Why doesn't permitAll() work?

Worth mentioning: I am following the tutorial Securing GWT Applications with Spring Security.


I don't understand it. I can't get permitAll to work the way I need it to.

This is my current configuration:

    <http auto-config="true">
        <intercept-url pattern="/**" access="permitAll" />
        <form-login login-page="/login"
                    default-target-url="/welcome"
                    authentication-failure-url="/login?error"
                    username-parameter="username"
                    password-parameter="password" />
    </http>

If I access my site at //localhost:8080, the site does not load fully, because the request to

    //localhost:8080/app/xsrf

returns 403 Forbidden for some reason. The way I configured Spring Security should not be a problem here, if I understood it correctly.

It does not work if I just add

    <intercept-url pattern="/**" access="permitAll" />

to <http ..>; what does work is adding this:

    <http pattern="/app/xsrf" security="none"/>

I would like to understand why, because this is not how I want to configure Spring Security: adding every single URL that should be allowed.

An additional problem I encountered is that, for some reason (possibly the same one), I cannot access //localhost:8080/login. This means that if I send my login to /login, I get 403 Forbidden.

Now you might think that adding <http pattern="/login" security="none"/> will help here, but no. If I add this to my configuration, I get 404 Not Found at that URL.

It is starting to infuriate me, because I have been stuck here for more days than I dare tell you. Your help would be appreciated and rewarded.


The whole applicationContext-service.xml:

    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:security="http://www.springframework.org/schema/security"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
                                     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

        <!-- Imports -->
        <beans:import resource="applicationContext-jooq.xml"/>

        <!-- /////////////////////////////////////////////////////////////// -->
        <!-- // BEGIN Spring Security -->
        <http pattern="/app/xsrf" security="none"/>
        <!-- <http pattern="/login" security="none"/> -->

        <http auto-config="true">
            <intercept-url pattern="/**" access="permitAll" />
            <form-login login-page="/login"
                        default-target-url="/welcome"
                        authentication-failure-url="/login?error"
                        username-parameter="username"
                        password-parameter="password" />
        </http>

        <beans:bean id="authenticationListener" class="com.mz.server.web.auth.CustomAuthenticationListener"/>
        <beans:bean id="authenticationProvider" class="com.mz.server.web.auth.CustomAuthenticationProvider"/>
        <beans:bean id="userDetailsService" class="com.mz.server.web.service.CustomUserDetailsService"/>

        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="authenticationProvider"/>
        </authentication-manager>
        <!-- // END Spring Security -->
        <!-- /////////////////////////////////////////////////////////////// -->

        <!-- // BEGIN Services -->
        <beans:bean id="loginService" class="com.mz.server.web.service.LoginService">
            <beans:constructor-arg ref="dslContext" />
        </beans:bean>
        <!-- // END Services -->
    </beans:beans>

Edit:

Reduced applicationContext-service.xml:

    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
                                     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

        <!-- Imports -->
        <beans:import resource="applicationContext-jooq.xml"/>

        <!-- //////////////////////////////////////////////////////////////////////////////// -->
        <!-- // BEGIN Spring Security -->
        <global-method-security pre-post-annotations="enabled"/>

        <http auto-config="true">
            <intercept-url pattern="/**" access="permitAll" />
        </http>
        <!-- // END Spring Security -->
    </beans:beans>

This is web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             version="3.0">

        <display-name>GWT Application | mz</display-name>

        <welcome-file-list>
            <!-- Default page to serve -->
            <welcome-file>index.html</welcome-file>
        </welcome-file-list>

        <!-- //////////////////////////////////////////////////////////////////////////////// -->
        <!-- // BEGIN Filters -->
        <!-- Spring Security -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <!-- // END FILTERS -->
        <!-- //////////////////////////////////////////////////////////////////////////////// -->

        <!-- // BEGIN Listeners -->
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <listener>
            <listener-class>com.mz.server.web.ServerConfig</listener-class>
        </listener>
        <!-- // END Listeners -->
        <!-- //////////////////////////////////////////////////////////////////////////////// -->

        <!-- // BEGIN Servlets -->
        <servlet>
            <servlet-name>login</servlet-name>
            <servlet-class>com.mz.server.web.servlet.LoginServletImpl</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>login</servlet-name>
            <url-pattern>/app/login</url-pattern>
        </servlet-mapping>

        <servlet>
            <servlet-name>xsrf</servlet-name>
            <servlet-class>com.google.gwt.user.server.rpc.XsrfTokenServiceServlet</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>xsrf</servlet-name>
            <url-pattern>/app/xsrf</url-pattern>
        </servlet-mapping>

        <servlet>
            <!-- Dispatcher Servlet for REST API for Mobile Devices -->
            <servlet-name>mobile-restapi</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>mobile-restapi</servlet-name>
            <url-pattern>/app/restapi/*</url-pattern>
        </servlet-mapping>
        <!-- // END Servlets -->
        <!-- //////////////////////////////////////////////////////////////////////////////// -->

        <!-- // BEGIN Context Parameter -->
        <context-param>
            <param-name>gwt.xsrf.session_cookie_name</param-name>
            <param-value>mzsid</param-value>
        </context-param>
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                classpath:/**/spring-config.xml
                classpath*:applicationContext-service.xml
            </param-value>
        </context-param>
        <!-- // END Context Parameter -->
        <!-- //////////////////////////////////////////////////////////////////////////////// -->
    </web-app>
+6
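The question contrasts two configurations: `permitAll` on `/**`, which still returns 403 for the GWT XSRF call and for the login POST, and `security="none"` on `/app/xsrf`, which makes that call work. The following is an added example, not code from the question or either answer: a small Python model of how the Spring Security XML namespace picks one `<http>` filter chain per request and why `permitAll` and `security="none"` differ. It rests on two assumptions, stated here and in the comments: Spring Security 4 enables CSRF protection by default for `<http>`, so its CsrfFilter runs before authorization and rejects a state-changing request that carries no token; and both the GWT XsrfTokenService call and the login form submit are POSTs. The request lines and the `Http`/`Request` classes are constructed for the demo.

```python
"""Added example, not code from the question or either answer: a model of
Spring Security XML filter-chain selection and of the difference between
access="permitAll" and security="none".

Assumptions (labelled): Spring Security 4 turns CSRF protection on by default
for <http>, the GWT XSRF call and the login form submit are POSTs, and every
request below is constructed for the demo."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # CsrfFilter ignores these


@dataclass
class Http:
    """One <http> element: a pattern plus either security="none" or a chain."""
    pattern: str = "/**"
    security: str = "chain"                     # "none" -> no filters at all
    rules: list = field(default_factory=list)   # (intercept-url pattern, access)
    csrf: bool = True                           # assumed Spring Security 4 default


@dataclass
class Request:
    method: str
    path: str
    authenticated: bool = False
    csrf_token_ok: bool = False


def matches(pattern: str, path: str) -> bool:
    # fnmatch is close enough to Ant style for the patterns used in this model
    return fnmatchcase(path, pattern)


def select_chain(config, path):
    """First <http> whose pattern matches wins, so specific patterns go first."""
    for http in config:
        if matches(http.pattern, path):
            return http
    return None


def dispatch(config, req):
    """Return (status, reason) for one request under a list of <http> elements."""
    http = select_chain(config, req.path)
    if http is None or http.security == "none":
        return 200, "no Spring Security filter ran"
    # CsrfFilter sits ahead of the authentication and authorization filters,
    # so permitAll never gets a say on a token-less POST.
    if http.csrf and req.method not in SAFE_METHODS and not req.csrf_token_ok:
        return 403, "CsrfFilter rejected the request"
    for pattern, access in http.rules:
        if matches(pattern, req.path):
            if access == "permitAll":
                return 200, "permitAll"
            if req.authenticated:
                return 200, access
            return 302, "redirect to the login page"
    return 200, "no intercept-url constraint matched"


# The asker's three configurations, as <http> lists (constructed).
PERMIT_ALL_ONLY = [Http(rules=[("/**", "permitAll")])]
XSRF_NONE_FIRST = [Http(pattern="/app/xsrf", security="none"),
                   Http(rules=[("/**", "permitAll")])]
XSRF_NONE_LAST = [Http(rules=[("/**", "permitAll")]),
                  Http(pattern="/app/xsrf", security="none")]

# Constructed requests mirroring the symptoms in the question.
INDEX_GET = Request("GET", "/")
XSRF_POST = Request("POST", "/app/xsrf")
LOGIN_POST = Request("POST", "/login")
XSRF_POST_WITH_TOKEN = Request("POST", "/app/xsrf", csrf_token_ok=True)

if __name__ == "__main__":
    for name, cfg in [("permitAll only", PERMIT_ALL_ONLY),
                      ("security=none first", XSRF_NONE_FIRST),
                      ("security=none last", XSRF_NONE_LAST)]:
        for req in (INDEX_GET, XSRF_POST, LOGIN_POST, XSRF_POST_WITH_TOKEN):
            print(f"{name:20} {req.method} {req.path:10} -> {dispatch(cfg, req)}")
```

The model reproduces the observations: a GET of the index passes under `permitAll`, a token-less POST to `/app/xsrf` or `/login` is refused by the CSRF filter before any authorization rule runs, and `security="none"` only helps when it precedes the catch-all chain. It also shows the cost of that fix: `security="none"` removes every filter for that path, not just CSRF, whereas keeping the path in the chain and supplying or exempting the token (Spring Security's `<csrf>` element accepts a `request-matcher-ref` for that) preserves the rest of the protections.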
2 answers

It looks like the error was in web.xml. Instead of <url-pattern>/*</url-pattern> (as indicated in the tutorial), this should be /**:

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <!-- It appears that this should say '/**' and not '/*' as stated in many tutorials
             (e.g. http://websystique.com/spring-security/spring-security-4-hello-world-annotation-xml-example/). -->
        <url-pattern>/**</url-pattern>
    </filter-mapping>

Interestingly, now I get the following "INFO":

 INFO: Suspicious url pattern: "/**" in context [] - see section SRV.11.2 of the Servlet specification 

All I can say is that it starts to feel personal.

+6
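The INFO line quoted in this answer points at section SRV.11.2 of the Servlet specification. In that section a url-pattern is a path mapping only when it ends in `/*`, an extension mapping only when it starts with `*.`, the default mapping when it is `/`, and an exact match otherwise; `/**` therefore maps the filter to the literal path `/**` and to nothing else, which is what Tomcat's "Suspicious url pattern" message flags. Spring Security's `<intercept-url pattern="...">`, by contrast, uses Ant-style paths in which `/**` means every path. The following is an added example, not code from the question or either answer: a Python implementation of both matchers side by side, with a coverage check a practitioner can run over a web.xml mapping to see which request paths still reach the security filter. All paths in it are constructed for the demo.

```python
"""Added example, not code from the question or either answer: two matchers
side by side. servlet_matches() follows the url-pattern rules of SRV.11.2
(the section Tomcat's INFO line cites); ant_matches() follows the Ant-style
rules Spring Security applies to <intercept-url pattern="...">.
All paths below are constructed for the demo."""
from fnmatch import fnmatchcase


def servlet_pattern_kind(pattern: str) -> str:
    """Classify a web.xml url-pattern: default, path, extension or exact."""
    if pattern in ("/", ""):
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"          # anything else, including "/**", is a literal path


def servlet_matches(pattern: str, path: str) -> bool:
    """Does a <filter-mapping>/<servlet-mapping> url-pattern cover this path?"""
    kind = servlet_pattern_kind(pattern)
    if kind == "default":
        return True
    if kind == "path":
        prefix = pattern[:-2]                     # "/app/*" -> "/app"
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])         # "*.html" -> ".html"
    return path == pattern                        # exact: "/**" only matches "/**"


def suspicious_servlet_pattern(pattern: str) -> bool:
    """An exact-match pattern containing a wildcard is almost certainly a
    mistake; Tomcat logs this case as 'Suspicious url pattern'."""
    return servlet_pattern_kind(pattern) == "exact" and "*" in pattern


def _segments(s: str):
    s = s.strip("/")
    return s.split("/") if s else []


def _ant(pats, segs) -> bool:
    if not pats:
        return not segs
    head, rest = pats[0], pats[1:]
    if head == "**":                              # zero or more whole segments
        return any(_ant(rest, segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    return fnmatchcase(segs[0], head) and _ant(rest, segs[1:])


def ant_matches(pattern: str, path: str) -> bool:
    """Ant-style match: '*' stays within one segment, '**' spans segments."""
    return _ant(_segments(pattern), _segments(path))


def filter_coverage(filter_pattern: str, paths):
    """Which of the given paths still reach a filter mapped with this pattern."""
    return [p for p in paths if servlet_matches(filter_pattern, p)]


if __name__ == "__main__":
    paths = ["/", "/index.html", "/login", "/app/xsrf", "/app/restapi/users"]
    for fp in ("/*", "/**"):
        print(f"web.xml url-pattern {fp!r}: suspicious={suspicious_servlet_pattern(fp)}, "
              f"covers {filter_coverage(fp, paths)}")
    for ip in ("/**", "/app/*", "/resources/**"):
        print(f"intercept-url {ip!r} matches", [p for p in paths if ant_matches(ip, p)])
```

Running it shows `/*` covering every path and `/**` covering none of them, so a change from `/*` to `/**` in `<filter-mapping>` stops the 403s by taking springSecurityFilterChain out of the request path altogether; the coverage check is the quick way to confirm which of the two has happened before relying on the configuration.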

EDIT: since use-expressions=true is enabled by default, this answer doesn't help. But... I found your error:
Spring automatically creates a default login page at /login, but only if you have not specified any login-page option. You set the login-page option to /login, expecting to be redirected to that page by default, and that's why you get a 404 Not Found error.
So remove login-page="/login" to use the default, or create your own login page.
The same goes for authentication-failure-url="/login?error": delete it when using the default page.
The username and password parameters on the default login page are "j_username" and "j_password", and Spring did not find them. Delete them if you are not using your own login page...
You also added the security XML namespace twice... you must remove xmlns:security="http://www.springframework.org/schema/security".

The following only applies to Spring Security 3.x:
If you want to use expressions like permitAll, you need to enable them with use-expressions="true". Remember to allow access to the resources needed for your login page. Here you can find some help for using expressions. My question is: do you use a separate login.jsp/html page, or does "/login" mean the place/history token in your GWT application?

A small example of how it can work:

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <!-- if you are not completely familiar with how to use expressions, -->
        <!-- then using this will probably be easier: -->
        <!-- <http auto-config="true" use-expressions="false"> -->
        <!-- <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" /> -->
        <!-- <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> -->
        <!-- <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" /> -->
        <!-- why not your /index.html/jsp?? -->
        <form-login default-target-url="/welcome" always-use-default-target="true"/>
    </http>
0