Authentication via JSP (and redirecting to Flex)

[BrianBLong]

Hi all,

This thread is my alternative to moving a Flex thread on accessing UserDetails. Truthfully, I think I've got it working right, I'm just looking for confirmation from the community:


My security-config.xml file:

Code:

<http auto-config="true">
	<intercept-url pattern="/index.html" filters="none" />
	<intercept-url pattern="/favicon.ico" filters="none" />
	<intercept-url pattern="/main.css" filters="none" />
	<intercept-url pattern="/jspErrorPage.jsp" filters="none" /> <!--  For error handling  -->
	<intercept-url pattern="/ldaplogin.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
	<intercept-url pattern="/app-flex/**" access="ROLE_USER" />

	<!-- FIXME: Be sure to remove these as they may expose sensitive info -->
	<intercept-url pattern="/Hidden.jsp" access="ROLE_ADMIN" />	<!-- For Spring Security debugging only -->
	<intercept-url pattern="/variables.jsp" filters="none" /> <!-- For Tomcat/Java debugging only -->

	<form-login login-page="/ldaplogin.jsp" default-target-url="/app-flex/Main.html" 
		always-use-default-target="true"/>
</http>

My ldaplogin.jsp page:

Code:

if(cookieAuthentication == true){
	// The cookies that I have here include things like userid, first name, last name and the privileges they have
	sc =  (SecurityContextImpl)SecurityContextHolder.getContext();
	/*
	sc instance of: org.springframework.security.authentication.AnonymousAuthenticationToken
	Principal: anonymousUser; 
	Authenticated: true; 
	Granted Authorities: ROLE_ANONYMOUS
	*/
	if (sc != null){
		// Just using this for debuggin
		auth = SecurityContextHolder.getContext().getAuthentication();
	}
	// Instantiate a new Authentication object in the Security Context
	// per the user details that already exist in the cookies
	upat = new UsernamePasswordAuthenticationToken(ldaploginuserid,"password",AuthorityUtils.createAuthorityList("ROLE_USER","ROLE_ADMIN"));

	// Wondering if there's a best-practice way to do this in JSP
	SecurityContextHolder.getContext().setAuthentication(upat);

	log.info(upat.toString()); // For info only

	response.sendRedirect(referrer); // Where referrer is "flex-Main.html"
	return; // Flex will then use the SecurityHelper to change the View and allow method invocation 
}

This all seems to be in working order:
- I can make a call to a remote object (SecurityHelper) from the Flex client and get the Authentication of the principal (UserDetails)
- I can secure my interfaces via annotations like @Secured("ROLE_ADMIN")

Though, my security-config.xml file still has this in it (I've been converting the samples to fit my implementation needs):

Code:

<authentication-manager>
	<authentication-provider>
		<user-service>
			<user name="john" password="john" authorities="ROLE_USER" />
			<user name="admin" password="admin"
				authorities="ROLE_USER, ROLE_ADMIN, APP_ADMIN" />
			<user name="guest" password="guest" authorities="ROLE_GUEST" />
		</user-service>
	</authentication-provider>
</authentication-manager>

Do I need to create my own AuthenticationManager or AuthenticationProvider if my JSP seems to fit my need?

Thanks community!
- Brian

[pmularien]

I can answer your question, but I'm not convinced you're asking the question you want to ask

The answer to your question is no, but to me (without seeing what you are doing with LDAP), it looks like storing user credentials and roles in a cookie is just asking to get hacked!

If you are in fact authenticating against LDAP, and pulling authorization information from LDAP, you should probably look at the built-in LDAP authentication provider, which handles a lot of complex scenarios for you.

Additionally, if you are trying to integrate Spr Sec roles with Flex, you should look into the Spring Flex project and its ability to secure Flex endpoints by role - it integrates seamlessly with an already-authenticated session. The other nice bonus of Spring Flex is that you can integrate login directly into Flex (assuming you are running BlazeDS on the server).

[BrianBLong]

I definitely want to implement's Spring Security's LDAP model but I'm in iteration 1 of an internal RIA project that I'm hoping to wrap up quickly. Hopefully for iteration 2, I can get a bit more refinement. So unfortunately, I'm using a JSP page that my team's used on a number of web apps to handle authentication against LDAP. Basically what I have access to (for the time being) is the cookies that are returned to this particular JSP page which hold some user data.

Also, yes, I am using the Spring-Flex project, essentially refactoring and changing the samples (the "testdrive" application) to fit my need. It's an excellent project and I am definitely enjoying the ability to "secure Flex endpoints by role". I'm using the @Secured annotations on my DAO classes to that end, it's great and seems to be working just fine for the roles I'm assigning in my JSP (see previous threat post).

Anyhow, as I said I've started my project from modifying the Spring-Flex samples and when I remove:

Code:

	<authentication-manager>
		<authentication-provider>
			<user-service>
				<user name="john" password="john" authorities="ROLE_USER" />
				<user name="admin" password="admin"
					authorities="ROLE_USER, ROLE_ADMIN" />
				<user name="guest" password="guest" authorities="ROLE_GUEST" />
			</user-service>
		</authentication-provider>
	</authentication-manager>

I end up with this stack trace:

Code:

SEVERE: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot create inner bean '(inner bean)' of type [org.springframework.security.config.authentication.AuthenticationManagerFactoryBean] while setting bean property 'parent'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#4': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add an <authentication-manager> element to your configuration (with child <authentication-provider> elements) ?
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:281)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:125)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1325)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1086)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:580)
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
	at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3764)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4216)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
	at org.apache.catalina.core.StandardService.start(StandardService.java:448)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#4': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add an <authentication-manager> element to your configuration (with child <authentication-provider> elements) ?
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:149)
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:109)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:274)
	... 30 more
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add an <authentication-manager> element to your configuration (with child <authentication-provider> elements) ?
	at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:30)
	at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:20)
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:142)
	... 32 more

*EDIT: After heading back to the Reference Docs, I added this (empty) node:

Code:

<authentication-manager/>

... right below the <http> element in my security-config.xml file and it seems like my application starts up and runs properly; including the security I'm expecting on certain methods and the privileges I'm assigning to particular users in my JSP page. I think I need to read more of the documentation now, to learn a bit more about the <authentication-manager> node.

Thanks everyone,
Brian

[cstepnitz]

Brian,

I am trying to do something similar, but am having trouble with web.xml. Would you be willing to post your version of web.xml?

Thanks!