I have created a web service in my machine. Its URL is
http://localhost:8080/aaa/test?wsdl
I want to enable one feature to it. As soon as the user enters the url in browser, it should ask for the credentials. Can it be done in web services.
If yes, can some one guide how to achieve it.
Thanks.
If you're already using Spring, you can easily apply basic authentication to a specific URL pattern with Spring Security. In your applicationContext.xml, just add:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<!-- HTTP basic authentication in Spring Security -->
<http>
<intercept-url pattern="/*wsdl?" access="ROLE_USER" />
<http-basic />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="someUser" password="somePassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Example taken from Mkyong's Spring Security HTTP Basic Authentication Example.
If you'd like to lookup users in a database, you'd need to use a different authentication provider. The Spring Security reference mentions data-source-ref if you'd like to query the standard Spring Security user data tables. If you've already got your own structure, you might be interested in using user-service-ref instead, in which you can lookup the users yourself.
<authentication-manager>
<authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>
<beans:bean id="myUserDetailsService"
class="mypackage.MyUserDetailsService">
<beans:property name="dataSource" ref="dataSource"/>
</beans:bean>
And code mypackage.MyUserDetailsService extending JdbcDaoImpl and implementing UserDetailsService.
Related
it's my first question here in stackoverflow.
I'll try to explain my problem as much comprensible as possible.
I'm trying to develop a web-app with Java 8 using spring(not spring-boot), hibernate and angular 6. I already wrote back-end side (spring and hibernate), my entities work perfectly with my db (MySQL). I divided the back-end side into 3 maven modules (persistance (entities-repositories), service, web(controllers)) and added a front-end maven module with Angular 6.
And here there is my problem.
I am not able to connect angular with spring, in particular with spring security. I cut and paste the dist folder of angular inside src>main>webapp package and i cant and/or i dont know how to reach the angular's login page using spring security. I mean, i dont know how to relate angular login with spring login.
In the spring security config xml i wrote
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http>
<intercept-url pattern="/home" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/signup" access="permitAll" />
<intercept-url pattern="/logout" access="isAuthenticated()" />
<intercept-url pattern="/**" access="hasRole('USER')" />
<form-login />
<logout />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="{noop}admin" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="user" password="{noop}user" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
i don't know how to relate the spring login page with my angular's login page, because the angular login page is not inside into dist folder.
Here there is the structure of my project:
myproject
----myproject-ng (angulars folder)
----myproject-persistence
--------entities
--------repositories
----myproject-service
--------serivices
----myproject-web
--------controllers
--------webapp
------------myproject-ng(angulars dist folder)
Ideally AngularJs 6 Project should run independent of the backend microservice. You will have to enable Cross Origin request in controller by #CrossOrigin annotation.
I've added Spring security to my project and configured it as
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http>
<intercept-url pattern="/add-job**" access="hasRole('USER')" />
<form-login
login-page="/login"
default-target-url="/"
always-use-default-target="true"/>
<logout />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
through the above configuration when I go to /add-job it redirects me to \login and after login success I go to /add-job it shows me error
is there any mistake I've.
Spring security is right in denying access:
you define only one login in your authentication manager: admin/admin with one authority ROLE_ADMIN
you restrict access to /add-job** to users having ROLE_USER authority
No user can have the ROLE_USER authority, so spring security will always deny access.
You should use either ROLE_ADMIN or ROLE_USER (or any other ROLE_xxx you like) but use the same in protecting the resource (access="hasRole(xxx)") and granting to user (authorities="ROLE_xxx")
Anyway, the simplest way to fix is to add the required authority to user admin:
<user name="admin" password="admin" authorities="ROLE_ADMIN,ROLE_USER" />
Recently I am using Spring Security basic authentication for my REST services.
