I have followed a mash up of a couple tutorials and neither too succesfully!
I am trying to get Apache CXF and WS-Security to call back to my Spring Security authenticator. All is close to working but at tne moment I have a problem getting the password to give Spring security out of the WS-call back.
The Handler below gets galled but pc.getPassword() is null. I want this to be the password sent in Soap so I can pass it to spring
public class ServerPasswordCallback implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
pc.setPassword( pc.getPassword() );
}
My interceptor is set up as so
<bean id="wsAuthenticationInterceptor" class="com.olympus.viewtheworld.server.security.auth.WSAuthenticationInInterceptor">
<constructor-arg index="0">
<map key-type="java.lang.String" value-type="java.lang.Object">
<entry key="action" value="UsernameToken" />
<entry key="passwordType" value="PasswordText" />
<entry key="passwordCallbackClass" value="com.olympus.viewtheworld.server.security.auth.ServerPasswordCallback" />
</map>
</constructor-arg>
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<jaxws:endpoint id="secureHelloService"
implementor="#secureHelloServiceImpl"
implementorClass="com.olympus.viewtheworld.server.service.Impl.SecureHelloServiceImpl"
address="/SoapService/secure/hello">
<jaxws:serviceFactory>
<ref bean="jaxws-and-aegis-service-factory" />
</jaxws:serviceFactory>
<jaxws:inInterceptors>
<bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
<ref bean="wsAuthenticationInterceptor" />
</jaxws:inInterceptors>
</jaxws:endpoint>
And the soap request I am sending out of SoapUI is
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:test="http://test/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>rob2</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">passwordxx</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<test:hello>
<!--Optional:-->
<hello>asdf</hello>
</test:hello>
</soapenv:Body>
</soapenv:Envelope>
Version wise it is Spring 3.1 and CXF 2.7.0
What do I need to do to see "passwordxx" in the ServerPasswordCallback class? Is it the Soap request, the config or just wrong?!
Cheers,
Rob
It appears from the documentation on org.apache.ws.security.handler.WSHandlerConstants.PW_CALLBACK_CLASS that the method should instead call pc.setPassword with the stored password to compare the user provided password against as argument, instead of the user provided password itself:
This tag refers to the CallbackHandler implementation class used to
obtain passwords. The value of this tag must be the class name of a
javax.security.auth.callback.CallbackHandler instance. The callback function
javax.security.auth.callback.CallbackHandler.handle(javax.security.auth.callback.Callback[])
gets an array of org.apache.ws.security.WSPasswordCallback objects.
Only the first entry of the array is used. This object contains the
username/keyname as identifier. The callback handler must set the
password or key associated with this identifier before it returns. The
application may set this parameter using the following method:
call.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, "PWCallbackClass");
I'm using a org.apache.ws.security.validate.Validator to check the validity of the supplied password, and setting the Spring security context there:
#Bean(name = "wssforjInInterceptor")
public WSS4JInInterceptor wssforjInInterceptor() {
// Configure how we ask for username and password
Map<String, Object> props = new HashMap<>();
props.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
props.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
// Password callback
props.put(WSHandlerConstants.PW_CALLBACK_REF, passwordCallbackHandler());
// Validator registration
Map<QName, Object> validators = new HashMap<>();
String WSS_WSSECURITY_SECEXT_1_0_XSD = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
QName qName = new QName(WSS_WSSECURITY_SECEXT_1_0_XSD, WSHandlerConstants.USERNAME_TOKEN, "");
validators.put(qName, usernameTokenValidator());
props.put(WSS4JInInterceptor.VALIDATOR_MAP, validators);
WSS4JInInterceptor wss4jInInterceptor = new WSS4JInInterceptor(props);
return wss4jInInterceptor;
}
I'm not sure whether that approach is any better or worse (I'd appreciate some feedback on this), but perhaps it's useful for the next person to come across this issue. There appears to be a lack of decent up to date documentation on how to integrate Spring security and CXF.
Ok so this is not the ideal solution and hopefully a better answer will come along a bit later down the line, most likely when I have some more time to look at this.
I use a regex to inspect the full packet and pull out the password field. Code is below. Will update later when I work out the right way to do this as this is defintley not it!
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
String mydata= pc.getRequestData().getMsgContext().toString();
Pattern pattern = Pattern.compile("<wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">(.*?)<");
Matcher matcher = pattern.matcher(mydata);
if (matcher.find())
{
pc.setPassword( matcher.group(1) );
}
Related
I'm working on a REST service provider web application with Java + Spring and I wonder if I can fuse my in-house authentication and authorization code with Spring Security?
