Secure web path & REST services with different method (n00b question)
This topic is closed

  • #16
    basic + form

    Hi,

    I'm French, sorry for my English, but I think you will be able to understand my problem, which is almost the same as snowcrash's.
    I'm also new to spring so forgive my ignorance.

    After reading the Spring Security documentation,
    I tried to separate the web services (RESTful) from everything else (HTML/Flex) in my application context like this:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:flex="http://www.springframework.org/schema/flex"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:p="http://www.springframework.org/schema/p"
           xsi:schemaLocation="http://www.springframework.org/schema/beans 
                                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                http://www.springframework.org/schema/flex
                                http://www.springframework.org/schema/flex/spring-flex-1.0.xsd
    			    http://www.springframework.org/schema/security
    			    http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
           <!-- MySQL data source behind the Spring Security user and authority lookups.
                Host and credentials come from the jdbc.url, jdbc.user and jdbc.pass placeholders,
                so no secret is written in this file. The properties source that resolves them is
                not shown here; it should be readable only by the application account.
                DriverManagerDataSource is not a connection pool.
                NOTE(review): the JDBC URL carries no TLS option, so the lookups presumably travel
                unencrypted unless the database link is otherwise protected. Confirm. -->
           <bean id="dataSourceUsers"
                 class="org.springframework.jdbc.datasource.DriverManagerDataSource">
               <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
               <property name="url" value="jdbc:mysql://${jdbc.url}/Users"/>
               <property name="username" value="${jdbc.user}"/>
               <property name="password" value="${jdbc.pass}"/>
           </bean>
     
    
    
      	<!-- Authentication provider: users and their authorities are looked up over JDBC through
      	     the dataSourceUsers bean. Both queries bind the login through a single ? parameter;
      	     nothing is concatenated into the SQL text.
      	     NOTE(review): no security:password-encoder child is declared, so the submitted password
      	     is presumably compared with the userpassword column exactly as stored, i.e. the table
      	     would hold plaintext passwords. Confirm, and prefer salted hashes with a matching
      	     encoder declared here. -->
      	<security:authentication-manager alias="authenticationManager">
    	  	<security:authentication-provider>
    	       <security:jdbc-user-service data-source-ref="dataSourceUsers" 
    	                              users-by-username-query="SELECT userlogin as username, userpassword as password, userenable as enable FROM users WHERE userlogin =?"
    	                              authorities-by-username-query=" 
    	                              select  u.userlogin as username ,d.droitsnom as role FROM users u,roles r, droits d,matchUsersRoles mt
    				                  WHERE u.iduser = mt.iduser
    				                  and u.userlogin =?
    				                  and mt.idrole = r.idrole
    	                              and d.iddroit = r.iddroit"/>           	
    	       </security:authentication-provider>
    	</security:authentication-manager>
    
    		
    	<!-- Hand-built filter chain proxy. Patterns are Ant-style and are tried in the order
    	     written; the first pattern that matches a request decides which filters run.
    	     NOTE(review): the login form URL configured on formAuthenticationEntryPoint (/login)
    	     has no entry of its own, so it falls into the /** chain, where the /** rule demands
    	     ROLE_USER. An unauthenticated visitor is then redirected to /login again and again,
    	     which is likely the redirect error reported below. -->
    	<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    	  <security:filter-chain-map path-type="ant">
    	  
    	     <!-- filters="none": these static resources bypass every security filter. -->
    	     <security:filter-chain pattern="/**/swfobject.js" filters="none"/>
    		 <security:filter-chain pattern="/**/*.css" filters="none"/>
    		 
    	     <!-- REST paths: context persistence without session creation, HTTP Basic, then authorisation. -->
    	     <security:filter-chain pattern="/webServices/**" filters="
    	           securityContextPersistenceFilterWithASCFalse,
    	           basicAuthenticationFilter,
    	           basicExceptionTranslationFilter,
    	           filterSecurityInterceptor" />
     		<!-- Everything else: session-backed context, form login, then authorisation. -->
     		<security:filter-chain pattern="/**" filters="
    	           securityContextPersistenceFilterWithASCTrue,
    	           formLoginFilter,
    	           formExceptionTranslationFilter,
    	           filterSecurityInterceptor" />  
    	  </security:filter-chain-map>
    	</bean>
    
    	<!-- Browser section (HTML / Flex pages): beans used by the form-login chain. -->
    	<!-- Context persistence for the browser chain: the security context is kept in the HTTP
    	     session, and the repository is allowed to create that session when none exists. -->
    	<bean id="securityContextPersistenceFilterWithASCTrue"
    	      class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    	    <property name="securityContextRepository">
    	        <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"
    	              p:allowSessionCreation="true"/>
    	    </property>
    	</bean>
    	
    	<!-- Form-login processing filter; UsernamePasswordAuthenticationFilter extends
    	     org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.
    	     It handles submissions to /j_spring_security_check and, on success, sends the
    	     browser to /main_app.html. -->
    	<bean id="formLoginFilter"
    	      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
    	      p:filterProcessesUrl="/j_spring_security_check"
    	      p:authenticationManager-ref="authenticationManager">
    	    <property name="authenticationSuccessHandler">
    	        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
    	              p:defaultTargetUrl="/main_app.html"/>
    	    </property>
    	</bean>
    
    	<!-- Entry point of the browser chain: unauthenticated requests are redirected to the
    	     login form at /login. That URL has to be reachable without authentication, otherwise
    	     the redirect target is itself protected and the browser loops.
    	     forceHttps=false leaves the form on whatever scheme the request used, so the
    	     credentials are posted in clear over plain HTTP unless TLS is enforced elsewhere. -->
    	<bean id="formAuthenticationEntryPoint"
    	      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
    	      p:loginFormUrl="/login"
    	      p:forceHttps="false"/>
    
    	<!-- Exception translation for the browser chain: authentication failures go to the
    	     login-form entry point, access-denied failures to formAccessDeniedHandler. -->
    	<bean id="formExceptionTranslationFilter"
    	      class="org.springframework.security.web.access.ExceptionTranslationFilter"
    	      p:authenticationEntryPoint-ref="formAuthenticationEntryPoint"
    	      p:accessDeniedHandler-ref="formAccessDeniedHandler"/>
    	
    	<!-- Access-denied handler of the browser chain; errorPage is set to /accessDenied.htm. -->
    	<bean id="formAccessDeniedHandler"
    	      class="org.springframework.security.web.access.AccessDeniedHandlerImpl"
    	      p:errorPage="/accessDenied.htm"/>
    	
    	<!-- Web-service section: beans used by the HTTP Basic chain. -->
    	<!-- Context persistence for the web-service chain; the repository must not create a session.
    	     NOTE(review): allowSessionCreation=false only stops the repository from creating a
    	     session. A context already stored in an existing session (for example one established
    	     through the form-login chain) is presumably still loaded for these requests. Confirm
    	     whether cookie-authenticated calls to the REST paths are intended. -->
    	<bean id="securityContextPersistenceFilterWithASCFalse"
    	      class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    	    <property name="securityContextRepository">
    	        <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"
    	              p:allowSessionCreation="false"/>
    	    </property>
    	</bean>
    
    	<!-- HTTP Basic authentication for the web-service chain. Basic credentials are only
    	     base64-encoded in the Authorization header, so these paths need TLS; nothing in
    	     this file enforces it. -->
    	<bean id="basicAuthenticationFilter"
    	      class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter"
    	      p:authenticationManager-ref="authenticationManager"
    	      p:authenticationEntryPoint-ref="basicAuthenticationEntryPoint"/>
    	
    	<!-- Exception translation for the web-service chain: authentication failures go to the
    	     Basic entry point, access-denied failures to basicAccessDeniedHandler. -->
    	<bean id="basicExceptionTranslationFilter"
    	      class="org.springframework.security.web.access.ExceptionTranslationFilter">
    	    <property name="authenticationEntryPoint">
    	        <ref bean="basicAuthenticationEntryPoint"/>
    	    </property>
    	    <property name="accessDeniedHandler">
    	        <ref bean="basicAccessDeniedHandler"/>
    	    </property>
    	</bean>
    	
    	<!-- Entry point of the web-service chain: challenges the client for HTTP Basic
    	     credentials. The realm name below is still the sample text and is shown to the
    	     user in the browser's credential prompt. -->
    	<bean id="basicAuthenticationEntryPoint"
    	      class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    	    <property name="realmName">
    	        <value>Name Of Your Realm</value>
    	    </property>
    	</bean>
    	
    	<!-- Access-denied handler of the web-service chain. No errorPage is configured, so a
    	     denied request gets an error status rather than a forward to a page. -->
    	<bean id="basicAccessDeniedHandler"
    	      class="org.springframework.security.web.access.AccessDeniedHandlerImpl"/>
    
    
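    <!-- Shared by both filter chains: the authorisation step that runs last in each chain. -->
    <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source>
                <!-- Rules are checked in the order written and the first match wins, so the
                     most specific rule goes first. /webServices/** now precedes the extension
                     rules: when it came after them, any .swf or .html URL under /webServices/
                     was matched by those rules and needed only ROLE_USER instead of ROLE_ADMIN. -->
                <security:intercept-url pattern="/webServices/**" access="ROLE_ADMIN"/>
                <security:intercept-url pattern="/**/*.swf" access="ROLE_USER"/>
                <security:intercept-url pattern="/**/*.html" access="ROLE_USER"/>
                <!-- NOTE(review): neither filter chain in this file lists an anonymous
                     authentication filter, so ROLE_ANONYMOUS is presumably never granted, and
                     .swf / .html files under /flex/ are caught by the two rules above first.
                     Confirm what this rule is meant to open up. -->
                <security:intercept-url pattern='/flex/**' access='ROLE_ANONYMOUS, ROLE_USER' />
                <!-- Catch-all: everything not matched above requires ROLE_USER. -->
                <security:intercept-url pattern="/**" access="ROLE_USER"/>
            </security:filter-security-metadata-source>
        </property>
    </bean>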
    	
    	<!-- Access decision manager referenced by filterSecurityInterceptor: UnanimousBased with
    	     a single RoleVoter; access is refused when every voter abstains.
    	     NOTE(review): UnanimousBased evaluates each configured attribute on its own, so a
    	     rule that lists two roles (the /flex/** rule lists ROLE_ANONYMOUS and ROLE_USER)
    	     presumably requires the caller to hold both. AffirmativeBased is the usual choice
    	     when any one of the listed roles should be enough. Confirm. -->
    	<bean id="accessDecisionManager"
    	      class="org.springframework.security.access.vote.UnanimousBased"
    	      p:allowIfAllAbstainDecisions="false">
    	    <property name="decisionVoters">
    	        <list>
    	            <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>
    	        </list>
    	    </property>
    	</bean>
    When I run my webapp with GlassFish, Firefox tells me "The page is not correctly redirected" (actually in French, but I tried to translate).
    There is nothing in particular in the GlassFish log.
    Did I make a mistake that I am not able to see?
    Please help me



    • #17
      You are probably running foul of the issue in this FAQ.

      Make sure you always check the debug log on the server - whatever the client (Firefox) says will never be as useful.



      • #18
        login configuration

        OK, it seems to work fine now.
        I had made some mistakes in the syntax used to reach the login page.

        Here is the corrected part of my application context:

        Code:
        ....
        <!-- Corrected filter chain proxy. Patterns are Ant-style and are tried in the order
             written; the first pattern that matches a request decides which filters run. -->
        <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        	  <security:filter-chain-map path-type="ant">
        	  
        	     <!-- filters="none": these resources bypass every security filter. -->
        	     <security:filter-chain pattern="/**/swfobject.js" filters="none"/>
        		 <security:filter-chain pattern="/**/*.css" filters="none"/>
        		  <!-- The login page is now excluded as well, so an unauthenticated visitor can
        		       load it instead of being redirected to it in a loop. A page excluded this
        		       way has no security context available while it renders. -->
        		  <security:filter-chain pattern="/login.jsp" filters="none"/>
        		 
        	     <!-- NOTE(review): this pattern reads /webService/** while the configuration posted
        	          earlier used /webServices/** for both the chain and the ROLE_ADMIN rule. If the
        	          real path is /webServices/**, such requests no longer match here and fall
        	          through to the form-login chain below. Confirm the spelling. -->
        	     <security:filter-chain pattern="/webService/**" filters="
        	           securityContextPersistenceFilterWithASCFalse,
        	           basicAuthenticationFilter,
        	           basicExceptionTranslationFilter,
        	           filterSecurityInterceptor" />
         		<security:filter-chain pattern="/**" filters="
        	           securityContextPersistenceFilterWithASCTrue,
        	           formLoginFilter,
        	           formExceptionTranslationFilter,
        	           filterSecurityInterceptor" />  
        	  </security:filter-chain-map>
        	</bean>
        ....
        	<!-- Entry point of the browser chain, now redirecting to /login.jsp, the page that the
        	     filter chain above excludes from all security filters.
        	     forceHttps=false leaves the form on whatever scheme the request used, so the
        	     credentials are posted in clear over plain HTTP unless TLS is enforced elsewhere. -->
        	<bean id="formAuthenticationEntryPoint"
        	      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        	    <property name="forceHttps">
        	        <value>false</value>
        	    </property>
        	    <property name="loginFormUrl">
        	        <value>/login.jsp</value>
        	    </property>
        	</bean>
        ....
        Luke
        I agree with you about Firefox, but I'm not sure I understand the difference between the log and the debug log (running in debug mode?).
        As I said, there is nothing in the GlassFish log, but I will check the docs about that.

        Thanks for help



        • #19
          BasicAuthenticationFilter in 2.0.4

          I'm trying to do something similar to what Malakan and Snowcrash did. However I'm using 2.0.4 and can't find anything like the BasicAuthenticationFilter.

          Is there a corresponding class in 2.0.4?



          • #20
            i just want to exclude some paths from authentication , is it possible to just have:


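            <!-- Declaring springSecurityFilterChain by hand means only the chains listed here
                 exist. With nothing but filters="none" entries, no request passes through any
                 security filter, so nothing is authenticated or authorised.
                 NOTE(review): if the rest of the application is configured through the security
                 namespace (security:http), the exclusions presumably belong there, as
                 intercept-url entries with filters="none", rather than in a second hand-written
                 proxy bean. Confirm against the reference for the version in use.
                 The class name is written without the stray space the forum inserted. -->
            <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
                <security:filter-chain-map path-type="ant">
                    <security:filter-chain pattern="/static/**" filters="none" />
                    <security:filter-chain pattern="/**/*.css" filters="none"/>
                </security:filter-chain-map>
            </bean>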

            without all the other explicit bean definitions?
            (because that doesn't seem to work for me...)
            Last edited by chrismarx; Aug 19th, 2010, 03:24 PM.

