Digest auth with Spring Security using javaconfig
I'm not sure when you are getting the 403 Access Denied, but if it is happening when you request a protected resource before you have authenticated then you need this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .exceptionHandling()
                // this entry point handles when you request a protected page and
                // you are not yet authenticated
                .authenticationEntryPoint(digestEntryPoint())
                .and()
            .authorizeUrls()
                .antMatchers("/firstres/*").permitAll()
                .antMatchers("/secondres/*").permitAll()
                .antMatchers("/resources/*").permitAll()
                .antMatchers("/**").hasAnyAuthority("first_role", "second_role").and()
            // the entry point on digest filter is used for failed authentication

Categories : Java

Configuring Spring + Security +Tiles + Thymeleaf using JavaConfig
You haven't set a url mapping for your Servlet.

    // Dispatcher servlet
    ServletRegistration.Dynamic dispatcher = servletContext.addServlet("dispatcher", new DispatcherServlet(rootContext));
    dispatcher.setLoadOnStartup(1);
    dispatcher.setAsyncSupported(true);
    // add this
    dispatcher.addMapping("/"); // or whatever you want/need

Categories : Spring

Basic and form based authentication with Spring security Javaconfig
I would say by simply doing it. Specify a second line with authorizeUrls() but for your URLs that are needed with basic authentication. Instead of formLogin() use httpBasic().

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeUrls().antMatchers("/", "/index", "/user/**", "/about").permitAll()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and().formLogin()
            .loginUrl("/login")
            .failureUrl("/login-error")
            .loginProcessingUrl("/security_check")
            .usernameParameter("j_username").passwordParameter("j_password")
            .permitAll();
        http.authorizeUrls().antMatchers("/api/*").hasRole("YOUR_ROLE_HERE").and().httpBasic();
        http.logout().logoutUrl("/logout");
        http.rememberMe().rememberMeServices(

Categories : Java

What are the security ramifications of checking security with an HTTP call to an external server?
HTTPS makes sure the message can't be read or tampered with by any relaying parties (proxies, etc.) but it doesn't guarantee the source of the data is trusted. If another service can determine the other URL and wire format they could spoof a request to it. This is generally where something like request signing comes into play using a shared-secret signing mechanism. Twilio's API uses this method to prove to you that they're actually calling your servers. HTTP Signatures is a proposal for a standardized way of doing this.

Categories : Api

How to define Spring security access
I think you need some changes as below:

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/pages/login.xhtml*" access="permitAll"/>
        <intercept-url pattern="/**" access="hasRole('admin')" />

Currently I'm using Spring MVC 3.2 and Spring Security 3.1

Categories : Spring

Define a outside of web.xml (e.g. server-wide)
The second after I posted my question I realized that $CATALINA_BASE/conf/web.xml was the answer I was looking for. Its root element, as one would expect, is web-app, and the contents get added to each deployed web app (like context.xml for each context). Adding the security-constraint worked. I did have to restart Tomcat (it doesn't auto deploy for changes in that file apparently), but that is not an issue as this shouldn't change in production.

Categories : Security

Global const vs #define. Which is better from a security perspective?
If the name will be used more than once, you should probably use a global constant array: const char constant[] = "Constant"; It occupies less space — the array name is a pointer but it isn't stored in memory. By contrast, in the const char *constant = "Constant"; version, you have both a stored pointer (that could be modified) and the string value. If the name is only used once, you might decide to write the string directly as a literal in the code, or you can use the array or #define mechanism. Even if you use the #define, the user would be able to 'hex edit' the generated binary file just the same as any of the other mechanisms. There's no extra protection provided by the notation used.

Categories : C

Redirect HTTP to HTTPS in Spring Security or Tomcat
I configured the redirection from HTTP (port 80) to HTTPS (port 443) within server.xml as:

    <Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1" redirectPort="443"/>

Categories : Tomcat

Spring Security 3.2.0.RC1 - element and deprecated method
If you are using the namespace then an IDE error like this doesn't really matter, since you can guarantee that Spring Security will support the feature. You aren't actually using the method yourself. auto-config is a bad idea generally. Someone looking at that configuration won't easily know what it actually does. Do you really want basic authentication, for example? You are best to remove auto-config and explicitly add the features you want.

Categories : Java

Security of using HTTPS based services on an HTTP site
Yes, SSL just encrypts the transmission of the data, and does not offer any type of protection of the runtime environment on any client-side code. Now, it is generally considered a best practice to host everything over SSL, for these reasons:

- Users can get warnings that a site is transmitting data with an untrusted source if parts are from SSL and parts are not.
- Any cookies will be sent in the clear when requesting the non-SSL files and may contain information that should be kept private.

