spring-security

How to set custom attributes to user details object in spring security 3.0

The question says it all. In spring security 2.x we can set the custom values to the user in the userattributes. Is there a similar/alternate way of doing the same in spring security 3.0? ...

Using Spring Security with EJB or Spring?

I wanted to build an application based on Java EE 6, but the security mechanisms of Java EE are not sufficient and a pain to work with for my needs. Spring Security seems the best way to secure my application. Now I wonder if Spring Security + EJB is a good combination or if I should better use Spring only. I need method interception, ACL...

Spring Security with EJBs

Since EJB authorization is too limited for my needs I want to use Spring Security together with EJBs. For authentication I want to use Spring Security too. The question is, if I can use the Spring Security context within an EJB. The scenario: user communicates with a servlet authentication through Spring Security servlet communicates ...

Spring Security With X.509 Certificate

I am slowly going insane trying to configure Spring Security 3.0.0 to secure an application. I have configured the server (jetty) to require client authentication (using a smart card). However, I cannot seem to get the applicationContext-security.xml and UserDetailsService implementation right. First, from the application context file:...

Spring SecurityContext with EJB

I want to use Spring Security with EJB 3.1. I was told that storing the SecurityContext with ThreadLocal doesn't work in clustered environments. What is the best way to hold a Spring SecurityContext in a clustered EJB environment? My ideas: A) replace the SecurityContextHolder with a singleton EJB and hold the SecurityContext fo...

Framework like Spring Security for Java EE?

Spring Security offers many powerful security mechanisms but it doesn't fit properly into a Java EE (EJB) environment. One problem is that Spring Security stores the SecurityContext in a ThreadLocal object which is not suitable for clusters. Spring Security relies on services (AOP for example) from Spring core which are not available if ...

How to connect ACLs with protected resources?

What is the best way to connect an ACL with the protected resource? 1) Should the protected resource hold a reference to its ACL? interface AclHolder { Acl getAcl(); } This would be simple, but if the object lives in a database it has to be constructed before it is possible to check access rights. 2) Spring Security uses a mec...

How to make a request from an android app that can enter a Spring Security secured webservice method?

I have a Spring Security (form based authentication) web app running CXF JAX-RS webservices and I am trying to connect to this webservice from an Android app that can be authenticated on a per user basis. Currently, when I add an @Secured annotation to my webservice method all requests to this method are denied. I have tried to pass in ...

Comparing Struts 2 Iterator Objects with Spring Security Context

Suppose that I am using the Struts 2 iterate tag on a list of objects. Each object has a property called creatorUserId. I would like to compare the creatorUserId with the Id number of the currently logged in user. How do I do this with Spring Security and Struts 2 in the JSP page? <security:authentication property="principal.userID" /...

problems with enabling spring security in spring mvc

I'm trying to enable Spring Security 2.5 in my spring app but am running into configuration problems. I've followed a few examples and have done what they are doing, but I think something else I have configured is causing problems. Here is my web.xml: <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XML...

Switching authentication approaches at runtime with Spring Security?

Typically, when you declare different "<authentication-provider>" for your application (webapp in my case), Spring Security takes care of invoking providers one after another, in case of failure. So, say I have DatabaseAuthenticationProvider and LDAPAuthenticationProvider with DatabaseAuthenticationProvider declared first in the config fi...

Why doesn't grails' acegi plugin work in weblogic?

I have a grails (v1.2.1) app using the acegi plugin (v0.5.2) to authenticate users against an Active Directory domain. Everything works perfectly as long as I run the app using "grails run-app"; the correct controller/actions are protected, users can successfully log in, they don't have to log in on each page request, etc. When I run the...

How can I prevent spring-security from appending ;jsessionid=XXX to login redirects?

When an unauthenticated client requests a URL that requires a non-anonymous access level as defined in security-config.xml, spring security sends an HTTP redirect to our login page (e.g. /login). That's fine. The issue is that absent an existing session (identified by a cookie provided in the client's request), spring-security issues a...

Jersey, Spring, Tomcat and Security Annotations

I need to secure a simple jersey RESTful API in a Tomcat 6.0.24 container. I'd like to keep the authentication with Basic Authentication using the tomcat-users.xml file to define the users and roles (this is for now, like I said it's small). Now, for authorization I'd like to be able to use the JSR 250 annotations like @RolesAllowed, @Pe...

Is SecurityContextHolder thread safe?

I use SecurityContextHolder and a custom UserDetailsService to obtain UserDetails from SecurityContextHolder: Object o = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); UserDetailsDTO user = (UserDetailsDTO) o; I left out the null checks, etc., but that's the idea. I'm using this in an @Around pointcut of an @A...

How to access multipart parameters in custom SpringSecurityFilter using Grails

I'm working on implementing a URL token based authentication scheme (using Grails) and have been working off of Glen's very helpful example: http://blogs.bytecode.com.au/glen/2010/01/15/hacking-custom-authentication-providers-with-grails-spring-security.html The problem I've run into, is some of my requests are multipart/form-data and ...

Grails with SpringSecurity, check if the current user can access controller / action

Hi, I'm currently developing a menu for my application that should be able to display only the controllers that the current user can access (requestmap defined in the database). How can I check if the current user has access to a specific controller and action? Thanks, Jan ...

Get Spring Security intercept urls from database or properties

Hopefully this is super simple, exists, and I'm overlooking something right under my nose. I know that I can restrict access via annotations: @Secured({"ROLE_ADMIN"}) or via config: <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN, ROLE_SUPER_USER" /> I would prefer to obtain authentication rules from a database...

How do I configure Spring Security 2 database authentication with Hibernate 3 Annotated Classes?

Hi, I'm building an app using Hibernate 3 (with JPA Annotations), Spring 2.5 and Spring Security 2.0.5. I want to know what I need to put in my <authentication-provider> tag in my spring security config file (applicationContext-security.xml) so that I can get Spring Security to use my existing Service layer class (AuthenticationService...

Access HTTP Session from Spring Security Login Process

Can I access the HTTP Session object from within the retrieveUser method of my class which extends org.springframework.security.providers.dao.AbstractUserDetailsAuthenticationProvider? If so, how? Here is the method signature for retrieveUser: public UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentic...