I am trying to add Spring security with customized login page and access to database to my Spring MVC application. It seems like my mapping is wrong as it can not map j_spring_security_check.

To solve the issue I had a look at following pages 1,2,3 but could not solve the issue yet.

If you do not have much time, please read PART 2 below, that is where edited section of the question begins. Otherwise, please read both PART 1 and PART 2.

PART 1

I also added following lines to my web.xml file but the application returns following exceptions.

     <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Caused by: java.lang.IllegalStateException: Duplicate Filter registration for 'springSecurityFilterChain'. Check to ensure the Filter is only configured once.
    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.registerFilter(AbstractSecurityWebApplicationInitializer.java:215)
    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.insertSpringSecurityFilterChain(AbstractSecurityWebApplicationInitializer.java:147)
    at org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer.onStartup(AbstractSecurityWebApplicationInitializer.java:121)
    at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:175)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5423)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 6 more

Jun 13, 2015 2:44:54 PM org.apache.catalina.core.ContainerBase startInternal
SEVERE: A child container failed during start
java.util.concurrent.ExecutionException: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost]]
    at java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.util.concurrent.FutureTask.get(FutureTask.java:188)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1123)
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: org.apache.catalina.LifecycleException: A child container failed during start
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1131)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:800)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 6 more

Jun 13, 2015 2:44:54 PM org.apache.catalina.startup.Catalina start
SEVERE: The required Server component failed to start so Tomcat is unable to start.
org.apache.catalina.LifecycleException: Failed to start component [StandardServer[8005]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:456)
Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardService[Catalina]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:732)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 7 more
Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 9 more
Caused by: org.apache.catalina.LifecycleException: A child container failed during start
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1131)
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:302)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 11 more

Without adding that filter once the form is submitted the request will be catch by following controller.

@Controller
public class MainController {

    @RequestMapping("/{viewName}")
    public String index(@PathVariable String viewName) {
        ...
    }

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
          http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <listener>
        <listener-class>org.apache.tiles.extras.complete.CompleteAutoloadTilesListener</listener-class>
    </listener>


    <servlet>
        <servlet-name>my</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

<!--    <listener> -->
<!--        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> -->
<!--    </listener> -->
<!--    <filter> -->
<!--        <filter-name>springSecurityFilterChain</filter-name> -->
<!--        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> -->
<!--    </filter> -->

<!--    <filter-mapping> -->
<!--        <filter-name>springSecurityFilterChain</filter-name> -->
<!--        <url-pattern>/*</url-pattern> -->
<!--    </filter-mapping> -->


    <servlet-mapping>
      <servlet-name>my</servlet-name>
      <url-pattern>/</url-pattern>
    </servlet-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/config/my-security.xml
        </param-value>
    </context-param>

</web-app>

my-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">


    <http auto-config="true" access-denied-page="/notFound.jsp"
        use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
    </http>

    <!-- <beans:import resource="security-db.xml" /> -->

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="alex" password="123456" authorities="ROLE_USER" />
                <user name="mkyong" password="123456" authorities="ROLE_USER, ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

AppConfig.java

@EnableWebMvc
@Configuration
@ComponentScan({ "com.myproject.*" })
@EnableTransactionManagement
@Import({ SecurityConfig.class })
public class AppConfig {


    @Bean
    public SessionFactory sessionFactory() {
        LocalSessionFactoryBuilder builder = new LocalSessionFactoryBuilder(
                dataSource());
        builder.scanPackages("com.myproject.model").addProperties(
                getHibernateProperties());
        return builder.buildSessionFactory();
    }

    private Properties getHibernateProperties() {
        Properties prop = new Properties();
        prop.put("hibernate.format_sql", "true");
        prop.put("hiberate.show_sql", "true");
        prop.put("hibernate.dialect", "org.hibernate.dialect.MySQL5Dialect");
        return prop;
    }

