Thread: Upgrading from Spring Security 3.0.0.M2 to 3.0.0.RC1

  1. #1

    Hi guys,
    I've just upgraded from Spring Security 3.0.0.M2 to 3.0.0.RC1, and now my security filter bean fails. I've set it up like this:

    Code:
       <security:http auto-config="true">
         <security:http-basic/>
    
         <security:intercept-url pattern="/public" filters="none"/>  
         <security:intercept-url pattern="/private/**" access="ROLE_ADMIN,ROLE_USER" />
         <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
         <security:port-mappings>
            <security:port-mapping http="8080" https="8443"/>
        </security:port-mappings>
    
         <security:intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
       </security:http>
    This used to work fine, but now I get

    Code:
    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot create inner bean '(inner bean)' of type [org.springframework.security.config.authentication.AuthenticationManagerFactoryBean] while setting bean property 'parent'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#4': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add an <authentication-manager> element to your configuration (with child <authentication-provider> elements) ?
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:281)
    	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:125)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1299)
    ....
    Before that, I've defined my authenticationmanager:
    Code:
    <bean id="userService" parent="txProxyTemplate">
      <property name="target">
        <bean class="tld.mydomain.business.UserServiceImpl"/>
      </property>
      <property name="proxyInterfaces" value="tld.mydomain.business.UserService"/>
    </bean>
    
    <bean id="_authenticationManager" class="org.springframework.security.authentication.ProviderManager">
      <property name="providers">
        <list>
          <bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
            <property name="userDetailsService" ref="userService"/>
            <property name="passwordEncoder">
              <bean class="org.springframework.security.authentication.encoding.PlaintextPasswordEncoder" />
            </property>
          </bean>
        </list>
      </property>
    </bean>
    This worked fine with M2 and authenticated my users, but now I get the exception above. Any suggestions? Has anything changed? Did I omit something that now came back to haunt me?

    Cheers

    Nik

  2. #2

    I'm also interested in this answer. I'm using 3.0M4, and I configured authenticationManager in the same manner as "_authenticationManager". And I was planning to upgrade to RC1.

    But I need to think twice now. I'm eager to know its solution.

    Thanks
    Enjoy
    Rohan Chauhan
    ------------------------------------------------------------------------------
    SpringSource Certified Spring 3.0 Professional


  3. #3
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)

    The internal bean name "_authenticationManager" has been changed (check the BeanIds class), but you shouldn't really be using these names; they are reserved for internal use and defining beans using them won't mess up your configuration.

    You should really be using the <authentication-manager> tag in preference for namespace support.
    Spring - by Pivotal
    twitter @tekul

  4. #4

    Thanks, Luke. I was under the impression that it was convention that the authenticationManager should be called _authenticationManager.

    So I've removed the _authenticationManager bean completely and instead added:

    Code:
    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider user-service-ref="userService">
        <security:password-encoder hash="plaintext"/>
      </security:authentication-provider>
    </security:authentication-manager>
    Is this the correct way to go about it? (the reason for plaintext passwords is the backend database, that I have no control over, uses plaintext passwords)

    Cheers

    Nik

  5. #5

    Quote Originally Posted by Luke Taylor
    The internal bean name "_authenticationManager" has been changed (check the BeanIds class), but you shouldn't really be using these names; they are reserved for internal use and defining beans using them won't mess up your configuration.

    You should really be using the <authentication-manager> tag in preference for namespace support.

    OK... but we need to provide "sessionController". Below is part of a code snapshot.


    Code:
        <beans:bean id="_authenticationManager" class="org.springframework.security.authentication.ProviderManager">
            <beans:property name="providers">
                <beans:list>
                    <beans:ref local="daoAuthenticationProvider"/>
                </beans:list>
            </beans:property>
            <beans:property name="sessionController" ref="concurrentSessionController"/>
        </beans:bean>
    
        <beans:bean id="concurrentSessionController" class="org.springframework.security.authentication.concurrent.ConcurrentSessionControllerImpl">
            <beans:property name="maximumSessions" value="1"></beans:property>
            <beans:property name="sessionRegistry" ref="sessionRegistry"/>
            <!-- <beans:property name="exceptionIfMaximumExceeded" value="true"></beans:property> -->
        </beans:bean>
    So how can we change the above code to use <authentication-manager>? It does not show an attribute like "sessionController".
    Enjoy
    Rohan Chauhan


  6. #6

    Hi Rohan,
    do you need a SessionController? To me, the userService is (as shown above) wrapped in a transaction proxy template, and it contains database session and transaction information. So my authenticationProvider doesn't need to bother about that.

    Cheers

    Nik

  7. #7

    Quote Originally Posted by niklassaers
    Hi Rohan,
    do you need a SessionController? To me, the userService is (as shown above) wrapped in a transaction proxy template, and it contains database session and transaction information. So my authenticationProvider doesn't need to bother about that.

    Cheers

    Nik

    Here sessionController is for concurrentSession handling, not for DB session handling.
    Enjoy
    Rohan Chauhan


  8. #8
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)

    Check the changelog. Concurrent session handling has been changed for 3.0

    https://jira.springsource.org/browse/SEC-1229

  9. #9

    Hi Luke, thanks for that. I hit the docs, page http://static.springsource.org/sprin...rrent-sessions . Two quickies there: authentcation => authentication. The other one, org.springframework.security.web.session.ConcurrentSessionControlStrategy, was harder, as it doesn't exist in the RC1 jars as far as I can see. There is an org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy, but if I substitute the missing class with this one, I get
    Code:
    java.lang.NoSuchMethodException: org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy.<init>()
    The main thing, though, is that doing authentication with RC1 as described in post #4 on this thread rather than in post #1 that I did with M4, I now get what looks like race conditions in the authentication code.

    userService implements UserDetailsService, and SecurityContextHolderFacade is a service that grabs a context (SecurityContext context = SecurityContextHolder.getContext()), grabs the username (context.getAuthentication().getName()) and uses userService to look up this user and pass it back to the controller to let the controller list only the items that are relevant to that user (return userService.lookupUser(username()))

    From my point of view, this is purely read-only. Still the exception indicates that something was modified, and even modified while another modification was taking place. Have I done anything outrageous? Has something changed from M4 to RC1 that should do this? Is there anything about doing it the way described in #4 instead of #1 that should give me this? Is this a problem with Hibernate and not Spring?

    Here is the stacktrace:

    Code:
    21-10-2009 13:23:13 org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet SampleApp threw exception
    java.util.ConcurrentModificationException
    at java.util.LinkedHashMap$LinkedHashIterator.nextEntry(Unknown Source)
    at java.util.LinkedHashMap$ValueIterator.next(Unknown Source)
    at org.hibernate.engine.StatefulPersistenceContext.afterTransactionCompletion(StatefulPersistenceContext.java:253)
    at org.hibernate.impl.SessionImpl.afterTransactionCompletion(SessionImpl.java:450)
    at org.hibernate.jdbc.JDBCContext.afterNontransactionalQuery(JDBCContext.java:271)
    at org.hibernate.impl.SessionImpl.afterOperation(SessionImpl.java:444)
    at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1604)
    at org.hibernate.impl.CriteriaImpl.list(CriteriaImpl.java:306)
    at tld.myservice.business.UserServiceImpl.lookupUser(UserServiceImpl.java:29)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    at $Proxy21.lookupUser(Unknown Source)
    at tld.myservice.business.SecurityContextHolderFacade.user(SecurityContextHolderFacade.java:31)
    at tld.myservice.business.SecurityContextHolderFacade.evaluate(SecurityContextHolderFacade.java:42)
    at tld.myservice.view.web.controller.ItemsController.getAll(ItemsController.java:55)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.doInvokeMethod(HandlerMethodInvoker.java:654)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:160)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:378)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:366)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:781)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:726)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:636)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:545)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:344)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:110)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:98)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:95)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:55)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:36)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:92)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:106)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Unknown Source)
    Cheers

    Nik
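
The question in post #5 (where the old "sessionController" setting goes) and the NoSuchMethodException in post #9 both come down to how concurrent session control is wired in 3.0. The following is an added example, not part of any post in this thread; it assumes element and class names as in the Spring Security 3.0 release (RC1 may differ), and the bean ids "sas" and "concurrencyFilter", the "/session-expired" URL and the in-memory user are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Namespace shorthand that takes the place of the old sessionController property:
         <session-management>
           <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
         </session-management>
       The explicit wiring below is the hand-declared alternative to that shorthand. -->
  <http auto-config="true">
    <http-basic/>
    <intercept-url pattern="/private/**" access="ROLE_ADMIN,ROLE_USER"/>
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
    <session-management session-authentication-strategy-ref="sas"/>
  </http>

  <!-- The strategy has no no-arg constructor: the SessionRegistry is passed as a
       constructor argument. Declaring the bean without it is what produces
       NoSuchMethodException: ...ConcurrentSessionControlStrategy.<init>() -->
  <beans:bean id="sas"
      class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg ref="sessionRegistry"/>
    <beans:property name="maximumSessions" value="1"/>
    <beans:property name="exceptionIfMaximumExceeded" value="true"/>
  </beans:bean>

  <!-- Expires sessions that the strategy has marked as superseded -->
  <beans:bean id="concurrencyFilter"
      class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="expiredUrl" value="/session-expired"/>
  </beans:bean>

  <beans:bean id="sessionRegistry"
      class="org.springframework.security.core.session.SessionRegistryImpl"/>

  <!-- Constructed in-memory user so the file loads on its own;
       swap in user-service-ref="userService" for a real UserDetailsService -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider>
      <user-service>
        <user name="demo" password="change-me" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

The session registry only learns that a session has ended if org.springframework.security.web.session.HttpSessionEventPublisher is registered as a listener in web.xml; without it, a user who reaches the session limit stays locked out after logging off.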

  10. #10

    It seems that I had a big problem in database session handling in my DAO, so I've made a write-up of my solution at StackOverflow and asked for people's opinion on the solution. I hope it doesn't give more issues :-)
