
  • Upgrading from Spring Security 3.0.0.M2 to 3.0.0.RC1

    Hi guys,
    I've just upgraded from Spring Security 3.0.0.M2 to 3.0.0.RC1, and now my security filter bean fails. I've set it up like this:

    Code:
    <security:http auto-config="true">
      <security:http-basic/>

      <security:intercept-url pattern="/public" filters="none"/>
      <security:intercept-url pattern="/private/**" access="ROLE_ADMIN,ROLE_USER"/>
      <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
      <security:port-mappings>
        <security:port-mapping http="8080" https="8443"/>
      </security:port-mappings>

      <security:intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
    </security:http>
    This used to work fine, but now I get

    Code:
    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot create inner bean '(inner bean)' of type [org.springframework.security.config.authentication.AuthenticationManagerFactoryBean] while setting bean property 'parent'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#4': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add an <authentication-manager> element to your configuration (with child <authentication-provider> elements) ?
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:281)
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:125)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1299)
    ....
    Before that, I've defined my authentication manager:
    Code:
    <bean id="userService" parent="txProxyTemplate">
      <property name="target">
        <bean class="tld.mydomain.business.UserServiceImpl"/>
      </property>
      <property name="proxyInterfaces" value="tld.mydomain.business.UserService"/>
    </bean>
    
    <bean id="_authenticationManager" class="org.springframework.security.authentication.ProviderManager">
      <property name="providers">
        <list>
          <bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
            <property name="userDetailsService" ref="userService"/>
            <property name="passwordEncoder">
              <bean class="org.springframework.security.authentication.encoding.PlaintextPasswordEncoder" />
            </property>
          </bean>
        </list>
      </property>
    </bean>
    This worked fine with M2 and authenticated my users, but now I get the exception above. Any suggestions? Has anything changed? Did I omit something that now came back to haunt me?

    Cheers

    Nik

  • #2
    I'm also interested in this answer. I'm using 3.0M4, and I configured authenticationManager in the same manner as "_authenticationManager". And I was planning to upgrade to RC1.

    But I need to think twice now. I'm eager to know its solution.

    Thanks



    • #3
      The internal bean name "_authenticationManager" has been changed (check the BeanIds class), but you shouldn't really be using these names; they are reserved for internal use and defining beans using them won't mess up your configuration.

      You should really be using the <authentication-manager> tag in preference for namespace support.



      • #4
        Thanks, Luke. I was under the impression that it was convention that the authenticationManager should be called _authenticationManager.

        So I've removed the _authenticationManager bean completely and instead added:

        Code:
        <security:authentication-manager alias="authenticationManager">
          <security:authentication-provider user-service-ref="userService">
            <security:password-encoder hash="plaintext"/>
          </security:authentication-provider>
        </security:authentication-manager>
        Is this the correct way to go about it? (the reason for plaintext passwords is the backend database, that I have no control over, uses plaintext passwords)

        Cheers

        Nik



        • #5
          Originally posted by Luke Taylor
          The internal bean name "_authenticationManager" has been changed (check the BeanIds class), but you shouldn't really be using these names; they are reserved for internal use and defining beans using them won't mess up your configuration.

          You should really be using the <authentication-manager> tag in preference for namespace support.
          OK... but we need to provide "sessionController". Below is part of a code snapshot.


          Code:
              <beans:bean id="_authenticationManager" class="org.springframework.security.authentication.ProviderManager">
                  <beans:property name="providers">
                      <beans:list>
                          <beans:ref local="daoAuthenticationProvider"/>
                      </beans:list>
                  </beans:property>
                  <beans:property name="sessionController" ref="concurrentSessionController"/>
              </beans:bean>
          
              <beans:bean id="concurrentSessionController" class="org.springframework.security.authentication.concurrent.ConcurrentSessionControllerImpl">
                  <beans:property name="maximumSessions" value="1"></beans:property>
                  <beans:property name="sessionRegistry" ref="sessionRegistry"/>
                  <!-- <beans:property name="exceptionIfMaximumExceeded" value="true"></beans:property> -->
              </beans:bean>
          So how can we change the above code to use <authentication-manager>? It does not show an attribute like "sessionController".



          • #6
            Hi Rohan,
            do you need a SessionController? To me, the userService is (as shown above) wrapped in a transaction proxy template, and it contains database session and transaction information. So my authenticationProvider doesn't need to bother about that.

            Cheers

            Nik



            • #7
              Originally posted by niklassaers
              Hi Rohan,
              do you need a SessionController? To me, the userService is (as shown above) wrapped in a transaction proxy template, and it contains database session and transaction information. So my authenticationProvider doesn't need to bother about that.

              Cheers

              Nik
              Here sessionController is for concurrent session handling, not for DB session handling.



              • #8
                Check the changelog. Concurrent session handling has been changed for 3.0

                https://jira.springsource.org/browse/SEC-1229

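
For the question in post #5, this is how the Spring Security 3.0 namespace expresses concurrent session control after the change referenced in post #8. It is an added example, not configuration posted by anyone in the thread, and it assumes the 3.0 schema and that the `daoAuthenticationProvider` bean from post #5 is defined elsewhere in the context.

```xml
<!-- Added example, not from the thread. Assumes the Spring Security 3.0
     schema and a "daoAuthenticationProvider" bean defined elsewhere. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http auto-config="true">
    <intercept-url pattern="/private/**" access="ROLE_ADMIN,ROLE_USER"/>

    <!-- Takes the place of the ProviderManager "sessionController" property
         and the ConcurrentSessionControllerImpl bean shown in post #5. -->
    <session-management>
      <!-- max-sessions="1" corresponds to maximumSessions=1.
           error-if-maximum-exceeded="false" is the default: a second login
           expires the user's oldest session instead of being rejected, which
           matches post #5, where exceptionIfMaximumExceeded is commented out.
           Set it to "true" to reject the second login instead. -->
      <concurrency-control max-sessions="1"
                           error-if-maximum-exceeded="false"/>
    </session-management>
  </http>

  <!-- The namespace element replaces the hand-named "_authenticationManager"
       bean; the provider is referenced rather than redefined. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider ref="daoAuthenticationProvider"/>
  </authentication-manager>

  <!-- web.xml must also register
       org.springframework.security.web.session.HttpSessionEventPublisher
       as a <listener>. Without it the session registry is never told that a
       session ended, and a user whose session timed out stays counted
       against max-sessions. -->
</beans:beans>
```
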


                • #9
                  Hi Luke, thanks for that. I hit the docs, page http://static.springsource.org/sprin...rrent-sessions . Two quickies there: authentcation => authentication. The other one, org.springframework.security.web.session.ConcurrentSessionControlStrategy, was harder, as it doesn't exist in the RC1 jars as far as I can see. There is a org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy, but if I substitute the missing class with this one, I get
                  Code:
                  java.lang.NoSuchMethodException: org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy.<init>()
                  The main thing, though, is that doing authentication with RC1 as described in post #4 on this thread rather than in post #1 that I did with M4, I now get what looks like race conditions in the authentication code.

                  userService implements UserDetailsService, and SecurityContextHolderFacade is a service that grabs a context (SecurityContext context = SecurityContextHolder.getContext()), grabs the username (context.getAuthentication().getName()) and uses userService to look up this user and pass it back to the controller to let the controller list only the items that are relevant to that user (return userService.lookupUser(username()))

                  From my point of view, this is purely read-only. Still the exception indicates that something was modified, and even modified while another modification was taking place. Have I done anything outrageous? Has something changed from M4 to RC1 that should do this? Is there anything about doing it the way described in #4 instead of #1 that should give me this? Is this a problem with Hibernate and not Spring?

                  Here is the stacktrace:

                  Code:
                  21-10-2009 13:23:13 org.apache.catalina.core.StandardWrapperValve invoke
                  SEVERE: Servlet.service() for servlet SampleApp threw exception
                  java.util.ConcurrentModificationException
                  at java.util.LinkedHashMap$LinkedHashIterator.nextEntry(Unknown Source)
                  at java.util.LinkedHashMap$ValueIterator.next(Unknown Source)
                  at org.hibernate.engine.StatefulPersistenceContext.afterTransactionCompletion(StatefulPersistenceContext.java:253)
                  at org.hibernate.impl.SessionImpl.afterTransactionCompletion(SessionImpl.java:450)
                  at org.hibernate.jdbc.JDBCContext.afterNontransactionalQuery(JDBCContext.java:271)
                  at org.hibernate.impl.SessionImpl.afterOperation(SessionImpl.java:444)
                  at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1604)
                  at org.hibernate.impl.CriteriaImpl.list(CriteriaImpl.java:306)
                  at tld.myservice.business.UserServiceImpl.lookupUser(UserServiceImpl.java:29)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
                  at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
                  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
                  at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
                  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
                  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
                  at $Proxy21.lookupUser(Unknown Source)
                  at tld.myservice.business.SecurityContextHolderFacade.user(SecurityContextHolderFacade.java:31)
                  at tld.myservice.business.SecurityContextHolderFacade.evaluate(SecurityContextHolderFacade.java:42)
                  at tld.myservice.view.web.controller.ItemsController.getAll(ItemsController.java:55)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.doInvokeMethod(HandlerMethodInvoker.java:654)
                  at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:160)
                  at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:378)
                  at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:366)
                  at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:781)
                  at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:726)
                  at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:636)
                  at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:545)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:344)
                  at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:110)
                  at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:98)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:95)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:110)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:55)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:36)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:92)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:106)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:110)
                  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
                  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
                  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
                  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
                  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
                  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
                  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
                  at java.lang.Thread.run(Unknown Source)
                  Cheers

                  Nik



                  • #10
                    It seems that I had a big problem in database session handling in my DAO, so I've made a write-up of my solution at StackOverflow and asked for people's opinion on the solution. I hope it doesn't give more issues :-)
