spring-security

Spring security: adding "On unsuccessful login event listener"

I'm new to Spring Security. How do I add an event listener which will be called as a user logs in successfully? Also I need to get some kind of unique session ID in this listener which should be available further on. I need this ID to synchronize with another server. ...

When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?

I have a Spring MVC web app which uses Spring Security. I want to know the username of the currently logged in user. The code snippet below is what I'm doing. My question is, is this the accepted way? I don't like having a call to a static method inside this controller - that defeats the whole purpose of Spring, IMHO. Is there a w...

Securing Remote Access over JMXMP with Spring Security

I am using Spring 2.5 and Java 1.6.0_7. I remote several JMX MBeans and have multiple clients invoking those MBeans remotely using JMXMP. I rely on JMX Notification listeners to push events out to multiple clients. I am trying to figure out how to secure remote access to those MBeans using Spring Security. I need to specify multiple le...

Unit testing with Spring Security

My company has been evaluating Spring MVC to determine if we should use it in one of our next projects. So far I love what I've seen, and right now I'm taking a look at the Spring Security module to determine if it's something we can/should use. Our security requirements are pretty basic; a user just needs to be able to provide a usern...

Creating a custom authentication with Acegi/Spring Security

I'm having trouble discovering exactly what I need to implement in order to use a custom authentication method with my web application using Spring Security. I have a Grails application with the Spring Security plugin that currently uses the standard user/password authentication with a browser form. This is working correctly. I need to...

How can I determine what roles are required to access a URL with Spring Security?

I'm using Spring Security to secure a webapp. The URLs are secured like this: <security:http entry-point-ref="authenticationEntryPoint"> <security:intercept-url pattern="/" access="ROLE_ANONYMOUS" /> <security:intercept-url pattern="/assets/**/*" access="ROLE_ANONYMOUS" /> ... <security:intercept-url pattern="/**" access="ROLE_U...

How to throw an informative exception from AccessDecisionManager that uses voters

Hi all, I have the following situation: my application's authorization mechanism is implemented using Spring security. The central class implements AccessDecisionManager and uses voters (each of which implements AccessDecisionVoter) to decide whether to grant access to some method or not. The algorithm that tallies the votes is custom: ...

Problem migrating Spring Web App from tomcat 5.5 to tomcat 6.0

I have a spring web application which has been working fine on tomcat 5.5. I've attempted to deploy the same web app to a tomcat 6 container and come up against some issues. The main two problems I've had are relating to configuring the container for jstl and getting the spring security login to work properly. I believe I've solved the...

What are some good sample applications using Spring and Hibernate?

I need a quick jump start for using Spring and Hibernate together and I was looking for some sample code to modify and extend. Bonus points for Struts2 and Spring Security integration. ...

Spring embedded ldap server in unit tests

I am currently trying to use an embedded ldap server for unit tests. In Spring Security, you can quickly define an embedded ldap server for testing with the tag with some sample data loaded from the specified ldif. I will be using Spring Ldap to perform ldap operations, and thinking of testing the usual CRUD features of my User servic...

How to grant access for all authenticated users?

Need to grant access to users without any role using Spring Security. Anyone who process authentication must be granted to access any URL. So can I do that by something like this or maybe somehow else? <http auto-config='true'> <intercept-url pattern="/**" access="ALL" /> <intercept-url pattern="/login.jsp" filters="none" /> <for...

Cannot locate 'org.springframework.security.annotation.Jsr250MethodDefinitionSource'

When I configure method security under Spring Security I get the error shown above (see stack trace below). I am running Spring 2.5.6, Spring Security 2.0.4 under Eclipse 3.4 with a Tomcat 6 runtime. I need any suggestion as to what to look at to get this working. My security configuration file is as follows: <beans:beans xmlns="http:/...

Permissions checking in server-side API

Hi all, our product is built on a client-server architecture, with the server implemented in Java (we are using POJOs with Spring framework). We have two API levels on the server: the external API, which uses REST web services - useful for external clients and integrations with other servers. the internal API, which uses pure Java cl...

Spring Security: How to get the initial target url

I am using Spring Security to restrict URLs. I am trying to provide a signup and login page, on the same page. On login, Spring Security transfers to the restricted page. However, I am trying to pass the target URL to the signup process, so that after signup we can redirect to the restricted page. How to get the actual URL that user ...

Spring Security: Custom Authentication Provider for 'one time password' and 'security questions'

Hello, I am using Spring Security and would like to use authentication providers for 'one time password' and 'security questions'. The number of allowed failures for one time password and security questions is limited. So far the authentication providers work fine but for the end user it would be nice to know if he has typed in the wro...

Combining namespace based configuration with different authentication methods in spring-security

I'm trying to get spring-security to work with a project where there is both a form login component needed (for website access) and a http-basic or http-digest component for web services. Now we started out with the namespace based configuration, e.g. a spring-security.xml file with stuff like: <http auto-config="true"> <intercept-u...

Spring Security: What is the UserDetailsManager interface used for? And more!

I'm curious about the UserDetailsManager interface. It's not mentioned in the reference guide and in the JavaDoc it's described as: An extension of the UserDetailsService which provides the ability to create new users and update existing ones. When implementing the UserDetailsManager interface you have to implement five meth...

Grails Acegi Plugin springsecurity.GrailsDaoImpl - User [admin] has no GrantedAuthority

Hi guys, I upgraded my grails 1.0.4 + acegi 0.4.1 project to grails 1.1 with acegi 0.5.1. I'm able to start my application without errors, but when I want to log in I get a "wrong username or password" message. Grails-shell output is: 2009-04-26 12:38:46,997 [403984690@qtp0-0] ERROR springsecurity.GrailsDaoImpl - User [admin] ...

Why is my (Spring Security) servlet filter getting called twice?

Any ideas about why doFilterHttp in my SpringSecurityFilter subclass is getting called twice on each request? I don't really know where to start looking. Feeling a little stumped. I'm reverse engineering a vacationing co-worker's code. To the best I can figure it, here's the relevant configuration: in web.xml: <filter> <filter-name>u...

Spring Security: Advice needed on how to handle GrantedAuthority

I have a concern when it comes to GrantedAuthority objects in a Spring Security application. I'm looking for a good way to handle things. First of all I'm trying to describe my concern, if there are any factual errors do not hesitate to point them out, I'll only be grateful. Spring Security uses GrantedAuthority instances to act as toke...