0

I am working on a Java application which connects to a Spring-MVC server, using Spring-Security for authentication/authorization. The login part works, and I get a JSESSIONID back in the Java application, but when I make request to secured resource, it fails, Spring-Security is unable to find any logged in user. What am I doing wrong here?

security-applicationContext.xml :

 <security:http pattern="/resources/**" security="none"/>

    <security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
        <security:form-login login-page="/login" login-processing-url="/j_spring_security_check"
                             default-target-url="/dashboard" always-use-default-target="false"
                             authentication-failure-url="/denied"/>
        <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService"
                              token-validity-seconds="1209600" data-source-ref="dataSource"/>
        <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>
        <!--<security:intercept-url pattern="/**" requires-channel="https"/>-->
        <security:port-mappings>
            <security:port-mapping http="8080" https="8443"/>
        </security:port-mappings>
        <security:logout logout-url="/logout" logout-success-url="/" success-handler-ref="myLogoutHandler"/>


        <security:session-management session-fixation-protection="migrateSession">
            <security:concurrency-control session-registry-ref="sessionRegistry" max-sessions="5" expired-url="/login"/>
        </security:session-management>

    </security:http>

  <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="restaurantauthenticationprovider"/>
        <security:authentication-provider ref="userauthenticationprovider"/>
    </security:authentication-manager>

    <beans:bean id="encoder"
                class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11"/>
    </beans:bean>

    <beans:bean id="restaurantauthenticationprovider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="LoginServiceImpl"/>
        <beans:property name="passwordEncoder" ref="encoder"/>
    </beans:bean>

    <beans:bean id="userauthenticationprovider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="UserLoginServiceImpl"/>
        <beans:property name="passwordEncoder" ref="encoder"/>
    </beans:bean>

As I have 2 tables to check from which to login, I have 2 DAOAuthenticationProviders.

UserLoginServiceImpl :

@Transactional
@Service("loginuserDetailsService")
public class UserLoginServiceImpl implements UserDetailsService {


     @Autowired
     private PersonDAO personDAO;
     @Autowired
     private UserAssembler userAssembler;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException,DataAccessException {
        System.out.println("Username is "+username);
        Person person = this.personDAO.findPersonByUserName(username.toLowerCase());
        if(person == null) { throw new UsernameNotFoundException("Wrong username or password");} 
        return userAssembler.buildUserFromUserEntity(person);
    }
}

Assembler :

@Service("userassembler")
@Transactional
public class UserAssembler {

    @Transactional
    User buildUserFromUserEntity(Person userEntity){
        System.out.println("We are in Userassembler"+userEntity.getEmail());
        String username = userEntity.getUsername().toLowerCase();
        String password = userEntity.getPassword();

        boolean enabled = userEntity.isEnabled();
        boolean accountNonExpired = userEntity.isAccountNonExpired();
        boolean credentialsNonExpired = userEntity.isCredentialsNonExpired();
        boolean accountNonLocked = userEntity.isAccountNonLocked();

        Collection<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

        return new User(username,password,enabled,accountNonExpired,credentialsNonExpired,accountNonLocked,authorities);
    }
}

The above is the config, now I will put the rest code which is failing :

Thread thread = new Thread(new Runnable() {
            @Override
            public void run() {
                Log.d("Username is ", username);
                String jsessionid = rest.execute("http://192.168.178.60:8080/j_spring_security_check", HttpMethod.POST,
                        new RequestCallback() {
                            @Override
                            public void doWithRequest(ClientHttpRequest request) throws IOException {
                                request.getBody().write(("j_username=" + username + "&j_password=" + password).getBytes());
                            }
                        }, new ResponseExtractor<String>() {
                            @Override
                            public String extractData(ClientHttpResponse response) throws IOException {
                                List<String> cookies = response.getHeaders().get("Cookie");
                                if (cookies == null) {
                                    cookies = response.getHeaders().get("Set-Cookie");
                                }
                                String cookie = cookies.get(cookies.size() - 1);
                                System.out.println("Cookie is " + cookie);
// The method below gets me which user is logged in, and I always get null for Controller method.
                                reply = rest.getForObject(
                                        "http://192.168.178.60:8080/dashboard", String.class);

                                int start = cookie.indexOf('=');
                                int end = cookie.indexOf(';');
                                return cookie.substring(start + 1, end);
                            }
                        });

            }
        });
        thread.start();

Update Finally, the code which worked :

// I am getting the cookie from the server, which I am setting manually for every request, cookie is a static volatile string. 