Categories : Security

How to define a default Action for any http method in Play 2.1 (Scala)?
You should not try to figure out all possible bad access points to generate error messages. Instead, you can override the onHandlerNotFound method in the application's Global object. Adapted from Play's official documentation (ScalaGlobal):

    import play.api._
    import play.api.mvc._
    import play.api.mvc.Results._

    object Global extends GlobalSettings {
      override def onHandlerNotFound(request: RequestHeader): Result = {
        // implement methodNotAllowed controller Action
      }
    }

Categories : Http

node.js / get request & define root folder in http module
It looks like you're trying to use the low-level socket module ('net') to implement an HTTP server. The correct module is 'http' (Node.js HTTP documentation), and the implementation is simple.

Your client side:

    var http = require("http");
    http.get("http://localhost:8001/pro.html", function(response) {
      response.setEncoding("utf8");
      response.on("data", function(data) {
        console.log("response:", data);
      });
    }).on("error", function(e) {
      console.log("Got err: " + e.message);
    });

And for the server side:

    var http = require("http");
    var server = http.createServer(function(request, response) {
      response.end("Here's your pro page! ")
    }).listen(8001);

Note that the above features an impractically-simple server that returns a fixed response without any regard

Categories : Node Js

Spring Security: How to authorize user for a given URL when using multiple `http` elements?
Old post but I get this problem and found no real answer. My implementation for that is to select the good security realm using a specific Role to recognize the realm. I get both WebInvocationPrivilegeEvaluator and FilterSecurityInterceptor:

    ApplicationContext context = AppContext.getApplicationContext();
    Map<String, WebInvocationPrivilegeEvaluator> wipes = context.getBeansOfType(WebInvocationPrivilegeEvaluator.class);
    Map<String, FilterSecurityInterceptor> filters = context.getBeansOfType(FilterSecurityInterceptor.class);

I browse each and test the FilterSecurityInterceptor on a specific ROLE used for the realm:

    for (int i = 0; i < wipes.size(); i++) {
        privilegeEvaluator = (DefaultWebInvocationPrivilegeEvaluator) wipes.values().toArray()[i];

Categories : Java

Spring security, either http basic or form login authentication
The answer could be in the description of the create-session attribute:

- never - Spring Security will never create a session, but will make use of one if the application does.
- stateless - Spring Security will not create a session and ignore the session for obtaining a Spring Authentication.

Since you chose stateless the auth object persisted in the session after the form-login is ignored. Try if never works as you expect.

Categories : Spring

Spring security with Hibernate and Annotations and basic HTTP authentication
Try to move your <global-method-security secured-annotations="enabled" /> declaration to mvc-dispather-servlet.xml because your Admin controller is picked up by mvc-dispather-servlet.xml and not by spring-security.xml. See corresponding FAQ entry.

Categories : Java

Spring Security SAML HTTP Post error with OpenAM
Just to let everyone know, I contacted ForgeRock and worked through the issue with them. This problem is related to the following issue: https://bugster.forgerock.org/jira/browse/OPENAM-2644 It is actually a bug in OpenAM which was exposed with the latest Java update (version 1.7.0_25). The temporary solution (until OpenAM 10.2 is released) is to revert back to a previous version of Java. Reverting to Java version 1.7.0_21 fixed the issue for me.

Categories : Spring

Using HTTP protocol, is there a possibility to define additional metadata that will be associated to files being downloaded?
Do you have full control over the http download agent/client? If yes you can check File Fork. And for NTFS it's called alternative stream.

Categories : Http

What does "/* overloaded elements data types */ #define OE_IS_ARRAY (1<<0) #define OE_IS_OBJECT (1<<1) #define OE_IS_METHOD (1<<2)" mean?
This is usually used to make it unambiguous that you're talking about bit flags. 1, 2, and 4 will make most programmers realize that we're talking about a sequence of powers of 2; not everyone will instantly know that 1<<14 is 16384. The compiler will do these computations for you, so it will not slow the program down. It's all about clarity. You'll sometimes also see these things written in hexadecimal, because that maps more closely to the underlying binary representation than decimal constants and can be more compact.

Categories : PHP

Unable to execute dex: Multiple dex files define Lorg/springframework/http/HttpEntity
I think that spring-web-3.0.2.RELEASE is not needed, try to remove it and check again. That error is because the Dalvik Virtual machine found two classes with the same name and package. org.springframework.http.HttpEntity exists in Spring Android and in Spring-web.

Categories : Android

How to define a handler for http errors when loading view content using ngView in AngularJs
Maybe you can use the $routeChangeError event. This event will be emitted i.a. if the template can't be loaded.

