
I'm trying to implement a simple login using Spring Security (I'm a newbie in Spring Security). I've started with Spring Security reference that contains a simple "Hello world" example (link). I've prepared a web project in Eclipse (with EAR project), file structure looks like this:

enter image description here

SecurityConfig and SecurityWebApplicationInitializer classes are identical to those in a link above ("Hello world" example). I've also added Log4j 2 configuration file and home page (login.xhtml) that (for now) just prints "test". Later it will be used as a custom login page.

web.xml contains only a welcome-file element:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    id="WebApp_ID" version="3.0">
    <display-name>SpringSecurity</display-name>
    <welcome-file-list>
        <welcome-file>pages/login.xhtml</welcome-file>
    </welcome-file-list>
</web-app>
```

EAR's deployment assembly looks like this:

enter image description here

When I deploy my EAR on a JBoss AS 7.1.1, there's no error, but when I access http://localhost:8080/SpringSecurity, my home page is displayed normally.

I'm guessing that the configuration above should generate a default login page. When I access my home page, that login page should appear, right? It looks like Spring Security is not even loaded and there's no protection when accessing my home page.

I don't really understand why this simple example is not working. Any help?

peterremec
  • @dur I've already added some logging in `SecurityConfig`. Nothing gets logged, also no breakpoint gets reached. So it looks like configuration is not even loaded - not sure why. – peterremec Dec 29 '17 at 21:07
  • @dur No, it's not, I've already checked it. – peterremec Dec 30 '17 at 10:04
  • @dur Yes, JBoss 7 supports Java Servlet 3.1. Also tried WAR deployment on Tomcat 8.5 (Java Servlet 3.1) - no luck. – peterremec Dec 30 '17 at 12:13
  • I think you're missing configure(HttpSecurity http) : see https://www.mkyong.com/spring-security/spring-security-hello-world-annotation-example/ – mikep Jan 02 '18 at 06:31
  • I think, your spring jars are not available to (in classpath) your war. Just check and confirm that 'ear-subdeployments-isolated' property is set to 'false'. Ref - https://docs.jboss.org/author/display/AS7/Class+Loading+in+AS7 – vsoni Jan 02 '18 at 08:48
  • @mikep Tried your solution but no luck. I don't believe that `configure` method is necessary - `SecurityWebApplicationInitializer` should provide default configuration (according to Spring Security reference). Problem is that my configuration (`SecurityConfig` and `SecurityWebApplicationInitializer`) is not even loaded and I don't know why. I just don't see anything from [official Spring Security example](https://github.com/spring-projects/spring-security/tree/4.2.3.RELEASE/samples/javaconfig/helloworld) that I'm missing. – peterremec Jan 02 '18 at 13:58
  • @vsoni So far I've noticed that my Spring Security configuration from [official reference example](https://github.com/spring-projects/spring-security/tree/4.2.3.RELEASE/samples/javaconfig/helloworld) is not even loading. Can you try to deploy that example on any server and tell me if it's working? – peterremec Jan 02 '18 at 14:02
  • Could you try the link /SpringSecurty/login ? – mikep Jan 03 '18 at 06:22
  • @mikep this link is not working (I must add servlet mapping to `web.xml` to make it work). – peterremec Jan 03 '18 at 18:25

1 Answer


I do not have JBoss on my machine currently. But I was able to deploy this example on tomcat.

The issue certainly is that the war classloader is not able to see the spring jars at runtime.

There can be two possible solutions to resolve this.

  1. If the spring jars are only required by war module (not by any other module in the ear), then you can shift these spring jars from ear's lib directory to war's WEB-INF/lib directory.

  2. If the spring jars are also required by the other modules, then you can explicitly set the Class-Path entry in the MANIFEST.MF file of the war and the other modules that require these jars in a portable way.

e.g.

```
Manifest-Version: 1.0
Class-Path: lib/spring-beans-4.3.9.RELEASE.jar lib/spring-context-4.3.9.RELEASE.jar
```

Add all the required jars in this way, separated by a space (' ').

Note:- I used following jars to make this example run.

spring-aop-5.0.2.RELEASE.jar
spring-beans-5.0.2.RELEASE.jar
spring-context-5.0.2.RELEASE.jar
spring-core-5.0.2.RELEASE.jar
spring-expression-5.0.2.RELEASE.jar
spring-jcl-5.0.2.RELEASE.jar
spring-security-config-5.0.0.RELEASE.jar
spring-security-core-5.0.0.RELEASE.jar
spring-security-crypto-5.0.0.RELEASE.jar
spring-security-web-5.0.0.RELEASE.jar
spring-web-5.0.2.RELEASE.jar

And with this version of spring and spring-security you may have to make a small change in your code.

```java
User.withDefaultPasswordEncoder().username("user").password("user").roles("USER").build();
```

or

```java
User.withUsername("user").password("{noop}user").roles("USER").build();
```

Refer - Spring Boot PasswordEncoder Error for more details about the code change required.

vsoni
  • Thanks, I tried solution 1 on Tomcat 8.5 and it worked! It seemed strange to me because I wasn't getting any errors in console, everything looked fine but you were right. Now I should manage to deploy example on JBoss, too. Thanks again! – peterremec Jan 03 '18 at 18:47
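
The failure in this thread is silent: the deployment reports no errors, yet the page is served without any protection. The listener below makes that condition fail at startup instead. It is an added example, not code from the question, the answer or Spring Security; the class name `SecurityFilterStartupCheck` is hypothetical, and it assumes a Servlet 3.0+ container with the `javax.servlet` API and the class placed in the WAR's `WEB-INF/classes`.

```java
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

/**
 * Added example (hypothetical class): refuse to start the web application
 * when Spring Security's filter was never registered or is not mapped.
 */
@WebListener
public class SecurityFilterStartupCheck implements ServletContextListener {

    // Name under which AbstractSecurityWebApplicationInitializer registers
    // its filter. Kept as a string literal so this class still loads when
    // the Spring jars are not visible to the WAR.
    private static final String FILTER_NAME = "springSecurityFilterChain";

    // The initializer maps the filter to every request by default.
    private static final String EXPECTED_MAPPING = "/*";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // ServletContainerInitializers run before listener events fire, so
        // the registration is already present here if Spring was loaded.
        FilterRegistration reg = ctx.getFilterRegistration(FILTER_NAME);
        if (reg == null) {
            throw new IllegalStateException("Filter '" + FILTER_NAME
                + "' is not registered: Spring Security was not loaded, "
                + "check where the Spring jars are packaged");
        }
        if (!reg.getUrlPatternMappings().contains(EXPECTED_MAPPING)) {
            throw new IllegalStateException("Filter '" + FILTER_NAME
                + "' is registered but not mapped to " + EXPECTED_MAPPING
                + "; mappings: " + reg.getUrlPatternMappings());
        }
        ctx.log("Spring Security filter registered and mapped to "
            + EXPECTED_MAPPING);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

On containers such as Tomcat, an exception thrown from `contextInitialized` aborts the start of the web application, so the unprotected pages are never served.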