Spring MVC + Security Note (4) – Migrate from Spring Security 3.X to 4.X


Refer to this link


Here are some notes that common change in page or configuration files:

  1. default URL for login and logout form action are changed:
    /j_spring_security_logout     to /logout
    /j_spring_security_check     to /login
    So we need to change our JSP content for these two.
  2. Default csrf is enabled… so if you want to be disabled, just add this
    <csrf disabled=”true”/> in the <http />tag
    If you want enable, you do not need to do sth.
  3. <access-denied-handler error-page=”/page/403″ />  put inside the <http />
    not like old on as the attribute <http *** />
  4. If you have more than one roles, you can not use the
    access=”ROLE_USER,ROLE_ADMIN”  any more, you have to change to<http auto-config=”true” use-expressions=”true” >
    <intercept-url  ……. access=”hasAnyRole(‘ROLE_USER’,’ROLE_ADMIN’)” …..you maybe have others need changes, need to refer to reference page

Spring MVC + Security Note (3) – About the Role Name


In the last two examples we see that user has a role define called ROLE_USER

<user     name=”mkyong”
authorities=”ROLE_USER” />

<intercept-url pattern=”/admin**” access=”ROLE_USER” />


You should note that ROLE_USER here is a string only.  Just need to matched the authorities later in the  Authentication part.  Authentication provider give this role and it matched with the login part request, then this role will will assigned to this principle after authentication.

You can define any role by your self. Only ROLE_ANONYMOUS is a predefined role name in the spring security to an anonymous user.

Inside Spring, the default AccessDecisionManager (which interprets the access attributes that you specify in the intercept-url element) uses a RoleVoter implementation. By default this looks for the prefix “ROLE_” on the attribute, so your best option is to make sure that your roles have this prefix.

If you want use another prefix, . eg AAA_USER, you have to define a custom AppVoter:

<bean class=”org.springframework.security.vote.RoleVoter”>
<property name=”rolePrefix” value=”AAA”/>
you need to read more on how to do this thing.

Spring security note – Create a simple authentication-manager by get user from DB table – 1

By WZH. Aug 2016

We want authenticate user against with a DB rather from a hard code user service with username and password. So system can work like a production system.

Refer to this article and its code:


Here is key points:

            <jdbc-user-service data-source-ref="dataSource"
                    "select username,password, enabled from users where username=?"
                    "select username, role from user_roles where username =?  " />

users-by-username-query and users-by-username-query are two queries that to get user + password   and user + role from DB.  You do not need to use exactly field names for these in DB define , but SQL return data should there 3 items in order for users and 2 items in order for authorities.

After you make this part correct and your DB ok, you should be able to implement authenticate from DB easily. But this password could be clear pass save in DB.

Question – what if your password field is MD5 of real password in DB to ensure security how to do it in Spring security?

Let me show you one example that what you should do, add this line at <authentication-provider> first:

            <password-encoder hash="md5"/>
            <jdbc-user-service data-source-ref="mySQLDataSource"
                    "select loginId, password, true from users where loginId=?"
                    "select loginId, authority from user_roles where loginId =?  " />

<password-encoder hash=”md5″/> will tell spring security that password read from DB is MD5 hash.  So spring will compare MD5 of the LoginForm input password with the MD5 read out from DB to do the authentication. But when you create/ register a new user into your DB, you need to calculate the MD5 by your code. You have to ensure your MD5 hash result is same with Spring.

Remember this piece of code:

PasswordEncoder encoder = new Md5PasswordEncoder();
String hashedPass = encoder.encodePassword("origClearPassword", null);

then you can save hashedPass to you DB as the “password” for hashed authentication.


Refer too:





Spring MVC + Security Note (1) – Basic custom login


Spring MVC normally is not hard to implement but to add on the security part naturally using Spring Security which in fact  needs a lot readings for reference. So here I made some notes for some fundamentals to start implement the Spring Security on MVC. Referenced from this article


you can download this project from end of the article. Here I give the major explain that key points for spring security login.

Get Spring security jars



Create a XML. eg spring-security.xml and put it together with web.xml(remember include this file for contextConfigLocation)

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    <http pattern="/login.htm*" security="none" />
    <http auto-config="true">
        <intercept-url pattern="/admin**" access="ROLE_USER" />
        <form-login login-page="/login" 
            password-parameter="password" />
        <logout logout-success-url="/login?logout" />

                <user   name="username" 
                        authorities="ROLE_USER" />



<http pattern=”/login.htm*” security=”none” />

This is exclude one URL or one page from the security control. You can have multiple <http for these.

<intercept-url pattern=”/admin**” access=”ROLE_USER” />

define what kind of URL need to secured and what Role needed to access these URL.

<form-login  define how the form login works, which URL for login, login error, after login page, etc.