Categories : Javascript

Spring Security "" tag failed to evaluate url properly when there are multiple elements
Here is what worked for me:

    org.springframework.context.ApplicationContext ctx = org.springframework.web.context.support.WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
    java.util.Map<String, org.springframework.security.web.access.WebInvocationPrivilegeEvaluator> wipes = ctx.getBeansOfType(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator.class);
    if (wipes.size() > 0) {
        // I need last one
        org.springframework.security.web.access.WebInvocationPrivilegeEvaluator appEvaluator = (WebInvocationPrivilegeEvaluator) wipes.values().toArray()[wipes.size() - 1];
        // set request attribute so that JSP tag can use it
        request.setAttribute(org.springframework.security.web.WebAttributes.WEB_INVOCATION_PRIVIL

Categories : Spring

Passing basic authentication details in spring security using http headers in java
You can use RestTemplate with Apache Commons Http Client. Build a CommonsHttpClientFactory and inject it as constructor args to resttemplate and you are good to go. Here is some basic configuration to get you started.

context.xml

    <bean id="webServiceClient" class="com.webserviceclient.Client">
        <constructor-arg ref="restTemplate"/>
        <constructor-arg ref="credentials"/>
    </bean>
    <bean id="httpClientParams" class="org.apache.commons.httpclient.params.HttpClientParams">
        <property name="authenticationPreemptive" value="true"/>
        <property name="connectionManagerClass" value="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
    </bean>
    <bean id="httpClient" class="or

Categories : Java

How do I resolve the error "Attempt by security transparent method 'System.Web.Http.GlobalConfiguration.get_Configuration()
Do you need the pre-release version of web API OData? If so, you need to update all the other web API packages to match that version. If not, just do install-package Microsoft.AspNet.WebApi.OData without the -pre option.

Categories : Asp Net Mvc

How to set the port for HTTP(S) in EC2 Security Group Inbound settings for a secure public iPython Notebook server?
HTTP and HTTPS are both TCP/IP protocols: http://www.w3schools.com/tcpip/tcpip_protocols.asp I also found this video which confirms this: http://youtu.be/JMedTCa5lec?t=4m29s and the red, crossed-out https in the url reflects the unverified certificate (probably because it's self-signed).

Categories : Http

spring security with custom filter remote access gets 401 HTTP Status 401 - Full authentication is required, but not when using localhost
I see a problem in your configuration:

    <security:custom-filter ref="restAuthenticationFilter" position="FIRST" />

You should put your filter after CONCURRENT_SESSION_FILTER to allow proper Spring Security functionality.

    <security:custom-filter ref="restAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/>

Please look here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity-single.html#ns-custom-filters

Categories : Spring

Spring JavaConfig + JAX-WS Client
It's a FactoryBean interoperability problem with @Configuration. Take a look at this answer for details. The short version is to add a bean explicitly to your configuration.

    @Bean
    public SportsdataSoap sportsdataSoap() throws ... {
        return (SportsdataSoap) sportsdata().getObject();
    }

Categories : Spring

Spring batch 2.2 JavaConfig
Assuming that no other artifacts require a DataSource, you can use java config to create a context without a DataSource. To do that, your configuration will need to extend DefaultBatchConfigurer as you point out. In there, you'll override two methods, createJobRepository() and setDataSource(). Below is an example context (it doesn't define a job or steps, but it bootstraps all the related beans correctly).

    @Configuration
    @EnableBatchProcessing
    public static class BatchConfiguration extends DefaultBatchConfigurer {

        @Override
        protected JobRepository createJobRepository() throws Exception {
            MapJobRepositoryFactoryBean factory = new MapJobRepositoryFactoryBean();
            factory.afterPropertiesSet();
            return (JobRepository) factory.getObject();
        }

Categories : Java

Spring's Javaconfig and Prototyped Beans
I don't think this is so much an issue of Spring XML vs Java-based configuration, but one of matching dependency scopes. Since Spring can only do dependency injection on the singleton-scoped bean at creation time, you have to look up the prototype-scoped bean on demand. Of course the current bean-lookup approach works, but creates a dependency on the ApplicationContext. I can suggest a few other possibilities but the root of the issue is really what is involved in producing a ProtoBean, and what trade-offs should you accept. You could make BeanUser itself prototype-scoped, which would allow you to wire in the ProtoBean as a member. Of course the trade-off is you now have the same problem on the clients of BeanUser, but sometimes that would not be a problem. Another path could be using somethin

Categories : Java

Deploy Spring and Jersey App with JavaConfig on Grizzly
Try this:

    ctx.addContextInitParameter("contextConfigLocation", "classpath:com/myapp/config/beans.xml")

And you should not use com.sun.jersey.config.property.packages anymore as you already use Spring to manage the beans.

