I am trying to integrate Spring Security in my project. I have followed the documentation given here: https://spring.io/guides/gs/securing-web/ Instead of Spring Boot, I have configured everything using XML. My <code>web.xml</code> is: <pre class="prettyprint lang-xml prettyprint-override"><code><listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <servlet> <servlet-name>dispatcher</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>default</servlet-name> <url-pattern>*.css</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>default</servlet-name> <url-pattern>*.js</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>dispatcher</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> </code></pre> <code>dispatcher-servlet.xml</code>: <pre class="prettyprint"><code><context:component-scan base-package="com.name.ot" /> <bean id="resolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" /> <property name="prefix" value="/WEB-INF/" /> <property name="suffix" value=".jsp" /> </bean> </code></pre> And my view controller is: <pre class="prettyprint"><code>@Controller public class HomeController{ @RequestMapping(value={"/", "/home"}, method = RequestMethod.GET) public ModelAndView home() { ModelAndView model = new ModelAndView("home"); return model; } @RequestMapping(value={"/hello"}, method = RequestMethod.GET) public ModelAndView hello() { ModelAndView model = new ModelAndView("hello"); return model; } @RequestMapping(value={"/login"}, method = RequestMethod.GET) public ModelAndView login() { ModelAndView model = new ModelAndView("login"); return model; } } </code></pre> My security class: <pre class="prettyprint"><code>@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/home").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .permitAll() .and() .logout() .permitAll(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("password").roles("USER"); } } </code></pre> But, I am able to access all the pages, <code>/</code>, <code>/home</code>, <code>/hello</code>, <code>/login</code>. I don't want the user to directly access <code>/hello</code>, without going in <code>/login</code>. What am I doing wrong?

You have to register Filter Chain Proxy. For XML configuration, see Spring Security Reference: <blockquote> When using servlet filters, you obviously need to declare them in your <code>web.xml</code>, or they will be ignored by the servlet container. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces. Spring’s <code>DelegatingFilterProxy</code> provides the link between <code>web.xml</code> and the application context. When using <code>DelegatingFilterProxy</code>, you will see something like this in the <code>web.xml</code> file: <pre class="prettyprint lang-xml prettyprint-override"><code><filter> <filter-name>myFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>myFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </code></pre> </blockquote> For Java configuration and Servlet API 3+, see Spring Security Reference: <blockquote> The next step is to register the <code>springSecurityFilterChain</code> with the war. This can be done in Java Configuration with Spring’s <code>WebApplicationInitializer</code> support in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class <code>AbstractSecurityWebApplicationInitializer</code> that will ensure the <code>springSecurityFilterChain</code> gets registered for you. </blockquote>

Why is Spring Security not working?

Tags:

java

spring-mvc

spring

spring-security

I am trying to integrate Spring Security in my project.

I have followed the documentation given here: https://spring.io/guides/gs/securing-web/

Instead of Spring Boot, I have configured everything using XML.

My web.xml is:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>*.css</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>*.js</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

dispatcher-servlet.xml:

<context:component-scan base-package="com.name.ot" />

<bean id="resolver"
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="viewClass"
        value="org.springframework.web.servlet.view.JstlView" />
    <property name="prefix" value="/WEB-INF/" />
    <property name="suffix" value=".jsp" />
</bean>

And my view controller is:

@Controller
public class HomeController{

    @RequestMapping(value={"/", "/home"}, method = RequestMethod.GET)
    public ModelAndView home() {

        ModelAndView model = new ModelAndView("home");
        return model;
    }

    @RequestMapping(value={"/hello"}, method = RequestMethod.GET)
    public ModelAndView hello() {

        ModelAndView model = new ModelAndView("hello");
        return model;
    }

    @RequestMapping(value={"/login"}, method = RequestMethod.GET)
    public ModelAndView login() {

        ModelAndView model = new ModelAndView("login");
        return model;
    }
}

My security class:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

But, I am able to access all the pages, /, /home, /hello, /login.

I don't want the user to directly access /hello, without going in /login.

What am I doing wrong?

261

asked Sep 20 '16 08:09

adi rohan

2 Answers

I had the same issue.

My solution is as mentioned in the "Spring in action" book by Craig Walls p247. You need to create an empty class that extends AbstractSecurityWebApplicationInitializer.

public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {}

126

answered Sep 30 '22 15:09

user3559338

You have to register Filter Chain Proxy.

For XML configuration, see Spring Security Reference:

When using servlet filters, you obviously need to declare them in your web.xml, or they will be ignored by the servlet container. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces. Spring’s DelegatingFilterProxy provides the link between web.xml and the application context.

When using DelegatingFilterProxy, you will see something like this in the web.xml file:
<filter>
 <filter-name>myFilter</filter-name>
 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
 <filter-name>myFilter</filter-name>
 <url-pattern>/*</url-pattern>
</filter-mapping>

For Java configuration and Servlet API 3+, see Spring Security Reference:

The next step is to register the springSecurityFilterChain with the war. This can be done in Java Configuration with Spring’s WebApplicationInitializer support in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class AbstractSecurityWebApplicationInitializer that will ensure the springSecurityFilterChain gets registered for you.

answered Sep 30 '22 16:09

dur

Related questions
                            
                                Elasticsearch Scan&scroll with JEST API
                            
                                Expressions with conditional and assignment operator
                            
                                Evaluating multiple variable together in if condition
                            
                                How to convert String to enum value when enum type reference is a Class<?>?
                            
                                compare two strings in java using command line arguments [duplicate]
                            
                                No enclosing instance of type is accessible [duplicate]
                            
                                Populate child bean with Transformers.aliasToBean in Hibernate
                            
                                Search sorted List<Long> for closest and less than
                            
                                alternative way to compare if three ints are equal
                            
                                java.lang.NoSuchMethodException: Unknown property '' on class 'class java.lang.String'
                            
                                How to read comma separated integer inputs in java
                            
                                Parse negative number with parentheses [duplicate]
                            
                                Tomcat v7.0 stopped to run my project at localhost
                            
                                How to Create InputStream Object from JsonObject
                            
                                Install new software in Eclipse Luna gives always the error No repository found containing: osgi.bundle,org.eclipse.net4j.jms.api?
                            
                                Finding the second smallest integer in array
                            
                                How do I fix UnsupportedCharsetException in Eclipse Kepler/Luna with Jython/PyDev?
                            
                                JUnit @Before and @After executing before and after every test [duplicate]
                            
                                How to properly return part of ArrayList in Java?
                            
                                How to check if any item is selected in JavaFX ComboBox

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With