    @Bean(name = "dataSource")
    public BasicDataSource dataSource() {
        BasicDataSource ds = new BasicDataSource();
        ds.setDriverClassName("com.mysql.jdbc.Driver");
        ds.setUrl("jdbc:mysql://localhost:3306/test");
        ds.setUsername("jack");
        ds.setPassword("jack");
        return ds;
    }

    @Bean
    public HibernateTransactionManager txManager() {
        return new HibernateTransactionManager(sessionFactory());
    }

}

SecurityConfig.java

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    @Qualifier("userDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(
                passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/profile/**")
                .access("hasRole('ADMIN')").and().formLogin()
                .loginPage("/signin").failureUrl("/signin?error")
                .usernameParameter("username").passwordParameter("password")
                .and().logout().logoutSuccessUrl("/index").and().csrf().and()
                .exceptionHandling().accessDeniedPage("/403");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }

}

SpringMVCInitializer.java

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class SpringMvcInitializer extends
        AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { AppConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }

}

LoginController.java

@Controller
public class LoginController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public ModelAndView login(
            @RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout) {

        ModelAndView model = new ModelAndView();
        if (error != null) {
            model.addObject("error", "Invalid username and password!");
        }

        if (logout != null) {
            model.addObject("msg", "You've been logged out successfully.");
        }
        model.setViewName("login");

        return model;

    }
}

**

PART 2

Based on Thomas's suggestions I changed the code as following

**

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
          http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <listener>
        <listener-class>org.apache.tiles.extras.complete.CompleteAutoloadTilesListener</listener-class>
    </listener>


    <servlet>
        <servlet-name>my</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
      <servlet-name>my</servlet-name>
      <url-pattern>/</url-pattern>
    </servlet-mapping>



</web-app>

AppConfig.java

@EnableWebMvc
@Configuration
@ComponentScan({ "com.myproject" })
@EnableTransactionManagement
@Import({ SecurityConfig.class })
public class AppConfig {

    @Bean
    public SessionFactory sessionFactory() {
        LocalSessionFactoryBuilder builder = new LocalSessionFactoryBuilder(
                dataSource());
        builder.scanPackages("com.myproject.model").addProperties(
                getHibernateProperties());
        return builder.buildSessionFactory();
    }

    private Properties getHibernateProperties() {
        Properties prop = new Properties();
        prop.put("hibernate.format_sql", "true");
        prop.put("hiberate.show_sql", "true");
        prop.put("hibernate.dialect", "org.hibernate.dialect.MySQL5Dialect");
        return prop;
    }

    @Bean(name = "dataSource")
    public BasicDataSource dataSource() {
        BasicDataSource ds = new BasicDataSource();
        ds.setDriverClassName("com.mysql.jdbc.Driver");
        ds.setUrl("jdbc:mysql://localhost:3306/test");
        ds.setUsername("jack");
        ds.setPassword("jack");
        return ds;
    }

    @Bean
    public HibernateTransactionManager txManager() {
        return new HibernateTransactionManager(sessionFactory());
    }

}

SecurityConfig.java

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    @Qualifier("userDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
//      auth.userDetailsService(userDetailsService).passwordEncoder(
//              passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/profile/**")
                .access("hasRole('ADMIN')").and().formLogin()
                .loginPage("/login").failureUrl("/login?error")
                .and().logout().logoutSuccessUrl("/index").and().csrf().and()
                .exceptionHandling().accessDeniedPage("/403");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }

}

SpringMVCInitializer.java

public class SpringMvcInitializer extends
        AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { AppConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }

}

MainController

@Controller
public class MainController {

    @RequestMapping("/{viewName}")
    public String index(@PathVariable String viewName) {
        System.err.println("View Name is :" + viewName);
        if (isValidView(viewName)) {
            return viewName;
        }
        return null;
    }

Regarding MainController, this is the way that I handle static pages such as www.myproject.com/index, www.myproject.com/contactus etc. My other question regarding this issue is here

2

There are 2 answers

0
Daniel Newtown On BEST ANSWER

I would highly suggest you to follow either Java or XML config. I personally prefer Java config.

