I have a spring configuration file for spring security. At beginning my file is getting from cache and when I do an operation it redirects me to the login page (However I can see page at first.) I want to solve that cache problem like that:
<beans:property name="defaultTargetUrl" value="/index.html?Math.random()"/>
However I think that it is not doing what I want, I am not sure.
Any ideas?
Try using Spring expression language
<property name="url" value="#{'/index.html?' + T(java.lang.Math).random()}"/>
Related
I am writing a Spring Jar (Without Spring boot) which connects to database. Almost all the tutorials which I saw connects to Database using the spring XML and the password is hard coded in the XML file.
This is in no way allowed in production environment and way out of standards in terms of security.
Can someone please help me if there is a way to inject password from a method call which inturn retrieves the password from a secured vault and provides the password to datasource object in runtime.
something like below.
<bean id="dataSource" class="org.springframework.jdbc.datasource.SingleConnectionDataSource">
<property name="driverClassName" value="org.postgresql.Driver" />
<property name="url" value="jdbc:postgresql://localhost:5432/postgres" />
<property name="username" value="postgres" />
<property name="password" value=getPasswordfromSecureVault("username") />
<property name="suppressClose" value="true" />
<jdbc:initialize-database >
<jdbc:script location="create-tables.sql"/>
</jdbc:initialize-database>
Based on the spring boot tag that you have, I'll assume that you're using spring boot for your project. With spring boot, it is very easy to externalize configuration for your application. It also auto-configures your datasource with a connection pool if you use the starters they provide.
In your case, you could benefit from moving to using spring boot's Externalized Configuration.
What that would allow you to do is to use an environment variable to configure your spring application. For example, to configure your password, use the environment variable SPRING_DATASOURCE_PASSWORD. You could also use the Java option -Dspring.datasource.password=[password] when starting the application, for example:
java -jar -Dspring.datasource.password=password app.jar
If using docker containers, the environment variable way is generally my go to as it's very straight forward for people to understand.
If you really want to configure the password from a method call, you can do that too using java configuration. Create a bean of type DataSource and Spring should pick it up and use it.
#Configuration
class AppConfiguration {
#Bean
public DataSource dataSource() {
String password = // Get your password
return DataSourceBuilder.create().password(password).build();
}
}
I have a Spring 4.1.1 web application. Currently the datasource password is stored in a property file, in clear. Configuration is:
<bean id="mainDataSource"
class="com.mchange.v2.c3p0.ComboPooledDataSource"
scope="singleton"
destroy-method="close">
<property name="driverClass"><value>${jdbc.driver}</value></property>
<property name="jdbcUrl"><value>${jdbc.url}</value></property>
<property name="user"><value>${jdbc.username}</value></property>
<property name="password"><value>${jdbc.password}</value></property>
.
.
.
</bean>
My client doesn't want the password to be stored in a property file or, more in general, in the server.
The ideal would be to have Spring show a secure webpage to enter the database password.
The big problem is that I need access to the db to initialize the context and pretty much everything needed for the application to work. So the question is:
Is it possible to have Spring display a web page prior to context initialization, so that the user can enter the datasource password? Perhaps through a filter or something?
Please note to have the password encrypted in the property file or to have it passed as a parameter at Tomcat startup won't do, as it wouldn't be much different than having it in the property file, as regard to security.
What I ended up doing was to set the database password into an environment variable, use the variable inside the spring configuration files, and then delete the variable after startup. This worked and seems to make the client happy.
To read the environment variable in spring_db.xml us this expression, if you have Spring 3.0 and above:
<property name="password"><value>#{systemEnvironment['variable_name']}</value></property>
I have a Java web-app using standard web.xml and servlets. At the moment, I'm using the <context-param> tags in web.xml to define the database configuration (JDBC url, username, password, etc.). These are picked up by a servlet in its init() method.
But I'd like to not include database username/password in my source repository.
For testing, I'm using jetty-maven-plugin. With that, I specify an option overrideDescriptor with a supplementary web.xml that is applied after the primary web.xml. I put my testing database configuration in this supplementary file, and everything works great.
For deployment, my host is using Tomcat. I'm not sure how to apply a database config here. Is there a similar way to specify a supplementary web.xml file? If not, what is the best practice to do this? Read the configuration from a separate properties file (or similar) included as a resource?
You should be using connection pools and JNDI. You keep the credentials on the server that way. Users only need the JNDI lookup name (e.g., "jdbc/FooDataSource") to access the connection pool.
"Read the configuration from a separate properties file (or similar) included as a resource?"
Yes.
There are lots of ways to do THAT, too. My current project uses Spring's PropertyPlaceholderConfigurer to read the appropriate properties files and allow any of the values to be used in a context file using the usual ${whatever} notation.
Addition:
Incidentally, we use a custom subclass of PropertyPlaceholderConfigurer to set the locations of the files. We use a "global" properties file that applies to all environments (dev, test, uat, prod) and then one file for each environment that overrides the global settings.
The files themselves are deployed in a jar, but we don't need the flexibility of changing the values on the fly.
