Spring won't intercept locale parameter + security [Java, i18n] - java

I am using both Spring security and Spring i18n. This is my security config:
<security:http access-denied-page="/denied.htm">
<security:form-login login-page="/login.htm"
authentication-failure-url="/login.htm?login_error=true" />
<security:intercept-url pattern="/denied.htm" filters="none"/>
<security:intercept-url pattern="/login.htm*" filters="none"/>
<security:intercept-url pattern="/*" access="IS_AUTHENTICATED_FULLY" />
<security:logout/>
</security:http>
Besides that, I have set authenticationManager for database with MD5 encoding for password. Security work just fine. My i18n config is:
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="messages" />
</bean>
It works fine with reading locales from web browser's HTTP request, but I want it to change locale if I click on the link on the page (adds ?lang=hr parameter to current page). So when I add this, locale doesn't change at all:
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang" />
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.SessionLocaleResolver">
<property name="defaultLocale" value="en"/>
</bean>
<bean id="handlerMapping" class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping">
<property name="interceptors">
<ref bean="localeChangeInterceptor" />
</property>
</bean>
So I have few questions.
Why the locale interception suddenly doesn't work and how to fix it?
How to read the current chosen locale for user's session from java class? I have java class where I need to fetch spring's message from message_en.properties or message_hr.properties file. Jasper report.
I need to add some interceptor (or something like that) to restrain user with default password only to work with /changePassword.htm page. What is the simplest solution?
Many thanks

Why the locale interception suddenly doesn't work and how to fix
it?
I guess: To "fix" you local interceptor, you should check, that the local interceptor can be invoked even if the user is not logged in.
_2. How to read the current chosen locale for user's session from java
class?
Use the RequestContext.getLocale() method.
#see http://static.springsource.org/spring/docs/2.0.x/reference/mvc.html#mvc-localeresolver
added
The best place (in design/architecure) to obtain the local form the request is the web controller. If you are using Spring 3.0 you can obtain the HttpServletRequest directly if you put an parameter of this type to your Controller Request Handler Method. But you have an better choise: just add a Local parameter to your controller handler method
#see http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/mvc.html#mvc-ann-requestmapping-arguments
_3. I need to add some interceptor (or something like that) to restrain user
with default password only to work
with /changePassword.htm page. What is
the simplest solution?
One way (may not the simplest, and a one that needs documentation) is to give a user with the default passwort not the full set of priveleges (ony the privileges that he need to set the new password), after chaning tha password, give the user the full set of privileges, which allow him to do all the other stuff.

Try registering localeChangeInterceptor this way. It worked for me.
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"></property>
</bean>
</mvc:interceptors>

Related

Switch LDAP connection at runtime in Spring

I am new to spring. Admins of my spring based web app want to configure settings from the web interface, so users can authenticate against LDAP server with their company username and password.
Change in LDAP settings should be possible without restarting the application. This might happen during a 'migration' or whatever reason. I have a couple beans, which need to be refreshed after the admin saves new settings for the LDAP server:
<bean id="ldapServer" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg>
<list>
<value>${ldap.url1}</value>
...
</list>
</constructor-arg>
<constructor-arg value="${ldap.basedn}"</constructor-arg>
<property name="referral" value="${ldap.referral}" />
<property name="baseEnvironmentProperties">...</property>
<property name="userDn" value="${ldap.username}" />
<property name="password" value="${ldap.password}" />
</bean>
I am using Springframework 3.1.2. The problem is, there are constructor arguments, which I want to change and not affect other running jobs. I tried playing with Scoped proxy, but not to much success yet:
<bean id="ldapServer" scope="prototype" ...>
<aop:scoped-proxy/>
I was successful though to get ldapServer to reinstantiate, when using prototype scope by running this piece of code:
#Controller
public class LDAPSettingsController implements ApplicationContextAware {
public ModelAndView handleRequest(...) {
DefaultSpringSecurityContextSource ldap;
ldap = context.getParentBeanFactor().getBean("ldapServer");
System.out.println(ldap.hashCode());
return new ModelAndView(new RedirectView('login.jsp'));
}
...
}
Are scopes and proxies here the way to go, or is the another mechanism in Spring to reflect configuration changes into a running program instance?
UPDATE: Clear up the question.
UPDATE: The root problem with the AOP proxies was following root exception:
java.lang.IllegalArgumentException: Superclass has no null constructors but no arguments were given
What worked was adding proxy-target-class="false" attribute to the <aop:scoped-proxy/> tag. I created a new scope, which works better than prototype - It destroys beans on settings update. Now I have this in my beans.xml:
<bean class="org.springframework.beans.factory.config.CustomScopeConfigurer">
<property name="scopes">
<map>
<entry key="ldap">
<ref bean="ldapScope" />
</entry>
</map>
</property>
</bean>
<bean id="ldapScope" class="com.myapp.SettingsScope" />
<bean id="ldapServer" scope="ldap" ...>
<aop:scoped-proxy proxy-target-class="false"/>
<constructor-args>
<list><value>${ldap.url1}</value> .. </list>
</constructor-args>
...
</bean>
I also have a controller for LDAP settings into which I inject ldapScope and I call a method which destroys current life-cycle objects and starts a new life-cycle every time, user presses the apply button.
PS: Not sure if I handle the life-cycle "re-start" in the right way - people my way to look for auto-start beans and start them after such event happens (i.e.: Setting -> Apply)