To be more specific, I have two methods (that I like to keep):
User authenticate(String username, String password) { ... }
boolean authorize(User user, String resource) { ... }
In this scenario, a REST API is a resource and the second method verifies whether it can be called by the user or not.
My question is if I switch to Spring Security then should I give in to it and annotate my methods with user names and role names!? Or is there a way that I can keep my way of thinking (that REST APIs are resources and annotating them with user names and role names is like hard-coding ACL)?
I know my question is somewhat vague but I've been struggling with it for some time now and I'll be really grateful if someone can give a straight answer.
You can inject your own authentication manager with password encoder.
Below is a post where I posted some questions about it a while ago. It's not an exact answer for you but it will lead you down the right track.
debug spring security authentication-manager
At the time I did it xml style but I'm sure you can change this to a java config style.
It definitely worked foe me!
Spring security also very useful for providing authentication and authorization to the REST URLs. We no need to specify any custom implementations.
First, you need to specify the entry-point-ref to restAuthenticationEntryPoint in your security configuration as below.
<security:http pattern="/api/**" entry-point-ref="restAuthenticationEntryPoint" use-expressions="true" auto-config="true" create-session="stateless" >
<security:intercept-url pattern="/api/userList" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/api/managerList" access="hasRole('ROLE_ADMIN')"/>
<security:custom-filter ref="preAuthFilter" position="PRE_AUTH_FILTER"/>
</security:http>
Implementation for the restAuthenticationEntryPoint might be as below.
#Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException ) throws IOException {
response.sendError( HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized" );
}
}
After this you need to specify RequestHeaderAuthenticationFilter. It contains the RequestHeader key. This is basically used for identifying the user`s authentication. Generally RequestHeader carries this information while making the REST calls.
For example consider below code
<bean id="preAuthFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="Authorization"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
Here,
<property name="principalRequestHeader" value="Authorization"/>
"Authorization" is the the key presented the incoming request. It holds the required user`s authentication information.
Also you need to configure the PreAuthenticatedAuthenticationProvider to fulfill our requirement.
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="authenticationService"/>
</bean>
</property>
</bean>
This code will work for securing the REST urls by means of Authentication and authorization without any custom implementations.
My suggestion is go with Spring-AOP for custom authentication and authorization, if you want custom implementation for authentication and authorization which works similar to the spring security.
For Complete code please find the below link:
https://github.com/srinivas1918/spring-rest-security
I hope that, i understood your question.
I'm implementing a SOAP client that interacts with some legacy SOAP services.
All of SOAP body requests have the same format, like this:
<soap:Body>
<execute>
<msg>
</msg>
</execute>
</soap:Body>
As content, the msg element supports a list of any XML tags, so I can send any type of element inside msg: orders, customer, contacts, etc..
All of the requests also have the same action name.
Due to the restrictions/aspects above, if I use spring's PayloadRootAnnotationMethodEndpointMapping, since the root element in the soap body is the same for all the requests, each request will fall in the same method of my Endpoint. If I use spring's SoapActionAnnotationMethodEndpointMapping, since the action is the same for every requests, all of them will fall in the same method again.
The only thing I've got different in the requests, is the requesting URI.
It changes by the name of the operation that I'm invoking. Like:
http://host:port/services/Operation1?Wsdl or
http://host:port/services/Operation2?Wsdl
My idea was to have an endpoint for each type of requests. For example: all request related to products would fit into a "ProductsEndpoint".
I wanted to create a custom endpoint mapping that would extend springs AbstractEndpointMapping. In my implementation I would decide which endpoint to call based on the URI.
But how can I register my custom endpoint mapping in the spring's endpoint mapping chain?
Best regards
If anyone has a request like mine explained above, here goes what I've decided to do...
I've create a class MultipleMarshallersPayloadMethodProcessor extending spring org.springframework.ws.server.endpoint.adapter.method.MarshallingPayloadMethodProcessor. This is the class responsible for marshalling and unmarshalling arguments. In this class I've defined a java.util.map that will associate a given URL to a specific Marshaller. If the current URL request isn't a key in the map, it would use the default Marshaller supplied by the MarshallingPayloadMethodProcessor class.
