Thread: SpringSecurity configuration

  1. #1
    Join Date
    Feb 2006
    Location
    London
    Posts
    77

    SpringSecurity configuration

    I'm trying to include Spring Security in my application based on Airline. I get the following error on startup.

    Code:
    Caused by: java.lang.ClassNotFoundException: org.springframework.security.annotation.SecuredMethodDefinitionSource
    	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1645)
    	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1491)
    	at org.springframework.util.ClassUtils.forName(ClassUtils.java:211)
    	at org.springframework.beans.factory.support.AbstractBeanDefinition.resolveBeanClass(AbstractBeanDefinition.java:385)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1138)
    	... 72 more

    The missing class is found in spring-security-core-tiger-2.0.5.RELEASE.jar. The webservices distribution 1.5.9 includes spring-security-core-2.0.5.RELEASE.jar but not spring-security-core-tiger-2.0.5.RELEASE.jar.

    When I include the tiger jar I now get the following error

    Code:
    Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named '_authenticationManager' is defined
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:387)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:971)

    I guess this is a configuration problem in my application context? How is the _authenticationManager defined in Airline?

  2. #2

    I'm assuming my application context configuration is wrong. I'm going back to Airline and will implement the same database based security in order to get this working.

    Note, when I run Airline, and connect to GetFrequentFlyerMileage I get the following message

    Code:
    java.lang.NoClassDefFoundError
    	at com.sun.xml.wss.ProcessingContext.setSOAPMessage(ProcessingContext.java:217)
    	at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.createProcessingContext(XWSSProcessor2_0Impl.java:151)
    	at org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:159)

  3. #3

    When I switch to Java 1.5.0_11 (instead of Java 1.6.0_22) the error becomes

    Code:
    java.lang.NoClassDefFoundError: com/sun/org/apache/xml/internal/security/Init
    com.sun.xml.wss.impl.SecurableSoapMessage.<clinit>(SecurableSoapMessage.java:94)
    com.sun.xml.wss.ProcessingContext.setSOAPMessage(ProcessingContext.java:217)
    com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.createProcessingContext(XWSSProcessor2_0Impl.java:151)
    org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor.validateMessage(XwsSecurityInterceptor.java:159)

  4. #4

    I've opened the war file, added xmlsec-2.0.jar to WEB-INF/lib, imported the war into Eclipse, and I can now invoke GetFrequentFlyerMileage from soapUI. This returns a SOAP fault

    Code:
    sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found

    I'm now going to investigate how to change the xml message soapUI has generated in order to satisfy this requirement.

  5. #5

    So, why does the application return this code?

    Code:
    XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found

    Code:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
                      xmlns:mes="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">
       <soapenv:Header>
         <wsse:Security xmlns:wsse="schemas.xmlsoap.org/ws/2002/07/secext/">     
           <wsse:UsernameToken>
             <wsse:Username>scott</wsse:Username>
             <wsse:Password Type="wsse:PasswordText">tiger</wsse:Password>
           </wsse:UsernameToken>
         </wsse:Security>
       </soapenv:Header>
       <soapenv:Body>
          <mes:GetFrequentFlyerMileageRequest>john</mes:GetFrequentFlyerMileageRequest>
       </soapenv:Body>
    </soapenv:Envelope>

  6. #6

    Painful progress here ...

    securityPolicy.xml now contains

    Code:
    <xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>

    Error now is

    Code:
    WssSoapFaultException: javax.security.auth.callback.UnsupportedCallbackException

    Input message now is

    Code:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:mes="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">
       <soapenv:Header>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <wsse:UsernameToken>
                    <wsse:Username>john</wsse:Username>
                    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">changeme</wsse:Password>
                </wsse:UsernameToken>
            </wsse:Security>   
       </soapenv:Header>
       <soapenv:Body>
          <mes:GetFrequentFlyerMileageRequest>john</mes:GetFrequentFlyerMileageRequest>
       </soapenv:Body>
    </soapenv:Envelope>

  7. #7

    ok, just for the record, if anyone else has the same learning curve, the following works

    Code:
    <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>

    Code:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
     <SOAP-ENV:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
       <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1">
        <wsse:Username>john</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">JyLURAuWM7syOnXdMKAU+bDtEfM=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">J1qEDgXlIrI3H7yuMXOLyA==</wsse:Nonce>
        <wsu:Created>2010-12-14T14:21:46.587Z</wsu:Created>
       </wsse:UsernameToken>
      </wsse:Security>
     </SOAP-ENV:Header>
     <SOAP-ENV:Body>
      <GetFrequentFlyerMileageRequest xmlns="http://www.springframework.org/spring-ws/samples/airline/schemas/messages"/>
     </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    Code:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
       <SOAP-ENV:Header/>
       <SOAP-ENV:Body>
          <GetFrequentFlyerMileageResponse xmlns="http://www.springframework.org/spring-ws/samples/airline/schemas/messages">0</GetFrequentFlyerMileageResponse>
       </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
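
The PasswordDigest in the working request above follows the WS-Security UsernameToken Profile 1.0 formula, Base64(SHA-1(nonce + created + password)). The Python below is an added example, not code from the thread or from Spring-WS/XWSS; it shows that derivation together with the server-side checks a digest-plus-nonce policy relies on (timestamp freshness and a nonce replay cache). The function names, the five-minute window and the in-memory user store are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window, not a value from the thread
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(decoded nonce + Created + password)), UsernameToken Profile 1.0."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def new_token(username, password, now):
    """Client side: fresh random nonce, millisecond UTC timestamp, derived digest."""
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    stamp = now.astimezone(timezone.utc).strftime(TS_FORMAT)
    created = stamp[:-4] + "Z"  # trim microseconds to milliseconds
    return {"username": username, "nonce": nonce, "created": created,
            "digest": password_digest(nonce, created, password)}


class DigestValidator:
    """Server side: recompute the digest, reject stale or replayed tokens."""

    def __init__(self, users):
        self.users = users  # username -> password; digest mode needs the cleartext
        self.seen = {}      # nonce -> time accepted (in-memory cache, an assumption)

    def validate(self, token, now):
        created = datetime.strptime(token["created"], TS_FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - created) > MAX_AGE:
            return False    # stale or future-dated Created
        # Keep nonces for twice the window so a future-dated token cannot outlive its entry.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= 2 * MAX_AGE}
        if token["nonce"] in self.seen:
            return False    # nonce already accepted: replay
        password = self.users.get(token["username"])
        if password is None:
            return False
        expected = password_digest(token["nonce"], token["created"], password)
        if not hmac.compare_digest(expected, token["digest"]):
            return False
        self.seen[token["nonce"]] = now
        return True
```

With a PasswordText policy none of these checks apply and the password itself travels in the header, so confidentiality then rests entirely on transport encryption.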

  8. #8

    In case anyone else needs the configuration for PasswordText instead of PasswordDigest, the following works:

    Code:
    <xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>

    Code:
    <security:authentication-provider user-service-ref="securityService"/>
    
    <bean id="securityService" class="org.springframework.ws.samples.airline.security.SpringFrequentFlyerSecurityService">
     <constructor-arg ref="frequentFlyerDao"/>
    </bean>
      
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
     <property name="providers">
      <bean class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
       <property name="userDetailsService" ref="securityService"/>
      </bean>
     </property>
    </bean>
    
    <bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
     <property name="secureResponse" value="false"/>
     <property name="policyConfiguration" value="classpath:org/springframework/ws/samples/airline/security/securityPolicy.xml"/>
     <property name="callbackHandler">
      <bean id="springSecurityHandler" class="org.springframework.ws.soap.security.xwss.callback.SpringPlainTextPasswordValidationCallbackHandler">
       <property name="authenticationManager" ref="authenticationManager"/>
      </bean>        
     </property>
    </bean>

    Last edited by sylvestris; Dec 15th, 2010 at 07:31 AM.

  9. #9

    As far as I can see, the explanation for this is that

    Code:
    SpringDigestPasswordValidationCallbackHandler.SpringSecurityDigestPasswordValidator.validate

    contains

    Code:
    SecurityContextHolder.getContext().setAuthentication(authRequest);

    and

    Code:
    SimplePasswordValidationCallbackHandler.SimplePlainTextPasswordValidator.validate

    doesn't
