Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring security with Java Config doesn´t work eraseCredentials method

With the following Java Config configuration for Spring Security 3.2.2 and Spring Framework 3.2.8, user passsword is deleted even when I use '.eraseCredentials(false)' and it's not available using authentication.getCredentials().

@Configuration
@EnableWebSecurity
@Order( 1 )
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean( name = "authenticationEntryPoint" )
    public LoginUrlAuthenticationEntryPoint authenticationEntryPoint() {

        return new XhrAwareAuthenticationEntryPoint( "/home?noAuthenticated=expired" );
    }

    @Bean( name = "acessDeniedHandler" )
    public AccessDeniedHandler acessDeniedHandler() {

        XhrAwareAccessDeniedHandlerImpl xhrAwareAccessDeniedHandler = new XhrAwareAccessDeniedHandlerImpl();
        xhrAwareAccessDeniedHandler.setErrorPage( "/denied" );
        return xhrAwareAccessDeniedHandler;
    }

    @Bean( name = "atlasAuthenticationSuccessHandler" )
    public AtlasAuthenticationSuccessHandler atlasAuthenticationSuccessHandler() {

        return new AtlasAuthenticationSuccessHandler( "/views/hub" );
    }

    @Bean( name = "atlasAuthenticationFailureHandler" )
    public AtlasAuthenticationFailureHandler atlasAuthenticationFailureHandler() {
        return new AtlasAuthenticationFailureHandler( "/home?loginError=error" );
    }

    @Bean( name = "atlasLogoutSuccessHandler" )
    public AtlasLogoutSuccessHandler atlasLogoutSuccessHandler() {
        AtlasLogoutSuccessHandler atlasLogoutSuccessHandler = new AtlasLogoutSuccessHandler();
        atlasLogoutSuccessHandler.setDefaultTargetUrl( "/home?logoff=disconnect" );
        return atlasLogoutSuccessHandler;
    }

    @Override
    public void configure( WebSecurity web ) throws Exception {

        web.ignoring().antMatchers( "/resources/**" );
    }

    @Override
    protected void configure( HttpSecurity http ) throws Exception {

        http.csrf().disable()
                .httpBasic()
                .authenticationEntryPoint( this.authenticationEntryPoint() )
                .and()
                .exceptionHandling()
                .accessDeniedHandler( this.acessDeniedHandler() )
                .and()
                .formLogin()
                .usernameParameter( "j_username" )
                .passwordParameter( "j_password" )
                .loginPage( "/home" )
                .loginProcessingUrl( "/login" )
                .failureHandler( this.atlasAuthenticationFailureHandler() )
                .successHandler( this.atlasAuthenticationSuccessHandler() )
                .permitAll()
                .and()
                .logout()
                .logoutUrl( "/logout" )
                .logoutSuccessHandler( this.atlasLogoutSuccessHandler() )
                .invalidateHttpSession( true )
                .permitAll()
                .and()
                .authorizeRequests()
                .antMatchers(
                        ViewsConstants.VIEWS_URI + "/**",
                        RssController.RSS_URI + "/**",
                        ProxySolrController.SEARCH_URI + "/**" )
                .authenticated()
                .antMatchers( ConfigurationProperties.ADMIN_URI + "/**" ).hasAnyRole( Role.ADMIN )
                .antMatchers( "/**" ).permitAll();
    }

    @Configuration
    @Profile( "DES" )
    public static class AuthenticacioInMemoryConfig {

        @Autowired
        public void configureGlobal( AuthenticationManagerBuilder auth ) throws Exception {

            auth.eraseCredentials( false ).inMemoryAuthentication()
                    .withUser( "user" ).password( "atlas" ).authorities( "ROLE_USER" ).and()
                    .withUser( "admin" ).password( "atlas" ).authorities( "ROLE_ADMIN" );
        }
    }

    @Configuration
    @Profile( "PRO" )
    @PropertySource( "file:${config.env}/config_env.properties" )
    public static class AuthenticacionLdapConfig {

        @Value( "${ldap.host}" )
        private String host;
        @Value( "${ldap.port}" )
        private String port;
        @Value( "${ldap.basedn}" )
        private String baseDn;
        @Value( "${ldap.userdn}" )
        private String userDn;
        @Value( "${ldap.passw}" )
        private String password;

        @Bean
        public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {

            return new PropertySourcesPlaceholderConfigurer();
        }

        @Bean( name = "contextSource" )
        public DefaultSpringSecurityContextSource contextSource() {

            DefaultSpringSecurityContextSource contextSource =
                    new DefaultSpringSecurityContextSource( "ldap://" + this.host + ":" + this.port );
            contextSource.setUserDn( this.userDn );
            contextSource.setPassword( this.password );
            return contextSource;
        }

        @Bean( name = "userSearch" )
        public FilterBasedLdapUserSearch userSearch() {

            return new FilterBasedLdapUserSearch( this.baseDn, "(bsalias={0})", this.contextSource() );
        }

