security:authorize tags not working

In my roo-generated project I set up spring security so people can log in (still have the default admin and user users).

I have used security:authorize tags before and all I had to add to my jsp was
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
at the top and then throw security:authorize tags around stuff on my page. It works like a charm in my regular hand-crafted spring 2.5 webapp.

I can't add that to my jspx files that roo generated, but I found in the default.jspx a line like this
xmlns:security="http://www.springframework.org/schema/security"
so I figured I could add that to the top of my menu.jspx and throw security tags around menu options so they won't show up except for admins.

Here is the top of my menu.jspx
Code:
<ul xmlns:c="http://java.sun.com/jsp/jstl/core"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:spring="http://www.springframework.org/tags" id="roo_menu">
    <security:authorize ifAllGranted="ROLE_ADMIN">
        <li id="web_mvc_jsp_interest_category">
            <h2>interest</h2>
            <ul>
                <li id="web_mvc_jsp_create_interest_menu_item">
                    <c:url value="/interest/form" var="web_mvc_jsp_create_interest_menu_item_url"/>
                    <a href="${web_mvc_jsp_create_interest_menu_item_url}"> <spring:message arguments="Interest" code="global.menu.new"/> </a>
                </li>
                <li id="web_mvc_jsp_list_interest_menu_item">
                    <c:url value="/interest?page=${empty param.page ? 1 : param.page}&amp;size=${empty param.size ? 10 : param.size}" var="web_mvc_jsp_list_interest_menu_item_url"/>
                    <a href="${web_mvc_jsp_list_interest_menu_item_url}"> <spring:message arguments="Interests" code="global.menu.list"/> </a>
                </li>
            </ul>
        </li>
    </security:authorize>
Problem is, when I run my app those security tags get left in the source and of course all the stuff inside still gets shown to everyone.

It seems like I am missing something. I read on the internets somewhere that this can happen if your filters are in the wrong order. Here are my filters and filter mappings from web.xml:

Code:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter>
    <filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
    <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
</filter>

<filter>
    <filter-name>etagFilter</filter-name>
    <filter-class>org.springframework.web.filter.ShallowEtagHeaderFilter</filter-class>
</filter>

<filter>
    <filter-name>CharacterEncodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>forceEncoding</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>httpMethodFilter</filter-name>
    <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
</filter>

<filter>
    <filter-name>UrlRewriteFilter</filter-name>
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>etagFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CharacterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>httpMethodFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Any tips? What am I missing?

• #2
I just tried this for the first time as well and it turns out you are using the wrong namespace URI. The correct one would be:

Code:
xmlns:security="http://www.springframework.org/security/tags"
This works for me. Let me know if you have any further issues.

Cheers,
Stefan


• #3
I fixed the url, but the security tags are still not working. They don't get stripped out either, they are just sitting there. When I view source I can see them, and all of the content inside of them is visible to the world.


• #4
Here is my menu.jspx
Code:
<ul xmlns:c="http://java.sun.com/jsp/jstl/core" xmlns:security="http://www.springframework.org/security/tags" xmlns:spring="http://www.springframework.org/tags" id="roo_menu">
    <security:authorize ifAllGranted="ROLE_ADMIN">
        <li id="web_mvc_jsp_interest_category">
            <h2>interest</h2>
            <ul>
                <li id="web_mvc_jsp_create_interest_menu_item">
                    <c:url value="/interest/form" var="web_mvc_jsp_create_interest_menu_item_url"/>
                    <a href="${web_mvc_jsp_create_interest_menu_item_url}"> <spring:message arguments="Interest" code="global.menu.new"/> </a>
                </li>
                <li id="web_mvc_jsp_list_interest_menu_item">
                    <c:url value="/interest?page=${empty param.page ? 1 : param.page}&amp;size=${empty param.size ? 10 : param.size}" var="web_mvc_jsp_list_interest_menu_item_url"/>
                    <a href="${web_mvc_jsp_list_interest_menu_item_url}"> <spring:message arguments="Interests" code="global.menu.list"/> </a>
                </li>
            </ul>
        </li>
    </security:authorize>
    <li id="web_mvc_jsp_researcher_category">
        <h2>researcher</h2>
        <ul>
            <li id="web_mvc_jsp_create_researcher_menu_item">
                <c:url value="/researcher/form" var="web_mvc_jsp_create_researcher_menu_item_url"/>
                <a href="${web_mvc_jsp_create_researcher_menu_item_url}"> Sign up! </a>
            </li>
            <li id="web_mvc_jsp_list_researcher_menu_item">
                <c:url value="/researcher?page=${empty param.page ? 1 : param.page}&amp;size=${empty param.size ? 10 : param.size}" var="web_mvc_jsp_list_researcher_menu_item_url"/>
                <a href="${web_mvc_jsp_list_researcher_menu_item_url}"> <spring:message arguments="Researchers" code="global.menu.list"/> </a>
            </li>
            <li id="finder_findresearchersbyinterests_menu_item">
                <c:url value="/researcher/find/ByInterests/form" var="finder_findresearchersbyinterests_menu_item_url"/>
                <a href="${finder_findresearchersbyinterests_menu_item_url}"> Search for Research Collaborators </a>
            </li>
        </ul>
    </li>
</ul>


• #5
I noticed that on my other, non-roo spring project we have a jar called spring-security-taglibs-2.0.1.jar

I don't see anything like that in my roo project...


• #6
Indeed, without the tag library in your classpath the Spring Security tags will not work. Which version of Roo are you using? The tag library should be installed by default. If not, just make sure this is in your pom:

Code:
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.core</artifactId>
    <version>3.0.0.RC1</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.config</artifactId>
    <version>3.0.0.RC1</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.web</artifactId>
    <version>3.0.0.RC1</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.taglibs</artifactId>
    <version>3.0.0.RC1-A</version>
</dependency>
HTH,
Stefan
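Two checks for the failure mode discussed so far, added here as an example and not code from this thread or from Roo: a `security:authorize` tag bound to the wrong namespace URI (or with no taglib jar deployed) is never executed, so the container passes it through as literal markup and the admin-only menu is served to everyone. The JSPX and HTML samples are constructed; the admin-only marker `/interest/form` is the URL from the posted menu.

```python
"""Checks for the failure mode in this thread: a security:authorize tag bound to the
wrong namespace URI (or with no taglib jar on the classpath) is never executed, so the
JSP container emits it as literal markup and the admin-only content is served to all."""
import re
import xml.etree.ElementTree as ET
from io import StringIO

TAGLIB_URI = "http://www.springframework.org/security/tags"   # JSP taglib URI (correct)
SCHEMA_URI = "http://www.springframework.org/schema/security"  # XML config URI (wrong in JSPX)


def jspx_namespace_problems(jspx_source):
    """Lint the namespace declarations of a JSPX document: flag any prefix bound to the
    Spring Security *schema* URI and any <authorize> element outside the taglib namespace
    (the container has no tag handler for it and will copy it to the output)."""
    problems = []
    events = ET.iterparse(StringIO(jspx_source), events=("start-ns", "start"))
    for event, payload in events:
        if event == "start-ns":
            prefix, uri = payload
            if uri == SCHEMA_URI:
                problems.append(f"prefix '{prefix}' is bound to {SCHEMA_URI}; use {TAGLIB_URI}")
        elif payload.tag.endswith("}authorize"):
            uri = payload.tag[1:].split("}", 1)[0]   # ElementTree names elements {uri}local
            if uri != TAGLIB_URI:
                problems.append(f"<authorize> element is in namespace {uri}, not {TAGLIB_URI}")
    return problems


UNPROCESSED_TAG = re.compile(r"</?security:authorize\b", re.IGNORECASE)


def rendered_page_problems(html, admin_only_markers=("/interest/form",)):
    """Inspect a page exactly as served to an unauthenticated client: a leftover
    security:authorize tag proves the taglib never ran, and an admin-only URL in the
    output proves the menu leaked regardless of what the JSPX intended."""
    problems = []
    if UNPROCESSED_TAG.search(html):
        problems.append("unprocessed <security:authorize> tag present in output")
    for marker in admin_only_markers:
        if marker in html:
            problems.append(f"admin-only link {marker} served to an anonymous client")
    return problems


# Constructed samples modelled on the menu.jspx posted in this thread.
BAD_JSPX = """<ul xmlns:c="http://java.sun.com/jsp/jstl/core"
    xmlns:security="http://www.springframework.org/schema/security" id="roo_menu">
  <security:authorize ifAllGranted="ROLE_ADMIN">
    <li><a href="/interest/form">New Interest</a></li>
  </security:authorize>
</ul>"""
GOOD_JSPX = BAD_JSPX.replace(SCHEMA_URI, TAGLIB_URI)

# Constructed output: the bad case (tag passed through, link visible) and the good case.
LEAKED_HTML = ('<ul id="roo_menu"><security:authorize ifAllGranted="ROLE_ADMIN">'
               '<li><a href="/csri/interest/form">New Interest</a></li></security:authorize></ul>')
CLEAN_HTML = '<ul id="roo_menu"></ul>'

if __name__ == "__main__":
    for name, found in (("bad jspx", jspx_namespace_problems(BAD_JSPX)),
                        ("good jspx", jspx_namespace_problems(GOOD_JSPX)),
                        ("leaked page", rendered_page_problems(LEAKED_HTML)),
                        ("clean page", rendered_page_problems(CLEAN_HTML))):
        print(name, "->", found or "OK")
```

The second check is the one worth wiring into a deployment smoke test: fetch the menu page without a session and fail the build if either problem is reported.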


• #7
I am using 1.0.0.RC2 [rev 321] now. I think that is the same version I was using when I created this project. Although I remember entering the security setup command, and that doesn't seem to be an option now...


• #8
I added those dependencies (core was already there, although an earlier version).

Now my app won't start and the error says:

Code:
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add an <authentication-manager> element to your configuration (with child <authentication-provider> elements) ?
	at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:31)
	at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:21)
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:143)
	... 33 more

Here is my security context file:

Code:
<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <http auto-config="true">
        <form-login login-processing-url="/static/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/static/j_spring_security_logout"/>
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/researcher/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/interest/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/member/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/static/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </http>

    <authentication-provider>
        <!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
        <password-encoder hash="sha-256"/>
        <user-service>
            <user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN"/>
            <user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</beans:beans>
That is basically what was auto-generated for me, except that I added some intercept url patterns.


• #9
Observed same behavior

I have observed the same behavior. I have

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.core</artifactId>
    <version>3.0.0.RC1</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.config</artifactId>
    <version>3.0.0.RC1</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.web</artifactId>
    <version>3.0.0.RC1</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.taglibs</artifactId>
    <version>3.0.0.RC1-A</version>
</dependency>

xmlns:security="http://www.springframework.org/security/tags"

and

<security:authorize ifAllGranted="ROLE_ADMIN">
some text
</security:authorize>

and I do have org.springframework.security.taglibs-3.0.0.RC1-A.jar in the WAR/WEB-INF/lib directory.

thanks


• #10
It seems you have set up everything correctly. Can you enable DEBUG logging for Spring Security to see what is happening (use 'logging setup --level DEBUG --package SECURITY')? Also, since we are not doing anything specific in terms of using Spring Security in Roo generated projects, it might make sense to ask in the Spring Security forum if anyone there has come across your issue.

Cheers,
Stefan


• #11
I turned on security logging and this is what I see for one request of the home page:

Code:
Converted URL to lowercase, from: '/'; to: '/'
Candidate is: '/'; pattern is /**; matched=true
/ at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@1e44e3e9'
HttpSession returned null object for SPRING_SECURITY_CONTEXT
No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@115e01c2. A new one will be created.
/ at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@29fd28da'
/ at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@2b8515bf'
/ at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@2e56c4eb'
Authorization header: null
/ at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@429a3811'
/ at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1ad70640'
/ at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@447f1499'
Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90576bf4: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 577455A205EE55571E2E8DFC25CB5BB7; Granted Authorities: ROLE_ANONYMOUS'
/ at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@73216bf0'
/ at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@1735949d'
/ at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@3eafdb52'
Converted URL to lowercase, from: '/'; to: '/'
Candidate is: '/'; pattern is /admin/**; matched=false
Candidate is: '/'; pattern is /researcher/**; matched=false
Candidate is: '/'; pattern is /interest/**; matched=false
Candidate is: '/'; pattern is /member/**; matched=false
Candidate is: '/'; pattern is /resources/**; matched=false
Candidate is: '/'; pattern is /static/**; matched=false
Candidate is: '/'; pattern is /**; matched=true
Secure object: FilterInvocation: URL: /; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90576bf4: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 577455A205EE55571E2E8DFC25CB5BB7; Granted Authorities: ROLE_ANONYMOUS
Voter: org.springframework.security.access.vote.RoleVoter@167d912, returned: 0
Voter: org.springframework.security.access.vote.AuthenticatedVoter@48dc2d76, returned: 1
Authorization successful
RunAsManager did not change Authentication object
/ reached end of additional filter chain; proceeding with original chain
DispatcherServlet with name 'FacultyResources2' determining Last-Modified value for [/csri/app/index]
Mapping [/index] to handler '[email protected]57076'
Last-Modified value for [/csri/app/index] is: -1
DispatcherServlet with name 'FacultyResources2' processing GET request for [/csri/app/index]
Returning view name 'index' for lookup path [/index]
Rendering view [org.springframework.web.servlet.view.tiles2.TilesView: name 'index'; URL [index]] in DispatcherServlet with name 'FacultyResources2'
Successfully completed request
Chain processed normally
SecurityContextHolder now cleared, as request processing completed
The stuff that is inside a <security:authorize ifAllGranted="ROLE_ADMIN"> is still visible to a non-authenticated person.
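The log above shows the part of the request that actually enforces access: FilterSecurityInterceptor lowercases the URL, walks the intercept-url patterns in document order until one matches, and the RoleVoter/AuthenticatedVoter pair vote on that rule's attribute. The following model of that decision is an added example, not Spring's code and not from this thread; it uses the intercept-url list posted in #8, and its voter and Ant-pattern logic are deliberately simplified assumptions.

```python
"""Model of the decision shown in the DEBUG log: the URL is lowercased, the first
<intercept-url> whose Ant pattern matches supplies the access attribute, and the
RoleVoter / AuthenticatedVoter pair vote on it (AffirmativeBased: one grant suffices)."""
import re

# The <intercept-url> list from the security context posted in this thread, in document order.
INTERCEPT_URLS = [
    ("/admin/**", "ROLE_ADMIN"),
    ("/researcher/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/interest/**", "ROLE_ADMIN"),
    ("/member/**", "IS_AUTHENTICATED_REMEMBERED"),
    ("/resources/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/static/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
]

# Authentication levels as the AuthenticatedVoter ranks them (assumed simplification).
LEVEL = {"anonymous": 0, "remembered": 1, "full": 2}
REQUIRED = {"IS_AUTHENTICATED_ANONYMOUSLY": 0, "IS_AUTHENTICATED_REMEMBERED": 1,
            "IS_AUTHENTICATED_FULLY": 2}

def ant_to_regex(pattern):
    """Ant path pattern to regex: '/**' spans zero or more segments, '*' stays within one
    segment, '?' is one non-slash character. Simplified, but enough for the rules above."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(?:/.*)?", i + 3
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def attribute_for(url, rules=INTERCEPT_URLS):
    """First matching pattern wins, so a catch-all placed early shadows every later rule.
    None means no rule matched and the interceptor lets the request through unchecked."""
    path = url.lower()   # the log's 'Converted URL to lowercase' step
    for pattern, attribute in rules:
        if ant_to_regex(pattern).match(path):
            return attribute
    return None

def vote(attribute, authorities, auth_level):
    """RoleVoter decides ROLE_* attributes, AuthenticatedVoter decides IS_AUTHENTICATED_*;
    each abstains on the other's attributes. Returns 1 (grant), -1 (deny) or 0 (abstain)."""
    if attribute.startswith("ROLE_"):
        return 1 if attribute in authorities else -1
    if attribute in REQUIRED:
        return 1 if LEVEL[auth_level] >= REQUIRED[attribute] else -1
    return 0

def is_allowed(url, authorities, auth_level, rules=INTERCEPT_URLS):
    """AffirmativeBased: a single grant allows; a deny, or all voters abstaining, denies."""
    attribute = attribute_for(url, rules)
    if attribute is None:
        return True
    return vote(attribute, set(authorities), auth_level) == 1

if __name__ == "__main__":
    anon = (["ROLE_ANONYMOUS"], "anonymous")   # the token the log shows for the home page
    for url in ("/", "/interest/form", "/member/profile", "/Researcher/list"):
        print(url, "->", attribute_for(url), "| anonymous allowed:", is_allowed(url, *anon))
```

Note that these rules, not the menu tag, are what keep an anonymous client out of /interest/**; hiding the link only tidies the UI.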


• #12
Strangely, if I change my security tag to <security:authorize ifNotGranted="ROLE_ANONYMOUS">

then the stuff gets hidden...


• #13
Now I am baffled. It is just working now... I didn't change anything except to try ifNotGranted and then change it back to ifAllGranted.


• #14
Glad you got it working.


• #15
This is exactly the issue I was having. If you figure out the exact fix, let me know. I will tinker with my project some more and hopefully it will start working for me too.