SpringSecurity configuration

**sylvestris** · Dec 13th, 2010, 08:33 AM

I'm trying to include Spring Security in my application based on Airline. I get the following error on startup.

Code:

Caused by: java.lang.ClassNotFoundException: org.springframework.security.annotation.SecuredMethodDefinitionSource
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1645)
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1491)
	at org.springframework.util.ClassUtils.forName(ClassUtils.java:211)
	at org.springframework.beans.factory.support.AbstractBeanDefinition.resolveBeanClass(AbstractBeanDefinition.java:385)
	at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1138)
	... 72 more

The missing class is found in spring-security-core-tiger-2.0.5.RELEASE.jar. The webservices distribution 1.5.9 includes spring-security-core-2.0.5.RELEASE.jar but not spring-security-core-tiger-2.0.5.RELEASE.jar.

When I include the tiger jar I now get the following error

Code:

Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named '_authenticationManager' is defined
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:387)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:971)

I guess this is a configuration problem in my application context ? How is the _authenticationManager defined in Airline ?

**sylvestris** · Dec 14th, 2010, 02:12 AM

I'm assuming my application context configuration is wrong. I'm going back to Airline and will implement the same database based security in order to get this working.

Note, when I run Airline, and connect to GetFrequentFlyerMileage I get the following message

Code:

java.lang.NoClassDefFoundError
	at com.sun.xml.wss.ProcessingContext.setSOAPMessage(ProcessingContext.java:217)
	at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.createProcessingContext(XWSSProcessor2_0Impl.java:151)
	at org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:159)

**sylvestris** · Dec 14th, 2010, 02:58 AM

When I switch to Java 1.5.0_11 (instead of Java 1.6.0_22) the error becomes

Code:

java.lang.NoClassDefFoundError: com/sun/org/apache/xml/internal/security/Init
com.sun.xml.wss.impl.SecurableSoapMessage.<clinit>(SecurableSoapMessage.java:94)
com.sun.xml.wss.ProcessingContext.setSOAPMessage(ProcessingContext.java:217)
com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.createProcessingContext(XWSSProcessor2_0Impl.java:151)
org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:159)

**sylvestris** · Dec 14th, 2010, 04:43 AM

I've opened the war file, added xmlsec-2.0.jar to WEB-INF/lib, imported the war into Eclipse, and I can now invoke GetFrequentFlyerMileage from soapUI. This returns a SOAP fault

Code:

sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found

I'm now going to investigate how to change the xml message soapUI has generated in order to satisfy this requirement

**sylvestris** · Dec 14th, 2010, 05:30 AM

So, why does the application return this code ?

Code:

XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found

Code:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
                  xmlns:mes="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">
   <soapenv:Header>
     <wsse:Security xmlns:wsse="schemas.xmlsoap.org/ws/2002/07/secext/">     
       <wsse:UsernameToken>
         <wsse:Username>scott</wsse:Username>
         <wsse:Password Type="wsse:PasswordText">tiger</wsse:Password>
       </wsse:UsernameToken>
     </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <mes:GetFrequentFlyerMileageRequest>john</mes:GetFrequentFlyerMileageRequest>
   </soapenv:Body>
</soapenv:Envelope>

**sylvestris** · Dec 14th, 2010, 07:14 AM

Painful progress here ...

securityPolicy.xml now contains

Code:

<xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>

Error now is

Code:

WssSoapFaultException: javax.security.auth.callback.UnsupportedCallbackException

Input message now is

Code:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:mes="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">
   <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:UsernameToken>
                <wsse:Username>john</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">changeme</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>   
   </soapenv:Header>
   <soapenv:Body>
      <mes:GetFrequentFlyerMileageRequest>john</mes:GetFrequentFlyerMileageRequest>
   </soapenv:Body>
</soapenv:Envelope>

Thread: SpringSecurity configuration

Thread Tools

Display

Hybrid View

SpringSecurity configuration

Posting Permissions