        @Bean( name = "ldapAuthenticator" )
        public LdapAuthenticator ldapAuthenticator() {

            BindAuthenticator authenticator = new BindAuthenticator( this.contextSource() );
            authenticator.setUserSearch( this.userSearch() );
            return authenticator;
        }

        @Bean( name = "atlasAuthoritiesPopulator" )
        public AtlasAuthoritiesPopulator atlasAuthoritiesPopulator() {

            return new AtlasAuthoritiesPopulator();
        }

        @Bean( name = "ldapAuthenticationProvider" )
        public LdapAuthenticationProvider ldapAuthenticationProvider() {

            return new LdapAuthenticationProvider( this.ldapAuthenticator(), this.atlasAuthoritiesPopulator() );
        }

        @Autowired
        public void configureGlobal( AuthenticationManagerBuilder auth ) throws Exception {

            auth.eraseCredentials( false ).authenticationProvider( this.ldapAuthenticationProvider() );
        }
    }
}

However, using the xml configuration for the same spring security and spring framework is running ok and the password is available.

<context:property-placeholder location="file:${config.env:}/config_env.properties" />

<global-method-security secured-annotations="enabled"/>

<beans:bean id="authenticationEntryPoint"
        class="es.isban.atlas.views.web.core.authentication.XhrAwareAuthenticationEntryPoint">
    <beans:constructor-arg name="loginFormUrl" value="/home?noAuthenticated=expired"/>
</beans:bean>

<beans:bean id="accessDeniedHandler"
        class="es.isban.atlas.views.web.core.authentication.XhrAwareAccessDeniedHandlerImpl">
        <beans:property name="errorPage" value="/denied" />
</beans:bean>

<beans:bean id="atlasAuthenticationSuccessHandler"
        class="es.isban.atlas.views.web.core.authentication.AtlasAuthenticationSuccessHandler">
    <beans:constructor-arg name="defaultTargetUrl" value="/views/hub"/>
</beans:bean>

<beans:bean id="atlasAuthenticationFailureHandler"
        class="es.isban.atlas.views.web.core.authentication.AtlasAuthenticationFailureHandler">
    <beans:constructor-arg name="defaultFailureUrl" value="/home?loginError=error"/>
</beans:bean>

<beans:bean id="atlasLogoutSuccessHandler"
        class="es.isban.atlas.views.web.core.authentication.AtlasLogoutSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/home?logoff=disconnect" />
</beans:bean>

<!-- This is where we configure Spring-Security -->
<http use-expressions="true"
      entry-point-ref="authenticationEntryPoint">

    <access-denied-handler ref="accessDeniedHandler" />

    <intercept-url pattern="/*" access="permitAll()"/>
    <intercept-url pattern="/views/**" access="isAuthenticated()" />
    <intercept-url pattern="/rss/**" access="isAuthenticated()" />
    <intercept-url pattern="/search/**" access="isAuthenticated()" />
    <intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN')" />

    <form-login login-page="/home"
                login-processing-url="/login"
                authentication-success-handler-ref="atlasAuthenticationSuccessHandler"
                authentication-failure-handler-ref="atlasAuthenticationFailureHandler" />
                <!-- authentication-failure-url="/home?loginError=error"
                     default-target-url="/views/hub" -->

    <logout logout-url="/logout"
            invalidate-session="true"
            success-handler-ref="atlasLogoutSuccessHandler" />
            <!-- logout-success-url="/home"
                 delete-cookies="true" -->
</http>

<beans:beans profile="PRO">

    <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://${ldap.host}:${ldap.port}"/>
        <beans:property name="userDn" value="${ldap.userdn}"/>
        <beans:property name="password" value="${ldap.passw}"/>
    </beans:bean>

    <beans:bean id="ldapAuthProvider"
            class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch">
                    <beans:bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
                        <beans:constructor-arg value="${ldap.basedn}"/>
                        <beans:constructor-arg value="(bsalias={0})"/>
                        <beans:constructor-arg ref="contextSource"/>
                    </beans:bean>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="es.isban.atlas.views.web.core.authorization.AtlasAuthoritiesPopulator" />
        </beans:constructor-arg>
    </beans:bean>

    <authentication-manager erase-credentials="false">
        <authentication-provider ref="ldapAuthProvider" />
    </authentication-manager>

</beans:beans>

<beans:beans profile="DES">
    <authentication-manager erase-credentials="false">
        <authentication-provider>
            <user-service>
                <user name="user" password="atlas" authorities="ROLE_USER" />
                <user name="admin" password="atlas" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Do you have any clue? How can I fix that?

Thanks in advance.

like image 306
Juan Carlos Serrano Avatar asked Mar 25 '14 11:03

Juan Carlos Serrano


1 Answers

This is a bug in the Spring Security Java Configuration that impacts the global authentication option. See SEC-2533 for details. There is not a real easy work around for this issue, but the bug is already fixed and a release will be out within the next few days.

like image 62
Rob Winch Avatar answered Nov 10 '22 00:11

Rob Winch