Spring security not intercepting request

karthik chellappan
Ranch Hand

Joined: Jul 01, 2007
Posts: 31
I'm trying to do a basic Spring Security D/B authentication program. I tried this in two ways, i.e.:

Method 1 : Using custom tables for Spring Security authentication.
Method 2 : Using Spring security specific database tables for user authentication and authorization.

File Locations:
1. index.jsp -> webapp/index.jsp
2. welcome.jsp -> webapp/pages/welcome.jsp
3. login.jsp -> webapp/pages/login.jsp

For method 1, Spring Security was not intercepting the request and I didn't see errors in the console. Instead of intercepting the request, I was taken directly to welcome.jsp.

P.S. - Since I was not trying authorization, I didn't use the 'authorities-by-username-query' attribute below in the security context XML. I'm not sure if it's mandatory to create a table for authorization as well.

Below is my security-context.xml:



web.xml



BaseController


login.jsp


index.jsp


How can I debug this kind of scenario effectively if errors are not shown in the console? I already have SLF4J logging enabled through Maven.

For method 2, I created Spring-specific database tables named “USERS” and “AUTHORITIES” after following a link. Here the SQL query is not used in the XML, as shown below.

Everything remains the same except for security-context.xml.



When I tried the above way, even though I entered the correct user name & password, I was getting a 'bad credentials' message [but yes, in this case Spring Security is intercepting the request]. I'm using an Oracle database.

Please guide me on where I'm going wrong in both cases. Thanks in advance.


karthik
Kathleen Angeles
Ranch Hand

Joined: Aug 06, 2012
Posts: 122

Hi karthik,

I suggest that you start with a simple one first. Try in-memory authentication first. If that works, try other methods like those you tried.

Here is a not-exactly-related-but-might-be-helpful thread - 'Spring security problem' - https://www.coderanch.com/t/603564/Spring/Spring-security.


- k


karthik chellappan
Ranch Hand

Joined: Jul 01, 2007
Posts: 31
Hi Kathleen,

Thanks for the reply. I've tried in-memory authentication and it worked fine for me. But for D/B authentication I keep getting a 'Bad credentials' error. I did check the link which you referred to and executed the query manually to check if it's working. I found the query working without any problem, as there were no trailing space issues.

Now I have the following 'users_detail' table in the D/B:

USER_ID    INTEGER
USERNAME   VARCHAR2 (50 Byte)
PASSWORD   VARCHAR2 (50 Byte)
ENABLED    INTEGER

Data in the 'users_detail' table:

USER_ID    USERNAME    PASSWORD    ENABLED
100        user        123456      1

My query in security-context.xml is:

"select username,password, enabled from users_detail where username=?"

When I execute the query manually, i.e. select username,password,enabled from users_detail where username='user', I get the result set.

Where am I going wrong? Why is it that the JdbcUserDetailsManager class always returns 'Query returned no results for user 'user'' even though there is an entry for the same in the D/B?

DEBUG: org.springframework.security.provisioning.JdbcUserDetailsManager - Query returned no results for user 'user'
DEBUG: org.springframework.security.authentication.dao.DaoAuthenticationProvider - User 'user' not found

Debug mode doesn't show which method of the JdbcUserDetailsManager class is being executed when I get the above error. How can I know that? Also, does Spring internally do any encryption/decryption technique while saving the password field?
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17250

OK. First, yes, you need both queries whether you are doing authorization or not, because you are using the built-in JDBC UserDetails service. The real class name is JdbcDaoImpl.

I would also guess for the second example the Encryption MD5 is where the passwords aren't matching. Meaning in the database it is stored plain text, but the incoming login request has it in MD5, so they don't match.

You need to make sure the passwords are stored in the db encrypted MD5.

Mark
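
The two points in the reply above, shown as a configuration sketch. This is an added example, not the poster's security-context.xml (which is not reproduced on this page); the `dataSource` bean and the `user_authorities` table are hypothetical names, and only the users query is taken from the thread.

```xml
<!-- Added example: JDBC authentication with both queries and an MD5 encoder. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

  <authentication-manager>
    <authentication-provider>
      <!-- With an encoder configured, the submitted password is hashed before
           it is compared. The PASSWORD column must therefore hold the hex MD5
           digest of the password; a plain-text value such as '123456' will
           never match and the login ends in 'Bad credentials'. -->
      <password-encoder hash="md5"/>

      <!-- "dataSource" is an assumed bean id for the Oracle DataSource.
           The users query is the one quoted in the thread (custom table
           users_detail). The authorities query targets a hypothetical
           user_authorities(username, authority) table; it has to be
           overridden as well, because the default query reads the
           standard AUTHORITIES table. -->
      <jdbc-user-service data-source-ref="dataSource"
          users-by-username-query="select username, password, enabled from users_detail where username = ?"
          authorities-by-username-query="select username, authority from user_authorities where username = ?"/>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

MD5 appears here only because it is the encoder discussed in the thread. Spring Security also ships `org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder`, which can be declared as a bean and wired in with `<password-encoder ref="..."/>` for salted, slow hashing.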