  • Remove all Spring Security related XML configs and create following files.
  • Amend the permission addresses to whatever you have.

    public class MessageSecurityWebApplicationInitializer extends
            AbstractSecurityWebApplicationInitializer { //register the springSecurityFilterChain with the war
    
    }
    
    
    public class MessageWebApplicationInitializer extends
            AbstractAnnotationConfigDispatcherServletInitializer {
    
        @Override
        protected Class<?>[] getRootConfigClasses() {
            return new Class[] { SecurityConfig.class }; //make sure your config file gets loaded
        }
    
        @Override
        protected Class<?>[] getServletConfigClasses() {
            // TODO Auto-generated method stub
            return null;
        }
    
        @Override
        protected String[] getServletMappings() {
            // TODO Auto-generated method stub
            return null;
        }
    
    
       @Configuration
       @EnableWebMvcSecurity
       public class SecurityConfig extends WebSecurityConfigurerAdapter {
         @Autowired
            public void configureGlobal(AuthenticationManagerBuilder auth)
                throws Exception {
            System.err.println("in here");
            auth.inMemoryAuthentication().withUser("[email protected]")
                    .password("password").roles("USER"); //access to inmemory credentials
        }
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                    .antMatchers("/resources/**", "/", "/index", "/aboutus")
                    .permitAll() //allow access to your static pages and resources
                    .antMatchers("/profile/**")
                    .hasRole("USER") //profile address is only available to users ( do not need to add ROLE_ as Spring does it for you)
                    .and() //and is equivalent of end tag in XML 
                    .formLogin().loginPage("/signin").failureUrl("/signin?error")
                    .permitAll().and().logout().logoutUrl("/singout").permitAll();
        }
    

For further explanation and to access to DB refer to the documentation

11
Thomas Weglinski On

There are several issues in your code. The most important one is that you are mixing the Java configuration and the XML configuration for Spring Security. Decide which configuration you prefer to use. In my answer, I will focus on the Java-based configuration, as I would completely remove the XML configuration from your code.

In your case, the @EnableWebSecurity annotation by default already registers the appropriate filters. But if your are using the Spring MVC, it should rather be @EnableWebMvcSecurity.

Furthermore, look at your HttpSecurity configuration:

 protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/profile/**")
                .access("hasRole('ADMIN')").and().formLogin()
                .loginPage("/signin").failureUrl("/signin?error")
                .usernameParameter("username").passwordParameter("password")
                .and().logout().logoutSuccessUrl("/index").and().csrf().and()
                .exceptionHandling().accessDeniedPage("/403");
}

You are obviously telling that login page will be at /signin, but in your LoginController the mapping is for /login. And what for you config the .usernameParameter("username") .passwordParameter("password")? It's already done this way in Spring Security default configuration.

You should also add the SecurityInitializer class, which in Spring Security 3.2 can look like this:

public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {

    public SecurityInitializer() {
        super(SecurityConfig.class);
    }
}

So to sum up, the basic steps to add the Spring Security to your project is to do the following:

  1. Add the appropriate (Maven, Gradle) dependencies for Spring Security;
  2. Configure the Spring Security class annotated with @EnableWebMvcSecurity, especially in configureGlobal(...) and configure(...) methods;
  3. Register the class extending AbstractSecurityWebApplicationInitializer;
  4. Provide the mapping for login page in your controller and write down the custom form in JSP page.

The basic login form can look like this:

    <form name='loginForm' method='POST'>

      <table>
        <tr>
            <td>User:</td>
            <td><input type='text' name='username' value=''></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type='password' name='password' /></td>
        </tr>
        <tr>
            <td colspan='2'><input name="submit" type="submit"
                value="submit" /></td>
        </tr>
      </table>

      <input type="hidden" name="${_csrf.parameterName}"
        value="${_csrf.token}" />

    </form>

These basic steps enable the Spring Security in your project. For more information, the good tutorials are: http://docs.spring.io/spring-security/site/docs/3.2.x/guides/hellomvc.html http://docs.spring.io/spring-security/site/docs/3.2.x/guides/form.html

Good luck :)