
  • Spring Security RC1 Java Config not working for Hessian Remoting ?

    Hi,

    I'm trying to secure a server that uses Hessian Remoting with Spring Security and Java Configuration.

    I've created a small isolated integration test to play with it:

    https://bitbucket.org/walczak_it/pro...test?at=master

    my configuration looks like this:

    Code:
    @Configuration
    @ComponentScan("test.context")
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled=true)
    public class HessianServerConfig extends WebSecurityConfigurerAdapter {
        
        @Autowired
        private SecurePingService securePingService;
            
        @Bean
        public AuthenticationManager authenticationManager() throws Exception {
            return super.authenticationManager();
        }
    
        @Override
        protected void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
    
            auth.inMemoryAuthentication()
                .withUser("someusr").password("somepass").roles("USER");
        }
        
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
        
        @Bean
        public SecurePingService securePingService() {
            return new SecurePingServiceImpl();
        }
        
        @Bean(name="/SecurePingService")
        public HessianServiceExporter securePingServiceExporter() {
            HessianServiceExporter he = new HessianServiceExporter();
            he.setService(securePingService);
            he.setServiceInterface(SecurePingService.class);
            return he;
        }
    }
    my service looks like this:

    Code:
    public interface SecurePingService {
    
        @PreAuthorize("hasRole('ROLE_USER')")
        public String ping(String returnValue);
    }
    Code:
    @Service
    public class SecurePingServiceImpl implements SecurePingService {
        
        private static final Log LOG = LogFactory
                .getLog(SecurePingServiceImpl.class);
    
        @Override
        public String ping(String returnValue) {
            // this will throw AuthenticationCredentialsNotFoundException:
            // An Authentication object was not found in the SecurityContext
            //------
            String name = SecurityContextHolder.getContext()
                .getAuthentication().getName();
            //------
            LOG.info("name=" + name);
            return returnValue;
        }
    
    }
    I connect to the service like this

    Code:
                HessianProxyFactoryBean proxyFactory = new HessianProxyFactoryBean();
                proxyFactory.setServiceInterface(SecurePingService.class);
                proxyFactory.setServiceUrl("http://localhost:8080/api/SecurePingService");
                proxyFactory.setUsername("somename");
                proxyFactory.setPassword("wrongpass");
                proxyFactory.setConnectTimeout(2000);
                proxyFactory.afterPropertiesSet();
                SecurePingService pingService
                        = (SecurePingService) proxyFactory.getObject();
                String ret = pingService.ping("pong");
    As to my understanding the AuthenticationCredentialsNotFoundException I'm getting from inside my service's implementation indicates that Spring Security did not authenticate using HTTP Basic nor did it execute method security mechanisms.



    Please help: Am I doing something wrong or is it a bug?



    I'm using the latest milestones:

    springVersion = 4.0.0.M2
    springSecurityVersion = 3.2.0.RC1

    and Java 8 b100
    Last edited by walec51; Aug 26th, 2013, 06:38 PM.

  • #2
    To eliminate all doubt I've checked the request using Wireshark.

    The Basic authentication header did go in the request.

    My full Jetty boot and stack trace looks like this:

    Code:
    2013-08-27 01:50:15.150:INFO:oejs.Server:main: jetty-9.0.4.v20130625
    2013-08-27 01:50:15.600:INFO:/:main: Initializing Spring FrameworkServlet 'org.springframework.web.servlet.DispatcherServlet-0'
    sie 27, 2013 1:50:15 AM org.springframework.web.servlet.FrameworkServlet initServletBean
    INFO: FrameworkServlet 'org.springframework.web.servlet.DispatcherServlet-0': initialization started
    sie 27, 2013 1:50:15 AM org.springframework.context.support.AbstractApplicationContext prepareRefresh
    INFO: Refreshing WebApplicationContext for namespace 'org.springframework.web.servlet.DispatcherServlet-0-servlet': startup date [Tue Aug 27 01:50:15 CEST 2013]; root of context hierarchy
    sie 27, 2013 1:50:15 AM org.springframework.web.context.support.AnnotationConfigWebApplicationContext loadBeanDefinitions
    INFO: Successfully resolved class for [test.context.HessianServerConfig]
    sie 27, 2013 1:50:16 AM org.springframework.security.web.DefaultSecurityFilterChain <init>
    INFO: Creating filter chain: org.springframework.security.web.util.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7e990ed7, org.springframework.security.web.context.SecurityContextPersistenceFilter@c05fddc, [email protected]a0, org.springframework.security.web.csrf.CsrfFilter@4d15107f, org.springframework.security.web.authentication.logout.LogoutFilter@7b4c50bc, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5884a914, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@50378a4, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@60f00693, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@79207381, [email protected]491b9b8, org.springframework.security.web.access.ExceptionTranslationFilter@1a4927d6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@7a6d7e92]
    sie 27, 2013 1:50:17 AM org.springframework.web.servlet.handler.AbstractUrlHandlerMapping registerHandler
    INFO: Mapped URL path [/SecurePingService] onto handler '/SecurePingService'
    sie 27, 2013 1:50:17 AM org.springframework.web.servlet.FrameworkServlet initServletBean
    INFO: FrameworkServlet 'org.springframework.web.servlet.DispatcherServlet-0': initialization completed in 1701 ms
    2013-08-27 01:50:17.309:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@57576994{/,null,AVAILABLE}
    2013-08-27 01:50:17.320:INFO:oejs.ServerConnector:main: Started ServerConnector@30c8681{HTTP/1.1}{0.0.0.0:8080}
    sie 27, 2013 1:50:17 AM org.springframework.remoting.support.RemoteInvocationTraceInterceptor invoke
    WARNING: Processing of HessianServiceExporter remote call resulted in fatal exception: test.context.SecurePingService.ping
    org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:339)
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:198)
    	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:60)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
    	at com.sun.proxy.$Proxy19.ping(Unknown Source)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    	at java.lang.reflect.Method.invoke(Method.java:491)
    	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    	at org.springframework.remoting.support.RemoteInvocationTraceInterceptor.invoke(RemoteInvocationTraceInterceptor.java:78)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
    	at com.sun.proxy.$Proxy22.ping(Unknown Source)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    	at java.lang.reflect.Method.invoke(Method.java:491)
    	at com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:302)
    	at com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:217)
    	at org.springframework.remoting.caucho.HessianExporter.doInvoke(HessianExporter.java:221)
    	at org.springframework.remoting.caucho.HessianExporter.invoke(HessianExporter.java:138)
    	at org.springframework.remoting.caucho.HessianServiceExporter.handleRequest(HessianServiceExporter.java:66)
    	at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:51)
    	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
    	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
    	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:946)
    	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:848)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
    	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:822)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:698)
    	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:505)
    	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:211)
    	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1094)
    	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:432)
    	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:175)
    	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1028)
    	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:136)
    	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    	at org.eclipse.jetty.server.Server.handle(Server.java:445)
    	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:267)
    	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:224)
    	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.run(AbstractConnection.java:358)
    	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:601)
    	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:532)
    	at java.lang.Thread.run(Thread.java:724)
    
    2013-08-27 01:50:17.455:INFO:oejs.ServerConnector:Thread-1: Stopped ServerConnector@30c8681{HTTP/1.1}{0.0.0.0:8080}
    2013-08-27 01:50:17.455:INFO:/:Thread-1: Destroying Spring FrameworkServlet 'org.springframework.web.servlet.DispatcherServlet-0'
    2013-08-27 01:50:17.459:INFO:oejsh.ContextHandler:Thread-1: Stopped o.e.j.s.ServletContextHandler@57576994{/,null,UNAVAILABLE}

    • #3
      It looks like the springSecurityFilterChain is not intercepting the requests. You can register it with the AbstractSecurityWebApplicationInitializer. See http://static.springsource.org/sprin...y-with-the-war


      • #4
        Many thanks for the tip.

        I have to find a way to apply this to one of my jar projects with embedded Jetty used in tests.

        However I applied this to my war server app and I get a strange exception when I try to access any URL.

        Code:
        package com.prodoko.base.server;
        
        import org.springframework.core.annotation.Order;
        import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
        
        @Order(2)
        public class SecurityWebApplicationInitializer
                extends AbstractSecurityWebApplicationInitializer {
        }
        Code:
        package com.prodoko.base.server;
        
        import org.springframework.beans.factory.annotation.Autowired;
        import org.springframework.context.annotation.Bean;
        import org.springframework.context.annotation.ComponentScan;
        import org.springframework.context.annotation.Configuration;
        import org.springframework.context.annotation.Import;
        import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
        import org.springframework.core.io.FileSystemResource;
        import org.springframework.security.authentication.AuthenticationManager;
        import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
        import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
        import org.springframework.security.config.annotation.web.builders.HttpSecurity;
        import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
        import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
        import org.springframework.web.servlet.config.annotation.EnableWebMvc;
        
        import com.prodoko.base.model.impl.security.UserLoginRepository;
        import com.prodoko.remoting.hessian.EnableHessianExport;
        
        @Configuration
        @Import(BaseDatabaseConfig.class)
        @ComponentScan(basePackages = {
            "com.prodoko.base.model", "com.prodoko.base.model.impl",
            "com.prodoko.base.server.info"})
        @EnableWebMvc
        @EnableWebSecurity
        @EnableGlobalMethodSecurity(prePostEnabled=true)
        @EnableHessianExport
        public class BaseServerConfig extends WebSecurityConfigurerAdapter {
            
            @Autowired
            public UserLoginRepository userDetailsRepository;
            
            @Bean
            public static PropertySourcesPlaceholderConfigurer propertyPlaceholderConfigurer() {
                PropertySourcesPlaceholderConfigurer pc
                    = new PropertySourcesPlaceholderConfigurer();
                pc.setIgnoreResourceNotFound(true);
                pc.setIgnoreUnresolvablePlaceholders(true);
                pc.setLocation(new FileSystemResource("prodoko.server.properties"));
                return pc;
            }
            
            @Bean
            public AuthenticationManager authenticationManager() throws Exception {
                return super.authenticationManager();
            }
        
            @Override
            protected void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        
                auth.userDetailsService(userDetailsRepository);
            }
            
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .anyRequest().authenticated()
                        .and()
                        .httpBasic();
            }
        }
        Code:
        package com.prodoko.base.server.example;
        
        import org.springframework.core.annotation.Order;
        import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
        
        import com.prodoko.base.server.BaseServerConfig;
        
        @Order(1)
        public class ExampleServerAppInitializer extends
                AbstractAnnotationConfigDispatcherServletInitializer {
        
            @Override
            protected Class<?>[] getRootConfigClasses() {
                return null;
            }
        
            @Override
            protected Class<?>[] getServletConfigClasses() {
                return new Class<?>[] { BaseServerConfig.class };
            }
        
            @Override
            protected String[] getServletMappings() {
                return new String[] { "/" };
            }
        
        }

        I boot Jetty to run the WAR and when I try to access any URL I get the exception below

        Code:
        2013-08-27 20:29:06.926:INFO:oejr.Runner:main: Runner
        2013-08-27 20:29:07.033:INFO:oejs.Server:main: jetty-9.0.4.v20130625
        2013-08-27 20:29:08.644:INFO:oejpw.PlusConfiguration:main: No Transaction manager found - if your webapp requires one, please configure one.
        SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
        SLF4J: Defaulting to no-operation (NOP) logger implementation
        SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
        2013-08-27 20:29:11.789:INFO:/:main: Spring WebApplicationInitializers detected on classpath: [[email protected]0fb, [email protected]c]
        2013-08-27 20:29:12.580:INFO:/:main: Initializing Spring FrameworkServlet 'dispatcher'
        sie 27, 2013 8:29:13 PM org.hibernate.annotations.common.Version <clinit>
        INFO: HCANN000001: Hibernate Commons Annotations {4.0.2.Final}
        sie 27, 2013 8:29:13 PM org.hibernate.Version logVersion
        INFO: HHH000412: Hibernate Core {4.2.3.Final}
        sie 27, 2013 8:29:13 PM org.hibernate.cfg.Environment <clinit>
        INFO: HHH000206: hibernate.properties not found
        sie 27, 2013 8:29:13 PM org.hibernate.cfg.Environment buildBytecodeProvider
        INFO: HHH000021: Bytecode provider name : javassist
        sie 27, 2013 8:29:13 PM org.hibernate.ejb.Ejb3Configuration configure
        INFO: HHH000204: Processing PersistenceUnitInfo [
        	name: default
        	...]
        sie 27, 2013 8:29:13 PM org.hibernate.service.jdbc.connections.internal.ConnectionProviderInitiator instantiateExplicitConnectionProvider
        INFO: HHH000130: Instantiating explicit connection provider: org.hibernate.ejb.connection.InjectedDataSourceConnectionProvider
        sie 27, 2013 8:29:14 PM org.hibernate.dialect.Dialect <init>
        INFO: HHH000400: Using dialect: org.hibernate.dialect.ProgressDialect
        sie 27, 2013 8:29:14 PM org.hibernate.engine.jdbc.internal.LobCreatorBuilder useContextualLobCreation
        INFO: HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
        sie 27, 2013 8:29:14 PM org.hibernate.engine.transaction.internal.TransactionFactoryInitiator initiateService
        INFO: HHH000268: Transaction strategy: org.hibernate.engine.transaction.internal.jdbc.JdbcTransactionFactory
        sie 27, 2013 8:29:14 PM org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory <init>
        INFO: HHH000397: Using ASTQueryTranslatorFactory
        sie 27, 2013 8:29:14 PM org.hibernate.validator.internal.util.Version <clinit>
        INFO: HV000001: Hibernate Validator 5.0.1.Final
        2013-08-27 20:29:16.490:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@7bc1a03d{/,file:/tmp/jetty-0.0.0.0-8001-prodoko-base-server-example-0.1.war-_-any-/webapp/,AVAILABLE}{file:/home/walec51/source/prodoko-base/prodoko-base-server-example/build/libs/prodoko-base-server-example-0.1.war}
        2013-08-27 20:29:16.620:INFO:oejs.ServerConnector:main: Started ServerConnector@358b70c4{HTTP/1.1}{0.0.0.0:8001}
        2013-08-27 20:29:24.231:WARN:oejs.ServletHandler:qtp1166726978-28: /
        java.lang.IllegalStateException: No WebApplicationContext found: no ContextLoaderListener registered?
        	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:252)
        	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1477)
        	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:503)
        	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:138)
        	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:564)
        	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:213)
        	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1094)
        	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:432)
        	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:175)
        	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1028)
        	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:136)
        	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:258)
        	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
        	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        	at org.eclipse.jetty.server.Server.handle(Server.java:445)
        	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:267)
        	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:224)
        	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.run(AbstractConnection.java:358)
        	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:601)
        	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:532)
        	at java.lang.Thread.run(Thread.java:724)
        Please help.


        • #5
          BaseServerConfig should be present in the getRootConfigClasses so that it is picked up by the DelegatingFilterProxy (which only looks at the root).

          Alternatively, you can use the following which tells springSecurityFilterChain to use the child context:

          Code:
          import static org.springframework.web.servlet.support.AbstractDispatcherServletInitializer.*;
          
          public class SecurityWebApplicationInitializer
                  extends AbstractSecurityWebApplicationInitializer {
          
              protected String getDispatcherWebApplicationContextSuffix() {
                  return DEFAULT_SERVLET_NAME;
              }
          }


          • #6
            Many thanks again !

            I didn't know why this class required two configuration classes from me. That was my first attempt to return BaseServerConfig in getRootConfigClasses but I've got an exception if getServletConfigClasses returned null despite the fact that the javadoc states that it can return null.

            But now I have a truly bizarre problem. When my Hessian client tries to connect I get the following response:

            Code:
            HTTP/1.1 403 Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
            I have no CSRF in my configuration:

            Code:
            @Configuration
            @Import(BaseDatabaseConfig.class)
            @ComponentScan(basePackages = {
                "com.prodoko.base.model", "com.prodoko.base.model.impl", "com.prodoko.base.server.info" })
            @EnableWebMvc
            @EnableWebSecurity
            @EnableGlobalMethodSecurity(prePostEnabled=true)
            @EnableHessianExport
            public class BaseServiceConfig extends WebSecurityConfigurerAdapter {
                
                // ...
            
                @Override
                protected void configure(HttpSecurity http) throws Exception {
                    http
                        .authorizeRequests()
                            .anyRequest().authenticated()
                            .and()
                            .httpBasic();
                }
            }
            PS. I've started returning this in getServletMappings to just return something:

            Code:
            @Configuration
            @ComponentScan(basePackages = { "com.prodoko.base.server.info"})
            @EnableWebMvc
            public class BaseInfoConfig {
            
            }


            • #7
              CSRF is included by default with Java Config. If your application is not going to be used in a web browser or there is a piece that does not use state you can disable it. See the reference for an example on how to disable it http://static.springsource.org/sprin...csrf-configure

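The advice in post #7, narrowed to the remoting endpoints only, as an added example that is not part of the thread or of the Spring documentation: CSRF stays on for everything a browser might reach and is lifted only for the paths that Hessian clients call. It assumes the Spring Security 3.2 GA package names (`org.springframework.security.web.util.matcher`) and a hypothetical `/remoting/**` prefix for the exporters; the user store is configured as in the thread and is left out.

```java
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class RemotingCsrfConfig extends WebSecurityConfigurerAdapter {

    /** Hypothetical path prefix under which the Hessian exporters are mapped. */
    static final String REMOTING_PATTERN = "/remoting/**";

    /**
     * Decides which requests must carry a CSRF token: every state-changing
     * request except those aimed at the remoting endpoints.
     */
    static final class CsrfExceptRemoting implements RequestMatcher {

        // Same set of methods Spring Security treats as safe by default.
        private final Pattern safeMethods =
                Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");

        private final RequestMatcher remoting =
                new AntPathRequestMatcher(REMOTING_PATTERN);

        @Override
        public boolean matches(HttpServletRequest request) {
            if (safeMethods.matcher(request.getMethod()).matches()) {
                return false; // read-only request, no token required
            }
            // Hessian calls are POSTs without a token; exempt only those paths.
            return !remoting.matches(request);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Replaces the default matcher; http.csrf().disable() would
                // switch the protection off for the whole application instead.
                .requireCsrfProtectionMatcher(new CsrfExceptRemoting())
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

The exemption is sound only while no browser ever authenticates against the exempted paths, because a browser that has cached Basic credentials for the host attaches them to cross-site requests as well.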


              • #8
                Images from Wireshark:


                • #9
                  Thanks, you're saving my life

                  Got past the authentication. Now I get 404 everywhere but I think I'll start a new topic outside of the security subforum with this. I was wrong that the documentation states that getServletConfigClasses can return null. However I can't understand why AbstractAnnotationConfigDispatcherServletInitializer requires me to have two application contexts and I'm probably doing something wrong here.


                  • #10
                    New thread: http://forum.springsource.org/showth...on-in-Spring-4


                    • #11
                      Hi, me again.

                      Unfortunately AbstractAnnotationConfigDispatcherServletInitializer does not work with Spring Remoting. More details in the above thread.

                      Is there any way to set up Security with this type of first initializer:

                      Code:
                      @Order(1)
                      public class ExampleServerAppInitializer implements WebApplicationInitializer {
                          
                          @Override
                          public void onStartup(ServletContext servletContext)
                                  throws ServletException {
                              AnnotationConfigWebApplicationContext ctx = new AnnotationConfigWebApplicationContext();
                              ctx.register(BaseServerConfig.class);
                              ctx.setServletContext(servletContext);
                              ctx.refresh();
                              Dynamic servlet = servletContext.addServlet("dispatcher",
                                      new DispatcherServlet(ctx));
                              servlet.addMapping("/");
                              servlet.setLoadOnStartup(1);
                          }
                      
                      /* this does not work with remoting:
                      extends
                              AbstractAnnotationConfigDispatcherServletInitializer {
                      
                          @Override
                          protected Class<?>[] getRootConfigClasses() {
                              return new Class<?>[] { BaseServerConfig.class };
                          }
                      
                          @Override
                          protected Class<?>[] getServletConfigClasses() {
                              return new Class<?>[] { BaseInfoConfig.class };
                          }
                      
                          @Override
                          protected String[] getServletMappings() {
                              return new String[] { "/*" };
                          }
                      */
                      }
                      I'm getting the:

                      java.lang.IllegalStateException: No WebApplicationContext found: no ContextLoaderListener registered?

                      exception again with this.

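Post #5 notes that the DelegatingFilterProxy looks only at the root context; the initializer in post #11 registers no root context at all, which produces the same IllegalStateException. One way to wire the filter to a single hand-built context, as an added example that is not part of the thread: the class name `SingleContextSecurityInitializer` is hypothetical, `BaseServerConfig` is the configuration class from post #4, and this initializer is used instead of the `AbstractSecurityWebApplicationInitializer` subclass, not alongside it.

```java
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.servlet.DispatcherServlet;

import com.prodoko.base.server.BaseServerConfig; // config class from post #4

public class SingleContextSecurityInitializer implements WebApplicationInitializer {

    private static final String FILTER_NAME = "springSecurityFilterChain";

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // One context holds the Hessian exporters and the security beans.
        AnnotationConfigWebApplicationContext ctx =
                new AnnotationConfigWebApplicationContext();
        ctx.register(BaseServerConfig.class);
        ctx.setServletContext(servletContext);
        ctx.refresh();

        // Hand the context to the proxy directly, so it does not search the
        // ServletContext for a root context that was never registered.
        FilterRegistration.Dynamic filter = servletContext.addFilter(
                FILTER_NAME, new DelegatingFilterProxy(FILTER_NAME, ctx));
        if (filter == null) {
            // addFilter returns null when the name is already taken, e.g. by
            // a leftover AbstractSecurityWebApplicationInitializer subclass.
            throw new IllegalStateException(
                    "Filter '" + FILTER_NAME + "' is already registered");
        }
        // isMatchAfter=false places this mapping ahead of declared filters;
        // "/*" covers every request, including the POSTs Hessian clients send.
        filter.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR,
                        DispatcherType.ASYNC),
                false, "/*");

        // The dispatcher uses the same context, so bean-name URL mappings
        // such as "/SecurePingService" are resolved where they are defined.
        ServletRegistration.Dynamic servlet = servletContext.addServlet(
                "dispatcher", new DispatcherServlet(ctx));
        servlet.addMapping("/");
        servlet.setLoadOnStartup(1);
    }
}
```

A request without an Authorization header to any exported service should now be answered with 401 by the filter chain, before the exporter or the method-security interceptor is reached.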