-
spring security issue
I am using the same code that came from greenhouse for the configuration of spring security and oauth.
This is the message I get when starting VMWare vFabric tc Server v2.6 in STS 2.8.1. I would normally assume that I needed to declare a Bean called usernamePasswordAuthenticationProvider; however, I cannot find such a bean definition in Greenhouse either. Can someone enlighten me on how Greenhouse does it and why the configuration I have below is not working? I have Greenhouse loaded in STS as well and it starts up fine.
Note: I've stripped out the extraneous and repeated logging details and itemized the errors.
Code:
ERROR: org.springframework.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.BeanCreationException:
1. Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#0' while setting bean property 'sourceList' with key [0];
2. Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' while setting constructor argument with key [3];
3. Error creating bean with name 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0': Cannot resolve reference to bean 'org.springframework.security.authentication.ProviderManager#0' while setting bean property 'authenticationManager';
4. Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot resolve reference to bean 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0' while setting constructor argument;
5. Error creating bean with name 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0': FactoryBean threw exception on object creation;
6. Error creating bean with name 'org.springframework.security.authenticationManager': Cannot resolve reference to bean 'usernamePasswordAuthenticationProvider' while setting constructor argument with key [0];
7. No bean named 'usernamePasswordAuthenticationProvider' is defined
SecurityConfig.java
Code:
@Configuration
@ImportResource("classpath:com/studentsocialhealth/youarefine/config/security.xml")
public class SecurityConfig {

    @Configuration
    @Profile("embedded")
    static class Embedded {

        @Bean
        public PasswordEncoder passwordEncoder() {
            return NoOpPasswordEncoder.getInstance();
        }

        @Bean
        public TextEncryptor textEncryptor() {
            return Encryptors.noOpText();
        }

        @Bean
        public OAuthSessionManager oauthSessionManager(AppRepository appRepository) {
            return new ConcurrentMapOAuthSessionManager(appRepository);
        }
    }

    @Configuration
    @Profile("standard")
    static class Standard {

        @Inject
        private Environment environment;

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new AccountPasswordEncoder(getEncryptPassword());
        }

        @Bean
        public TextEncryptor textEncryptor() {
            return Encryptors.queryableText(getEncryptPassword(), environment.getProperty("security.encryptSalt"));
        }

        @Bean
        public OAuthSessionManager oauthSessionManager(StringRedisTemplate redisTemplate, AppRepository appRepository) {
            return new RedisOAuthSessionManager(redisTemplate, appRepository);
        }

        // helpers
        private String getEncryptPassword() {
            return environment.getProperty("security.encryptPassword");
        }
    }
}
security-oauth-provider.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security/oauth http://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">

    <!-- Steps of OAuth 1.0
         POST /oauth/request_token?oauth_consumer_key&oauth_callback (returns unauthorized token)
         GET /oauth/confirm_access?oauth_token (returns secure authorization form)
         (User) POST /oauth/authorize?requestToken&callbackUrl (authorizes oauth token, redirect to callbackUrl)
         POST /oauth/access_token?oauth_consumer_key&oauth_token&oauth_verifier -->

    <!-- Spring Security OAuth 1.0 Provider Configuration -->
    <oauth:provider consumer-details-service-ref="appConsumerDetailsService"
        token-services-ref="oauthProviderTokenServices"
        request-token-url="/oauth/request_token"
        authenticate-token-url="/oauth/authorize"
        authentication-failed-url="/oauth/confirm_access"
        access-token-url="/oauth/access_token"
        require10a="false" />

    <!-- Sends a UNAUTHORIZED response back to clients attempting to access
         protected resources but who have not yet authenticated via OAuth -->
    <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth.provider.OAuthProcessingFilterEntryPoint">
        <property name="realmName" value="StudentSocialHealth" />
    </bean>
</beans>
security.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <http use-expressions="true">
        <!-- Authentication policy -->
        <form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?error=1" />
        <logout logout-url="/signout" delete-cookies="JSESSIONID" />
        <!-- Authorization policy definition: TODO consider replacing with @Secured on @Controllers -->
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/favicon.ico" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/signup" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
        <intercept-url pattern="/signin" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
        <intercept-url pattern="/signin/*" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
        <!-- <intercept-url pattern="/reset" access="permitAll" requires-channel="#{environment['application.secureChannel']}" /> -->
        <!-- TODO this would probably be better mapped to simply /invite?token={token} but not able to vary security policy here based on presence of a request parameter. Consider @Secured on @Controller. -->
        <intercept-url pattern="/invite/accept" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="#{environment['application.secureChannel']}" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="usernamePasswordAuthenticationProvider" />
    </authentication-manager>

    <beans:import resource="security-oauth-provider.xml" />
</beans:beans>
web.xml
Code:
<!-- Secures the application -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <!--
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>springSecurityFilterChain</param-value>
    </init-param>
    -->
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-
Howdy, anyone at all have an idea of what thing I'm missing here???? Anyone???
-
The "usernamePasswordAuthenticationProvider" is an annotated service bean at com.springsource.greenhouse.account.UsernamePasswordAuthenticationProvider. Check if you have it in your source code.
-
@yuanji, thanks that was a problem, now I have another problem. I'm getting the following error that I don't understand:
Code:
Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed;
nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other
patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace
or FilterChainProxy bean configuration
-
OK, that is a tough question. I don't have enough information about your application, so I can only guess what's wrong. Maybe you have more than one <http> in your security configuration, and the first one has no pattern attribute defined.
Let's explain how this error happens. When Spring Security parses your config xml file, it starts with o.s.s.config.SecurityNamespaceHandler. It has many parsers; one is o.s.s.config.http.HttpSecurityBeanDefinitionParser, which will parse the <http> element.
The HttpSecurityBeanDefinitionParser will register the filter chain proxy if it is not registered before (an object of o.s.s.web.FilterChainProxy), and set filterChainValidator as o.s.s.config.http.DefaultFilterChainValidator. This filter chain proxy bean will have the name "springSecurityFilterChain", which you see in your web.xml. Then HttpSecurityBeanDefinitionParser will parse the <http> element with other configuration builders; each will add filters to the filter chain o.s.s.web.SecurityFilterChain. The bean class is o.s.s.config.http.DefaultSecurityFilterChain, with o.s.s.web.util.AnyRequestMatcher as RequestMatcher if no pattern or request-matcher-ref is provided. After finishing, it will add this SecurityFilterChain to the filter chain proxy.
After parsing finishes, the filter chain proxy will be validated in the afterPropertiesSet() method, which will call filterChainValidator.validate(). The DefaultFilterChainValidator will check the path order of all filter chains, and if one filter chain is using AnyRequestMatcher and is not the last one, it will throw an IllegalArgumentException, as you see in the output.
Good luck.
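
The ordering rule described in this reply, as a small self-contained Java model. This is an added example, not part of the original post and not Spring Security's source; the Chain class, the toy path matcher and the two sample chains are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of the ordering check described above (not Spring Security source).
public class ChainOrderCheck {
    // One <http> element; pattern == null models "no pattern attribute" (any request).
    static final class Chain {
        final String name;
        final String pattern;
        Chain(String name, String pattern) { this.name = name; this.pattern = pattern; }
        boolean universal() { return pattern == null; }
        boolean matches(String path) {
            if (universal()) return true;
            // Toy matcher: handles only "prefix/**" and exact paths, enough for this demo.
            if (pattern.endsWith("/**")) {
                String prefix = pattern.substring(0, pattern.length() - 3);
                return path.equals(prefix) || path.startsWith(prefix + "/");
            }
            return path.equals(pattern);
        }
    }

    // Rejects a universal chain that is not last, as the validator is described to do.
    static void validate(List<Chain> chains) {
        for (int i = 0; i < chains.size() - 1; i++) {
            if (chains.get(i).universal()) {
                throw new IllegalArgumentException("universal chain '" + chains.get(i).name
                        + "' at position " + i + " hides the chain(s) after it");
            }
        }
    }

    // The first matching chain handles the request; later chains are never consulted.
    static String dispatch(List<Chain> chains, String path) {
        for (Chain c : chains) {
            if (c.matches(path)) return c.name;
        }
        return "none";
    }

    public static void main(String[] args) {
        // Constructed sample: one <http> without a pattern, one with pattern="/api/**".
        List<Chain> bad = Arrays.asList(new Chain("web", null), new Chain("api", "/api/**"));
        List<Chain> good = Arrays.asList(new Chain("api", "/api/**"), new Chain("web", null));
        System.out.println("bad order, /api/orders handled by: " + dispatch(bad, "/api/orders"));
        try { validate(bad); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        validate(good); // passes: the universal chain is last
        System.out.println("good order, /api/orders handled by: " + dispatch(good, "/api/orders"));
    }
}
```

In the bad ordering every request, including /api/orders, is handled by the pattern-less chain, so the rules of the chain behind it never apply; failing at startup surfaces that instead of leaving it silent.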
-
@yuanji, Hi, thanks for the reply. I understand some of what you are saying, and I've looked at the spring code. I guess I am wondering if this is something I specify in my code that is not already posted above in my web.xml, security.xml, security-oauth-provider.xml, or SecurityConfig.java files. The only reference to a <http> tag in my entire application is in the security.xml file. I did a global search just to make sure. Is this the <http> you are referring to? If yes, then I don't see any settings for path or path order. If no, then where are these paths being configured or determined?
Thanks
Joe
-
@Yuanji, I have a partial fix. I commented out all of the <intercept-url... in the security.xml file except for the very last one with the pattern="/**". When starting up, I don't get the error anymore. I will have to work on the other patterns one at a time in different order to see what the problem is. Thanks for your help.