
  • Problems with the applicationContext-security.xml

    Hello!
    I have a problem with the applicationContext-security.xml!

    I attached seven users with different roles in this file.

    These roles have different access rights for many different urls which I have protected in the intercept-url tags. (About 30)

    My problem is, if I open a link, I have to log in! But if I want to protect this link with the sec:authorize tag, I see it! Although I protected it! What can I do to hide this link?

  • #2
    Hi

    Could you post your app. context and the jsp?

    Did you include the taglib in your jsp?
    Code:
    <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
    Regards



    • #3
      the applicationContext-security.xml:
      Code:
      <?xml version="1.0" encoding="UTF-8"?>
      <beans:beans xmlns="http://www.springframework.org/schema/security"
          xmlns:beans="http://www.springframework.org/schema/beans"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
      
          <global-method-security pre-post-annotations="enabled">
          </global-method-security>
      
          <http use-expressions="true">
              <intercept-url pattern="/functions/SEARCH_SENSITIVE_ASSET.jsp" access="hasRole('Bank_ADMIN') or hasRole('Bank_EMPLOYEE') or hasRole('Bank_EMPLOYEELIGHT') or hasRole('Bank_EXTERNALCLIENT') or hasRole('Bank_PUBLIC') or hasRole('Bank_SUBADMIN') or hasRole('Bank_VIP')" />
              <intercept-url pattern="/functions/SEE_LYRICS.jsp" access="hasRole('Bank_ADMIN') or hasRole('Bank_EMPLOYEE') or hasRole('Bank_EMPLOYEELIGHT') or hasRole('Bank_EXTERNALCLIENT') or hasRole('Bank_SUBADMIN') or hasRole('Bank_VIP')" />
              <intercept-url pattern="/functions/SEE_SUGGEST_KEYWORDS.jsp" access="hasRole('Bank_ADMIN') or hasRole('Bank_EMPLOYEE') or hasRole('Bank_EMPLOYEELIGHT') or hasRole('Bank_EXTERNALCLIENT') or hasRole('Bank_SUBADMIN') or hasRole('Bank_VIP')" />
              <intercept-url pattern="/functions/SET_PERCENTAGE_PARAMETER.jsp" access="hasRole('Bank_ADMIN') or hasRole('Bank_EMPLOYEE') or hasRole('Bank_EMPLOYEELIGHT') or hasRole('Bank_EXTERNALCLIENT') or hasRole('Bank_SUBADMIN') or hasRole('Bank_VIP')" />
              <intercept-url pattern="/functions/SET_PREFERENCES.jsp" access="hasRole('Bank_ADMIN') or hasRole('Bank_EMPLOYEE') or hasRole('Bank_EMPLOYEELIGHT') or hasRole('Bank_EXTERNALCLIENT') or hasRole('Bank_SUBADMIN') or hasRole('Bank_VIP')" />
              <intercept-url pattern="/functions/SHOW_PLAYLIST_OVERVIEW.jsp" access="hasRole('Bank_ADMIN') or hasRole('Bank_EMPLOYEE') or hasRole('Bank_EMPLOYEELIGHT') or hasRole('Bank_EXTERNALCLIENT') or hasRole('Bank_SUBADMIN') or hasRole('Bank_VIP')" />
              <intercept-url pattern="/functions/STREAM_FULL.jsp" access="hasRole('Bank_ADMIN') or hasRole('Bank_EMPLOYEE') or hasRole('Bank_EMPLOYEELIGHT') or hasRole('Bank_EXTERNALCLIENT') or hasRole('Bank_SUBADMIN') or hasRole('Bank_VIP')" />
              <intercept-url pattern="/functions/SEND_INVITATION.jsp" access="hasRole('Bank_ADMIN') or hasRole('Bank_EMPLOYEE') or hasRole('Bank_SUBADMIN')" />
              <intercept-url pattern="/functions/ADD_ASSET.jsp" access="hasRole('Bank_ADMIN') or hasRole('Bank_SUBADMIN')" />
              <intercept-url pattern="/functions/DELETE_ASSET.jsp" access="hasRole('Bank_ADMIN')" />
              
              <!-- ... much more jsp Pages -->
              <intercept-url pattern="/functions/**" access="isAuthenticated()" />
              <intercept-url pattern="/versuch.jsp" access="hasRole('Bank_EMPLOYEE')" />
              
              <intercept-url pattern="/protectedPage/extremeprotectedPage/**" access="hasRole('Bank_ADMIN')" />
              <intercept-url pattern="/protectedPage/**" access="isAuthenticated()" />
              <intercept-url pattern="/testCheck.jsp" access="isAuthenticated()" />
              <intercept-url pattern="/**" access="permitAll" />
      
              <form-login login-page="/login_logout/login.jsp" authentication-failure-url="/login_logout/loginError.jsp" />
      
              <logout logout-success-url="/login_logout/logout.jsp" />
              <remember-me />
      
          </http>
      
          <authentication-manager>
              <authentication-provider>
                  <password-encoder hash="md5"/>
                  <user-service>
                      <user name="Bank_RLOE" password="098f6bcd4621d373cade4e832627b4f6" authorities="Bank_ADMIN, Bank_EMPLOYEE, Bank_EMPLOYEELIGHT, Bank_EXTERNALCLIENT, Bank_PUBLIC, Bank_VIP" />
                      <user name="TESTADMIN" password="9283a03246ef2dacdc21a9b137817ec1" authorities="Bank_ADMIN" />
                      <user name="TESTEMPLOYEE" password="93db5b52cc7f06164c7181d14abb6dce" authorities="Bank_EMPLOYEE" />
                      <user name="TESTEMPLOYEELIGHT" password="de7087e1329345b84d0700048a58d916" authorities="Bank_EMPLOYEELIGHT" />
                      <user name="TESTEXTERNALCLIENT" password="9ef5f145247792614d056f3421119f65" authorities="Bank_EXTERNALCLIENT" />
                      <user name="TESTPUBLIC" password="1fa4e666dd6d9f6e3a81b209ab9977fa" authorities="Bank_PUBLIC" />
                      <user name="TESTSUBADMIN" password="f0569f9d43e1106898624e3a27169b0a" authorities="Bank_SUBADMIN" />
                      <user name="TESTVIP" password="63bbd155aef816d02a70322ee3edae27" authorities="Bank_VIP" />
                  </user-service>
              </authentication-provider>
          </authentication-manager>
      
      </beans:beans>
      the jsp-File:
      Code:
      <%@ page import="java.io.*" %>
      <%@ page import="javax.servlet.*"%>
      <%@ page import="java.util.*" %>
      <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
      
      
      <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
          pageEncoding="ISO-8859-1"%>
      <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
      <title>Test Check</title>
      </head>
      <body>
          <h1>Test Check</h1><p><a href="j_spring_security_logout">Logout</a></p><br />
        
        <%
            	String line = "";
        String filename = request.getSession().getServletContext().getRealPath("/");
            	try {
            		BufferedReader r = new BufferedReader(new FileReader(filename+"roles.txt"));
            		while ((line = r.readLine()) != null) {
            %>
      	   <sec:authorize url="/Bank/functions/<%=line%>.jsp">
              <p><a href="/Bank/functions/<%=line%>.jsp"><%=line%></a></p><br />
          </sec:authorize>
         <%
         	}
         		r.close();
         	} catch (IOException e) {
         		e.printStackTrace();
         	}
         %>
      
      </body>
      </html>



      • #4
        Hi

        It seems you have the right configuration.

        I just could say to test if the problem is in the way you create your urls in the jsp.

        Try :
        Code:
        <sec:authorize url="/protectedPage/extremeprotectedPage/**"> 
        say something
        </sec:authorize>
        sorry



        • #5
          I don't think I will be able to help you right now. I'm trying to figure out Spring Security myself at the moment.

          I'm just wondering what Spring Security jar-files you have included.


          I'm using your applicationContext-security.xml, but I keep getting this error
          Code:
          Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/security]
          If I can figure this out I will get back to you!!



          • #6
            I included the Spring jar Files from the spring-security-sample-tutorial

            But I think I found out my problem! If I put the different jsp files which I want to protect into different folders, then it works! I can make it invisible for unauthorized users! But if I put them into only one folder, it doesn't work! I just can protect them, but I can't make it invisible for unauthorized users!



            • #7
              Ok. I will try that!

              I have downloaded this release: spring-security-3.0.3.RELEASE.

              I might have to download another version. What is the name of the version you have used?

              Did you include all the files in the dist folder in your project?



              • #8
                I use the same version!

                No, I included the jar files from the spring-security-samples-contacts-3.0.3.RELEASE.war example!



                • #9
                  I'm getting the error below:

                  You didn't get an error like that?

                  Code:
                  SEVERE: WebModule[/FoodBase]PWC1275: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
                  org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/applicationSecurity.xml]; nested exception is java.lang.NoSuchMethodError: org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.getLocalName(Lorg/w3c/dom/Node;)Ljava/lang/String;
                          at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:385)
                          at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:313)
                          at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:290)
                          at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:142)
                          at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:158)
                          at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:124)
                          at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:92)
                          at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:97)
                          at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:411)
                          at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:338)
                          at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:251)
                          at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:190)
                          at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45)
                          at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4623)
                          at org.apache.catalina.core.StandardContext.start(StandardContext.java:5323)
                          at com.sun.enterprise.web.WebModule.start(WebModule.java:456)
                          at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:922)
                          at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:906)
                          at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
                          at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:2205)
                          at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1890)
                          at com.sun.enterprise.web.WebApplication.start(WebApplication.java:85)
                          at com.sun.enterprise.v3.server.ApplicationLifecycle.start(ApplicationLifecycle.java:560)
                          at com.sun.enterprise.v3.server.ApplicationLifecycle.start(ApplicationLifecycle.java:547)
                          at com.sun.enterprise.v3.server.ApplicationLifecycle.deploy(ApplicationLifecycle.java:189)
                          at com.sun.enterprise.v3.server.ApplicationLoaderService.processApplication(ApplicationLoaderService.java:260)
                          at com.sun.enterprise.v3.server.ApplicationLoaderService.postConstruct(ApplicationLoaderService.java:97)
                          at com.sun.enterprise.v3.server.ApplicationLoaderInjector.postConstruct(ApplicationLoaderInjector.java:61)
                          at com.sun.hk2.component.AbstractWombImpl.inject(AbstractWombImpl.java:150)
                          at com.sun.hk2.component.ConstructorWomb$1.run(ConstructorWomb.java:90)
                          at java.security.AccessController.doPrivileged(Native Method)
                          at com.sun.hk2.component.ConstructorWomb.initialize(ConstructorWomb.java:87)
                          at com.sun.hk2.component.AbstractWombImpl.get(AbstractWombImpl.java:75)
                          at com.sun.hk2.component.SingletonInhabitant.get(SingletonInhabitant.java:58)
                          at com.sun.hk2.component.LazyInhabitant.get(LazyInhabitant.java:107)
                          at com.sun.hk2.component.AbstractInhabitantImpl.get(AbstractInhabitantImpl.java:60)
                          at com.sun.enterprise.v3.server.AppServerStartup.run(AppServerStartup.java:203)
                          at com.sun.enterprise.v3.server.AppServerStartup$1.run(AppServerStartup.java:116)
                  Caused by: java.lang.NoSuchMethodError: org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.getLocalName(Lorg/w3c/dom/Node;)Ljava/lang/String;



                  • #10
                    No, I don't get one of these errors!



                    • #11
                      Really, two separate issues here - vator, you may want to create your own thread?

                      @vator, it looks like you are mixing Spr Sec 3 and Spring 2 - this won't work - Spr Sec and Spring versions must match, e.g. Spr Sec 3 + Spring 3, or Spr Sec 2 + Spring 2.

                      @ProgX, it's hard for me to figure out what exact problem you're having. The "url" attribute on the tag you're using needs to match a valid path in your intercept-url list, so for example "/Bank/functions/....php" doesn't match a path, presumably because you've deployed the web application under a URI stem called "Bank". If you change this "url" attribute to exclude the name of the web application, e.g. "/functions/....php", you should find that it works fine.

                      You may wish to use the "url" tag from the JSTL core library to handle the hrefs in your application, this is typically done so that you don't hard-code the name of the web application in your JSPs.

                      Hope that helps!

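Added example, not part of any post in this thread: a simplified Python model of first-match intercept-url evaluation, showing why a `url` value that includes the `/Bank` context path only reaches the final `/**` `permitAll` rule, so every link is rendered. The rule list is a constructed subset of the configuration in post #3; the matcher is a stand-in written for this example, not Spring Security's own, and the function names are hypothetical.

```python
import re

# Constructed subset of the intercept-url rules from post #3, in file order.
RULES = [
    ("/functions/DELETE_ASSET.jsp", {"Bank_ADMIN"}),
    ("/functions/ADD_ASSET.jsp", {"Bank_ADMIN", "Bank_SUBADMIN"}),
    ("/functions/**", "isAuthenticated"),
    ("/**", "permitAll"),
]

def ant_to_regex(pattern):
    """Simplified Ant-style pattern: ** spans path segments, * stays in one."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def first_match(path):
    """Return the first rule whose pattern matches; later rules are never consulted."""
    for pattern, access in RULES:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    raise LookupError(path)  # unreachable here: "/**" matches every path

def is_allowed(path, authorities):
    """authorities is a set of role names, or None for an anonymous visitor."""
    _, access = first_match(path)
    if access == "permitAll":
        return True
    if access == "isAuthenticated":
        return authorities is not None
    return authorities is not None and bool(access & authorities)

def visible_links(names, authorities, prefix):
    """Names whose link would be rendered when the tag's url is built with prefix."""
    return [n for n in names
            if is_allowed(f"{prefix}/functions/{n}.jsp", authorities)]

if __name__ == "__main__":
    pages = ["DELETE_ASSET", "ADD_ASSET", "STREAM_FULL"]
    print(visible_links(pages, {"Bank_EMPLOYEE"}, "/Bank"))  # context path included
    print(visible_links(pages, {"Bank_EMPLOYEE"}, ""))       # context-relative
```

The same ordering effect applies to the configuration itself: a specific pattern placed after a broader one that already matches is never evaluated.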


                      • #12
                        I found my problems!
                        Thank you for your help!

                        The uri was the problem!



                        • #13
                          Thanks!

                          I'm using Spring Framework 2.5 and I've installed Spring Security 2.0.5.

                          That should work, right?



                          • #14
                            Hope it helps somebody:

                            I've had a similar problem and the cause was some spring 2.5.x jar that was added to my Spring 3 project by mistake (Maven transitive dependencies).
