In my application I have an invalid-session-url and I was wondering if it's possible to get the username in the invalid-session-url? If so please advise how to do that.
Yes, it is possible. You can send cookie to user's web browser with value of his/her username when user is authenticated. When session is expired, you can still access that cookie. All you need to do is set its lifetime to be long enough.
You may implement your own Filter. I recommend extending UsernamePasswordAuthenticationFilter. Overriding Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) gives you access to cookies - you can add one with HttpServletResponse.addCookie(Cookie cookie).
You can easily inject your own filter. More info about config: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#nsa-custom-filter
Also take into account that it can be insecure to send such a cookie. I don't see any other way to accomplish what you want.
But you can easily improve security of this solution by configuring LogoutHandler. There is an implementation of this interface CookieClearingLogoutHandler. You can use it to clear that cookie when user decides to logout manually.
<bean id="cookieClearingLogoutHandler" class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
<constructor-arg>
<!-- Names of the cookies you want to remove when user logs out -->
<list>
<value>username</value>
</list>
</constructor-arg>
</bean>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/login"/>
<constructor-arg>
<array>
<ref local="securityContextLogoutHandler"/>
<!-- Inject it -->
<ref local="cookieClearingLogoutHandler"/>
</array>
</constructor-arg>
<property name="filterProcessesUrl" value="/logout"/>
</bean>
Related
I am new to spring. Admins of my spring based web app want to configure settings from the web interface, so users can authenticate against LDAP server with their company username and password.
Change in LDAP settings should be possible without restarting the application. This might happen during a 'migration' or whatever reason. I have a couple beans, which need to be refreshed after the admin saves new settings for the LDAP server:
<bean id="ldapServer" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg>
<list>
<value>${ldap.url1}</value>
...
</list>
</constructor-arg>
<constructor-arg value="${ldap.basedn}"</constructor-arg>
<property name="referral" value="${ldap.referral}" />
<property name="baseEnvironmentProperties">...</property>
<property name="userDn" value="${ldap.username}" />
<property name="password" value="${ldap.password}" />
</bean>
I am using Springframework 3.1.2. The problem is, there are constructor arguments, which I want to change and not affect other running jobs. I tried playing with Scoped proxy, but not to much success yet:
<bean id="ldapServer" scope="prototype" ...>
<aop:scoped-proxy/>
I was successful though to get ldapServer to reinstantiate, when using prototype scope by running this piece of code:
#Controller
public class LDAPSettingsController implements ApplicationContextAware {
public ModelAndView handleRequest(...) {
DefaultSpringSecurityContextSource ldap;
ldap = context.getParentBeanFactor().getBean("ldapServer");
System.out.println(ldap.hashCode());
return new ModelAndView(new RedirectView('login.jsp'));
}
...
}
Are scopes and proxies here the way to go, or is the another mechanism in Spring to reflect configuration changes into a running program instance?
UPDATE: Clear up the question.
UPDATE: The root problem with the AOP proxies was following root exception:
java.lang.IllegalArgumentException: Superclass has no null constructors but no arguments were given
What worked was adding proxy-target-class="false" attribute to the <aop:scoped-proxy/> tag. I created a new scope, which works better than prototype - It destroys beans on settings update. Now I have this in my beans.xml:
<bean class="org.springframework.beans.factory.config.CustomScopeConfigurer">
<property name="scopes">
<map>
<entry key="ldap">
<ref bean="ldapScope" />
</entry>
</map>
</property>
</bean>
<bean id="ldapScope" class="com.myapp.SettingsScope" />
<bean id="ldapServer" scope="ldap" ...>
<aop:scoped-proxy proxy-target-class="false"/>
<constructor-args>
<list><value>${ldap.url1}</value> .. </list>
</constructor-args>
...
</bean>
I also have a controller for LDAP settings into which I inject ldapScope and I call a method which destroys current life-cycle objects and starts a new life-cycle every time, user presses the apply button.
