Search:

I have a pretty standard Spring 3.0.7 web app

The structure is like this

WebContent/
------resources/
------------myStaticContent/
------WEB-INF/
------------views/...

Still have not had any luck finding concrete examples .

My requirement my be more uncommon but it would be nice to know if the ability to update or write users roles/Authorities is part of...

We use Spring Security to authenticate and authorize our users and it works very well.

However we now may have to change a users roles and their corresponding group membership.

This means...

I think you could use whatever you choose to program : )

I have not used container security ( i.e. web sphere ) in conjunction with spring so I can't say if it would work .

Spring security is...

jr

glad to hear that you got it fixed.

If possible could you post your fix ? I have been unable to get a fix working .

thanks

OK

in my case the access denied config is its own line not a part of the http element


<access-denied-handler errorPage="/accessDenied" />

When you debug do you see a request for that page...

jr

Just updating ... I have so far been unable to handle access denied better.

in my case (x509 with LDAP authorities) I implemented my own FilterBasedLDAPUserSearch and UserDetailsServices...

Have you considered assigning roles based on authentication source ? ie ROLE_FROM_CAS and ROLE_FROM_DB...

Spring makes it very easy to then test for those roles ...

Sword

When you say not working what do you mean ? What DOES happen ? a 403 page or ?

I use the configuration you posted and it does work ..however Spring's use of accessDeneid has a few...

First I suggest you read the faq here

http://static.springsource.org/spring-security/site/faq.html



Relative to what ? If the CAS is not secure then there are likely larger problems.
...

Stieuma

I would agree with Marcel . I just implemented x509 certs with LDAP authorities.

I am not sure what the x509 certificate is supposed to accomplish without SSL/TLS negotiation. As far I...

Jason

I took a look at my running code .

I implemented LdapAuthoritiesPopulator to setup my initial authorities. It would seem that you might also be able to set the authorities to a a new...

I learned alot from Peter Mularien's book. Worth every penny

http://forum.springsource.org/showthread.php?90236-Spring-Security-Book-Now-Available

Jason

I have not tried it but I use a custom authorities provisioner to handle my roles and i think it could handle this .

There may be some protections in place to prevent inaccurate session...

jr

see my thread here http://forum.springsource.org/showthread.php?115235-x509-with-separate-userdetails-and-access-denied-handler

I suspect you are seeing what I am seeing .

In preauth...

digging deeper I created my own userDetails and LdapfilterSearch implementations.

I was attempting to change the UsernNotFound exception to something I could actually use.

However it appears...

Ok so coming back to this ...

I can see that bad user credentials ( where the user is not found but has a valid x509) throws a UserNameNotFoundException from...

ravkrr

I suspect your paths do not match.

src/main/webapp may be where you put it but where does it end up when you build ?

Your war or root folder should contain a meta-inf , a Web-in and...

I did some more testing and had some disturbing results.

using only


<access-denied-handler error-page="/myController">

I tested both use cases . In cases where the user has a valid cert...

I am using x509 client certs with spring security 3.0.7.

I authenticate with the client certs and then get user authorities from a ldap server.

This all works correctly so now i need to deal...

OK so it seems the best (?) path to using the memberOf in AD is to write my own ldapAuthoritiesPopulator.

so given the config below ( which all works correctly minus the mapping of memberOf to...

Ok I have found where my problem is

in SpringSecurityLdapTemplate.searchForSingleAttributeValues

Specifically it accepts four arguments. groupSearchBase,groupSearchFilter,groupRoleAttribute...

Mo

I agree that configuring spring security to work with a AD LDS is troublesome.

In part this seems to be due to the fact that getting successful results from the search,bind and authorities...

Hi mo


I would suggest that you upgrade to 3.0.7 just to rule our an issues.

The way I read your debug log is that the string used to bind for authentication is not a match.

I am not at...

Mo

I think we might have the same problem .

My AD/LDS server is a 2008 R2 and not a 2003 ( which returns vastly different results FYI ) ..

I put a break point in...