To register the class as a spring bean:
<bean id="marshallingPayloadMethodProcessor"
class="br.com.tim.fiber.middleware.services.server.helpers.MultipleMarshallersPayloadMethodProcessor">
<constructor-arg ref="defaultMarshaller" />
<property name="otherMarshallers">
<map>
<entry key="/Operation1?wsdl" value-ref="operation1Marshaller"></entry>
<entry key="/Operation2?wsdl" value-ref="operation2Marshaller"></entry>
</map>
</property>
</bean>
And an example of a marshaller:
<bean id="operation1Marshaller" class="org.springframework.oxm.jaxb.Jaxb2Marshaller">
<property name="contextPaths">
<list>
<value>com.app.dtos.operation1</value>
<value>com.app.dtos.common</value>
</list>
</property>
</bean>
With this setup I was able to marshall and unmarshall any request according to the URL. Then I've used the Facade design pattern to create a SOAP Endpoint with a single method that receives all the requests. That method just inspects the URL and delegates to specific endpoints.
#Endpoint
public class FacadeEndpoint {
private static final String NAMESPACE_URI = "http://my.namespace.com/services";
#Autowired
private RequesEndpointURLExtractor requestUrlExtractor;
#Autowired
private OrdersEndpoint ordersEndpoint;
#SuppressWarnings("unchecked")
#PayloadRoot(namespace = NAMESPACE_URI, localPart = "execute")
#ResponsePayload
public ExecuteResponse dispatch(#RequestPayload Execute request) {
String serviceURL = this.requestUrlExtractor.getCurrentURL();
ExecuteResponse response = null;
if (serviceURL.equals(ServiceRequestsEndpoint.CREATE_ENDPOINT_URI)) {
Operation1DTO serviceRequest = (Operation1DTO) request.getMsg().getAnies().get(0);
}
...
}
The RequestEnpointURLExtractor is just a spring bean that extracts the full URL from the request.
#Component
public class RequesEndpointURLExtractor {
public String getCurrentURL() {
TransportContext ctx = TransportContextHolder.getTransportContext();
HttpServletRequest httpServletRequest = ((HttpServletConnection) ctx.getConnection()).getHttpServletRequest();
String pathInfo = httpServletRequest.getPathInfo();
String queryString = httpServletRequest.getQueryString();
return pathInfo + "?" + queryString;
}
}
I could create a custom annotation that would have a URL associated, and use that annotation on methods that would process the request with the URL configured. That would be a cleaner solution instead of the if/else if ladder that I have.
But, since this was only for a simple mockup server, the if/else if ladder isn't such a big deal.
I am having a problem with SwitchUserFilter in Spring security. I have following configuration:
<bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg name="searchBase" value=""/>
<constructor-arg name="searchFilter" value="(uid={0})"/>
<constructor-arg name="contextSource" ref="ldapContext"/>
</bean>
<security:ldap-server id="ldapContext" url="ldap://xxxxxxx"/>
<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg name="authenticator">
<bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="ldapContext" />
<property name="userSearch" ref="ldapUserSearch" />
</bean>
</constructor-arg>
<constructor-arg name="authoritiesPopulator" ref="dbLDAPAuthPopulator" />
</bean>
<security:authentication-manager>
<security:authentication-provider ref="ldapAuthProvider"/>
</security:authentication-manager>
And the corresponding SwitchUserFilter bean is created as:
SwitchUserFilter switchUserFilter = new SwitchUserFilter();
switchUserFilter.setUserDetailsService(ldapUserDetailsService);
switchUserFilter.setTargetUrl("/");
switchUserFilter.setSwitchUserUrl("/impersonate");
switchUserFilter.setUsernameParameter("username");
switchUserFilter.setExitUserUrl("/unimpersonate");
When I go to the url "/impersonate" the user gets impersonated properly. However when the redirect is send to the target url i.e. "/" the user is again authenticated using basic auth.
I had a look at the code of both the SwitchUserFilter and BasicAuthenticationFilter and seems that SU will not work with basic auth.
This is what happens:
When the /impersonate?username=xyz url is called it goes to SwitchUserFilter which gets the details of xyz user from the ldap and it then sets the securitycontext in the session. Code snippet is as follows:
if (requiresSwitchUser(request)) {
// if set, attempt switch and store original
try {
Authentication targetUser = attemptSwitchUser(request);
// update the current context to the new target user
SecurityContextHolder.getContext().setAuthentication(targetUser);
// redirect to target url
successHandler.onAuthenticationSuccess(request, response, targetUser);
} catch (AuthenticationException e) {
logger.debug("Switch User failed", e);
failureHandler.onAuthenticationFailure(request, response, e);
}
return;
So in the SecurityContext you have information about xyz user.
