Announcement Announcement Module
No announcement yet.
spring security issue Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • spring security issue

    I am using the same code that came from greenhouse for the configuration of spring security and oauth.

    This is the message I get when starting VMWare vFabric tc Server v2.6 in STS 2.8.1. I would normally assume that I needed to declare a Bean called usernamePasswordAuthenticationProvider; however, I cannot find such a bean definition in Greenhouse either. Can someone enlighten me on how Greenhouse does it and the configuration I have below is not working? I have Greenhouse loaded in STS as well and it starts up fine.

    Note: I've stripped out the extraneous and repeated logging details and itemized the errors.

    ERROR: org.springframework.web.context.ContextLoader - Context initialization failed
    1. Error creating bean with name '': Cannot resolve reference to bean '' while setting bean property 'sourceList' with key [0]; 
    2. Error creating bean with name '': Cannot resolve reference to bean '' while setting constructor argument with key [3];
    3. Error creating bean with name '': Cannot resolve reference to bean '' while setting bean property 'authenticationManager'; 
    4. Error creating bean with name '': Cannot resolve reference to bean '' while setting constructor argument;  
    5. Error creating bean with name '': FactoryBean threw exception on object creation; 
    6. Error creating bean with name '': Cannot resolve reference to bean 'usernamePasswordAuthenticationProvider' while setting constructor argument with key [0]; 
    7. No bean named 'usernamePasswordAuthenticationProvider' is defined
    public class SecurityConfig {
    	static class Embedded {
    		public PasswordEncoder passwordEncoder() {
    			return NoOpPasswordEncoder.getInstance();
    		public TextEncryptor textEncryptor() {
    			return Encryptors.noOpText();
    		public OAuthSessionManager oauthSessionManager(AppRepository appRepository) {
    			return new ConcurrentMapOAuthSessionManager(appRepository);
    	static class Standard {
    		private Environment environment;
    		public PasswordEncoder passwordEncoder() {
    			return new AccountPasswordEncoder(getEncryptPassword());
    		public TextEncryptor textEncryptor() {
    			return Encryptors.queryableText(getEncryptPassword(), environment.getProperty("security.encryptSalt"));
    		public OAuthSessionManager oauthSessionManager(StringRedisTemplate redisTemplate, AppRepository appRepository) {
    			return new RedisOAuthSessionManager(redisTemplate, appRepository);
    		// helpers
    		private String getEncryptPassword() {
    			return environment.getProperty("security.encryptPassword");
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns=""
    	<!-- Steps of OAuth 1.0 POST /oauth/request_token?oauth_consumer_key&oauth_callback 
    		(returns unauthorized token) GET /oauth/confirm_access?oauth_token (returns 
    		secure authorization form) (User) POST /oauth/authorize?requestToken&callbackUrl 
    		(authorizes oauth token, redirect to callbackUrl) POST /oauth/access_token?oauth_consumer_key&oauth_token&oauth_verifier -->
    	<!-- Spring Security OAuth 1.0 Provider Configuration -->
    	<oauth:provider consumer-details-service-ref="appConsumerDetailsService"
    		require10a="false" />
    	<!-- Sends a UNAUTHORIZED response back to clients attempting to access 
    		protected resources but who have not yet authenticated via OAuth -->
    	<bean id="oauthAuthenticationEntryPoint"
    		<property name="realmName" value="StudentSocialHealth" />

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns=""
    	<http use-expressions="true">
    		<!-- Authentication policy -->
    		<form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?error=1" />
    		<logout logout-url="/signout" delete-cookies="JSESSIONID" />
    		<!-- Authorization policy definition: TODO consider replacing with @Secured on @Controllers -->
    		<intercept-url pattern="/" access="permitAll" />
    		<intercept-url pattern="/favicon.ico" access="permitAll" />
    		<intercept-url pattern="/resources/**" access="permitAll" />
    		<intercept-url pattern="/signup" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />	
    		<intercept-url pattern="/signin" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    		<intercept-url pattern="/signin/*" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
    		<!-- <intercept-url pattern="/reset" access="permitAll" requires-channel="#{environment['application.secureChannel']}" /> -->
    		<!-- TODO this would probably be better mapped to simply /invite?token={token} but not able to vary security policy here based on presence of a request parameter.  Consider @Secured on @Controller. -->               
    		<intercept-url pattern="/invite/accept" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />           
    		<intercept-url pattern="/**" access="isAuthenticated()" requires-channel="#{environment['application.secureChannel']}" />
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider ref="usernamePasswordAuthenticationProvider" />
        <beans:import resource="security-oauth-provider.xml" />
    <!-- Secures the application -->
    		</init-param> -->

  • #2
    Howdy, anyone at all have an idea of what thing I'm missing here???? Anyone???


    • #3
      The "usernamePasswordAuthenticationProvider" is an annotated service bean at com.springsource.greenhouse.account.UsernamePasswo rdAuthenticationProvider. Check if you have it in your source code.


      • #4
        @yuanji, thanks that was a problem, now I have another problem. I'm getting the following error that I don't understand:

        Error creating bean with name '': Invocation of init method failed; 
        nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other 
        patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace
         or FilterChainProxy bean configuration


        • #5
          OK, that is a tough question. I don't have enough information about your application, so I can only guess what's wrong. Maybe you have more than one <http> in your security configuration, and the first one has no pattern attribute defined.

          Let's explain how this error happens. When Spring Security parses your config xml file, it starts with o.s.s.config.SecurityNamespacehandler. It has many parsers, one is o.s.s.config.http.HttpSecurityBeanDefinitionParser , which will parse <http> element.

          The HttpSecurityBeanDefinitionParser will register filter chain proxy if not registered before (a object of o.s.s.web.FilterChainProxy), and set filterChainValidator as o.s.s.config.http.DefaultFilterChainValidator. This filter chain proxy bean will have name of "springSecurityFilterChain", you see in your web.xml. Then HttpSecurityBeanDefinitionParser will parse <http> element with other configuration builders, each will add filters to the filter chain o.s.s.web.SecurityFilterChain. the bean class is o.s.s.config.http.DefaultSecurityFilterChain, with o.s.s.web.util.AnyRequestMatcher as RequestMatcher if no pattern or request-matcher-ref provided. After finish, it will add this SecurityFilterChain to filter chain proxy.

          After finish parsing, the filter chain proxy will be validated in afterPropertiesSet() method, which will call filterChainValidator.validate(). The DefaultFilterChainValidator will check the path order of all filter chains, and if one filter chain is using AnyRequestMatcher and is not the last one, it will through IllegalArgumentException, as you see in the output.

          Good luck.


          • #6
            @yuanji, Hi, thanks for the reply. I understand some of what you are saying, and I've looked at the spring code. I guess I am wondering if this is something I specify in my code that is not already posted above in my web.xml, security.xml, security-oauth-provider.xml, or files. The only reference to a <http> tag in my entire application is in the security.xml file. I did a global search just to make sure. Is this the <http> you are referring to. If yes, then I don't see any settings for path or path order. If no, then where are these paths being configured or determined?




            • #7
              @Yuanji, I have a partial fix. I commented out all of the <intercept-url... in the security.xml file except for the very last one with the pattern="/**". When starting up, I don't get the error anymore. I will have to work on the other patterns one at a time in different order to see what the problem is. Thanks for you help.