<logout define after logout ok, go to which url.

<authentication-provider page define the user and password is got from where to do the authentication. Now a hard coded user is there. After user is authenticated, he will have the authorities=”ROLE_USER”.

Now we have done config define for the Spring security, we need to define pages and controllers for it.

In the Login page:

        <form name='loginForm'
            action="<c:url value='/j_spring_security_check' />" method='POST'>

                    <td><input type='text' name='username'></td>
                    <td><input type='password' name='password' /></td>
                    <td colspan='2'><input name="submit" type="submit"
                        value="submit" /></td>


html inputs name for user name and password, must match with the <form-login data


/j_spring_security_check   is the URL supplied by Spring security to do the authentication for you. At admin.jsp (for logout), you will see that log out URL is /j_spring_security_logout


Basically these are key points to make the custom login works in spring security.



How to detect the IP conflict issue


Sometimes you will get this kind of issue but how to find this issue existing in your net work could be a bit trick.  Because normally people will think this problem could happen in LAN.

Such as for my case, we see one sever SSH access suddenly not working with this error : “Write Failed:Broken Pipe”, this looks like my years ago experience with similar issue.

At your linux – Ubuntu, you use  a tool called arp-scan:

sudo apt-get install arp-scan

This command will show IP addresses, MAC address and manufacturer of the NIC. The line in the output that is a duplicate also identifies itself with a (DUP: 2)

sudo arp-scan -I eth0 -l

You can grep out part you have interesting to deal with it.

OIM 11g Basic Introduction

By W.ZH, Feb 15 2012.

Oracle Identity Management, in fact is a list of products, I know many developers in fact know the Identity product from the LDAP and OID.  Here I list all the OIM products and we can have a big concept. content copied from Oracle documentation.

OAM – Oracle Access Manager, access control system  for Oracle Single Sign-on (SSO)

OAPM – Oracle Authorization Policy Manager,  a GUI tool for managing the authorization policy for applications based on Oracle Platform Security Services.(OPSS)

OIM – Oracle Identity Manager (another OIM) is a user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories. It improves regulatory compliance by providing detailed reports that identify which users have access to which applications.

OID – Oracle Internet Directory, the central user repository for Oracle Identity Management, simplifying user administration in the Oracle environment and providing a standards-based general purpose directory for the diverse enterprise.

OVD – Oracle Virtual Directory is a Lightweight Directory Access Protocol (LDAP) service that provides a single, abstracted view of enterprise directory servers and

databases from a variety of vendors. Oracle Virtual Directory can serve as a single source of facts in an environment with multiple data sources.

addPrincipalToAppRole access denied – Security Access Control Exception

By W.ZH Mar 2011Issue:

When try to use OPSS API to access the LDAP, user, group ionformation in Weblogc, your code may get this exception:

Exceptionjava.lang.RuntimeException:java.security.AccessControlException:access denied
Such as for me get:

java.security.AccessControlException: access denied 
(oracle.security.jps.service.policystore.PolicyStoreAccessPermission context=APPLICATION 
name=webcenter add addPrincipalToAppRole)



The code is not in the security context of JAVA and weblogic


We can get some articles in the
Oracle® Fusion Middleware Security Guide 11g:


Your code must be granted the appropriate permissions to execute the secured operation. Depending on the scope of the permission you would like to set, you have two alternatives.The first one is to grant permission to all application code in the application’s EAR or WAR files; in this case, the call to the secured operation can be inserted anywhere in the application code.

The second one is to grant permission to just a JAR file; in this case, the call to the secured operation must be inside a privileged block.

Each of these solutions is next illustrated by an application attempting to access the credential store.

The following fragment of an applicationjazn-data.xml illustrates how to set permission to read any key within the map MY_MAP in the credential store to any code within the directory BasicAuth:


If the permission is to be granted to the code in a particular EAR or WAR file, the url specification above would have to be changed to one like the following:


In both above cases, the call to read the credential store can be placed anywhere in the application code.

If, however, the permission is to be granted to just the code in a particular JAR file, the url specification above would have to be changed to one like the following:


In this last case, the code in the file Foo.jar that calls a read operation on the credential store must be placed in an AccessController.doPrivileged block, as illustrated in the following code snippet:

import oracle.security.jps.*;
import oracle.security.jps.service.credstore.*;

JpsContextFactory factory = JpsContextFactory.getContextFactory();
JpsContext jpsContext = factory.getContext();
final CredentialStore store = jpsContext.getServiceInstance(CredentialStore.class);
Credential cred = AccessController.doPrivileged(new PrivilegedExceptionAction<PasswordCredential>() {
    public PasswordCredential run() throws JpsException {
        return store.getCredential("MY_MAP", "anyKey");

PasswordCredential pwdCred = (PasswordCredential)cred;

Refer :