mardi 26 mai 2015

Unable to connect with spring security

I am trying to set up Spring Security in my web project. Unfortunately, the Spring session doesn't seem to be created correctly, and I'm quite disappointed...

Here are some lines of my code:

web.xml :

<?xml version="1.0" encoding="UTF-8"?>

<!--
  Deployment descriptor: builds the root Spring context, sends every request
  through the filter named springSecurityFilterChain and maps the Spring MVC
  DispatcherServlet.
  NOTE(review): the namespace and schema URIs below are ift.tt short links,
  presumably rewritten when the page was republished. Namespace names are
  compared as literal strings, so a deployed descriptor needs the canonical
  URIs.
-->
<web-app xmlns:xsi="http://ift.tt/ra1lAU"
    xmlns="http://ift.tt/nSRXKP" xmlns:web="http://ift.tt/LU8AHS"
    xsi:schemaLocation="http://ift.tt/nSRXKP http://ift.tt/1eWqHMP"
    id="WebApp_ID" version="3.0">
    <display-name>Archetype Created Web Application</display-name>

    <!--
      Files loaded into the root application context by ContextLoaderListener.
      The standard DelegatingFilterProxy resolves its target bean from this
      root context, which is why spring-security.xml is listed here.
      NOTE(review): the servlet named "spring" below declares no
      contextConfigLocation init-param, so DispatcherServlet falls back to
      /WEB-INF/spring-servlet.xml by naming convention. Listing the same file
      here looks like it creates those beans twice; confirm that is intended.
    -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-servlet.xml
            /WEB-INF/hibernate-beans.xml
            /WEB-INF/websocket-beans.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <!-- Creates the root application context from contextConfigLocation at startup. -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- log4j -->
    ...

    <!-- SPRING SECURITY -->
    <!--
      The filter class is a project class that is not shown on this page;
      presumably it extends DelegatingFilterProxy. With the standard proxy the
      filter-name doubles as the name of the bean it delegates to, so it has to
      stay springSecurityFilterChain.
      NOTE(review): the log on this page shows this filter printing the
      submitted username and password. Credentials should never reach logs or
      stdout; remove that output once debugging is finished.
    -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>com.improvisation.server.security.DelegatingFilterProxyPerso
        </filter-class>
    </filter>

    <!-- The /* pattern applies the security filter to every request path. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- SPRING MVC -->
    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- The dispatcher serves /web/* and every *.html path, including /login.html. -->
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/web/*</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>

    <!-- JERSEY -->
    ...

</web-app>

spring-servlet.xml :

<?xml version="1.0" encoding="UTF-8"?>

<!--
  Spring MVC configuration: annotation-driven controllers, component scanning,
  JSP view resolution and static resource handling.
  NOTE(review): the namespace and schema URIs below are ift.tt short links,
  presumably rewritten when the page was republished; the deployed file needs
  the canonical Spring schema URIs.
-->
<beans xmlns="http://ift.tt/GArMu6"
    xmlns:mvc="http://ift.tt/1bHqwjR" xmlns:xsi="http://ift.tt/ra1lAU"
    xmlns:aop="http://ift.tt/OpNdV1" xmlns:context="http://ift.tt/GArMu7"
    xmlns:jee="http://ift.tt/OpNaZ5" xmlns:lang="http://ift.tt/OGfeTY"
    xmlns:p="http://ift.tt/1jdM0fE" xmlns:tx="http://ift.tt/OGfeU2"
    xmlns:util="http://ift.tt/OGfeTW"
    xmlns:websocket="http://ift.tt/1heCnO0"
    xsi:schemaLocation="http://ift.tt/GArMu6 http://ift.tt/1jdM0fG
        http://ift.tt/OpNdV1 http://ift.tt/1feTlrW
        http://ift.tt/GArMu7 http://ift.tt/1jdLYo7
        http://ift.tt/OpNaZ5 http://ift.tt/1feTnjL
        http://ift.tt/OGfeTY http://ift.tt/1feTlrY
        http://ift.tt/OGfeU2 http://ift.tt/18tm2Tg
        http://ift.tt/OGfeTW http://ift.tt/1feTls0
        http://ift.tt/1bHqwjR http://ift.tt/1bVJL9q
        http://ift.tt/1heCnO0 http://ift.tt/1u8oNOr">