Then when it redirects to target url i.e. "/" basicAuthenticationFilter is called which checks whether the user is authenticated. Code snippet:
Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
if(existingAuth == null || !existingAuth.isAuthenticated()) {
return true;
}
// Limit username comparison to providers which use usernames (ie UsernamePasswordAuthenticationToken)
// (see SEC-348)
if (existingAuth instanceof UsernamePasswordAuthenticationToken && !existingAuth.getName().equals(username)) {
return true;
}
// Handle unusual condition where an AnonymousAuthenticationToken is already present
// This shouldn't happen very often, as BasicProcessingFitler is meant to be earlier in the filter
// chain than AnonymousAuthenticationFilter. Nevertheless, presence of both an AnonymousAuthenticationToken
// together with a BASIC authentication request header should indicate reauthentication using the
// BASIC protocol is desirable. This behaviour is also consistent with that provided by form and digest,
// both of which force re-authentication if the respective header is detected (and in doing so replace
// any existing AnonymousAuthenticationToken). See SEC-610.
if (existingAuth instanceof AnonymousAuthenticationToken) {
return true;
}
return false;
As you can see it checks existingAuth.getName().equals(username)) which in this case it is xyz. However logged in user is different so the filter again authenticates the user and all the work done by SwitchUserFilter is overridden.
Is their any way to solve this issue? Can I override the BasicAuthenticationFilter?
This question is quite old, however should anyone come across it the answer is still valid today. You don't show your <http /> stanzas for Spring Security but you need to ensure that the role granted by impersonation is the same role (authority) required to bypass authentication at /*. If it's not then yes, you will be asked to authenticate.
You can specify custom authorities to be granted on impersonation by implementing an extension of SwitchUserAuthorityChanger and passing a reference of it to SwitchUserFilter.
So I have a web service with several namespaces that I would like to route through a bean to do some checking of user credentials. Its been a long time since I used XPATH so I might just be having a PICNIC(Problem In Chair Not In Computer Moment) error.
The web service message will always have the following structure/pattern :
<Operation>
<header with the head name space where the user credentials are stored>
<record control>
<objXX>
</Operation>
Here is a example message(SOAP UI):
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:list="http://www.insol.irix.com.au/IRIX_V1/Debtors/List" xmlns:head="http://www.insol.irix.com.au/IRIX_V1/Headers" xmlns:rec="http://www.insol.irix.com.au/IRIX_V1/RecordControl">
<soapenv:Header/>
<soapenv:Body>
<list:ListDebtorReq>
<head:MsgReqHdr>
<head:MsgGUID>${=java.util.UUID.randomUUID()}</head:MsgGUID>
<head:MsgDateTime>${=javax.xml.datatype.DatatypeFactory.newInstance().newXMLGregorianCalendar(GregorianCalendar.getInstance())}</head:MsgDateTime>
<head:ConsumerSystemIDInfo>
<head:ConsumerSystemID>ConsumerSystemID</head:ConsumerSystemID>
<head:ConsumerSystemUserID>AgentX</head:ConsumerSystemUserID>
</head:ConsumerSystemIDInfo>
<head:SecCredInfo>
<head:IRIXUserID>Some User ID</head:IRIXUserID>
<head:IRIXPassword>Some Password</head:IRIXPassword>
</head:SecCredInfo>
<head:CryptoInfo>
<head:DigitalSignatureInfo>
<head:DigitalSignatureValue>verrantque per auras</head:DigitalSignatureValue>
<head:DigitalSignatureAlgorithm>SHA-256</head:DigitalSignatureAlgorithm>
</head:DigitalSignatureInfo>
</head:CryptoInfo>
</head:MsgReqHdr>
<!--Optional:-->
<rec:RecCntrl>
<rec:StartRecordNumber>1</rec:StartRecordNumber>
<!--Optional:-->
<rec:NumberOfRecords>3</rec:NumberOfRecords>
</rec:RecCntrl>
</list:ListDebtorReq>
</soapenv:Body>
</soapenv:Envelope>
So essentially I want to be able to create a bean that will be able to query the MsgReq header for all the user name and password data. To simplify things I am just trying to query the MsgGUID and work my way from there. However I cant seem to get the xpath right. Since I am using several namespaces I have included them in the camel context file just to make sure they are available.
