My first post was here: "Spring security. Can't run automatically". My Spring Security setup is not working properly. I added redirect.jsp containing <%response.sendRedirect("login.do");%>
and everything works, but I can still open http://localhost:8081/test/index.do directly at any time
without going through the login page. What is wrong in my code? Please help.
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<!-- Deployment descriptor: root Spring context, Spring Security filter and the DispatcherServlet. -->
<!-- Context files that ContextLoaderListener (declared below) loads into the root application context. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- DelegatingFilterProxy hands each request to the Spring bean named after the filter-name,
     springSecurityFilterChain, which the security namespace configuration creates. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Mapped to /*, so every request passes through the chain. Whether a URL needs a login is
     decided by the intercept-url rules in spring-security.xml, not by this mapping. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- No contextConfigLocation init-param is given, so by Spring convention this servlet
     reads /WEB-INF/dispatcher-servlet.xml. -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<!-- The welcome file is served only for directory requests such as the context root;
     a request that names a *.do URL directly never runs redirect.jsp. -->
<welcome-file-list>
<welcome-file>redirect.jsp</welcome-file>
</welcome-file-list>
</web-app>
spring-security:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<!-- Spring Security namespace configuration: URL access rules and the JDBC-backed user store. -->
<!-- auto-config="true" already registers form-login, http-basic and logout with defaults;
     the explicit child elements below customise them. -->
<security:http auto-config="true">
<security:http-basic/>
<!-- NOTE(review): this is the only access rule in the file. A request that matches no
     intercept-url carries no access requirement, so /index.do and the other *.do handlers
     mapped in dispatcher-servlet.xml are served without a login. -->
<security:intercept-url pattern="/welcome.do" access="ROLE_USER" />
<!-- NOTE(review): the disabled rule below uses an access expression; expressions such as
     isAnonymous() need use-expressions="true" on the http element before it could be enabled. -->
<!-- <intercept-url pattern="/login*" access="isAnonymous()"/> -->
<!-- Unauthenticated requests for a protected URL are sent to /login.do; a successful login
     lands on /welcome.do by default and a failed one on /loginfailed.do. -->
<security:form-login login-page="/login.do" default-target-url="/welcome.do"
authentication-failure-url="/loginfailed.do" />
<security:logout logout-success-url="/login.do" />
</security:http>
<!-- NOTE(review): no password-encoder child is declared on the authentication-provider, so the
     submitted password is compared with the password column as stored, presumably plain text.
     Confirm how passwords are written and declare a password-encoder (salted, slow hash) to match. -->
<security:authentication-manager>
<security:authentication-provider>
<!-- Users and authorities are read through the dataSource bean. Both queries bind the
     username through a ? placeholder rather than by string concatenation. -->
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="
select username,password, enabled
from users where username=?"
authorities-by-username-query="
select u.username, ur.authority from users u, user_roles ur
where u.user_id = ur.user_id and u.username =? "
/>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
dispatcher-servlet:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd">
<!-- MVC context of the dispatcher servlet: view resolution, URL-to-controller map, controller beans. -->
<!-- <bean class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping" /> -->
<!-- A view name resolves to /WEB-INF/pages/NAME.jsp. Resources under WEB-INF cannot be requested
     directly by a client, so these JSPs are reachable only through a controller. -->
<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/pages/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
<!-- Every key in this map is a handler reachable through the *.do servlet mapping.
     No authorization is expressed here. NOTE(review): compare this list with the intercept-url
     rules in spring-security.xml; a URL without a matching rule is public, and that includes
     the saveContact / updateContact / deleteContact handlers, which by name change data. -->
<bean id="urlMapping"
class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="urlMap">
<map>
<entry key="/index.do"> <ref bean="index" /></entry>
<entry key="/registration.do"> <ref bean="registration" /></entry>
<entry key="/usertestlist.do"> <ref bean="usertest" /></entry>
<entry key="/showContacts.do"> <ref bean="contact" /></entry>
<!-- <entry key="/add.html"> <ref bean="contact" /></entry> -->
<entry key="/saveContact.do"> <ref bean="contact" /></entry>
<entry key="/updateContact.do"> <ref bean="contact" /></entry>
<entry key="/deleteContact.do"> <ref bean="contact" /></entry>
<entry key="/searchContacts.do"> <ref bean="contact" /></entry>
<entry key="/login.do"> <ref bean="login" /></entry>
<entry key="/loginfailed.do"> <ref bean="login" /></entry>
<entry key="/logout.do"> <ref bean="login" /></entry>
<entry key="/welcome.do"> <ref bean="login" /></entry>
<!-- <entry key="/delete/*.html"> <ref bean="contact" /></entry> -->
</map>
</property>
</bean>
<bean id="index" class="pl.ivmx.web.IndexController"/>
<bean id="registrationValidator" class="pl.ivmx.validation.RegistrationValidator" />
<bean id="registration" class="pl.ivmx.web.RegistrationFormController" >
<property name="commandName"><value>userTest</value></property>
<property name="commandClass"><value>pl.ivmx.model.UserTest</value></property>
<property name="validator"><ref local="registrationValidator"/></property>
<property name="formView"><value>registration</value></property>
<property name="successView"><value>registrationsuccess</value></property>
<property name="userTestDao"><ref bean="userTestDao"/></property>
</bean>
<bean id="usertest" class="pl.ivmx.web.UserTestController">
<property name="userTestDao"><ref bean="userTestDao"/></property>
</bean>
<!-- NOTE(review): IndexController and LoginController carry @Controller and live under pl.ivmx,
     so this scan may register them a second time next to the explicit "index" and "login"
     beans; confirm which mechanism is intended. -->
<context:component-scan base-package="pl.ivmx" />
<bean id="contact" class="pl.ivmx.contact.controller.ContactController"/>
<bean id="login" class="pl.ivmx.service.servlet.LoginController"/>
<bean id="contactFormValidator" class="pl.ivmx.contact.validator.ContactFormValidator"/>
<!-- <mvc:annotation-driven/> -->
</beans>
applicationContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<!-- Root application context: message source, data source, Hibernate session factory,
     transaction manager and the contact service beans. -->
<bean id="messageSource"
class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="classpath:messages" />
<property name="defaultEncoding" value="UTF-8" />
</bean>
<!-- commonContext.xml is not shown on this page. -->
<import resource="commonContext.xml" />
<!-- Connection settings come from jdbc.* placeholders, which keeps the database credentials out
     of this file. NOTE(review): no placeholder configurer is visible here; presumably
     commonContext.xml supplies it. DriverManagerDataSource does no connection pooling.
     The jdbc-user-service in spring-security.xml reads users through this same bean. -->
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${jdbc.driverClassName}" />
<property name="url" value="${jdbc.url}" />
<property name="username" value="${jdbc.username}" />
<property name="password" value="${jdbc.password}" />
</bean>
<bean id="userTestDao" class="pl.ivmx.dao.impl.UserTestDaoImpl">
<!-- <property name="dataSource" ref="dataSource" /> -->
<property name="sessionFactory" ref="sessionFactory" />
</bean>
<!-- Hibernate session factory built on the dataSource bean and configured from
     META-INF/hibernate.cfg.xml. -->
<bean id="sessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean" >
<!-- class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean"> -->
<property name="dataSource" ref="dataSource" />
<property name="configLocation" value="META-INF/hibernate.cfg.xml" />
<property name="configurationClass">
<value>org.hibernate.cfg.AnnotationConfiguration</value>
</property>
<!-- <property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
<prop key="hibernate.show_sql">true</prop>
</props>
</property>
<property name="annotatedClasses">
<list>
<value>pl.ivmx.model.UserTest</value>
</list>
</property> -->
</bean>
<bean id="transactionManager"
class="org.springframework.orm.hibernate3.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
<context:annotation-config />
<tx:annotation-driven />
<bean id="contactService" class="pl.ivmx.contact.service.ContactServiceImpl" />
<bean id="contactDAO" class="pl.ivmx.contact.dao.ContactDAOImpl"/>
</beans>
redirect.jsp:
<%-- Welcome-file helper: sends the browser to login.do, resolved relative to the current path.
     NOTE(review): this redirect is a convenience for the context root only. It does not enforce
     authentication, because a request that names another URL directly never runs this page;
     access control has to come from the intercept-url rules in spring-security.xml. --%>
<%
response.sendRedirect("login.do");
%>
login.jsp:
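<%-- Login page for Spring Security form-login: the form posts j_username and j_password
     to j_spring_security_check. The "error" model attribute is set by the /loginfailed.do handler. --%>
<%@ include file="header.jsp"%>
<div id="menu"></div>
<div id="subMenu"></div>
<div id="main">
<c:if test="${not empty error}">
<div class="errorblock">
Your login attempt was not successful, try again.<br /> Caused :
<%-- c:out escapes markup characters, so the exception text is written as data and never
     interpreted as HTML. It uses the core taglib (prefix c) this page already relies on.
     NOTE(review): the raw exception message can reveal account state (for example a disabled
     account); consider a fixed, generic failure message instead. --%>
<c:out value='${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}' />
</div>
</c:if>
<!-- <form class="jqtransform" id="loginForm" action='/test/j_spring_security_check' method="POST"> -->
<%-- The c:url value is relative, so the action resolves against the URL of the page being shown. --%>
<form name='f' action="<c:url value='j_spring_security_check' />"
method='POST'>
<table>
<tr>
<td>User:</td>
<td><input type='text' name='j_username' value=''>
</td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='j_password' />
</td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="submit" />
</td>
</tr>
<tr>
<td colspan='2'><input name="reset" type="reset" />
</td>
</tr>
</table>
</form>
</div>
<%@ include file="footer.jsp"%>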
index.jsp:
<%-- Index view. It is rendered by IndexController for /index.do and by
     LoginController.printWelcome for /welcome.do, since both return the view name "index".
     The page performs no access check of its own; it only links to other *.do handlers. --%>
<%@ include file="header.jsp"%>
<div id="menu">
<div id="subMenu">
<div class="menuDiv">Kliknij</div>
<ul>
<li><a href="registration.do">REJESTRUJ</a></li>
<li><a href="usertestlist.do">lista uzytkownikow</a></li>
<li><a href="showContacts.do">contact</a></li>
</ul>
</div>
</div>
<div id="main">
</div>
<%@ include file="footer.jsp"%>
IndexController:
package pl.ivmx.web;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
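/**
 * Controller for the application's index page.
 *
 * The handler performs no access check itself. Whether a login is required for it
 * depends entirely on the intercept-url rules in spring-security.xml.
 */
@Controller
public class IndexController {

    /**
     * Handles requests mapped to "/index".
     *
     * @return a ModelAndView selecting the "index" view, with an empty model
     */
    @RequestMapping(value = "/index")
    public ModelAndView index() {
        ModelAndView mav = new ModelAndView("index");
        return mav;
    }
}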
LoginController:
package pl.ivmx.service.servlet;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.multiaction.MultiActionController;
import pl.ivmx.contact.form.Contact;
/**
 * Renders the login-related pages (login, login failure, logout, welcome).
 *
 * The handlers only select views. Credential checking is not done here: login.jsp posts
 * to j_spring_security_check, which Spring Security processes.
 */
@Controller
public class LoginController {
// public String login(HttpServletRequest request, HttpServletResponse response) {
// return "login";
// }
// @RequestMapping(value="/index", method = RequestMethod.GET)
// public String printWelcome(ModelMap model) {
//
// User user = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
// String name = user.getUsername();
// model.addAttribute("username", name);
// model.addAttribute("message", "Spring Security login + database example");
// return "index";
// }
/**
 * Puts the current user's name into the model under "username" and shows the "index" view.
 *
 * NOTE(review): the cast assumes the principal is a Spring Security User. That holds only
 * while /welcome.do stays behind an access rule; an unauthenticated request would presumably
 * carry a non-User principal and fail on the cast.
 *
 * @param map model map that receives the "username" entry
 * @return the view name "index"
 */
@RequestMapping(value="/welcome.do", method = RequestMethod.GET)
public String printWelcome(Map<String, Object> map) {
User user = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String name = user.getUsername();
map.put("username", name);
return "index";
}
/**
 * Shows the login form.
 *
 * @param model unused
 * @return the view name "login"
 */
@RequestMapping(value="/login.do", method = RequestMethod.GET)
public String login(ModelMap model) {
return "login";
}
/**
 * Shows the login form again after a failed attempt.
 *
 * @param model receives the "error" attribute that login.jsp tests before showing the error block
 * @return the view name "login"
 */
@RequestMapping(value="/loginfailed.do", method = RequestMethod.GET)
public String loginerror(ModelMap model) {
model.addAttribute("error", "true");
return "login";
}
/**
 * Shows the login form.
 *
 * NOTE(review): this handler only renders a view. It does not invalidate the session or
 * clear the security context, so requesting /logout.do does not sign the user out.
 * Presumably the actual sign-out is done by the logout element in spring-security.xml
 * (default URL /j_spring_security_logout); confirm that no link sends users here
 * expecting to be logged out.
 *
 * @param model unused
 * @return the view name "login"
 */
@RequestMapping(value="/logout.do", method = RequestMethod.GET)
public String logout(ModelMap model) {
return "login";
}
}
A quick glance tells me that a request to index.do isn't asking you to log on because you haven't asked it to. In fact, the only URL you seem to require auth for is welcome.do:
<security:http auto-config="true">
<security:http-basic/>
<security:intercept-url pattern="/welcome.do" access="ROLE_USER" />
<security:form-login login-page="/login.do" default-target-url="/welcome.do"
authentication-failure-url="/loginfailed.do" />
<security:logout logout-success-url="/login.do" />
</security:http>
You basically have two choices;
Default to requiring auth for all URLs and then manually specify those that don't
<!-- Deny by default. Rules are matched top to bottom and the first match wins, so the
     /** catch-all must remain the last intercept-url. -->
<security:http auto-config="true">
<security:http-basic/>
<!-- Static resources: filters="none" skips the whole Spring Security filter chain for these
     paths. The directory names are examples; use the application's real static paths. -->
<security:intercept-url pattern="/css/**" filters="none"/>
<security:intercept-url pattern="/img/**" filters="none"/>
<security:intercept-url pattern="/jscript/**" filters="none"/>
<!-- NOTE(review): filters="none" on the login pages also means those requests get no
     SecurityContext and none of the protections the chain provides.
     access="IS_AUTHENTICATED_ANONYMOUSLY" allows unauthenticated access while keeping
     the chain in place. -->
<security:intercept-url pattern="/login.do" filters="none"/>
<security:intercept-url pattern="/loginfailed.do" filters="none"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
<security:form-login login-page="/login.do" default-target-url="/welcome.do"
authentication-failure-url="/loginfailed.do" />
<security:logout logout-success-url="/login.do" />
</security:http>
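Note that you have to tell Spring that the css/img/script resources don't require login, and neither does the login page; otherwise the redirect to the login page would itself be intercepted and loop. Any other page that must stay public (the question maps a registration.do, for example) needs its own rule ahead of the /** entry.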
Default to not requiring auth for any URLs then manually specify those that do
<!-- Allow by default: only the URLs listed below require ROLE_USER. A request that matches
     no intercept-url is served without authentication. -->
<security:http auto-config="true">
<security:http-basic/>
<security:intercept-url pattern="/welcome.do" access="ROLE_USER" />
<security:intercept-url pattern="/index.do" access="ROLE_USER" />
<security:form-login login-page="/login.do" default-target-url="/welcome.do"
authentication-failure-url="/loginfailed.do" />
<security:logout logout-success-url="/login.do" />
</security:http>
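Note that you have to specify every URL that requires auth. This can be a pain to maintain, and a URL you forget to list fails open: with the rules above, the question's other mappings (usertestlist.do, showContacts.do, saveContact.do, deleteContact.do and so on) remain reachable without logging in.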