Reputation: 1964
My application is supposed to show the secret.jsp page to users with ROLE_ADMIN access only, but it does not.
I have defined two users, one with ROLE_ADMIN access and the other with ROLE_USER access. I have two issues. The first is that the login page does not work: I can access the application with any dummy username and password.
The other issue is that the secret.jsp page is not visible to ROLE_ADMIN users. Once I open the login.jsp page and enter a user's credentials, it goes to the register page, but when I click on the secret link it redirects to login.jsp rather than opening the secret.jsp page.
I am implementing Spring Security on Struts2.
Web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/applicationContext.xml
            /WEB-INF/medics-security.xml
            /WEB-INF/login-service.xml
        </param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
medics-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns='http://www.springframework.org/schema/security'
    xmlns:beans='http://www.springframework.org/schema/beans'
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xsi:schemaLocation='http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd'>
    <beans:import resource='login-service.xml'/>
    <http auto-config="true" access-denied-page="/error.jsp">
        <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/register*" access="ROLE_ADMIN" />
        <intercept-url pattern="/secret*" access="ROLE_ADMIN" />
        <form-login login-page="/login.jsp" authentication-failure-url="/login?error=true"/>
        <remember-me/>
        <logout/>
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="secret" authorities="ROLE_ADMIN"/>
                <user name="user" password="secret" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
login-service.xml
<beans xmlns='http://www.springframework.org/schema/beans'
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xsi:schemaLocation='http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd'>
</beans>
applicationContext.xml
<?xml version='1.0' encoding='UTF-8'?>
<beans xmlns='http://www.springframework.org/schema/beans'
    xmlns:context='http://www.springframework.org/schema/context'
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xsi:schemaLocation='http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd'>
    <context:component-scan base-package='com.myproject'/>
    <bean id='internalResourceResolver'
        class='org.springframework.web.servlet.view.InternalResourceViewResolver'>
        <property name='prefix' value='/Web Pages/'/>
        <property name='suffix' value='.jsp'/>
    </bean>
    <bean class='org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping'/>
    <bean class='org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter'/>
    <bean id='placeholderConfig'
        class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'/>
</beans>
struts.xml
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
    <!-- Configuration for the default package. -->
    <constant name="struts.action.extension" value="html"/>
    <constant name="struts.enable.SlashesInActionNames" value="true"/>
    <action name="Login" class="com.myproject.struts.Login">
        <result name="SUCCESS">login.jsp</result>
    </action>
    <action name="Register" class="com.myproject.struts.Register">
        <result name="SUCCESS">register.jsp</result>
    </action>
    <action name="j_spring_security_check" class="com.myproject.struts.j_spring_security_check">
        <result name="SUCCESS">register.jsp</result>
    </action>
</struts>
register.jsp
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib prefix="s" uri="/struts-tags" %>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>secret page</title>
    </head>
    <body>
        <p>register</p>
        <a href="secret.jsp">secret</a>
    </body>
</html>
login.jsp
<html>
    <head>
    </head>
    <body>
        <form action="j_spring_security_check.html" method="post">
            <label for="j_username">Username</label>
            <input type="text" name="j_username" id="j_username"/><br/>
            <label for="j_password">Password</label>
            <input type="password" name="j_password" id="j_password"/><br/>
            <input type='checkbox' name='_spring_security_remember_me'/> Remember me<br/>
            <input type="submit" value="Login"/>
            <input type="reset" value="Reset"/>
        </form>
    </body>
</html>
Upvotes: 2
Views: 2080
Reputation: 22506
In your medics-security.xml you have
<http auto-config="true" access-denied-page="/error.jsp">
    <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/register*" access="ROLE_ADMIN" />
    <intercept-url pattern="/secret*" access="ROLE_ADMIN" />
    <form-login login-page="/login.jsp" authentication-failure-url="/login?error=true"/>
    <remember-me/>
    <logout/>
</http>
The first pattern is "/"; it maps the root of your application. Spring Security checks the patterns in that order, and the first pattern satisfies your request, so Spring Security lets you in because it is access="IS_AUTHENTICATED_ANONYMOUSLY". You should place the widest pattern last. You can see the pattern checking in the log.
Upvotes: 2
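As an added example (not code from the question or the answer), a small Python simulation of the first-match evaluation that Spring Security's <http> element applies to its ordered <intercept-url> list, run against the patterns from medics-security.xml; the Ant-pattern translation here is a simplified assumption, not Spring's own matcher.

```python
import re

ANONYMOUS = "IS_AUTHENTICATED_ANONYMOUSLY"


def ant_to_regex(pattern):
    """Translate an Ant-style <intercept-url> pattern to a regex.
    '**' spans path segments, '*' stays within one segment, '?' is one
    character. Simplified simulation: '**' is treated as '.*'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def decide(rules, path, authorities):
    """First-match evaluation: the first rule whose pattern matches the
    request path decides; later rules are never consulted.
    Returns (matching_pattern, allowed); (None, True) when nothing matches."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, access == ANONYMOUS or access in authorities
    return None, True


# The asker's list. In Ant matching "/" matches only the root path itself.
ASKER_RULES = [("/", ANONYMOUS), ("/register*", "ROLE_ADMIN"), ("/secret*", "ROLE_ADMIN")]

# A real catch-all placed first swallows every request before the ROLE_ADMIN rules run.
WIDE_FIRST = [("/**", ANONYMOUS), ("/register*", "ROLE_ADMIN"), ("/secret*", "ROLE_ADMIN")]

# The answer's advice: widest pattern last, so the ROLE_ADMIN rules are checked first.
WIDE_LAST = [("/register*", "ROLE_ADMIN"), ("/secret*", "ROLE_ADMIN"), ("/**", ANONYMOUS)]

if __name__ == "__main__":
    for name, rules in [("asker", ASKER_RULES), ("wide first", WIDE_FIRST), ("wide last", WIDE_LAST)]:
        for path in ["/", "/secret.jsp", "/index.jsp"]:
            print(name, path, "as ROLE_USER ->", decide(rules, path, {"ROLE_USER"}))
```

With WIDE_FIRST a ROLE_USER (or anonymous) request for /secret.jsp is let through by "/**" before the "/secret*" rule is ever reached; with WIDE_LAST it is denied. The asker's literal "/" rule matches only the root, so the catch-all that must go last is "/**".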