Here is my camel-context:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:camel="http://camel.apache.org/schema/spring"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://camel.apache.org/schema/spring
http://camel.apache.org/schema/spring/camel-spring.xsd">
<import resource="classpath:META-INF/spring/camel-cxf.xml" />
<bean id="SecurityCheckBean" class="au.com.irix.insol.Security.IRIXSecurity"/>
<camelContext xmlns="http://camel.apache.org/schema/spring"
xmlns:list="http://www.insol.irix.com.au/IRIX_V1/Debtors/List"
xmlns:head="http://www.insol.irix.com.au/IRIX_V1/Headers"
xmlns:rec="http://www.insol.irix.com.au/IRIX_V1/RecordControl">
<route>
<from uri="cxf:bean:DebtorsService?dataFormat=PAYLOAD"/>
<bean ref="SecurityCheckBean"/>
</route>
</camelContext>
</beans>
As you can see I am running the incoming message of the web service producer to the SecurityCheckBean. My SecurityCheckBean is super simple at the moment see code below.
public class IRIXSecurity {
public void CheckCredentials(
#XPath("//head:MsgGUID") String msgGUID,
#Body String body){
System.out.println(body);
System.out.println("Check Credentials Invoked");
System.out.println(msgGUID);
}
}
However when I send a send a request via soap UI I get the following exception:
Invalid xpath: //head:MsgGUID. Reason: javax.xml.xpath.XPathExpressionException: net.sf.saxon.trans.XPathException: Prefix head has not been declared
So how do I go about retrieving this information? Why even though I have declared the name spaces in my camel-context.xml they are reported as missing?
Just for interest sake I have tried several variations of the XPATH such as:
#XPath("//MsgGUID")
#XPath("//MsgReqHdr/head:MsgGUID")
#XPath("//head:MsgReqHdr/head:MsgGUID")
Every time I either get an exception as listed above or a NULL value...
Right got it to work. When dealing with the namespaces in a bean the following syntax must be used to include the namespaces.
public class IRIXSecurity {
public void CheckCredentials(
//#Body ListDebtorReqType msgBody, #Headers Map hdr,
#XPath(value="//header:MsgGUID",namespaces = #NamespacePrefix(
prefix = "header",
uri = "http://www.insol.irix.com.au/IRIX_V1/Headers")) String msgGUID,
#Body Document xml)
{
System.out.println("Check Credentials Invoked");
System.out.println(msgGUID);
//exchange.getOut().setBody(debtorRsType);
}
}
I want to display custom error message in jsp for spring security authentication exceptions.
For wrong username or password,
spring displays : Bad credentials
what I need : Username/Password entered is incorrect.
For user is disabled,
spring displays : User is disabled
what I need : Your account is diabled, please contact administrator.
Do I need to override AuthenticationProcessingFilter just for this ? or else can I do something in jsp itself to find the authentication exception key and display different message
Redefine the properties in messages.properties inside spring security jar. For example add to the classpath myMessages.properties and add a message source to the context:
AbstractUserDetailsAuthenticationProvider.badCredentials=Username/Password entered is incorrect.
AbstractUserDetailsAuthenticationProvider.disabled=Your account is diabled, please contact administrator.
At Salvin Francis:
Add myMessages.properties to the WAR file inside WEB-INF/classes.
Add this bean to spring context config file
Message Source Bean
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames">
<list>
<value>myMessages</value>
</list>
</property>
</bean>
After adding the "messageSource" bean, I had problems to get the Error Message work with the CookieLocaleResolver because the DispatcherServlet (which does use this for your application automatically) is invoked after the Security.
See: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#localization
My Solution was a custom Filter which sets the LocalContextHolder:
public class LocaleContextFilter extends OncePerRequestFilter {
private LocaleResolver localeResolver;
public void setLocaleResolver(LocaleResolver localeResolver) {
this.localeResolver = localeResolver;
}
#Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
// store Local into ThreadLocale
if (this.localeResolver != null) {
final Locale locale = this.localeResolver.resolveLocale(request);
LocaleContextHolder.setLocale(locale);
}
try {
filterChain.doFilter(request, response);
} finally {
LocaleContextHolder.resetLocaleContext();
}
}
}
And the Spring Security Context configuration:
<http use-expressions="true">
<custom-filter ref="localeContextFilter" after="FIRST" />
.....
</http>
<beans:bean id="localeContextFilter" class="at.telekom.ppp.util.opce.fe.interceptor.LocaleContextFilter" >
<beans:property name="localeResolver" ref="localeResolver" /><!-- e.g.: CookieLocaleResolver -->
</beans:bean>
I hope this helps others which has this problem.
Here is a JSP EL fix for this. More of a hack than an elegant solution, but gets the job done quick and dirty. Caveat- this is not i18n safe! Only English.
This requires the functions tag library:
<%# taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
And the replace code:
${fn:replace(SPRING_SECURITY_LAST_EXCEPTION.message, 'Bad credentials', 'Username/Password are incorrect')}
I am new to spring, but try this at the server:
throw new BadCredentialsException("This is my custom message !!");
Of course you need a class that is an authentication provider for this to work.