    <!-- Enables annotation-based transaction demarcation. -->
    <tx:annotation-driven />

    <context:annotation-config />

    <!--
      Scans the whole com.improvisation.server tree. That tree includes the
      com.improvisation.server.security package named in web.xml on this page.
    -->
    <context:component-scan base-package="com.improvisation.server" />

    <mvc:annotation-driven />

    <!--
      Maps a view name to /WEB-INF/jsp/<name>.jsp. JSPs under /WEB-INF/ cannot
      be requested directly by a client, only rendered through a controller.
    -->
    <bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/jsp/" />
        <property name="suffix" value=".jsp" />
    </bean>

    <!-- Hands requests that no controller matches to the container's default servlet. -->
    <mvc:default-servlet-handler />

    <!-- Static files under /resources/** are served with caching disabled (cache-period 0). -->
    <mvc:resources mapping="/resources/**" location="/META-INF/resources/"
        cache-period="0" />

    <!--
      NOTE(review): second resolver with the same prefix and suffix as the
      InternalResourceViewResolver above; one of the two looks redundant.
    -->
    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.UrlBasedViewResolver">
        <property name="viewClass"
            value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/WEB-INF/jsp/" />
        <property name="suffix" value=".jsp" />
    </bean>

</beans>

spring-security.xml :

<?xml version="1.0" encoding="UTF-8"?>

<!--
  Spring Security configuration: URL access rules, form login, logout and an
  in-memory user store.
  NOTE(review): the namespace and schema URIs below are ift.tt short links,
  presumably rewritten when the page was republished; the deployed file needs
  the canonical Spring Security schema URIs.
-->
<beans:beans xmlns="http://ift.tt/1c8inpe"
    xmlns:beans="http://ift.tt/GArMu6" xmlns:xsi="http://ift.tt/ra1lAU"
    xsi:schemaLocation="http://ift.tt/GArMu6
    http://ift.tt/QEDs1e
    http://ift.tt/1c8inpe
    http://ift.tt/1epvZ6L">

    <!--
      intercept-url rules are tried in document order and the first match
      decides; the log on this page shows /login.html tested against /assets/**
      and then matched by its own rule. The catch-all /** rule must stay last.
      auto-config also enables HTTP Basic (BasicAuthenticationFilter appears in
      the logged chain).
      NOTE(review): the 11-filter chain in the log contains no CsrfFilter, so
      login, logout and other state-changing requests are not CSRF-protected.
      Where the Spring Security version supports it, the <csrf/> child element
      turns that protection on.
    -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/assets/**" access="permitAll" />
<!--        <intercept-url pattern="/*" access="hasRole('ADMIN')" /> -->
        <intercept-url pattern="/login.html" access="permitAll"/>
        <intercept-url pattern="/liens.html" access="permitAll"/>
        <!--
          Everything else requires the USER authority granted in user-service
          below. NOTE(review): newer Spring Security releases prepend ROLE_
          inside hasRole(); the version in use is not shown, so confirm the
          authority names still match after an upgrade.
        -->
        <intercept-url pattern="/**" access="hasRole('USER')" />
        <logout logout-success-url="/login.html?logout" logout-url="/logout.html" />
        <!--
          No login-processing-url is set, so UsernamePasswordAuthenticationFilter
          only authenticates requests sent to the version's default processing
          URL. NOTE(review): in the log the request carrying username and
          password is for /login.html, no authentication attempt is logged and
          the request ends as anonymousUser. That suggests the login form posts
          to the page URL instead of the processing URL; check the form action
          or set login-processing-url explicitly.
        -->
        <form-login default-target-url="/index.html"
            always-use-default-target="true"
            login-page="/login.html"
            authentication-failure-url="/login.html?error"
            password-parameter="password"
            username-parameter="username" />
    </http>