PS: Not sure if I handle the life-cycle "re-start" in the right way - people my way to look for auto-start beans and start them after such event happens (i.e.: Setting -> Apply)
I have this segment of XML:
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/statics/**" />
<bean class="com.company.website.servlet.StaticsHandlerInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<mvc:mapping path="/data/**" />
<bean class="com.company.website.servlet.AJAXHandlerInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<mvc:mapping path="/**" />
<bean class="com.company.website.servlet.PageHandlerInterceptor" />
</mvc:interceptor>
</mvc:interceptors>
I have three different interceptors for a reason, though the StaticsHandlerInterceptor is just the preHandle method returning true (for all of my static content (js, css, etc)). The second one is for AJAX requests. The third one is for actual pages. What I see happening is the statics and the AJAX interceptors being called when they are supposed to be; however, with them, the page interceptor is always being called. I only want the page interceptor to be called for pages. How do I make that happen?
Assuming you use a consistent naming scheme for your pages, use that - e.g. if your externally-visible page URLs end with .html, specify:
<mvc:mapping path="/**/*.html" />
It's not very RESTful to have "extensions" like that though - you might prefer to use a scheme like:
GET of /user/{id} = returns User object for user {id}, JSON format
POST to /user/{id} = updates User object from JSON object
GET to /user/page/{id} = returns HTML page for user {id}
etc etc
Then you can use a nice readable, semantic mapping like:
<mvc:mapping path="/**/page/**" />
which will work to any "depth" of URL structure.
Edit: OK so it seems that using the mvc:interceptors style of bean declaration isn't going to give you the expressiveness you need to specify exclusion by pattern rather than inclusion.
From what I can make out in this blog, using the more-verbose HandlerMapping approach will allow you to invert the match logic - you can specify what not to match on to get what you need:
<bean id="nonStaticNonDataMapper" class="org.springplugins.web.IgnoreSelectedAnnotationHandlerMapping">
<property name="order">
<value>0</value>
</property>
<property name="urls">
<list>
<value>/statics/**</value>
<value>/data/**</value>
</list>
</property>
<property name="interceptors">
<list>
<bean class="com.company.website.servlet.PageHandlerInterceptor" />
</list>
</property>
(Apologies for the formatting of the above snippet, Markdown thinks the /** is a comment :-)
mvc:interceptors now supports excluding a particular mapping. Currently it's only available in Spring 3.2.0.M2. You can find more about it at the JIRA item (that is now resolved): https://jira.springsource.org/browse/SPR-6570
I am using both Spring security and Spring i18n. This is my security config:
<security:http access-denied-page="/denied.htm">
<security:form-login login-page="/login.htm"
authentication-failure-url="/login.htm?login_error=true" />
<security:intercept-url pattern="/denied.htm" filters="none"/>
<security:intercept-url pattern="/login.htm*" filters="none"/>
<security:intercept-url pattern="/*" access="IS_AUTHENTICATED_FULLY" />
<security:logout/>
</security:http>
Besides that, I have set authenticationManager for database with MD5 encoding for password. Security work just fine. My i18n config is:
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="messages" />
</bean>
It works fine with reading locales from web browser's HTTP request, but I want it to change locale if I click on the link on the page (adds ?lang=hr parameter to current page). So when I add this, locale doesn't change at all:
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang" />
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.SessionLocaleResolver">
<property name="defaultLocale" value="en"/>
</bean>
<bean id="handlerMapping" class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping">
<property name="interceptors">
<ref bean="localeChangeInterceptor" />
</property>
</bean>
So I have few questions.
Why the locale interception suddenly doesn't work and how to fix it?
How to read the current chosen locale for user's session from java class? I have java class where I need to fetch spring's message from message_en.properties or message_hr.properties file. Jasper report.
I need to add some interceptor (or something like that) to restrain user with default password only to work with /changePassword.htm page. What is the simplest solution?
Many thanks
Why the locale interception suddenly doesn't work and how to fix
it?
I guess: To "fix" you local interceptor, you should check, that the local interceptor can be invoked even if the user is not logged in.
_2. How to read the current chosen locale for user's session from java
class?
Use the RequestContext.getLocale() method.
#see http://static.springsource.org/spring/docs/2.0.x/reference/mvc.html#mvc-localeresolver
added
The best place (in design/architecure) to obtain the local form the request is the web controller. If you are using Spring 3.0 you can obtain the HttpServletRequest directly if you put an parameter of this type to your Controller Request Handler Method. But you have an better choise: just add a Local parameter to your controller handler method
#see http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/mvc.html#mvc-ann-requestmapping-arguments
_3. I need to add some interceptor (or something like that) to restrain user
with default password only to work
with /changePassword.htm page. What is
the simplest solution?
