Java
parkito, 2016-09-26 13:20:01

How to set up spring security?

Hello. Please help me set up Spring Security in my application.
So far I have:
1) Registered the framework in pom.xml and web.xml.
2) Made index.jsp the first page that opens; it holds the login and password form:

<%-- Login form from index.jsp as posted; the listing stops before the submit control and the
     closing </form> and </div> tags, so only the visible lines are described here.

     NOTE(review): no hidden CSRF field appears in the lines shown. When Spring Security's CSRF
     protection is active, a POST that carries no valid token is rejected before any handler runs,
     which matches the "Could not verify the provided CSRF token" error reported for this form.
     The usual remedy is a hidden input inside the form, e.g.
       <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
     (or the <sec:csrfInput/> tag), rather than switching the protection off. --%>
<div class="col-sm-6 col-md-4 col-lg-3" style="margin:40px auto; float:none;">
    <%-- NOTE(review): the form posts to "/main", not to the login-processing URL. The loginUrl
         variable declared on the next line is never referenced in the visible lines, so the
         credentials are sent to the application's own /main mapping instead of to Spring
         Security's authentication filter. --%>
    <form method="post" action="/main">
        <c:url var="loginUrl" value="/j_spring_security_check"></c:url>
        <div class="col-xs-12">
            <div class="form-group">
                <div class="input-group">
                    <div class="input-group-addon"><i class="fa fa-fw fa-user"></i></div>
                    <%-- NOTE(review): j_username, j_password and /j_spring_security_check are the
                         Spring Security 3.x defaults; 4.x defaults to username, password and /login.
                         The version in use is not shown. Confirm it, or set login-processing-url,
                         username-parameter and password-parameter explicitly on <form-login>. --%>
                    <input type="email" name="j_username" class="form-control" placeholder="E-mail">
                </div>
            </div>
            <div class="form-group">
                <div class="input-group">
                    <div class="input-group-addon"><i class="fa fa-fw fa-lock"></i></div>
                    <input type="password" name="j_password" class="form-control" placeholder="Password">
                </div>
            </div>
        </div>

3) Users and passwords are stored in the database. The spring-security.xml settings are:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:tx="http://www.springframework.org/schema/tx"
             xmlns:context="http://www.springframework.org/schema/context"
             xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
            http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
    <!-- Spring Security configuration: the security namespace is the default namespace, so
         unprefixed elements (http, authentication-manager, ...) are security elements and plain
         Spring beans carry the beans: prefix. -->

    <!-- The userDetailsService bean referenced further down is not defined in this file;
         presumably it comes from this import (confirm). -->
    <beans:import resource="appServlet/servlet-context.xml"/>
    <!-- Configuring RoleVoter bean to use custom access roles, by default roles
        should be in the form ROLE_{XXX}.
        With rolePrefix set to the empty string the voter considers every access attribute,
        not only those that start with ROLE_. -->
    <beans:bean id="roleVoter"
                class="org.springframework.security.access.vote.RoleVoter">
        <beans:property name="rolePrefix" value=""></beans:property>
    </beans:bean>

    <!-- AffirmativeBased grants access as soon as one voter grants it; roleVoter is the only
         voter supplied here. -->
    <beans:bean id="accessDecisionManager"
                class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:constructor-arg name="decisionVoters"
                               ref="roleVoter"/>
    </beans:bean>


    <!-- Web security rules. use-expressions="false" means each access value is a plain,
         comma-separated list of authority names, and holding any one of them is enough.

         NOTE(review): there is no <csrf> child element. In Spring Security 4.x XML configuration
         CSRF protection is on by default, so every POST (the login form and /logout included)
         must carry the token. The version is not visible here (the schema location is
         unversioned); confirm it. <csrf disabled="true"/> makes the error go away but removes
         the protection; sending the token from the form keeps it.

         NOTE(review): /main also admits ROLE_ANONYMOUS, so unauthenticated requests reach the
         /main handler, where the principal is the anonymous user name (a String) rather than a
         UserDetails object.

         NOTE(review): with Ant-style matching a single * covers one path segment only, so
         /user/* and /admin/* leave deeper paths such as /admin/a/b unmatched, and no catch-all
         rule follows them. /user/** and /admin/** plus a final catch-all pattern would close
         that gap. Confirm which request matcher is in effect.

         NOTE(review): login-page is /index while authentication-failure-url points at
         /login.jsp?error=true; check that both resources exist and are reachable without
         authentication. -->
    <http realm="JavaStudy example" use-expressions="false"
          authentication-manager-ref="dao-auth"
          access-decision-manager-ref="accessDecisionManager">
        <intercept-url pattern="/main" access="ROLE_USER,ROLE_ANONYMOUS"/>
        <intercept-url pattern="/user/*" access="ROLE_USER"/>
        <intercept-url pattern="/admin/*" access="ROLE_ADMIN"/>
        <form-login login-page="/index" default-target-url="/main"
                    authentication-failure-url="/login.jsp?error=true"/>
        <logout logout-url="/logout" logout-success-url="/main"/>
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
    </http>

    <!-- In-memory users with clear-text passwords identical to the user names.
         NOTE(review): <http> above authenticates through dao-auth, so form login does not use
         this manager, but it is still declared in the context; whether anything else resolves it
         cannot be seen from this file. Remove it if unused, and never deploy an admin/admin
         account. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN"/>
                <user name="user" password="user" authorities="ROLE_USER"/>
                <user name="guest" password="guest" authorities="ROLE_GUEST"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <!-- Manager used by <http>: accounts are loaded through userDetailsService and the submitted
         password is checked with the passwordEncoder bean. -->
    <authentication-manager id="dao-auth">
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder ref="passwordEncoder"/>
        </authentication-provider>
    </authentication-manager>
    <!-- Project-specific encoder; its implementation is not shown.
         NOTE(review): confirm it uses a salted, adaptive password hash (for example
         BCryptPasswordEncoder) rather than a plain, unsalted digest. -->
    <beans:bean id="passwordEncoder"
                class="operator.utils.Converter">
    </beans:bean>


</beans:beans>

4) In the controller I have
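/**
 * Handles GET /main: looks up the signed-in account, stores it in the HTTP session and chooses
 * the landing view from the account's access level (1 selects "user/index", 3 selects
 * "admin/index", anything else "index").
 *
 * <p>The principal is only treated as a Spring Security {@code User} after an instanceof check.
 * When the URL rules let anonymous visitors reach this mapping, the principal is the anonymous
 * user name (a String), and an unconditional cast would fail with a ClassCastException. Such
 * requests, and requests whose account cannot be loaded, fall back to the "index" view and any
 * previously cached "currentUserU" session attribute is cleared so a stale identity is not reused.
 *
 * <p>Choosing a view here is not an access check; access to the user and admin areas still has
 * to be enforced by the security configuration.
 *
 * @param request current request; its session receives the "language" and "currentUserU" attributes
 * @param locale  request locale (not used by this handler)
 * @param model   view model (not used by this handler)
 * @return the logical view name to render
 */
@RequestMapping(value = "/main", method = RequestMethod.GET)
public String dispatch(HttpServletRequest request, Locale locale, Model model) {
    // Independent of who is signed in, so set it before any early return.
    request.getSession().setAttribute("language", RussianLanguage.getRussianLanguage());

    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    if (!(principal instanceof org.springframework.security.core.userdetails.User)) {
        // Anonymous (or otherwise non-UserDetails) principal: no account to load.
        request.getSession().removeAttribute("currentUserU");
        return "index";
    }
    org.springframework.security.core.userdetails.User user =
            (org.springframework.security.core.userdetails.User) principal;

    User currentUser = userService.getUserByEMAil(user.getUsername());
    if (currentUser == null) {
        // NOTE(review): assumes the lookup may return null for an unknown e-mail; confirm against userService.
        request.getSession().removeAttribute("currentUserU");
        return "index";
    }
    request.getSession().setAttribute("currentUserU", currentUser);

    if (currentUser.getAccessLevel().getAccessLevelId() == 1) {
        return "user/index";
    }
    if (currentUser.getAccessLevel().getAccessLevelId() == 3) {
        return "admin/index";
    }
    return "index";
}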

5) Implemented password verification by hash in Converter.
However, when I submit the form, I get the error "Could not verify the provided CSRF token because your session was not found."
What am I doing wrong?


1 answer(s)
Eugene, 2016-09-26
@zolt85

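Add this setting to the `<http>` element in your configuration.
The documentation explains in more detail why it is needed and how it works.
If the setting in question switches CSRF protection off, the alternative that keeps the protection is to send the CSRF token with the login form as a hidden field.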
