Spring MVC + Security Note (4) – Migrate from Spring Security 3.X to 4.X

By W.ZH

Refer to this link

http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html

Here are some notes on the common changes in pages or configuration files:

  1. The default URLs for the login and logout form actions have changed:
    /j_spring_security_logout -> /logout
    /j_spring_security_check -> /login
    So we need to change our JSP content for these two.
  2. CSRF protection is enabled by default. If you want it disabled, just add
    <csrf disabled="true"/> inside the <http /> tag.
    If you want it enabled, you do not need to do anything.
  3. <access-denied-handler error-page="/page/403" /> goes inside the <http /> element,
    not as an attribute of <http ... /> as in the old version.
  4. If you have more than one role, you can no longer use
    access="ROLE_USER,ROLE_ADMIN"; you have to change to <http auto-config="true" use-expressions="true" >
    …..
    <intercept-url ……. access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" ….. You may have other things that need changes; refer to the reference page.
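An added check, not part of the original note or of Spring's own tooling: this Python script scans JSP source for the two renamed URLs and for POST forms that lack the CSRF token field Spring Security 4 expects by default. The sample JSP strings are constructed from the login form in note (1); the `_csrf` field names are the ones Spring Security 4 exposes in the request.

```python
import re
from typing import List

# 3.x default form-processing URLs and their 4.x replacements, from the note above
LEGACY_URLS = {
    "/j_spring_security_check": "/login",
    "/j_spring_security_logout": "/logout",
}

FORM_RE = re.compile(r"<form\b.*?</form>", re.IGNORECASE | re.DOTALL)
POST_RE = re.compile(r"""\bmethod\s*=\s*['"]?post""", re.IGNORECASE)
# ${_csrf.parameterName} / ${_csrf.token} are the EL names Spring Security 4 provides
CSRF_RE = re.compile(r"_csrf\.(parameterName|token)")


def find_migration_issues(jsp: str) -> List[str]:
    """Return findings for one JSP source string (empty list means nothing to change)."""
    issues: List[str] = []
    for old, new in LEGACY_URLS.items():
        if old in jsp:
            issues.append(f"{old} is gone in 4.x; the default is now {new}")
    for form in FORM_RE.findall(jsp):
        # A POST form without the token field is rejected once CSRF is on
        if POST_RE.search(form) and not CSRF_RE.search(form):
            issues.append("POST form has no _csrf hidden field; CSRF protection is on by default in 4.x")
    return issues


# Constructed sample: the 3.x login form from note (1), and the same form after migration
OLD_LOGIN_JSP = """
<form name='loginForm' action="<c:url value='/j_spring_security_check' />" method='POST'>
  <input type='text' name='username'>
  <input type='password' name='password' />
  <input name="submit" type="submit" value="submit" />
</form>
<a href="<c:url value='/j_spring_security_logout' />">Logout</a>
"""

NEW_LOGIN_JSP = """
<form name='loginForm' action="<c:url value='/login' />" method='POST'>
  <input type='text' name='username'>
  <input type='password' name='password' />
  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
  <input name="submit" type="submit" value="submit" />
</form>
"""

if __name__ == "__main__":
    for name, jsp in (("old", OLD_LOGIN_JSP), ("new", NEW_LOGIN_JSP)):
        print(name, find_migration_issues(jsp) or ["ok"])
```

With CSRF enabled, a logout link that issues a GET to /logout also stops working, so the logout anchor flagged in the old sample needs to become a POST form carrying the same token.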

Spring MVC + Security Note (3) – About the Role Name

By WZH.

In the last two examples we saw that the user has a role defined called ROLE_USER:

<user     name="mkyong"
password="123456"
authorities="ROLE_USER" />

<intercept-url pattern="/admin**" access="ROLE_USER" />

 

You should note that ROLE_USER here is only a string. It just needs to match the authorities later in the authentication part: the authentication provider grants this role, it is matched against the login request, and then the role is assigned to the principal after authentication.

You can define any role yourself. Only ROLE_ANONYMOUS is a predefined role name in Spring Security, given to an anonymous user.

Inside Spring, the default AccessDecisionManager (which interprets the access attributes that you specify in the intercept-url element) uses a RoleVoter implementation. By default this looks for the prefix "ROLE_" on the attribute, so your best option is to make sure that your roles have this prefix.

If you want to use another prefix, e.g. AAA_USER, you have to define a custom RoleVoter:

<!-- Spring Security 3.x package (the 2.x package was org.springframework.security.vote) -->
<bean class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix" value="AAA"/>
</bean>

This bean alone does nothing: it has to be wired into an AccessDecisionManager that the <http> element references through access-decision-manager-ref. You need to read more on how to do this.

Spring security note – Create a simple authentication-manager by getting users from a DB table – 1

By WZH. Aug 2016

We want to authenticate users against a DB rather than a hard-coded user service with username and password, so the system can work like a production system.

Refer to this article and its code:

http://www.mkyong.com/spring-security/spring-security-form-login-using-database/

Here are the key points:

        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select username,password, enabled from users where username=?"
                authorities-by-username-query=
                    "select username, role from user_roles where username =?  " />
        </authentication-provider>

users-by-username-query and authorities-by-username-query are the two queries that get user + password and user + role from the DB. You do not need to use exactly these field names in your DB definition, but the SQL must return 3 items in this order for users and 2 items in this order for authorities.

After you get this part right and your DB is OK, you should be able to implement authentication from the DB easily. But this password would be a clear-text password saved in the DB.

Question: what if your password field in the DB is the MD5 of the real password, to improve security? How do you do that in Spring Security?

Let me show you one example of what you should do. Add this line inside <authentication-provider> first:

        <authentication-provider>
            <password-encoder hash="md5"/>
            <jdbc-user-service data-source-ref="mySQLDataSource"
                users-by-username-query=
                    "select loginId, password, true from users where loginId=?"
                authorities-by-username-query=
                    "select loginId, authority from user_roles where loginId =?  " />
        </authentication-provider>

<password-encoder hash="md5"/> tells Spring Security that the password read from the DB is an MD5 hash. So Spring will compare the MD5 of the login form input password with the MD5 read from the DB to do the authentication. But when you create/register a new user in your DB, you need to calculate the MD5 in your own code. You have to ensure your MD5 hash result is the same as Spring's.

Remember this piece of code:

import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.authentication.encoding.PasswordEncoder;

PasswordEncoder encoder = new Md5PasswordEncoder();
// second argument is the salt; null gives the plain MD5 hex that <password-encoder hash="md5"/> expects
String hashedPass = encoder.encodePassword("origClearPassword", null);

Then you can save hashedPass to your DB as the "password" for hashed authentication.
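As an added example (not from the original post and not Spring's own code), this Python reproduces the hash format Spring's Md5PasswordEncoder produces, so registration code written outside Spring stores something the provider will accept. The salt convention is taken from Spring's MessageDigestPasswordEncoder; new_user_row and its column names are assumed from the users-by-username-query above.

```python
import hashlib
import hmac
from typing import Optional


def spring_md5_encode(raw_password: str, salt: Optional[str] = None) -> str:
    """Reproduce Spring Security 3.x Md5PasswordEncoder.encodePassword(raw, salt).

    Assumption taken from Spring's MessageDigestPasswordEncoder: the digested text is
    raw + "{" + salt + "}" when a salt is given, and just raw when the salt is None/empty.
    The result is lower-case hex, which is what <password-encoder hash="md5"/> expects
    to find in the users table.
    """
    merged = raw_password if not salt else f"{raw_password}{{{salt}}}"
    return hashlib.md5(merged.encode("utf-8")).hexdigest()


def is_password_valid(stored_hash: str, raw_password: str, salt: Optional[str] = None) -> bool:
    """Check a login attempt the way the provider does: hash the input, compare hex strings.

    The comparison is exact (no case folding), so registration code must store
    lower-case hex or every login will fail. compare_digest keeps the comparison
    constant-time so timing does not reveal how many leading bytes matched.
    """
    candidate = spring_md5_encode(raw_password, salt)
    return hmac.compare_digest(stored_hash, candidate)


def new_user_row(login_id: str, raw_password: str) -> dict:
    """Constructed example of the row registration code would insert into `users`
    (columns follow the users-by-username-query above: loginId, password, enabled)."""
    return {"loginId": login_id, "password": spring_md5_encode(raw_password), "enabled": True}


if __name__ == "__main__":
    row = new_user_row("mkyong", "password")
    print(row)
    print(is_password_valid(row["password"], "password"))
```

Unsalted MD5 is fast to brute-force offline if the table ever leaks; Spring Security 3.1 and later include BCryptPasswordEncoder, which is the encoder to prefer when you control the schema.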

 

Refer to:

http://docs.spring.io/spring-security/site/docs/3.0.x/reference/appendix-namespace.html

Spring MVC + Security Note (1) – Basic custom login

By WZH

Spring MVC is normally not hard to implement, but adding the security part using Spring Security in fact needs a lot of reading of the reference. So here I made some notes on the fundamentals to start implementing Spring Security on MVC. Referenced from this article:

http://www.mkyong.com/spring-security/spring-security-form-login-example/

You can download the project from the end of that article. Here I explain the key points for Spring Security login.

Get the Spring Security jars:

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>3.2.5.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>3.2.5.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>3.2.5.RELEASE</version>
        </dependency>

 

Create an XML file, e.g. spring-security.xml, and put it together with web.xml (remember to include this file in contextConfigLocation):

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <http pattern="/login.htm*" security="none" />
    <http auto-config="true">
        <intercept-url pattern="/admin**" access="ROLE_USER" />
        <form-login login-page="/login" 
            default-target-url="/welcome"
            authentication-failure-url="/login?error" 
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/login?logout" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user   name="username" 
                        password="123456" 
                        authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

 

<http pattern="/login.htm*" security="none" />

This excludes one URL or one page from security control. You can have multiple <http elements like this.

<intercept-url pattern="/admin**" access="ROLE_USER" />

defines which URLs need to be secured and which role is needed to access them.

<form-login defines how the form login works: the URL for login, the login error page, the page after login, etc.

<logout defines which URL to go to after a successful logout.

<authentication-provider defines where the user and password come from to do the authentication. For now a hard-coded user is there. After the user is authenticated, he will have authorities="ROLE_USER".

Now that we have done the configuration for Spring Security, we need to define pages and controllers for it.

In the Login page:

        <form name='loginForm'
            action="<c:url value='/j_spring_security_check' />" method='POST'>

            <table>
                <tr>
                    <td>User:</td>
                    <td><input type='text' name='username'></td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><input type='password' name='password' /></td>
                </tr>
                <tr>
                    <td colspan='2'><input name="submit" type="submit"
                        value="submit" /></td>
                </tr>
            </table>

        </form>

The HTML input names for the user name and password must match the <form-login data:

username-parameter="username"
password-parameter="password"

/j_spring_security_check is the URL supplied by Spring Security to do the authentication for you. In admin.jsp (for logout) you will see that the logout URL is /j_spring_security_logout.

 

Basically these are the key points to make custom login work in Spring Security.

How to enable/register the discussion service to the webcenter Spaces 11gPS5

By W.ZH Mar 2013 

 

1. You need to install WC_Collaboration together with the WLS admin server and WCP.

2. Normally your discussion server will be at http://host:8890/owc_discussions

and its admin UI at http://host:8890/owc_discussions/admin

3. Normally after install, the discussion service does not automatically show up in Spaces: if you go to Space - Administration - Configuration, under "Services and Providers", there is no Discussion Service. So let us enable this service in Spaces.

4. Go to your EM (middleware control) - YourDomain - WebCenter - Portal - Spaces - webcenter.

Click the "WebCenter Portal" menu - Settings - Service Configuration - Discussions and Announcements, then add a new connection.

5. Give a name and the server URL (http://host:8890/owc_discussions) and the other settings; refer to chapter 14.3 "Registering Discussions Servers" in the WebCenter admin guide for details. You can define a property like application.root.category.id.

6. Then test it, and restart your Spaces and Collaboration managed servers to make it take effect.

 

What does application.root.category.id mean here?

 

It is the category ID (a sub-category in the discussion server) whose forums your space links to directly.

Go to http://host:8890/owc_discussions/admin and then Content - Category Summary. There you can create a new category and a new forum. All sub-categories are under the Root Category; when you click your sub-category, the URL will look like http://host:8890/owc_discussions/admin/content-main.jsp?cat=3 . The 3 is the number you can use!

After you set up all these, go to the "Roles" part of your space (not Spaces), where you can set up what permissions each role group has in the forum.


After all this is done, you are ready to insert the discussion task flows into a page in your space. There are two major TFs: "Discussion Forums" and "Forums - Quick View".

You can get them from the "Social and Communications" category. Please note that "Discussion Forums" is the full version, but it cannot be used as a TF.
You can only use it through the discussion page, which can be found in your space's pages list as a default page supplied by the Spaces feature.

Refer to the user guide of WC Spaces, chapter 60.1 "What You Should Know About the Discussions Service".

 

A Framework application has a similar way to register the discussion service. I will write an article on it in future.

commons logging in WLS

By W.ZH Dec,2011

In WLS you can basically use Log4J, Apache Commons Logging and Oracle Diagnostic Logging for your application logging. Here I did some testing of Apache Commons Logging in WLS.

1. First read the chapter "How to Use the Commons API with WebLogic Logging Services" here:

http://docs.oracle.com/cd/E21764_01/web.1111/e13739/config_logs.htm

2. Following that chapter, you can basically make something work. But there are some things you need to note here:

When using:

System.setProperty(LogFactory.FACTORY_PROPERTY, "weblogic.logging.commons.LogFactoryImpl");

it seems this sets the environment to org.apache.commons.logging.LogFactory=weblogic.logging.commons.LogFactoryImpl and might impact other running applications. In my testing, logging ran fine after I deployed my app, but after I restarted WLS the logging did not work anymore, so it might be related to this issue. There is a post on the Oracle forums mentioning this.

So the proper way should be to put this into the commons-logging.properties file and put that file into your WEB-INF/lib folder for Commons Logging to use.

3. Some articles mention you also need to put wlcommons-logging.jar into the lib folder with the other two.

4. There is also a method LogFactory.getFactory().setAttribute(*,*) that can do this; you need to check the API.

5. The level setting is in the WLS console for a server, such as:

Home >
Summary of Servers > AdminServer -> Logging tab -> General:

Advanced -> Logger severity properties:

When you create your instance like this:

LogFactory.getFactory().getInstance("a.b.FooLogger");

then you can use

a.b=Info;a.b.FooLogger=Debug

here to control your logger level.

6. Unfortunately my testing was not fully successful. After I deploy my app, it works, but later it does not work anymore. It seems something still needs to be done for this feature. I hope to find a better tutorial on it next time.

A practice to make Commons Logging run on AdminServer:

1. Create the code in a Java file as in "How to Use the Commons API with WebLogic Logging Services",

but you can remove the System.setP… line.

2. Add this to the startWebLogic script JAVA_OPTIONS: -Dorg.apache.commons.logging.LogFactory=weblogic.logging.commons.LogFactoryImpl

3. Copy these jar files to the domain lib:

org.apache.commons.logging_1.0.4.jar
com.bea.core.weblogic.commons.logging_1.3.0.0.jar
commons-logging.jar
wlcommons-logging.jar
log4j-1.2.8.jar (optional?)

4. Go to the following directory: \wlserver_10.3.2\server\lib\consoleapp\META-INF
5. Open the "weblogic-application.xml" file and comment out the following two lines:
<package-name>org.apache.log4j.*</package-name>
<package-name>org.apache.commons.*</package-name>

6. Restart the Admin server.
7. Open the Admin console; it can run.
8. Go to the console to set log levels:

Home > Summary of Servers > AdminServer -> Logging tab -> General:
Advanced -> Minimum severity to log: set to Debug

Message destination(s) -> Standard out -> Severity level: set to Debug

Refer to:

https://bug.oraclecorp.com/pls/bug/webbug_edit.edit_info_top?rptno=9318576

https://forums.oracle.com/forums/thread.jspa?threadID=1076003

http://technology.amis.nl/blog/4815/logging-in-jdeveloper-11g-weblogic-server

WLST how to

By W.Zh Mar 2011

The WebLogic Scripting Tool (WLST) is a command-line scripting environment that you can use to create, manage, and monitor WebLogic Server domains. It is based on the Java scripting interpreter, Jython. Because of project needs, I have done some research on WLST and used it in our project.

I feel basic WLST usage falls into two places. One is the WebLogic administrator managing WebLogic: they can create many WLST scripts and use them in their daily management activities on the WebLogic server.

The other case is automatic installation, such as when you develop a product based on WebLogic: the last stage might be to make an install tool for your product or application. For example, you can use Oracle OUI and OSP to create an install CD package; in the install wizard you might need to deploy and configure your web application into the WebLogic server, and mostly you have to trigger WLST to do this for the installation.

Even if you do not use Oracle OUI/OSP and use other installer software for your product, you still need to trigger WLST if you want to do anything in WebLogic for your applications.

In the Oracle doc for WLST, the must-read is chapter 2 "Using the WebLogic Scripting Tool" in the Fusion doc library's WLST book, to understand the basic ideas of:

online and offline mode,

Interactive Mode, Script Mode and Embedded Mode

etc.

  • How to create a datasource in WLS by WLST?

There are sample py files in the Oracle WLST doc and samples called

jdbc_data_source_creation.py and jdbc_data_source_deletion.py; you can test them and adapt them to your version.

  • How to import/export resources to OSB (Oracle Service Bus) in WLST?

Go to the OSB WLST sample code page, here:
    http://www.oracle.com/technology/sample_code/products/osb/index.html

You can find an example that shows you how to import/export resources; download and unzip it.

Of course you can use it directly. The sample normally uses ANT to build and trigger "java weblogic.WLST" to run the script.py file.

In fact you can read those Ant build XML files and figure out how to run that from the Java command line. Something like this:

     java -classpath /u01/app/oracle/Oracle_OSB1/lib/sb-kernel-impl.jar:/u01/app/oracle/Oracle_OSB1/modules/com.bea.common.configfwk_1.3.0.0.jar:/u01/app/oracle/Oracle_OSB1/lib/sb-kernel-api.jar:/u01/app/oracle/wlserver_10.3/server/lib/weblogic.jar weblogic.WLST import.py import.properties

sb-kernel-impl.jar, com.bea.common.configfwk_1.3.0.0.jar and sb-kernel-api.jar are jars that contain the OSB-related custom WLST commands (or WLS commands) that you may need inside import.py. You need to find them on your Linux system, point to their right location and add them to the Java classpath in the command.

weblogic.jar is the jar file that contains the weblogic.WLST program that you want to run in Java.

import.py is the py file containing the WLST script to run.

import.properties is the property file that defines some inputs to your py file.

You can change Oracle's sample to your needs and integrate it into your application.

 

  • How to deploy the SOA composite application by WLST
  1. When you build your SOA application in JDeveloper, you can deploy it to a SAR file; in fact it is a jar file containing all the files.
    You can also write an ANT script to do this packaging for you.
  2. Mostly you also need to create a config plan file so that all the resources used in your SOA app fit the target deployment server of the production system.
    For all of these you can refer to the SOA Suite developer guide.
  3. Deploying a SOA application by WLST, such as in the interactive command mode, is also described in the SOA Suite developer guide.
    Test these steps in WLST first, running the manual deploy in WLST (you may need to use the SOA server's WLST, not the WLS one).
  4. Compose your py script for this.
  5. Then use Java to deploy, together with your right config plan file; you may need to use the SOA server's weblogic jar file in WLST to do the deploy for the SOA app.

Refer to:

http://forums.oracle.com/forums/thread.jspa?threadID=2113031

http://biemond.blogspot.com/2009/09/deploy-soa-suite-11g-composite.html

== How to start WLST ===================================================

1. You can use the WL_HOME\server\bin\setWLSEnv script to set the env:

setWLSEnv.sh
java weblogic.WLST

Then you come into the interactive mode of WLST.

To connect to a WebLogic Server instance after you start WLST in interactive mode:

wls:/offline> connect('weblogic','password','localhost:7001')

Good site: http://wlstbyexamples.blogspot.com/

Refer to

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/config_scripting/using_WLST.html