    <!--
      In-memory users with identical clear-text passwords: acceptable only as
      throwaway test data on a local machine. Anything shared or deployed should
      keep hashed passwords outside the packaged application and declare a
      password-encoder on the authentication-provider.
    -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="bill" password="pass" authorities="USER" />
                <user name="jim" password="pass" authorities="USER" />
                <user name="steve" password="pass" authorities="USER, ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

And the logs obtained with log4j :

DelegatingFilterProxyPerso.doFilter(org.apache.catalina.connector.RequestFacade@7dccb38f, org.apache.catalina.connector.ResponseFacade@730b5246, org.apache.catalina.core.ApplicationFilterChain@7734d8f
f)
username=steve;
password=pass;
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-05-26 02:32:46 DEBUG HttpSessionSecurityContextRepository:140 - No HttpSession currently exists
2015-05-26 02:32:46 DEBUG HttpSessionSecurityContextRepository:140 - No HttpSession currently exists
2015-05-26 02:32:46 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: null. A new one will be created.
2015-05-26 02:32:46 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: null. A new one will be created.
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-05-26 02:32:46 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: 
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: 
null; Granted Authorities: ROLE_ANONYMOUS'
2015-05-26 02:32:46 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: 
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: 
null; Granted Authorities: ROLE_ANONYMOUS'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2015-05-26 02:32:46 DEBUG SessionManagementFilter:92 - Requested session ID 1C62AC8746B448DF832D995179C51120 is invalid.
2015-05-26 02:32:46 DEBUG SessionManagementFilter:92 - Requested session ID 1C62AC8746B448DF832D995179C51120 is invalid.
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-05-26 02:32:46 DEBUG FilterChainProxy:337 - /login.html at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-05-26 02:32:46 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/login.html'; against '/assets/**'
2015-05-26 02:32:46 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/login.html'; against '/assets/**'
2015-05-26 02:32:46 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/login.html'; against '/login.html'
2015-05-26 02:32:46 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/login.html'; against '/login.html'
2015-05-26 02:32:46 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /login.html; Attributes: [permitAll]
2015-05-26 02:32:46 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /login.html; Attributes: [permitAll]
2015-05-26 02:32:46 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credent
ials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_A
NONYMOUS
2015-05-26 02:32:46 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credent
ials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_A
NONYMOUS
2015-05-26 02:32:46 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@2e918a48, returned: 1
2015-05-26 02:32:46 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@2e918a48, returned: 1
2015-05-26 02:32:46 DEBUG FilterSecurityInterceptor:215 - Authorization successful
2015-05-26 02:32:46 DEBUG FilterSecurityInterceptor:215 - Authorization successful
2015-05-26 02:32:46 DEBUG FilterSecurityInterceptor:227 - RunAsManager did not change Authentication object
2015-05-26 02:32:46 DEBUG FilterSecurityInterceptor:227 - RunAsManager did not change Authentication object
2015-05-26 02:32:46 DEBUG FilterChainProxy:323 - /login.html reached end of additional filter chain; proceeding with original chain
2015-05-26 02:32:46 DEBUG FilterChainProxy:323 - /login.html reached end of additional filter chain; proceeding with original chain
2015-05-26 02:32:46 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
2015-05-26 02:32:46 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
2015-05-26 02:32:46 DEBUG HttpSessionSecurityContextRepository:304 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-05-26 02:32:46 DEBUG HttpSessionSecurityContextRepository:304 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-05-26 02:32:46 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2015-05-26 02:32:46 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed

So, the password is visible on the DelegatingFilterProxy, but no session is created and the user pages are inaccessible.

If anyone can see what I'm doing wrong, I would be grateful.

Thank you
