CODEWITHSUNDEEP
springtomcatauthenticationspring-security
user1289
user1289

Reputation: 1321

Reason: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

I've configured spring security namespace to authenticate with my custom authentication manager:

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">

  <display-name>Application</display-name>

   <welcome-file-list>
        <welcome-file>index.html</welcome-file>
   </welcome-file-list>

   <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

   <servlet>
        <servlet-name>app</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextClass</param-name>
            <param-value>
                org.springframework.web.context.support.AnnotationConfigWebApplicationContext
            </param-value>
        </init-param>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
               com.me.web.controllers.controller
            </param-value>
        </init-param> 
   </servlet>

    <listener>
        <listener-class>
            com.me.web.controllers.listener
        </listener-class>
    </listener>

    <servlet-mapping>
        <servlet-name>app</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>



    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>

</web-app>

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
     xmlns:context="http://www.springframework.org/schema/context"
     xmlns:security="http://www.springframework.org/schema/security"
     xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:p="http://www.springframework.org/schema/p"
     xsi:schemaLocation="
            http://www.springframework.org/schema/beans    
            http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context-4.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-4.0.xsd
            http://www.springframework.org/schema/mvc
            http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd">

    <context:component-scan base-package="com.me.web.controllers"/>
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/" />
        <property name="suffix" value=".jsp" />
    </bean>

    <bean id="myProvider" class="com.me.web.controllers.CustomAuthenticationProvider"> </bean>

    <security:http auto-config="true">
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    </security:http>

    <security:authentication-manager erase-credentials="false" alias="authenticationManager">
        <security:authentication-provider ref='myProvider'/>
    </security:authentication-manager>

    <mvc:annotation-driven />
</beans>

CustomAuthenticationProvider.java

package com.me.web.controllers;

import java.util.jar.JarEntry;
import java.util.jar.JarFile;

import java.io.InputStream;
import java.util.Hashtable;
import java.util.ArrayList;
import java.util.Arrays;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getPrincipal().toString();
        String password = authentication.getCredentials().toString();

        System.out.println("Username: " + name + ", password: " + password + "\n");

        if (name.equals("user") && password.equals("pass")) {
            return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<GrantedAuthority>(Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"))));
        } else {
            return null;
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        System.out.println("supports method called\n");
        return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
    }
}

Log file

INFO: Loading XML bean definitions from ServletContext resource [/WEB-INF/omdwebapp-servlet.xml]
дек 27, 2016 11:28:50 AM org.springframework.security.core.SpringSecurityCoreVersion performVersionChecks
INFO: You are running with Spring Security Core 4.0.4.RELEASE
дек 27, 2016 11:28:50 AM org.springframework.security.core.SpringSecurityCoreVersion performVersionChecks
WARNING: **** You are advised to use Spring 4.2.5.RELEASE or later with this version. You are running: 4.1.5.RELEASE
дек 27, 2016 11:28:50 AM org.springframework.security.config.SecurityNamespaceHandler <init>
INFO: Spring Security 'config' module version is 4.0.4.RELEASE
дек 27, 2016 11:28:50 AM org.springframework.security.config.http.FilterInvocationSecurityMetadataSourceParser parseInterceptUrlsForFilterInvocationRequestMap
INFO: Creating access control expression attribute 'hasRole('ROLE_USER')' for /**
дек 27, 2016 11:28:50 AM org.springframework.security.config.http.AuthenticationConfigBuilder createLoginPageFilterIfNeeded
INFO: No login page configured. The default internal one will be used. Use the 'login-page' attribute to set the URL of the login page.
дек 27, 2016 11:28:50 AM org.springframework.security.config.http.HttpSecurityBeanDefinitionParser checkFilterChainOrder
INFO: Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, Root bean: class [org.springframework.security.web.header.HeaderWriterFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 500, Root bean: class [org.springframework.security.web.csrf.CsrfFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 600, Root bean: class [org.springframework.security.web.authentication.logout.LogoutFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 700, <org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0>, order = 1100, Root bean: class [org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1500, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1600, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2000, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2100, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2200, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 2300]
дек 27, 2016 11:28:51 AM org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor <init>
INFO: JSR-330 'javax.inject.Inject' annotation found and supported for autowiring
дек 27, 2016 11:28:51 AM org.springframework.security.web.DefaultSecurityFilterChain <init>
INFO: Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.SecurityContextPersistenceFilter@5ebfb059, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7ad2d3a7, org.springframework.security.web.header.HeaderWriterFilter@2745b7f0, org.springframework.security.web.csrf.CsrfFilter@522f01b4, org.springframework.security.web.authentication.logout.LogoutFilter@c18fa93, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@3beacf19, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@34c2910a, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@51c04295, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25536e21, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@8634bac, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2efd0d81, org.springframework.security.web.session.SessionManagementFilter@6781a840, org.springframework.security.web.access.ExceptionTranslationFilter@714d36d6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@44b55b7]
дек 27, 2016 11:28:51 AM org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
INFO: Checking whether login URL '/login' is accessible with your configuration
дек 27, 2016 11:28:51 AM org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping registerHandlerMethod
INFO: Mapped "{[/rest],methods=[POST],params=[],headers=[],consumes=[],produces=[application/json],custom=[]}" onto public static void com.omd.web.controllers.OmdRestController.processPostRequest(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) throws javax.servlet.ServletException
дек 27, 2016 11:28:51 AM org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping registerHandlerMethod
INFO: Mapped "{[/rest],methods=[GET],params=[],headers=[],consumes=[],produces=[application/json],custom=[]}" onto public static void com.omd.web.controllers.OmdRestController.processGetRequest(java.lang.String,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) throws javax.servlet.ServletException
дек 27, 2016 11:28:51 AM org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter initControllerAdviceCache

But when I send request to the server (apache-tomcat), spring requests for login and password in an infinite loop, regardless what login:password I type. What am I doing? If it's not clear, how can I debug this?

This is error message when I try to log in:

Your login attempt was not successful, try again.

Reason: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

I didn't find the log I've added in my class, so I think that authenticate function just isn't being called.

Upvotes: 1

Views: 17173

Answers (2)

Mhmoud Sabry
Mhmoud Sabry

Reputation: 403

I had the same problem and I solved it by adding this Class with this Name

IMP: I am working on pure Java configuration

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;


public class SecurityWebApplicationInitializer 
                        extends AbstractSecurityWebApplicationInitializer {

}

Upvotes: 1

Chao Luo
Chao Luo

Reputation: 2696

<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

But no roles returned in your authenticate method.

If you want do Basic Authentication, you should send the request with head.

Authorization -- Basic base64Encode(username:password)

to the server, and in your authenticate method, you should return

return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<GrantedAuthority>(Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"))));

BTW: if you set auto-config = true, it will add following config automatically. 

<form-login />
<http-basic />
<logout />

I think you just want to set all the request should be authenticated. so you just need to change the config to

<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

then you don't need to change your authenticate method to return roles.

Edit

authentication.equals(UsernamePasswordAuthenticationToken.class);

this will return false, change it to 

(UsernamePasswordAuthenticationToken.class
                .isAssignableFrom(authentication));

Upvotes: 1

Related Questions