Spring security 3 and Url Rewrite

  • #16
    Hi __dev18 and eggsy84. Thank you very much for your help!
    With your advice I have made it.

    But there is still a problem.
    My application context path is /ksw and is deployed to http://localhost:8080/ksw

    In my *.jsp's I have some links which look like:
    Code:
    <script type="text/javascript" src="/ksw/js/script.js"></script>
    These links are also not working. But the controllers are doing very well!
    Unfortunately http://localhost:8080/ksw/j_spring_security_check ends up in error 404

    Maybe it's because I use the following "form action" in "login.jsp"?
    Code:
    <form action="<c:url value='j_spring_security_check'/>" method="POST">
    My configuration is the following now:

    web.xml

    Code:
    ...
    <!-- Tuckey's URL Rewrite Filter -->
    <filter>
    	<filter-name>UrlRewriteFilter</filter-name>
    	<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    </filter>
    <filter-mapping>
    	<filter-name>UrlRewriteFilter</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <!-- Spring Security -->
    <filter>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<url-pattern>/*</url-pattern>
    	<dispatcher>REQUEST</dispatcher>
    	<dispatcher>FORWARD</dispatcher>
    	<dispatcher>INCLUDE</dispatcher>
    	<dispatcher>ERROR</dispatcher>	
    </filter-mapping>	
    ...
    <!-- Dispatcher Servlet -->
    <servlet>
    	<servlet-name>dispatcher</servlet-name>
    	<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    	<load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
    	<servlet-name>dispatcher</servlet-name>
    	<url-pattern>/app/*</url-pattern>
    </servlet-mapping>
    ...
    <welcome-file-list>
    	<welcome-file>redirect.jsp</welcome-file>
    </welcome-file-list>
    ...
    urlrewrite.xml

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
            "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
    <urlrewrite default-match-type="wildcard">
    	<rule>
    		<from>/**</from>
    		<to>/app/$1</to>
    	</rule>
    	<outbound-rule>
    		<from>/app/**</from>
    		<to>/$1</to>
    	</outbound-rule>
    </urlrewrite>
    PageController.java

    Code:
    @RequestMapping(value="/page/{code}", method=RequestMethod.GET)
    public ModelAndView showErrors(@ModelAttribute("user") User user, @PathVariable("code") String errorMessage)
    {
    ...
    }
    Last edited by bennyn; Sep 20th, 2010, 03:47 PM.

    Comment


    • #17
      Originally posted by bennyn View Post
      Hi __dev18 and eggsy84. Thank you very much for your help!
      With your advice I have made it.

      But there is still a problem.
      My application context path is /ksw and is deployed to http://localhost:8080/ksw

      In my *.jsp's I have some links which look like:
      Code:
      <script type="text/javascript" src="/ksw/js/script.js"></script>
      These links are also not working. But the controllers are doing very well!
      Unfortunately http://localhost:8080/ksw/j_spring_security_check ends up in error 404

      Maybe it's because I use the following "form action" in "login.jsp"?
      Code:
      <form action="<c:url value='j_spring_security_check'/>" method="POST">
      Hi, you need to add rules to the urlrewrite filter XML for the Spring Security servlets. For example, in your case you need to allow Spring Security to handle the URL j_spring_security_check.

      Code:
      	<rule>
      		<from>/j_spring_security_check**</from>
      		<to>/j_spring_security_check$1</to>
      	</rule>	
      	<rule>
      		<from>/logout**</from>
      		<to>/logout$1</to>
      	</rule>

      Comment


      • #18
        Ok, I did this but then my GlassFish v3 application server claims:
        WARNING: No mapping found for HTTP request with URI [/ksw/app/j_spring_security_check] in DispatcherServlet with name 'dispatcher'
        Here is my login.jsp:
        <form action="<c:url value='j_spring_security_check'/>" method="POST">
        ...
        </form>
        And some lines from my applicationContext-security.xml:
        <http access-denied-page="/accessDenied">
        <intercept-url pattern="/app/page" access="ROLE_USER" />
        <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <http-basic />
        <form-login login-page="/login" authentication-failure-url="/login/error" />
        <logout />
        </http>
        Maybe you can see an error in it... I'm very new to these things.

        Comment


        • #19
          Originally posted by bennyn View Post
          Ok, I did this but then my GlassFish v3 application server claims:


          Here is my login.jsp:


          And some lines from my applicationContext-security.xml:


          Maybe you can see an error in it... I'm very new to these things.
          What version of urlrewrite filter are you using now? And these rules must be before the app rule.

          In version 3.2 you need to add the following xml rules:

          Code:
          	<rule>
          		<from>/j_spring_security_check**</from>
          		<to last="true">/j_spring_security_check$1</to>
          	</rule>	
          	<rule>
          		<from>/logout**</from>
          		<to last="true">/logout$1</to>
          	</rule>
          Last edited by __dev18; Sep 21st, 2010, 05:34 AM.

          Comment


          • #20
            I use version 3.2. With your configuration the Login works now!
            I had to change the form action url in my login.jsp from:
            <form action="<c:url value='j_spring_security_check'/>" method="POST">
            To:
            <form action="<c:url value='/ksw/j_spring_security_check'/>" method="POST">
            The only things which are not working yet are the "Logout" and my JavaScripts and CSS from my JSPs.

            Before using REST I always did the logout with the following url: http://localhost:8080/ksw/j_spring_security_logout
            But this is not possible anymore. I always get the warning:
            No mapping found for HTTP request with URI [/ksw/app/j_spring_security_logout] in DispatcherServlet with name 'dispatcher'
            Things which I have linked in my JSPs with:
            <script type="text/javascript" src="/ksw/js/prototype.js"></script>
            Do also give a warning, e.g.:
            No mapping found for HTTP request with URI [/ksw/app/js/prototype.js] in DispatcherServlet with name 'dispatcher'
            My urlrewrite.xml is now:
            <?xml version="1.0" encoding="utf-8"?>
            <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
            "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
            <urlrewrite default-match-type="wildcard">
            <rule>
            <from>/**</from>
            <to>/app/$1</to>
            </rule>
            <outbound-rule>
            <from>/app/**</from>
            <to>/$1</to>
            </outbound-rule>
            <rule>
            <from>/j_spring_security_check**</from>
            <to last="true">/j_spring_security_check$1</to>
            </rule>
            <rule>
            <from>/j_spring_security_logout**</from>
            <to last="true">/j_spring_security_logout$1</to>
            </rule>
            </urlrewrite>
            P.S. If we get the things to work, then I will write an entry in my blog so that nobody else pulls his/her hair out.

            Comment


            • #21
              Originally posted by bennyn View Post
              I use version 3.2. With your configuration the Login works now!
              I had to change the form action url in my login.jsp from:


              To:


              The only things which are not working yet are the "Logout" and my JavaScripts and CSS from my JSPs.

              Before using REST I always did the logout with the following url: http://localhost:8080/ksw/j_spring_security_logout
              But this is not possible anymore. I always get the warning:


              Things which I have linked in my JSPs with:


              Do also give a warning, e.g.:


              My urlrewrite.xml is now:


              P.S. If we get the things to work, then I will write an entry in my blog so that nobody else pulls his/her hair out.
              Because you use version 3.2, you need to add the attribute last="true" to those rules for Spring Security.

              The js folder in your webcontent cannot be accessed, because you need to add a rule for that in your urlrewrite.xml, just like you need to add every other static folder (for example the css files folder) in your webcontent folder.

              This is what your urlrewrite.xml should look like:

              Code:
              <?xml version="1.0" encoding="utf-8"?>
              <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
              "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
              <urlrewrite default-match-type="wildcard">
              
              	<!-- Access to js folder in webcontent -->
              	<rule>
              	<from>/js**</from>
              	<to last="true">/js$1</to>
              	</rule>
              	<!-- End Access to js folder in webcontent -->
              	
              	<!-- Spring Security Servlets -->
              	<rule>
              	<from>/j_spring_security_check**</from>
              	<to last="true">/j_spring_security_check$1</to>
              	</rule>
              	
              	<rule>
              	<from>/j_spring_security_logout**</from>
              	<to last="true">/j_spring_security_logout$1</to>
              	</rule>
              	<!-- End Spring Security Servlets -->
              	
              	<!-- Spring Framework -->
              	<rule>
              	<from>/**</from>
              	<to>/app/$1</to>
              	</rule>
              	<outbound-rule>
              	<from>/app/**</from>
              	<to>/$1</to>
              	</outbound-rule>
              	<!-- End Spring Framework -->
              	
              </urlrewrite>

              Comment


              • #22
                You are fantastic! Logout seems to work now.

                My urlrewrite.xml is:
                <?xml version="1.0" encoding="utf-8"?>
                <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
                "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
                <urlrewrite default-match-type="wildcard">

                <!-- Static Web Content -->
                <rule>
                <from>/js**</from>
                <to last="true">/js$1</to>
                </rule>
                <rule>
                <from>/images**</from>
                <to last="true">/images$1</to>
                </rule>

                <!-- Spring Security -->
                <rule>
                <from>/j_spring_security_check**</from>
                <to last="true">/j_spring_security_check$1</to>
                </rule>
                <rule>
                <from>/j_spring_security_logout**</from>
                <to last="true">/j_spring_security_logout$1</to>
                </rule>

                <!-- Spring Web MVC -->
                <rule>
                <from>/**</from>
                <to>/app/$1</to>
                </rule>
                <outbound-rule>
                <from>/app/**</from>
                <to>/$1</to>
                </outbound-rule>
                </urlrewrite>
                To secure http://localhost:8080/ksw/page I have to write this in my applicationContext-security.xml:
                <intercept-url pattern="/app/page" access="ROLE_USER" />
                If I access http://localhost:8080/ksw/page then my login-page comes up, and if I login successfully I get a 404 error because the login-page wants to redirect me to http://localhost:8080/ksw/app/page after the login.
                If I strip off the "/app" in my intercept-url pattern then the site http://localhost:8080/ksw/page isn't secured by Spring Security (no display of login-page for anonymous users).

                This is the last thing I have to solve to get my application working with REST. Thank you very much for your help and your patience.

                Comment
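The rule-ordering behaviour worked out in posts #17 to #22, as an added example that is not code from the thread or from the UrlRewriteFilter project: a small Python model of wildcard rules applied in file order, where each match feeds the next rule unless `last="true"` stops processing. The function names and the sample paths are constructed for illustration, paths are relative to the /ksw context, and `intercept_matches` is a simplification (exact comparison only) of how an intercept-url pattern is checked against the rewritten path.

```python
import re

def wildcard_to_regex(pattern):
    """Wildcard match type: '*' stops at '/', '**' also crosses '/'."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append("(.*)")
            i += 2
        elif pattern[i] == "*":
            parts.append("([^/]*)")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def rewrite(rules, path):
    """Run (from, to, last) rules in file order; each match feeds the next rule."""
    for frm, to, last in rules:
        m = wildcard_to_regex(frm).match(path)
        if m is None:
            continue
        path = re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), to)
        if last:
            break  # <to last="true">: no further rules are processed
    return path

def passthrough(prefix, last):
    """Rule that maps a prefix onto itself, as in the thread's js/security rules."""
    return (prefix + "**", prefix + "$1", last)

CATCH_ALL = ("/**", "/app/$1", False)

# Post #17: pass-through rule without last, followed by the catch-all.
NO_LAST = [passthrough("/j_spring_security_check", False), CATCH_ALL]
# Post #20: catch-all listed first, pass-through rules after it.
CATCH_ALL_FIRST = [CATCH_ALL,
                   passthrough("/j_spring_security_check", True),
                   passthrough("/j_spring_security_logout", True)]
# Post #21: pass-through rules with last="true" first, catch-all at the end.
FIXED = [passthrough("/js", True),
         passthrough("/j_spring_security_check", True),
         passthrough("/j_spring_security_logout", True),
         CATCH_ALL]

def intercept_matches(pattern, rules, external_path):
    """Simplified check: the security filter runs on the forwarded request,
    so the pattern is compared with the rewritten path, not the external one."""
    return pattern == rewrite(rules, external_path)

if __name__ == "__main__":
    cases = [("no last", NO_LAST, "/j_spring_security_check"),
             ("catch-all first", CATCH_ALL_FIRST, "/j_spring_security_logout"),
             ("catch-all first", CATCH_ALL_FIRST, "/js/prototype.js"),
             ("fixed", FIXED, "/j_spring_security_logout"),
             ("fixed", FIXED, "/js/prototype.js"),
             ("fixed", FIXED, "/page")]
    for name, rules, path in cases:
        print(f"{name:16} {path:28} -> {rewrite(rules, path)}")
```

The rewritten paths for the first three cases are the ones that appear in the "No mapping found" warnings quoted in posts #18 and #20, and the last case shows why only the `/app/page` intercept-url pattern protected the page in post #22.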


                • #23
                  Today I played a bit around with securing my webpages. If I want to access http://localhost:8080/ksw/page then Spring Security blocks me and wants me to login (yeah!). After a successful login, Spring Security redirects me to http://localhost:8080/ksw/app/page with status code 200, so the page is ok and can be seen. :-) The only problem I have with it is that the URL is http://localhost:8080/ksw/app/page and not http://localhost:8080/ksw/page.

                  My controller:
                  Code:
                  @RequestMapping("/page")
                  { ... }
                  My applicationContext-security.xml:
                  Code:
                  <intercept-url pattern="/app/page" access="ROLE_USER" />
                  My urlrewrite.xml is:

                  Code:
                  <?xml version="1.0" encoding="utf-8"?>
                  <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
                  "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
                  <urlrewrite default-match-type="wildcard">
                  
                  	<!-- Static Web Content -->
                  	<rule>
                  		<from>/js**</from>
                  		<to last="true">/js$1</to>
                  	</rule>
                  	<rule>
                  		<from>/images**</from>
                  		<to last="true">/images$1</to>
                  	</rule>
                  
                  	<!-- Spring Security -->
                  	<rule>
                  		<from>/j_spring_security_check**</from>
                  		<to last="true">/j_spring_security_check$1</to>
                  	</rule>
                  	<rule>
                  		<from>/j_spring_security_logout**</from>
                  		<to last="true">/j_spring_security_logout$1</to>
                  	</rule>
                  	
                  	<!-- Secured Web Pages -->
                  	<rule>
                  		<from>/app/page**</from>
                  		<to>/page$1</to>
                  	</rule>
                  
                  	<!-- Spring Web MVC -->
                  	<rule>
                  		<from>/**</from>
                  		<to>/app/$1</to>
                  	</rule>
                  	<outbound-rule>
                  		<from>/app/**</from>
                  		<to>/$1</to>
                  	</outbound-rule>
                  </urlrewrite>
                  Do I need an extra outbound-rule for "/app/page"? I tried different constellations but nothing has helped.

                  Comment


                  • #24
                    Originally posted by bennyn View Post
                    Today I played a bit around with securing my webpages. If I want to access http://localhost:8080/ksw/page then Spring Security blocks me and wants me to login (yeah!). After a successful login, Spring Security redirects me to http://localhost:8080/ksw/app/page with status code 200, so the page is ok and can be seen. :-) The only problem I have with it is that the URL is http://localhost:8080/ksw/app/page and not http://localhost:8080/ksw/page.

                    My controller:
                    Code:
                    @RequestMapping("/page")
                    { ... }
                    My applicationContext-security.xml:
                    Code:
                    <intercept-url pattern="/app/page" access="ROLE_USER" />
                    My urlrewrite.xml is:

                    Code:
                    <?xml version="1.0" encoding="utf-8"?>
                    <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
                    "http://tuckey.org/res/dtds/urlrewrite3.2.dtd">
                    <urlrewrite default-match-type="wildcard">
                    
                    	<!-- Static Web Content -->
                    	<rule>
                    		<from>/js**</from>
                    		<to last="true">/js$1</to>
                    	</rule>
                    	<rule>
                    		<from>/images**</from>
                    		<to last="true">/images$1</to>
                    	</rule>
                    
                    	<!-- Spring Security -->
                    	<rule>
                    		<from>/j_spring_security_check**</from>
                    		<to last="true">/j_spring_security_check$1</to>
                    	</rule>
                    	<rule>
                    		<from>/j_spring_security_logout**</from>
                    		<to last="true">/j_spring_security_logout$1</to>
                    	</rule>
                    	
                    	<!-- Secured Web Pages -->
                    	<rule>
                    		<from>/app/page**</from>
                    		<to>/page$1</to>
                    	</rule>
                    
                    	<!-- Spring Web MVC -->
                    	<rule>
                    		<from>/**</from>
                    		<to>/app/$1</to>
                    	</rule>
                    	<outbound-rule>
                    		<from>/app/**</from>
                    		<to>/$1</to>
                    	</outbound-rule>
                    </urlrewrite>
                    Do I need an extra outbound-rule for "/app/page"? I tried different constellations but nothing has helped.
                    What is your default-target-url in applicationContext-security.xml?

                    Comment


                    • #25
                      I have not set any default-target url. I had it before but then Spring Security redirected me to the default-target url every time I logged in. But I want the user to stay on the page where the login was needed.

                      My <http> configuration is just:
                      <http>
                      <intercept-url pattern="/app/page" access="ROLE_USER" />
                      <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                      <http-basic />
                      <form-login login-page="/login" authentication-failure-url="/login/error" />
                      <logout />
                      </http>

                      Comment


                      • #26
                        Method Level Security

                        Hi,

                        The URL authentication done by Spring Security is very impressive and good to implement. Now I am implementing the ACLs for method level security.

                        I want to know whether we can do the method level security without touching the screen or code, just using some implemented classes as we are doing in the case of the URL. If it is possible please tell me.

                        I saw the contacts example given by Spring Security for ACL implementations, and in it we have to use the tags in the JSP page and also make some changes in the controller. I have a project with 1500 screens which I can't change for authorization.

                        So kindly suggest what the best way to do this is.

                        Thanks

                        Comment
