
Thread: spring 3.1 multiple providers configuration

  1. #1

    Default spring 3.1 multiple providers configuration

    Good morning
    I'd like to implement this solution: I want to have two types of authentication (form-login and OpenID login) with Spring Security 3.1.
    I proceeded like this:
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

      <!--<http pattern="/resources" security="none" /> -->

      <!-- Form-login chain. It has no authentication-manager-ref and the global
           <authentication-manager> further down is commented out, so the filters created
           for this block have no authentication manager to resolve. -->
      <http auto-config="false" use-expressions="true">
        <!-- Rules are evaluated in declaration order and the first match wins.
             A request that matches none of these patterns (for example a path that does
             not end in .htm) gets no access rule from this block. -->
        <intercept-url pattern="/login.htm" access="permitAll" />
        <intercept-url pattern="/loginfailed*" access="permitAll" />
        <intercept-url pattern="/home.htm" access="permitAll" />
        <intercept-url pattern="/**.htm" access="hasRole('ROLE_CLOUD_USER')" />
        <form-login login-page="/login.htm" default-target-url="/admin.htm" authentication-failure-url="/loginfailed.htm" always-use-default-target="true"/>
        <logout logout-url="/logout.htm" logout-success-url="/home.htm" />
      </http>

      <!-- OpenID chain, limited to /loginopenid*. Its authentication-manager-ref names
           "authenticationManager", which is declared only inside the commented-out block below. -->
      <http auto-config="true" use-expressions="true" pattern="/loginopenid*" authentication-manager-ref="authenticationManager">
        <openid-login authentication-failure-url="/loginopenidfailed.htm">
          <attribute-exchange>
            <openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" count="2"/>
            <openid-attribute name="name" type="http://schema.openid.net/namePerson/friendly" />
          </attribute-exchange>
        </openid-login>
      </http>

      <!--Authentication Manager
      <authentication-manager alias="authenticationManager">
        <authentication-provider ref="daoAuthenticationProvider"/>
        <authentication-provider ref="openIDAuthenticationProvider"/>
      </authentication-manager>-->

      <!-- NOTE(review): org.springframework.security.intercept.web is the Spring Security 2.x
           package name; in 3.x FilterSecurityInterceptor lives in
           org.springframework.security.web.access.intercept. Neither <http> element refers to
           this bean or to providerManager, so they are presumably not used by the filter
           chains; confirm. -->
      <beans:bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <beans:property name="authenticationManager" ref="providerManager"/>
      </beans:bean>

      <beans:bean id="providerManager" class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
          <beans:list>
            <beans:ref bean="daoAuthenticationProvider" />
            <beans:ref bean="openIDAuthenticationProvider" />
          </beans:list>
        </beans:property>
      </beans:bean>

      <!--dao authentication provider -->
      <!-- No passwordEncoder is set here. In 3.1 the provider then compares the submitted
           password with the stored string as plain text, so the hex values in <user-service>
           are not treated as digests by this configuration. -->
      <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
      </beans:bean>

      <!--openID authentication provider -->
      <beans:bean id="openIDAuthenticationProvider" class="org.springframework.security.openid.OpenIDAuthenticationProvider">
        <beans:property name="userDetailsService">
          <beans:bean id="openIDUserDS" class="test.security.CloudOpenIDUserDS"/>
        </beans:property>
      </beans:bean>

      <!-- Accounts and credential values are stored in the configuration file itself.
           The 40-hex-character values look like unsalted SHA-1 digests; a salted adaptive hash
           (BCryptPasswordEncoder ships with 3.1) and a user store outside the XML are the
           safer choice for anything beyond a local test. -->
      <user-service id="userDetailsService">
        <user name="abdellah" password="32fe5bbf04adc744455c92fa7b71e9dca8ce729c" authorities="ROLE_CLOUD_USER" />
        <user name="guest" password="35675e68f4b5af7b995d9205ad0fc43842f16450" authorities="ROLE_CLOUD_USER" />
      </user-service>

    </beans:beans>
    As you can see in this configuration, I have two providers; the OpenID provider uses a custom userDetailsService.
    Here is the class:
    Code:
    package test.security;
    
    import org.springframework.dao.DataAccessException;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.GrantedAuthorityImpl;
    import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.security.openid.OpenIDAuthenticationToken;
    
    import java.util.ArrayList;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;
    
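    /**
     * In-memory user lookup for OpenID logins: maps an OpenID identifier to the authorities
     * granted to that identity.
     *
     * <p>Both lookup methods throw {@link UsernameNotFoundException} for an unknown identity and
     * never return {@code null}, as the {@link UserDetailsService} contract requires.
     */
    public class CloudOpenIDUserDS implements UserDetailsService,
       AuthenticationUserDetailsService<OpenIDAuthenticationToken>
    {
       /** Authorities keyed by OpenID identifier; filled in the constructor and only read afterwards. */
       private final Map<String, List<GrantedAuthority>> userAuthorities = new HashMap<String, List<GrantedAuthority>>();

       /** Registers the single known OpenID identity with the "customer" authority. */
       public CloudOpenIDUserDS()
       {
          List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
          // This user has the privilege "customer".
          // NOTE(review): the URL rules in the security configuration shown with this class test
          // hasRole('ROLE_CLOUD_USER'); an account holding only "customer" would authenticate
          // but fail those checks. Confirm which authority is intended.
          authorities.add(new GrantedAuthorityImpl("customer"));
          // The key is looked up with an exact String match, so it has to equal the identifier
          // handed to loadUserByUsername character for character.
          // NOTE(review): the surrounding brackets and trailing comma look like a paste artefact; confirm.
          this.userAuthorities.put("[http://mykel33.myopenid.com,]", authorities);
       }

       /**
        * Looks up the user registered under the given OpenID identifier.
        *
        * @param username the OpenID identifier used as the map key
        * @return a {@link User} with an empty password, all account flags enabled and the
        *         authorities registered for the identifier
        * @throws UsernameNotFoundException if the identifier is not registered (including {@code null})
        */
       @Override
       public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException
       {
          List<GrantedAuthority> granted = this.userAuthorities.get(username);
          if (granted == null)
          {
             // Returning null here breaks the UserDetailsService contract and leaves the caller
             // to handle the null; reject unknown identities explicitly. The message is
             // generic so the unvalidated identifier is not echoed into logs or error pages.
             throw new UsernameNotFoundException("Unknown OpenID identity");
          }
          // OpenID accounts have no local password, hence the empty string.
          return new User(username, "", true, true, true, true, granted);
       }

       /**
        * Looks up the user for an OpenID authentication token by its identity URL.
        *
        * @param tocken the OpenID authentication token
        * @return the user registered under the token's identity URL
        * @throws UsernameNotFoundException if the token is {@code null} or its identity URL is not registered
        */
       @Override
       public UserDetails loadUserDetails(OpenIDAuthenticationToken tocken) throws UsernameNotFoundException
       {
          if (tocken == null)
          {
             throw new UsernameNotFoundException("No OpenID token supplied");
          }
          // Same lookup table as loadUserByUsername, so both entry points accept and reject
          // exactly the same identities.
          return loadUserByUsername(tocken.getIdentityUrl());
       }

    }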
    When I deploy the app I always get this stack trace:

  2. #2

    Default spring 3.1 multiple providers configuration [continue]

    the stack trace is:
    Code:
    	... 41 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0': Cannot resolve reference to bean 'org.springframework.security.authentication.ProviderManager#0' while setting bean property 'authenticationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot resolve reference to bean 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add a gobal  element to your configuration (with child  elements)? Alternatively you can use the authentication-manager-ref attribute on your  and  elements.
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1360)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1118)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
    	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
    	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:322)
    	... 55 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot resolve reference to bean 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add a gobal  element to your configuration (with child  elements)? Alternatively you can use the authentication-manager-ref attribute on your  and  elements.
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)
    	at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:616)
    	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:148)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1035)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:939)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
    	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
    	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:322)
    	... 65 more
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add a gobal  element to your configuration (with child  elements)? Alternatively you can use the authentication-manager-ref attribute on your  and  elements.
    	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:149)
    	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:102)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1441)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:305)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:322)
    	... 77 more
    Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add a gobal <authentication-manager> element to your configuration (with child <authentication-provider> elements)? Alternatively you can use the authentication-manager-ref attribute on your <http> and <global-method-security> elements.
    	at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:31)
    	at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:20)
    	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:142)
    	... 82 more

  3. #3


    Hello,
    I fixed the problem by changing my configuration, like this:
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schem...-beans-3.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">
      <!-- NOTE: the forum shortened the second schemaLocation entry above; the full value
           given in the first post is http://www.springframework.org/schema/beans/spring-beans-3.1.xsd -->
      
      <!--<http pattern="/resources" security="none" /> -->
      
      <!-- No pattern attribute: this chain applies to every request ('/**'). Because it is
           declared first, the second <http> element below can never be reached, which is
           what the "universal match pattern" error shown after this listing reports. -->
      <http auto-config="true" use-expressions="true" >
        <!-- Rules are evaluated in declaration order and the first match wins: with /**.htm
             listed first, /login.htm and /home.htm hit the role check before their permitAll
             rules. Requests matching none of the patterns get no access rule from this block. -->
        <intercept-url pattern="/**.htm" access="hasRole('ROLE_CLOUD_USER')" />
        <intercept-url pattern="/login.htm" access="permitAll" />
        <intercept-url pattern="/loginfailed*" access="permitAll" />
        <intercept-url pattern="/home.htm" access="permitAll" />
        
        
        <form-login login-page="/login.htm"
        default-target-url="/admin.htm"
        authentication-failure-url="/loginfailed.htm"
                    always-use-default-target="true"/>
        <logout logout-url="/logout.htm" logout-success-url="/home.htm" />  
        
      </http>
      
      <!-- Also declared without a pattern attribute; the first post restricted this chain
           with pattern="/loginopenid*". -->
      <http auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager">
        <!-- NOTE(review): if /loginopenid* is the page or endpoint used to start the OpenID login,
             requiring ROLE_CLOUD_USER here would block users who are not yet authenticated; confirm. -->
        <intercept-url pattern="/loginopenid*" access="hasRole('ROLE_CLOUD_USER')" />
        <openid-login authentication-failure-url="/loginopenidfailed.htm">
          <attribute-exchange>
            <openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" count="2"/>
            <openid-attribute name="name" type="http://schema.openid.net/namePerson/friendly" />
          </attribute-exchange>
        </openid-login>
      </http>
      
      <!--Authentication Manager -->
      <!-- Global authentication manager: the first <http> picks it up by default, the second
           through authentication-manager-ref. Providers are listed in this order. -->
      <authentication-manager alias="authenticationManager">
        <authentication-provider ref="daoAuthenticationProvider"/>
        <authentication-provider ref="openIDAuthenticationProvider"/>
      </authentication-manager>
      
      
      <!--dao authentication provider -->
      <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="passwordEncoder" ref="passwordEncoder" />
      </beans:bean>
      
      <!--openID authentication provider -->
      <beans:bean id="openIDAuthenticationProvider" class="org.springframework.security.openid.OpenIDAuthenticationProvider">
        <beans:property name="userDetailsService" ref="openIDUserDS"/>   
      </beans:bean>  
      
         
        <beans:bean id="openIDUserDS" class="test.security.CloudOpenIDUserDS"/>
      
      <!-- Accounts and password digests are stored in the configuration file itself; keep
           real credentials in a user store outside the XML. -->
      <user-service id="userDetailsService">
        <user name="abdellah" password="32fe5bbf04adc744455c92fa7b71e9dca8ce729c" authorities="ROLE_CLOUD_USER" />
        <user name="guest"    password="35675e68f4b5af7b995d9205ad0fc43842f16450" authorities="ROLE_CLOUD_USER" />
      </user-service>
      
      <!-- ShaPasswordEncoder with its default constructor is SHA-1, and no salt source is
           configured on the provider: a fast, unsalted digest that is weak against offline
           guessing. A salted adaptive hash such as BCryptPasswordEncoder (included in 3.1)
           is the safer choice. -->
      <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
      
    </beans:beans>
    But now I have another problem, less complicated than the old bug:
    Code:
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your  namespace or FilterChainProxy bean configuration
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1455)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
    	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)
    	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)
    	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913)
    	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464)
    	at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:384)
    	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:283)
    	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)
    	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
    	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4705)
    	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
    	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
    	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
    	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1079)
    	at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:1002)
    	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:506)
    	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1317)
    	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)
    	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1065)
    	at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
    	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
    	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
    	at org.apache.catalina.core.StandardService.start(StandardService.java:525)
    	at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
    	at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
    Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
    	at org.springframework.security.config.http.DefaultFilterChainValidator.checkPathOrder(DefaultFilterChainValidator.java:49)
    	at org.springframework.security.config.http.DefaultFilterChainValidator.validate(DefaultFilterChainValidator.java:39)
    	at org.springframework.security.web.FilterChainProxy.afterPropertiesSet(FilterChainProxy.java:148)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
    	... 36 more

  4. #4


    I believe it's just the order of precedence that is the issue.

    Try changing this:

    Code:
    <http auto-config="true" use-expressions="true" >
        <!-- Excerpt (closing tag not shown). The broad /**.htm rule comes first here, so it is
             matched before the permitAll rules for the login and home pages below it. -->
        <intercept-url pattern="/**.htm" access="hasRole('ROLE_CLOUD_USER')" />
        <intercept-url pattern="/login.htm" access="permitAll" />
        <intercept-url pattern="/loginfailed*" access="permitAll" />
        <intercept-url pattern="/home.htm" access="permitAll" />
    to this:

    Code:
    <http auto-config="true" use-expressions="true" >
        <!-- Excerpt (closing tag not shown). intercept-url rules are evaluated in declaration
             order and the first match wins, so the permitAll entries come before the broad
             role-restricted pattern. Paths that match none of these patterns (for example ones
             not ending in .htm) get no access rule; add a final catch-all rule if they should
             require authentication too. -->
        <intercept-url pattern="/login.htm" access="permitAll" />
        <intercept-url pattern="/loginfailed*" access="permitAll" />
        <intercept-url pattern="/home.htm" access="permitAll" />
        <intercept-url pattern="/**.htm" access="hasRole('ROLE_CLOUD_USER')" />

  5. #5


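    This is because you removed the pattern attribute from the first http tag. An <http> element without a pattern matches every request ('/**'), so any <http> element declared after it is never consulted, and the validator rejects that ordering.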