HttpHeaders requestHeaders = new HttpHeaders();
requestHeaders.add("Cookie", "JSESSIONID=" + StaticRestTemplate.jsessionid);
HttpEntity requestEntity = new HttpEntity(null, requestHeaders);

ResponseEntity rssResponse = rest.exchange(
                                  "http://192.168.178.60:8080/dashboard",
                                   HttpMethod.GET,
                                   requestEntity,
                                   String.class);

String abc = (String) rssResponse.getBody();
We are Borg
  • 5,117
  • 17
  • 102
  • 225
  • What does your person service look like? What happens if you change your method to: String checkWichUserLoggedIn(Principal p) { return p == null ? null : p.getName(); } – Rob Winch Jul 10 '15 at 15:43
  • @RobWinch : I get it as null...because user anonymous user is not found. I have updated the code in my main post, btw, when I print authentication details, the session Id is null.. I understood that RestTemplate sets a cookie internally when you authenticate, but that doesn't seem the case. – We are Borg Jul 10 '15 at 15:52
  • Do you actually get a JSESSIONID back? What is the HTTP status code? Which version of Spring Security are you using? – Rob Winch Jul 10 '15 at 15:56
  • I get jsessionid back and success when i login. – We are Borg Jul 10 '15 at 16:00

1 Answers1

1

Spring's RestTemplate does not keep track of cookies by default. This ensures you don't accidentally pass a cookie (i.e. JSESSIONID) from one user on behalf of another user (i.e. think of using the RestTemplate on a server where many users are leveraging the same RestTemplate).

If you want to do this you can configure it using something like this:

RestTemplate rest = new RestTemplate();

// initialize the RequestFactory to allow cookies
HttpClient httpClient = HttpClientBuilder.create().build();
ClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
rest.setRequestFactory(factory);

MultiValueMap<String, String> map = new LinkedMultiValueMap<String, String>();
map.add("username", "user");
map.add("password", "password");

String result = rest.postForObject("http://localhost:8080/login", map, String.class);

String hello = rest.postForObject("http://localhost:8080/", map, String.class);

assertThat(hello).isEqualTo("Hello");

To use this code you will need to ensure you have httpclient on your classpath. For example, the following might be in your pom.xml if you are using Maven:

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.5</version>
</dependency>

Obviously you will need to ensure you include the version of httpclient that works for your dependencies.

Rob Winch
  • 21,440
  • 2
  • 59
  • 76
  • httpclient is deprecated, do you something which is bit more new?? I found http://stackoverflow.com/questions/29058727/i-need-an-option-to-httpclient-in-android-to-send-data-to-php-as-it-is-deprecate , but I cannot find how to set data for Rest. – We are Borg Jul 13 '15 at 09:41
  • If you are on the latest httpclient (4.5) it shouldn't be deprecated – Rob Winch Jul 13 '15 at 12:16
  • but httpclient has a requirement of httpcore, and it is not 4.5...Also, When I use these libraries, I get other errors, so I used android-httpclient. Then also, I had some problems, finally, I used something which I will mention in bottom of my post. If you know how I can optimize it, let me know. – We are Borg Jul 13 '15 at 12:20
  • And, even on 4.5, it is deprecated... I am trying out your option again with 4.5, because it would be nice to set it once and forget... – We are Borg Jul 13 '15 at 13:39
  • Error when using 4.5 : 07-13 15:41:06.553 5465-6052/com.example.TestLunch E/AndroidRuntime﹕ FATAL EXCEPTION: Thread-171 Process: com.example.TestLunch, PID: 5465 java.lang.NoClassDefFoundError: Failed resolution of: Lorg/apache/http/util/Args; – We are Borg Jul 13 '15 at 13:41