Spring security not intercepting request

 
Ranch Hand
Posts: 31
I'm trying to do a basic Spring Security D/B authentication program. I tried this in two ways, i.e.

Method 1 : Using custom tables for Spring Security authentication.
Method 2 : Using Spring security specific database tables for user authentication and authorization.

File Locations:
1. index.jsp -> webapp/index.jsp
2. welcome.jsp -> webapp/pages/welcome.jsp
3. login.jsp -> webapp/pages/login.jsp

For method 1, Spring Security was not intercepting the request and I didn't see errors in the console. Instead of intercepting the request, I was taken directly to welcome.jsp.

P.S. - Since I was not trying authorization, I didn't use the 'authorities-by-username-query' attribute below in the security context XML. I'm not sure if it's mandatory to create a table for authorization as well.

Below is my security-context.xml:



web.xml



BaseController


login.jsp


index.jsp


How can I debug these kinds of scenarios effectively if errors are not shown in the console? I already have SLF4J logging enabled through Maven.

For method 2, I created Spring-specific database tables named "USERS" and "AUTHORITIES" after following link. Here the SQL query is not used in the XML, as shown below.

Everything remains the same except for security-context.xml.



When I tried the above way, even though I entered the correct user name and password, I was getting a 'bad credentials' message [but yes, in this case Spring Security is intercepting the request]. I'm using an Oracle database.

Please guide me on where I'm going wrong in both cases. Thanks in advance.
 
Ranch Hand
Posts: 123
Hi karthik,

I suggest that you start with a simple one first. Try in-memory authentication first. If that works, try other methods like those you tried.

Here is a not-exactly-related-but-might-be-helpful thread - 'Spring security problem' - https://coderanch.com/t/603564/Spring/Spring-security.


- k


 
karthik chellappan
Ranch Hand
Posts: 31
Hi Kathleen,

Thanks for the reply. I've tried in-memory authentication and it worked fine for me. But for D/B authentication I always keep on getting the 'Bad credentials' error. I did check the link which you referred to and executed the query manually to check if it's working. I found the query working without any problem, as there were no trailing space issues.

Now I have the following 'users_detail' table in the D/B:

USER_ID   INTEGER
USERNAME  VARCHAR2 (50 Byte)
PASSWORD  VARCHAR2 (50 Byte)
ENABLED   INTEGER

Data in the 'users_detail' table:

USER_ID  USERNAME  PASSWORD  ENABLED
100      user      123456    1

My query in security-context.xml is:

"select username,password, enabled from users_detail where username=?"

When I execute the query manually, i.e. select username,password,enabled from users_detail where username='user', I get the result sets.

Where am I going wrong? Why is it that the JdbcUserDetailsManager class always returns 'Query returned no results for user 'user'' even though there is an entry for the same in the D/B?

DEBUG: org.springframework.security.provisioning.JdbcUserDetailsManager - Query returned no results for user 'user'
DEBUG: org.springframework.security.authentication.dao.DaoAuthenticationProvider - User 'user' not found

Debug mode doesn't show which method of the JdbcUserDetailsManager class is being executed when I get the above error. How can I know that? Also, does Spring internally do any encryption/decryption technique while saving the password field?
 
ranger
Posts: 17347
OK. First, yes, you need both queries whether you are doing authorization or not, because you are using the built-in JDBC UserDetails Service. The real class name is JdbcDaoImpl.

I would also guess that for the second example the MD5 encryption is where the passwords aren't matching, meaning in the database it is stored as plain text, but the incoming login request has it in MD5, so they don't match.

You need to make sure the passwords are stored in the db encrypted with MD5.

Mark
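
An added example, not part of the thread and not any poster's configuration: the authentication part of a security-context.xml that follows the advice above, with both queries set and the stored-password format spelled out. It assumes the Spring Security 3.x XML namespace, a `dataSource` bean defined elsewhere, and a hypothetical `user_authorities` table; only `users_detail` and its query come from the thread.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

  <security:authentication-manager>
    <security:authentication-provider>
      <!-- The encoder is applied to the password submitted at login and the
           result is compared with the PASSWORD column. Spring does not hash
           rows you insert yourself, so with hash="md5" the column must hold
           the 32-character hex MD5 digest. A row storing the literal 123456
           never matches and the login ends in "Bad credentials". -->
      <security:password-encoder hash="md5"/>

      <!-- users-by-username-query is the thread's own query.
           authorities-by-username-query must return (username, authority)
           rows; user_authorities is a hypothetical table name. If the
           attribute is omitted, the default query reads a table named
           "authorities", and a user with no authority rows is treated as
           not found even when the password is right. -->
      <security:jdbc-user-service
          data-source-ref="dataSource"
          users-by-username-query="select username, password, enabled from users_detail where username=?"
          authorities-by-username-query="select username, authority from user_authorities where username=?"/>
    </security:authentication-provider>
  </security:authentication-manager>

  <!-- Stronger alternative (Spring Security 3.1 or later): declare this bean
       and point the password-encoder element at it with ref="bcryptEncoder"
       in place of hash="md5". bcrypt strings are 60 characters long, so the
       thread's PASSWORD VARCHAR2(50) column has to be widened first. -->
  <bean id="bcryptEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans>
```

Whichever encoder is configured, existing rows have to be re-stored in that encoder's format before logins will succeed.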
 