spring security issue

[solarch]

I am using the same code that came from greenhouse for the configuration of spring security and oauth.

This is the message I get when starting VMWare vFabric tc Server v2.6 in STS 2.8.1. I would normally assume that I needed to declare a Bean called usernamePasswordAuthenticationProvider; however, I cannot find such a bean definition in Greenhouse either. Can someone enlighten me on how Greenhouse does it and the configuration I have below is not working? I have Greenhouse loaded in STS as well and it starts up fine.

Note: I've stripped out the extraneous and repeated logging details and itemized the errors.

Code:

ERROR: org.springframework.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.BeanCreationException: 
1. Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#0' while setting bean property 'sourceList' with key [0]; 
2. Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot resolve reference to bean 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' while setting constructor argument with key [3];
3. Error creating bean with name 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0': Cannot resolve reference to bean 'org.springframework.security.authentication.ProviderManager#0' while setting bean property 'authenticationManager'; 
4. Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot resolve reference to bean 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0' while setting constructor argument;  
5. Error creating bean with name 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0': FactoryBean threw exception on object creation; 
6. Error creating bean with name 'org.springframework.security.authenticationManager': Cannot resolve reference to bean 'usernamePasswordAuthenticationProvider' while setting constructor argument with key [0]; 
7. No bean named 'usernamePasswordAuthenticationProvider' is defined

SecurityConfig.java

Code:

@Configuration
@ImportResource("classpath:com/studentsocialhealth/youarefine/config/security.xml")
public class SecurityConfig {

	@Configuration
	@Profile("embedded")
	static class Embedded {

		@Bean
		public PasswordEncoder passwordEncoder() {
			return NoOpPasswordEncoder.getInstance();
		}

		@Bean
		public TextEncryptor textEncryptor() {
			return Encryptors.noOpText();
		}

		@Bean
		public OAuthSessionManager oauthSessionManager(AppRepository appRepository) {
			return new ConcurrentMapOAuthSessionManager(appRepository);
		}
	}

	@Configuration
	@Profile("standard")
	static class Standard {

		@Inject
		private Environment environment;

		@Bean
		public PasswordEncoder passwordEncoder() {
			return new AccountPasswordEncoder(getEncryptPassword());
		}

		@Bean
		public TextEncryptor textEncryptor() {
			return Encryptors.queryableText(getEncryptPassword(), environment.getProperty("security.encryptSalt"));
		}

		@Bean
		public OAuthSessionManager oauthSessionManager(StringRedisTemplate redisTemplate, AppRepository appRepository) {
			return new RedisOAuthSessionManager(redisTemplate, appRepository);
		}

		// helpers
		private String getEncryptPassword() {
			return environment.getProperty("security.encryptPassword");
		}
	}
}

security-oauth-provider.xml

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:oauth="http://www.springframework.org/schema/security/oauth"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/security/oauth http://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd">

	<!-- Steps of OAuth 1.0 POST /oauth/request_token?oauth_consumer_key&oauth_callback 
		(returns unauthorized token) GET /oauth/confirm_access?oauth_token (returns 
		secure authorization form) (User) POST /oauth/authorize?requestToken&callbackUrl 
		(authorizes oauth token, redirect to callbackUrl) POST /oauth/access_token?oauth_consumer_key&oauth_token&oauth_verifier -->

	<!-- Spring Security OAuth 1.0 Provider Configuration -->
	<oauth:provider consumer-details-service-ref="appConsumerDetailsService"
		token-services-ref="oauthProviderTokenServices" 
		request-token-url="/oauth/request_token"
		authenticate-token-url="/oauth/authorize" 
		authentication-failed-url="/oauth/confirm_access"
		access-token-url="/oauth/access_token" 
		require10a="false" />

	<!-- Sends a UNAUTHORIZED response back to clients attempting to access 
		protected resources but who have not yet authenticated via OAuth -->
	<bean id="oauthAuthenticationEntryPoint"
		class="org.springframework.security.oauth.provider.OAuthProcessingFilterEntryPoint">
		<property name="realmName" value="StudentSocialHealth" />
	</bean>