Below is the security xml configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<security:http pattern="/rest/**" create-session="never" use-expressions="true">
<security:http-basic />
<security:intercept-url pattern="/rest/auth/**" access="isAuthenticated()"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service>
<security:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
<security:authentication-provider user-service-ref="userDetailsService">
<security:password-encoder hash="sha-256" />
</security:authentication-provider>
</security:authentication-manager>
<security:global-method-security jsr250-annotations="enabled" pre-post-annotations="enabled"/>
</beans>
Spring framework and Spring Security that I use:
<springframework.version>4.1.0.RELEASE</springframework.version>
<spring.security.version>3.2.5.RELEASE</spring.security.version>
I map my REST services to URL prefixed with "rest/" and when I access the URL for the first time, the browser prompt the username and password field of basic authentication. I fill it with the right credential and my controller accessed successfully.
However if I try to access the same URL with browser again, it will not prompt me the username and password field of basic authentication again and directly access the URL.
I expect that browser always prompt me with basic authentication because I set create-session attribute to never.
So, am I missing something?
Browser caches credentials. Sometimes clearing the cache doesn't help. The only reliable way how to fake it is use Chrome's incognito window (Ctrl+N). But one prompt per one incognito window. So you need new incognito window when you want to enter them again.
This is the only way I found to test basic authentication manually.
From the javadoc for create-session. I think your application is creating a sessions and that session is being used.
Attribute : create-session Controls the eagerness with which an HTTP
session is created by Spring Security classes. If not set, defaults
to "ifRequired". If "stateless" is used, this implies that the
application guarantees that it will not create a session. This
differs from the use of "never" which mans that Spring Security will
not create a session, but will make use of one if the application
does.
Data Type : string Enumerated Values :
- ifRequired
- always
- never
- stateless
You should try using
"stateless"
instead of
never
I have an application using BasicAuth with Spring Security. The credentials and roles are stored in a database.
For development I use MySQL, and production Oracle.
The problem happens, only in production with Oracle, when the database restarts while the application is running - I start receiving org.springframework.web.client.HttpClientErrorException: 401 Unauthorized.
This is my security context.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config='true'>
<intercept-url pattern="/v**/document/**" access="ROLE_DOCUMENT_USER" />
<intercept-url pattern="/v**/search/**" access="ROLE_DOCUMENT_USER" />
<http-basic/>
</http>
<authentication-manager>
<authentication-provider>
<password-encoder hash="sha-256">
<salt-source
system-wide="#{T(com.example.app.data.entity.RestUser).SALT}"/>
</password-encoder>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select user_nm, password, enabled
from rest_usr_t where user_nm = ?"
authorities-by-username-query="select u.user_nm,
ur.authority from rest_usr_t u, rest_authority_t ur where
u.user_nm = ur.user_nm and u.user_nm = ?" />
</authentication-provider>
</authentication-manager>
<beans:bean id="restSecurityService"
class="com.example.app.security.rest.RestSecurityServiceImpl"/>
</beans:beans>
Any ideas what might be causing this, or ways to resolve it? Thanks, /w
I'm using spring security to manage user log in/signup in my project. I need to implement user lockout functionality after three failed log in attempts.What I did is to add another field 'account_non_locked' in 'Users' table in database.
The problem I'm facing is that spring security does not update that newly added column. I digged into the source code and found in the default UserDetailsManager the sql statement is written as:
"insert into users (username, password, enabled) values (?,?,?)"
which explains why it does not recognized my new column.
So I copy that file and change it to fit my own need, which is CustomUserDetailsManager.java
Now I can't configure spring security to use my own customized UserDetailsManager. The configuration file right now is:
<authentication-manager alias="authenticationManager">
<authentication-provider>
<password-encoder ref="passwordEncoder" />
<jdbc-user-service id="userDetailsService" data-source-ref="dataSource" />
</authentication-provider>
</authentication-manager>
<beans:bean id="passwordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
I can't find any examples online that will configure this properly. Please help and thanks in advance!
The section 3.2.4 Using other Authentication Providers covers how to do this using authentication-provider#user-service-ref.
Your example would look something like the following:
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="customUserDetailsManager">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
<beans:bean id="passwordEncoder"
class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
<beans:bean id="customUserDetailsManager"
class="com.example.CustomUserDetailsManager">
<!-- additional properties -->
</beans:bean>