One way (may not the simplest, and a one that needs documentation) is to give a user with the default passwort not the full set of priveleges (ony the privileges that he need to set the new password), after chaning tha password, give the user the full set of privileges, which allow him to do all the other stuff.
Try registering localeChangeInterceptor this way. It worked for me.
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"></property>
</bean>
</mvc:interceptors>
<bean id="ntlmFilter" class="org.springframework.security.ui.ntlm.NtlmProcessingFilter">
<security:custom-filter position="NTLM_FILTER" />
<property name="stripDomain" value="true" />
<property name="defaultDomain" value="company" />
<property name="domainController" value="192.168.1.1" />
<property name="authenticationManager" ref="_authenticationManager" />
</bean>
may i know how to set failover second controller?
Unfortunately, NTLM isn't supported by Spring 3.
If using a secondary domain controller is a critical requirement for your application, I think you'll need to look into the jcifs source. Even jcifs doesn't want to support NTLM anymore either. But the old libraries are out there. I've hacked around so that my app will invisibly authenticate users whether they're from domainA or domainB. So it's possible, although possibly a bit daunting.
If I understood your question properly, you are looking for a fallback authentication provider, You can setup a list of authentication managers, so that if first one fails, it will automatically check with second one.
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ntlmServiceAuthenticationProvider"/>
<security:authentication-provider ref="ldapAuthProvider"/>
</security:authentication-manager>
Probably missing something completely obvious here, but here goes. I'm starting out with Spring MVC. I have a form controller to process inbound requests to /share/edit.html. When I hit this url from my browser, I get the following error:
The requested resource (/inbox/share/share/edit) is not available.
Here is my applicationContext-mvc.xml:
<bean id="publicUrlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping" >
<property name="mappings" >
<value>
/share/edit.html=shareFormController
/share/list.html=shareController
/share/view.html=shareController
/folders.json=foldersController
/studies.json=studiesController
</value>
</property>
</bean>
<bean id="internalPathMethodNameResolver" class="org.springframework.web.servlet.mvc.multiaction.InternalPathMethodNameResolver" />
<bean id="shareFormController" class="com.lifeimage.lila.controller.ShareFormController" />
<bean id="shareController" class="com.lifeimage.lila.controller.ShareController" >
<property name="methodNameResolver" ref="internalPathMethodNameResolver" />
</bean>
and my form Controller:
public class ShareFormController extends SimpleFormController {
public ShareFormController() {
setCommandClass( Share.class );
}
#Override
protected ModelAndView onSubmit(HttpServletRequest request, HttpServletResponse response, Object command, BindException errors)
throws Exception {
//controller impl...
}
}
You should look at your view resolver. Make sure that it is resolving the logical name in your controller as you think it should. Looks like the name it is resolving it to does not exist currently
I think I've resolved this issue. There were two problems:
1) Implementations of SimpleFormController require a form and success view; which I had not configured here. As this is a server method for an AJAX client, I added a Spring-JSON view as follows:
<?xml version="1.0" encoding="UTF-8"?>
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd"
default-lazy-init="false" default-autowire="no"
default-dependency-check="none">
<bean name="jsonView" class="org.springframework.web.servlet.view.json.JsonView">
<property name="jsonErrors">
<list>
<ref bean="statusError" />
<ref bean="modelflagError" />
</list>
</property>
</bean>
<bean name="statusError"
class="org.springframework.web.servlet.view.json.error.HttpStatusError">
<property name="errorCode"><value>311</value></property>
</bean>
<bean name="modelflagError"
class="org.springframework.web.servlet.view.json.error.ModelFlagError">
<property name="name"><value>failure</value></property>
<property name="value"><value>true</value></property>
</bean>
which can be used for all controllers that return JSON.
2) I switched from a SimpleURLHandlerMapping to ControllerClassNameHandlerMapping and relied on Spring naming conventions ( controllerClassName/method.html ), which fixed the routing issue. Might not be a long term solution, but got me through the task.
Did you check your log output? Spring MVC is generally pretty verbose in what it outputs.
Also, the URL you've posted (/inbox/share/share/edit) does not seem to match what you are configuring (/share/edit.html).
#jordan002 when I see all the hoops you had to jump to accomplish your task, I feel obliged to share a very powerful Java MVC framework that requires much less configuration. The framework is called Induction, check out the article Induction vs. Spring MVC, http://www.inductionframework.org/induction-vs-spring-mvc.html