You could always store the configuration in an external .properties file, change your servlet to read from this instead (perhaps having web.xml point at the path to the file), and thus keep the file only on the server and out of source control.
In your application-context.xml , you can use the place holders and point the location of the placeholder's parameters to external properties file.
<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>/WEB-INF/database-config.properties</value>
</property>
</bean>
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
<property name="driverClassName" value="${jdbc.driver}"/>
<property name="url" value="${jdbc.url}"/>
<property name="username" value="${jdbc.user}"/>
<property name="password" value="${jdbc.password}"/>
</bean>
In your database-config.properties file. You can provide the placeholder's parameters. In this case database settings.
jdbc.driver=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://localhost:3306/school?useUnicode=true&characterEncoding=UTF-8
jdbc.user=root
jdbc.password=root
I want to make spring MVC 3.0.3 portlet using DispatcherPortlet class With JSON support. So, i added following configuration in the spring context file.
<bean class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
text/html
Without this, if i use the 'InternalResourceViewResolver' only then it runs fine and i am able to use the portlet. But with this bean defined, i got the following error on tomcat startup.
I googled around and find a link stating that this bean with JSON only works with servlets in the latest spring vesion. please check the link as well.
http://jira.springframework.org/browse/SPR-7344 (JSON issue for portlets...)
http://jira.springframework.org/browse/SPR-6932?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel#issue-tabs
Also please check the error pasted below. Help me...
thanks.
:ERROR:
java.lang.IllegalArgumentException: Object of class [org.springframework.web.portlet.context.PortletRequestAttributes] must be an instance of class org.springframework.web.context.request.ServletRequestAttributes
please check the log
Caused by: java.lang.IllegalArgumentException: Object of class [org.springframework.web.portlet.context.PortletRequestAttributes] must be an instance of class org.springframework.web.context.request.ServletRequestAttributes
at org.springframework.util.Assert.isInstanceOf(Assert.java:337)
at org.springframework.util.Assert.isInstanceOf(Assert.java:319)
at org.springframework.web.servlet.view.ContentNegotiatingViewResolver.resolveViewName(ContentNegotiatingViewResolver.java:363)
at org.springframework.web.portlet.DispatcherPortlet.resolveViewName(DispatcherPortlet.java:1110)
at org.springframework.web.portlet.DispatcherPortlet.render(DispatcherPortlet.java:1052)
at org.springframework.web.portlet.DispatcherPortlet.doRenderService(DispatcherPortlet.java:761)
at org.springframework.web.portlet.FrameworkPortlet.processRequest(FrameworkPortlet.java:522)
ContentNegotiatingViewResolver doesn't work with portlets, only servlets.
As a general rule, many servlet API classes in Spring have a portlet equivalent, e.g.
org.springframework.web.servlet.HandlerAdapter
org.springframework.web.portlet.HandlerAdapter
You have to make sure that you use the right one - the servlet and portlet APIs are completely incompatible.
However, since Spring 2.5, the portlet framework has been neglected (probably because it's very rarely used), and newer parts of the servlet MVC API have not been included in the portlet MVC API.
It would seem that if you want to do what you're trying to do, you're going to have to do a lot of it yourself. You might be able to copy some of the code from ContentNegotiatingViewResolver and related classes.
Check this out. It should work now
<!-- View Resolver -->
<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/test/testJSp/" />
<property name="suffix" value=".jsp" />
<property name="order" value="2" />
</bean>
I am new to openJPA.
I have a scenario where, depending upon the server where my application is running, I need to change the settings to persistance.xml.
For eg. if its running on Server A, then it should use different database(different url), different password etc. and if the application is running on Server B then it should use different information.
And could you also tell me, which way should it be done, using datasource or simply putting properties under persistence-unit.
FYI I am using WS app. server 7 and RAD 7.5
Any type of help would be highly appreciated.
You're using an application server so you don't need to set database connection settings in the persistence.xml file. You should be able to create a JNDI data source in your appserver and then use that. EAch server could have the data source have the same JNDI name and then there'll be no need for any persistence.xml differences.
Workshop, JPA, and DataSources seems particularly relevant to you. As does Setting up a JNDI data source in WebSphere 6.0/6.1 and WebSphere + JNDI + Spring Framework + Hibernate.
Are you using Spring? If so, then the problem is easy to solve: you don't put the data source information in your persistence.xml, you put it in your application context and that'll have different configuration on each server.
For example:
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location" value="classpath:database.properties"/>
</bean>
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
<property name="driverClassName" value="${database.class}"/>
<property name="url" value="${database.url}"/>
<property name="username" value="${database.username}"/>
<property name="password" value="${database.password}"/>
</bean>
and each server could have a different database.properties file on each server (where each is in the classpath somewhere in this example):
database.username=scratch
database.password=scratch
database.class=oracle.jdbc.OracleDriver
database.url=jdbc:oracle:thin:#localhost:1521:XE
Changing persistence.xml at runtime is going to be problematic as that's not really how JPA is designed.
Of course, you can use JNDI data sources with Spring also.