Is it possible to get username/last visited page after session timeout

In my application I have an invalid-session-url and I was wondering if it's possible to get the username in the invalid-session-url? If so please advise how to do that.
Yes, it is possible. You can send cookie to user's web browser with value of his/her username when user is authenticated. When session is expired, you can still access that cookie. All you need to do is set its lifetime to be long enough.
You may implement your own Filter. I recommend extending UsernamePasswordAuthenticationFilter. Overriding Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) gives you access to cookies - you can add one with HttpServletResponse.addCookie(Cookie cookie).
You can easily inject your own filter. More info about config: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#nsa-custom-filter
Also take into account that it can be insecure to send such a cookie. I don't see any other way to accomplish what you want.
But you can easily improve security of this solution by configuring LogoutHandler. There is an implementation of this interface CookieClearingLogoutHandler. You can use it to clear that cookie when user decides to logout manually.
<bean id="cookieClearingLogoutHandler" class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
<constructor-arg>
<!-- Names of the cookies you want to remove when user logs out -->
<list>
<value>username</value>
</list>
</constructor-arg>
</bean>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/login"/>
<constructor-arg>
<array>
<ref local="securityContextLogoutHandler"/>
<!-- Inject it -->
<ref local="cookieClearingLogoutHandler"/>
</array>
</constructor-arg>
<property name="filterProcessesUrl" value="/logout"/>
</bean>

Spring MVC Interceptor Mapping Problems

I have this segment of XML:
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/statics/**" />
<bean class="com.company.website.servlet.StaticsHandlerInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<mvc:mapping path="/data/**" />
<bean class="com.company.website.servlet.AJAXHandlerInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<mvc:mapping path="/**" />
<bean class="com.company.website.servlet.PageHandlerInterceptor" />
</mvc:interceptor>
</mvc:interceptors>
I have three different interceptors for a reason, though the StaticsHandlerInterceptor is just the preHandle method returning true (for all of my static content (js, css, etc)). The second one is for AJAX requests. The third one is for actual pages. What I see happening is the statics and the AJAX interceptors being called when they are supposed to be; however, with them, the page interceptor is always being called. I only want the page interceptor to be called for pages. How do I make that happen?
Assuming you use a consistent naming scheme for your pages, use that - e.g. if your externally-visible page URLs end with .html, specify:
<mvc:mapping path="/**/*.html" />
It's not very RESTful to have "extensions" like that though - you might prefer to use a scheme like:
GET of /user/{id} = returns User object for user {id}, JSON format
POST to /user/{id} = updates User object from JSON object
GET to /user/page/{id} = returns HTML page for user {id}
etc etc
Then you can use a nice readable, semantic mapping like:
<mvc:mapping path="/**/page/**" />
which will work to any "depth" of URL structure.
Edit: OK so it seems that using the mvc:interceptors style of bean declaration isn't going to give you the expressiveness you need to specify exclusion by pattern rather than inclusion.
From what I can make out in this blog, using the more-verbose HandlerMapping approach will allow you to invert the match logic - you can specify what not to match on to get what you need:
<bean id="nonStaticNonDataMapper" class="org.springplugins.web.IgnoreSelectedAnnotationHandlerMapping">
<property name="order">
<value>0</value>
</property>
<property name="urls">
<list>
<value>/statics/**</value>
<value>/data/**</value>
</list>
</property>
<property name="interceptors">
<list>
<bean class="com.company.website.servlet.PageHandlerInterceptor" />
</list>
</property>
(Apologies for the formatting of the above snippet, Markdown thinks the /** is a comment :-)
mvc:interceptors now supports excluding a particular mapping. Currently it's only available in Spring 3.2.0.M2. You can find more about it at the JIRA item (that is now resolved): https://jira.springsource.org/browse/SPR-6570

JSR-303 inject locale into custom validator

I am using Spring 3 and I have the following configuration in my applicationContext.xml:
<bean id="validationMessageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"
p:basename="classpath:messages/validation_messages" p:defaultEncoding="UTF-8" p:cacheSeconds="3" />
<bean id="globalValidator" class="org.springframework.validation.beanvalidation.LocalValidatorFactoryBean">
<property name="validationMessageSource">
<ref bean="validationMessageSource" />
</property>
</bean>
Everything works fine with locales etc.
However, I was wondering if it is possible to inject the locale to a custom validator I have constructed. I have created a #CheckZip annotation for validating Zip codes. But since zip codes have different formats in different countries I am curious whether I could throw the current locale into the validator.
Not by injection, but static LocaleContextHolder can help here:
LocaleContextHolder.setLocale(locale); // set locale for your request or based on user settings e.g. inside custom interceptor
and
LocaleContextHolder.getLocale(); // get locale inside your validator
But I'm not sure why you need the locale explicitly, because having a LocaleChangeInterceptor that should work already:
<!-- Declare the Interceptor -->
<mvc:interceptors>
<bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor"
p:paramName="locale" />
</mvc:interceptors>
<!-- Declare the Resolver -->
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.SessionLocaleResolver" />

Java Spring NtlmProcessingFilter second controller

<bean id="ntlmFilter" class="org.springframework.security.ui.ntlm.NtlmProcessingFilter">
<security:custom-filter position="NTLM_FILTER" />
<property name="stripDomain" value="true" />
<property name="defaultDomain" value="company" />
<property name="domainController" value="192.168.1.1" />
<property name="authenticationManager" ref="_authenticationManager" />
</bean>
may i know how to set failover second controller?
Unfortunately, NTLM isn't supported by Spring 3.
If using a secondary domain controller is a critical requirement for your application, I think you'll need to look into the jcifs source. Even jcifs doesn't want to support NTLM anymore either. But the old libraries are out there. I've hacked around so that my app will invisibly authenticate users whether they're from domainA or domainB. So it's possible, although possibly a bit daunting.
If I understood your question properly, you are looking for a fallback authentication provider, You can setup a list of authentication managers, so that if first one fails, it will automatically check with second one.
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ntlmServiceAuthenticationProvider"/>
<security:authentication-provider ref="ldapAuthProvider"/>
</security:authentication-manager>

Categories

Resources