.com.dev" password="testing" authorities="ROLE_VERIFIED_MEMBER" />
ser-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Add this line to your config
<logout logout-url="/sign-out"/>
Then if you have a link to that URL, then it will sign you out
(Add it just below your logout success config)
I am a bit late on this. But answer may help others.
Use following code. logout-success-url is the URL you want take user after logging out.
<http auto-config="true" use-expressions="true" access-denied-page="/denied">
<logout invalidate-session="true" logout-success-url="/landing" delete-cookies="JSESSIONID" />
</http>
Double-check the URL you're using -- the absolute path should be your-domain/projectPath/sign-out, per SJS's example. If the relevant portion of your spring-security.xml file looks like the following, it should work:
<http use-expressions="true">
. . .
<logout
logout-success-url="/"
logout-url="/sign-out"/>
If you're able to authenticate, then simply browse to that path, and it should log you out. If it still doesn't try experimenting with the intermediary subdirectories specified in the URL, i.e. your-domain/projectPath/some-subdirectory/log-out.
Are you able to authenticate? It may not just be the logout aspect that's failing...
Late to the party, but for future reference -- if you are interested in seeing how the security filters are instantiated and configured from XML, take a look at the following package:
org.springframework.security.config.annotation.web.configurers
For the logout filter configuration, this will be the LogoutConfigurer class. If you review the LogoutConfigurer.createLogoutFilter() method, you'll see how the default Logout filter is created. This implies that you can do the following in an #Configuration class:
#Bean
public LogoutFilter logoutFilter() {
// NOTE: See org.springframework.security.config.annotation.web.configurers.LogoutConfigurer
// for details on setting up a LogoutFilter
SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();
securityContextLogoutHandler.setInvalidateHttpSession(true);
LogoutFilter logoutFilter = new LogoutFilter("/", securityContextLogoutHandler);
logoutFilter.setLogoutRequestMatcher(new AntPathRequestMatcher("/logout"));
return logoutFilter;
}
If you have that, you can then either configure further by beans or have that bean picked up automatically since its method name is logoutFilter()
I have problems with double authentication. I have implemented the authentication form through pop-up window which is always on top. But I have problem probably with interceptors that cause the authentication request by Tomcat even before the start of application:
A username and password are being requested by http://127.0.0.1:8888.
The site says: "Spring Security Application"
If I disable interceptors, I see in log that SecurityContextHolder treats user as Anonymous.
So my question is:
Can I somehow disable that first Tomcat login screen?
My Spring-security configuration XML is:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
<beans:bean id="customAuthenticationProvider" class="com.myCompany.model.security.CustomAuthenticationProvider" >
<beans:property name="databaseId" value="${configuration.databaseId}" />
<beans:property name="applicationId" value="${configuration.applicationId}" />
</beans:bean>
<http auto-config="true" >
<intercept-url pattern="/myApp/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/MyApp.html*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/gwt/**" access="ROLE_USER"/>
<intercept-url pattern="/**/*.html" access="ROLE_USER"/>
<intercept-url pattern="/css/**" filters="none"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic />
</http>
<global-method-security secured-annotations="enabled" />
</beans:beans>
In case I understand your question in a correct way you have a problem with double authentication e.g. a Tomcat authentication or an Apache Basic Auth and the Spring authentication mechanism.
While the last project I had related problems with an Apache Basic Auth and the Spring security mechanism. Before launch I had the task to "protect" the access to the site by an simple Apache Basic Auth. By enabling this in the Apache configuration Spring started to do the same: "Spring Security Application" has been shown all the time
The solution for this behaviour was to disable the auto-config:
<security:http auto-config="false" ...>
...
</security:http>
Your question is not too clear. You mention a Tomcat login screen, which I assume is the first screen of your web application, to allow a user to sign in.
If this is correct, and your login page is named, say login.html, all you have to do is configure the interceptors to allow anonymous access to this page-
<intercept-url pattern="/**/login.*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/gwt/**" access="ROLE_USER"/>
<intercept-url pattern="/**/*.html" access="ROLE_USER"/>
<intercept-url pattern="/css/**" filters="none"/>
<intercept-url pattern="/**" access="ROLE_USER" />