</beans>

security.xml

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

	<http use-expressions="true">
		<!-- Authentication policy -->
		<form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?error=1" />
		<logout logout-url="/signout" delete-cookies="JSESSIONID" />
		<!-- Authorization policy definition: TODO consider replacing with @Secured on @Controllers -->
		<intercept-url pattern="/" access="permitAll" />
		<intercept-url pattern="/favicon.ico" access="permitAll" />
		<intercept-url pattern="/resources/**" access="permitAll" />
		<intercept-url pattern="/signup" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />	
		<intercept-url pattern="/signin" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
		<intercept-url pattern="/signin/*" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
		<!-- <intercept-url pattern="/reset" access="permitAll" requires-channel="#{environment['application.secureChannel']}" /> -->
		<!-- TODO this would probably be better mapped to simply /invite?token={token} but not able to vary security policy here based on presence of a request parameter.  Consider @Secured on @Controller. -->               
		<intercept-url pattern="/invite/accept" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />           
		<intercept-url pattern="/**" access="isAuthenticated()" requires-channel="#{environment['application.secureChannel']}" />
	</http>

	<authentication-manager alias="authenticationManager">
		<authentication-provider ref="usernamePasswordAuthenticationProvider" />
	</authentication-manager>

    <beans:import resource="security-oauth-provider.xml" />
    
</beans:beans>

web.xml

Code:

<!-- Secures the application -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class><!-- 
		<init-param>
			<param-name>targetBeanName</param-name>
			<param-value>springSecurityFilterChain</param-value>
		</init-param> -->
	</filter>

	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

[solarch]

Howdy, anyone at all have an idea of what thing I'm missing here???? Anyone???

[yuanji]

The "usernamePasswordAuthenticationProvider" is an annotated service bean at com.springsource.greenhouse.account.UsernamePasswo rdAuthenticationProvider. Check if you have it in your source code.

[solarch]

@yuanji, thanks that was a problem, now I have another problem. I'm getting the following error that I don't understand:

Code:

Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; 
nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other 
patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace
 or FilterChainProxy bean configuration

[yuanji]

OK, that is a tough question. I don't have enough information about your application, so I can only guess what's wrong. Maybe you have more than one <http> in your security configuration, and the first one has no pattern attribute defined.

Let's explain how this error happens. When Spring Security parses your config xml file, it starts with o.s.s.config.SecurityNamespacehandler. It has many parsers, one is o.s.s.config.http.HttpSecurityBeanDefinitionParser , which will parse <http> element.

The HttpSecurityBeanDefinitionParser will register filter chain proxy if not registered before (a object of o.s.s.web.FilterChainProxy), and set filterChainValidator as o.s.s.config.http.DefaultFilterChainValidator. This filter chain proxy bean will have name of "springSecurityFilterChain", you see in your web.xml. Then HttpSecurityBeanDefinitionParser will parse <http> element with other configuration builders, each will add filters to the filter chain o.s.s.web.SecurityFilterChain. the bean class is o.s.s.config.http.DefaultSecurityFilterChain, with o.s.s.web.util.AnyRequestMatcher as RequestMatcher if no pattern or request-matcher-ref provided. After finish, it will add this SecurityFilterChain to filter chain proxy.

After finish parsing, the filter chain proxy will be validated in afterPropertiesSet() method, which will call filterChainValidator.validate(). The DefaultFilterChainValidator will check the path order of all filter chains, and if one filter chain is using AnyRequestMatcher and is not the last one, it will through IllegalArgumentException, as you see in the output.

Good luck.

[solarch]

@yuanji, Hi, thanks for the reply. I understand some of what you are saying, and I've looked at the spring code. I guess I am wondering if this is something I specify in my code that is not already posted above in my web.xml, security.xml, security-oauth-provider.xml, or SecurityConfig.java files. The only reference to a <http> tag in my entire application is in the security.xml file. I did a global search just to make sure. Is this the <http> you are referring to. If yes, then I don't see any settings for path or path order. If no, then where are these paths being configured or determined?

Thanks

Joe

[solarch]

@Yuanji, I have a partial fix. I commented out all of the <intercept-url... in the security.xml file except for the very last one with the pattern="/**". When starting up, I don't get the error anymore. I will have to work on the other patterns one at a time in different order to see what the problem is. Thanks for you help.