
  • SpringSecurity configuration

    I'm trying to include Spring Security in my application based on Airline. I get the following error on startup.

    Code:
    Caused by: java.lang.ClassNotFoundException: org.springframework.security.annotation.SecuredMethodDefinitionSource
    	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1645)
    	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1491)
    	at org.springframework.util.ClassUtils.forName(ClassUtils.java:211)
    	at org.springframework.beans.factory.support.AbstractBeanDefinition.resolveBeanClass(AbstractBeanDefinition.java:385)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1138)
    	... 72 more
    The missing class is found in spring-security-core-tiger-2.0.5.RELEASE.jar. The webservices distribution 1.5.9 includes spring-security-core-2.0.5.RELEASE.jar but not spring-security-core-tiger-2.0.5.RELEASE.jar.

    When I include the tiger jar I now get the following error

    Code:
    Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named '_authenticationManager' is defined
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:387)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:971)
    I guess this is a configuration problem in my application context? How is the _authenticationManager defined in Airline?

  • #2
    I'm assuming my application context configuration is wrong. I'm going back to Airline and will implement the same database based security in order to get this working.

    Note, when I run Airline, and connect to GetFrequentFlyerMileage I get the following message

    Code:
    java.lang.NoClassDefFoundError
    	at com.sun.xml.wss.ProcessingContext.setSOAPMessage(ProcessingContext.java:217)
    	at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.createProcessingContext(XWSSProcessor2_0Impl.java:151)
    	at org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:159)



    • #3
      When I switch to Java 1.5.0_11 (instead of Java 1.6.0_22) the error becomes

      Code:
      java.lang.NoClassDefFoundError: com/sun/org/apache/xml/internal/security/Init
      com.sun.xml.wss.impl.SecurableSoapMessage.<clinit>(SecurableSoapMessage.java:94)
      com.sun.xml.wss.ProcessingContext.setSOAPMessage(ProcessingContext.java:217)
      com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.createProcessingContext(XWSSProcessor2_0Impl.java:151)
      org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:159)



      • #4
        I've opened the war file, added xmlsec-2.0.jar to WEB-INF/lib, imported the war into Eclipse, and I can now invoke GetFrequentFlyerMileage from soapUI. This returns a SOAP fault

        Code:
        sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found
        I'm now going to investigate how to change the xml message soapUI has generated in order to satisfy this requirement



        • #5
          So, why does the application return this code?

          Code:
          XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found
          Code:
          <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
                            xmlns:mes="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">
             <soapenv:Header>
               <wsse:Security xmlns:wsse="schemas.xmlsoap.org/ws/2002/07/secext/">     
                 <wsse:UsernameToken>
                   <wsse:Username>scott</wsse:Username>
                   <wsse:Password Type="wsse:PasswordText">tiger</wsse:Password>
                 </wsse:UsernameToken>
               </wsse:Security>
             </soapenv:Header>
             <soapenv:Body>
                <mes:GetFrequentFlyerMileageRequest>john</mes:GetFrequentFlyerMileageRequest>
             </soapenv:Body>
          </soapenv:Envelope>



          • #6
            Painful progress here ...

            securityPolicy.xml now contains

            Code:
            <xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>
            Error now is
            Code:
            WssSoapFaultException: javax.security.auth.callback.UnsupportedCallbackException
            Input message now is

            Code:
            <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                              xmlns:mes="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">
               <soapenv:Header>
                    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                        <wsse:UsernameToken>
                            <wsse:Username>john</wsse:Username>
                            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">changeme</wsse:Password>
                        </wsse:UsernameToken>
                    </wsse:Security>   
               </soapenv:Header>
               <soapenv:Body>
                  <mes:GetFrequentFlyerMileageRequest>john</mes:GetFrequentFlyerMileageRequest>
               </soapenv:Body>
            </soapenv:Envelope>



            • #7
              ok, just for the record, if anyone else has the same learning curve, the following works

              Code:
              <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
              Code:
              <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
               <SOAP-ENV:Header>
                <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
                 <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1">
                  <wsse:Username>john</wsse:Username>
                  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">JyLURAuWM7syOnXdMKAU+bDtEfM=</wsse:Password>
                  <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">J1qEDgXlIrI3H7yuMXOLyA==</wsse:Nonce>
                  <wsu:Created>2010-12-14T14:21:46.587Z</wsu:Created>
                 </wsse:UsernameToken>
                </wsse:Security>
               </SOAP-ENV:Header>
               <SOAP-ENV:Body>
                <GetFrequentFlyerMileageRequest xmlns="http://www.springframework.org/spring-ws/samples/airline/schemas/messages"/>
               </SOAP-ENV:Body>
              </SOAP-ENV:Envelope>
              Code:
              <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
                 <SOAP-ENV:Header/>
                 <SOAP-ENV:Body>
                    <GetFrequentFlyerMileageResponse xmlns="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">0</GetFrequentFlyerMileageResponse>
                 </SOAP-ENV:Body>
              </SOAP-ENV:Envelope>
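
The checks that a `passwordDigestRequired="true" nonceRequired="true"` policy implies for the UsernameToken in post #7, as an added Python example that is not part of the original post and is not XWSS or Spring-WS code. The `users` dict, the five-minute freshness window, the function names and the error strings are assumptions; the digest formula is the one from the WSS UsernameToken Profile 1.0.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce_b64, created, password):
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, nonce_b64, created):
    # Constructed sample request in the shape of the working message in post #7
    return (f'<e:Envelope xmlns:e="{SOAP}"><e:Header><w:Security xmlns:w="{WSSE}">'
            f'<w:UsernameToken xmlns:u="{WSU}"><w:Username>{user}</w:Username>'
            f'<w:Password Type="{DIGEST}">{password_digest(nonce_b64, created, password)}</w:Password>'
            f'<w:Nonce>{nonce_b64}</w:Nonce><u:Created>{created}</u:Created>'
            f'</w:UsernameToken></w:Security></e:Header><e:Body/></e:Envelope>')

def validate(envelope, users, seen_nonces, now, max_age=timedelta(minutes=5)):
    """Return the authenticated username, or raise ValueError with the reason."""
    token = ET.fromstring(envelope).find(
        f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:  # also the result when wsse is bound to a different namespace
        raise ValueError("No Security Header found")
    user = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if pw is None or pw.get("Type") != DIGEST or not nonce or not created:
        raise ValueError("policy requires PasswordDigest with Nonce and Created")
    # Freshness: reject tokens created outside the accepted window
    ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    if abs(now - ts) > max_age:
        raise ValueError("Created timestamp outside freshness window")
    # Replay: each nonce is accepted once
    if nonce in seen_nonces:
        raise ValueError("Nonce already used")
    # The server needs the clear-text password (hypothetical `users` dict) to recompute
    expected = password_digest(nonce, created, users.get(user, ""))
    if user not in users or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        raise ValueError("Authentication failed")
    seen_nonces.add(nonce)
    return user
```

A token that binds `wsse` to anything other than the OASIS WSS 1.0 namespace is invisible to this lookup, so it is rejected with the same "No Security Header found" reason as a request with no header at all.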



              • #8
                In case anyone else needs the configuration for PasswordText instead of PasswordDigest, the following works:

                Code:
                <xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>
                Code:
                <security:authentication-provider user-service-ref="securityService"/>
                
                <bean id="securityService" class="org.springframework.ws.samples.airline.security.SpringFrequentFlyerSecurityService">
                 <constructor-arg ref="frequentFlyerDao"/>
                </bean>
                  
                <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
                 <property name="providers">
                  <bean class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
                   <property name="userDetailsService" ref="securityService"/>
                  </bean>
                 </property>
                </bean>
                
                <bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
                 <property name="secureResponse" value="false"/>
                 <property name="policyConfiguration" value="classpath:org/springframework/ws/samples/airline/security/securityPolicy.xml"/>
                 <property name="callbackHandler">
                  <bean id="springSecurityHandler" class="org.springframework.ws.soap.security.xwss.callback.SpringPlainTextPasswordValidationCallbackHandler">
                   <property name="authenticationManager" ref="authenticationManager"/>
                  </bean>        
                 </property>
                </bean>
                Last edited by sylvestris; Dec 15th, 2010, 08:31 AM.



                • #9
                  As far as I can see, the explanation for this is that

                  Code:
                  SpringDigestPasswordValidationCallbackHandler.SpringSecurityDigestPasswordValidator.validate
                  contains

                  Code:
                  SecurityContextHolder.getContext().setAuthentication(authRequest);
                  and

                  Code:
                  SimplePasswordValidationCallbackHandler.SimplePlainTextPasswordValidator.validate
                  doesn't
