I'd like to use XML based configuration to Spring Security. The first idea was to use SHA-256 or any other hashing function for user passwords. I could not find a nice way to solve this with plain java., so I started to configure things in xml. That was the point, when it started to get interesting.
My configuration:
spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd>
<http pattern="/css/**" security="none"/>
<http pattern="/login.html*" security="none"/>
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.html'/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin"
authorities="ROLE_USER, ROLE_ADMIN"/>
<user name="bob" password="bob"
authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
I load the xml file in the class, where the public static void main
can be found:
@Configuration
@ComponentScan
@EnableAutoConfiguration
@Order(HIGHEST_PRECEDENCE)
@ImportResource({
"/spring-security.xml"
})
public class PhrobeBootApplication extends SpringBootServletInitializer {
...
}
But I get the following exception on any pageload:
[ERROR] org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
...
So it seems like the configuration from resources/WEB-INF/web.xml
doesn't load, if I have a good understanding from the documentation, I should use it when using just plain spring, without the boot. (the filters should be configured). Am I right?
Why is this error happens? Is there a better way to use xml based configuration for spring-security in spring-boot? Does web.xml even load by tomcat?
I was getting the same issue then I changed the path of XML file and kept it as in src/main/resources/spring
. It's working fine.
@SpringBootApplication
@ImportResource("classpath:/spring/spring-security.xml")
I haven't tried this (because there really isn't anything you can't do with Java configuration), but you would have to eliminate the Spring Boot-provided WebSecurityConfigurers
(and @EnableWebSecurity
). I think to do that is maybe more complicated than it needs to be (but then again no-one needs to use XML). You would have to exclude SecurityAutoConfiguration
in your @EnableAutoConfiguration
and then deal with problems as they arise (you might need a bean of type SecurityProperties
still for example, and you probably can't use the Actuator without some more messing about).
I'm not sure what you mean about "configuration from resources/WEB-INF/web.xml
" since a) it's a Spring Boot app and b) even if it wasn't there wouldn't be a resources/WEB-INF/web.xml
.
According to the statement by Dave Syer in the recent version of spring boot the best way to configure the spring security is with Java configuration.
I needed an SHA-256 encoder, but I haven't find any simple and good solution for implementing one. You just need to configure the jdbcAuthentication with the passwordEncoder. This is really really simple:
@EnableWebSecurity
public class SpringSecurityConfigurer extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
}
@Bean
public ApplicationSecurity applicationSecurity() {
return new ApplicationSecurity();
}
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private SecurityProperties security;
@Autowired
private DataSource dataSource;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated()
.and().formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
}
PasswordEncoder sha256PasswordEncoder = new PasswordEncoder() {
@Override
public String encode(CharSequence rawPassword) {
return Hashing.sha256().hashString(rawPassword, Charsets.UTF_8).toString();
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return encodedPassword.equals(Hashing.sha256().hashString(rawPassword, Charsets.UTF_8).toString());
}
};
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
.dataSource(this.dataSource)
.passwordEncoder(sha256PasswordEncoder);
}
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.