Categories : Spring

How can I use Spring 3.2.3 JavaConfig to read an environment variable?
You could use Spring's EnvironmentAware interface:

    public class ClazzWithEnvironmentInfo implements EnvironmentAware {

        private Environment environment;

        private String getSomeProperty() {
            return environment.getProperty("SOME_ENV_PROPERTTY");
        }

        @Override
        public void setEnvironment(Environment environment) {
            this.environment = environment;
        }
    }

Categories : Java

How would I make this bean in JavaConfig, I dont want to use XML with Spring anymore
Something like this should work:

    @Bean
    public DefaultAnnotationHandlerMapping defaultAnnotationHandlerMapping() {
        DefaultAnnotationHandlerMapping bean = new DefaultAnnotationHandlerMapping();
        bean.setUseDefaultSuffixPattern(false);
        return bean;
    }

You can see my sample spring MVC app using code config here: https://github.com/robhinds/spring-code-configuration-webapp/blob/master/src/main/java/com/tmm/web/configuration/WebMvcConfiguration.java

Categories : Spring

Login page with Spring Security not working URL(http://localhost:8080/site/j_spring_security_check) goes to PAGE NOT FOUND
You've been answered here and here, please don't cross-post. The answers:

if the j_spring_security_check URL is not part of the HST driven then make sure you add it to your hst:hosts exclusions, because otherwise the HST thinks it needs to handle the URL.

and

You need to insert the SpringSecurityValve into your existing pipelines as well. You can use the hippo-spring-sec plugin for a cleaner spring security integration; http://hst-springsec.forge.onehippo.org/

Categories : Spring

Can https fallback to http and security level of https
No, HTTPS never falls back to HTTP automatically. It would take deliberate action by the user. If you're just going to a web page by putting its URL into the address bar, this is easy; for form submission it's harder. Yes, sending plain text over SSL is fine. In fact, sending a hashed password doesn't really increase security much at all -- if someone manages to sniff the connection and gets the hashed password, that's all they need to be able to login to the site. It has one small advantage: if the user uses the same password at multiple sites, learning the hashed password for one site doesn't help them get into another site that uses a different (or no) hash. And it's not likely to be feasible to send salted hashes, since the client doesn't know the salt. A cnonce adds an extra level

Categories : Asp Net

Spring Data MongoDB how do I set auto-connect-retry="true" with javaconfig style?
Simply do the following:

    Mongo mongo = new Mongo();
    mongo.getMongoOptions().setAutoConnectRetry(true);

Generally speaking, the MongoOptions type exposed contains all the settings you can apply through the namespace.

Categories : Spring

Spring JavaConfig: Retrieving beans by calling Configuration class/bean "directly"
The preferred method would be to have:

    @Autowired
    private SomeBean1 somebean1;

    @Autowired
    private SomeBean2 somebean2;

This is even cleaner, makes testing simpler, and avoids issues such as unnecessarily instantiating more copies than necessary.

Categories : Java

How to send an image from HTTP client to http server listening on this URL(http://localhost:8000/test)
Are you using a web container like apache/nginx or one you write yourself? If you are wondering how to decode the tcp packet in your own server, just upload a file to a server and grasp the http packet to see the detail of the protocol.

Categories : Misc

Accessing declared variables inside a #define from another #define
If the struct is declared static within a function, its visibility will be limited to that function. Example (without macros):

    struct hoppa { int i; };

    void start(void) {
        static struct hoppa one = {1};
    }

    void use_it(void) {
        one.i = 2; //FAIL
    }

Categories : C

sequelize.define error: has no method 'define' in nodejs
This is because you have to instantiate Sequelize.

    var Sequelize = require("sequelize");
    var sequelize = new Sequelize('database', 'username');
    // data types are static members of the Sequelize class
    var Project = sequelize.define('Project', {
      title: Sequelize.STRING,
      description: Sequelize.TEXT
    });

Categories : Node Js

there is __cond_lock(x,c) define in compiler.h file , but no __cond_unlock(x,c) define?
Protecting critical sections using locking is up to the programmer. That means, if you hold a lock to protect a critical section, you must release the lock when you're finished. There are various types of locking primitives inside the Linux kernel, like spinlock(), spinlock_irq(), spin_trylock(). They have their own purposes. Now, spin_trylock() uses __cond_lock inside of it to check whether that particular lock is available for locking or has already been taken. Take a look at a few examples of how spin_trylock or __cond_lock is being used. For example, at kernel/sched/fair.c::rebalance_domain (https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/sched/fair.c?id=d8dfad3876e4386666b759da3c833d62fb8b2267#n5574) see how the balancing is used, it's

Categories : Linux

Spring Security 3.1.x & JSF 2.0 : " BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains' "
I would start by checking your classpath (look in the lib directory of your WAR file) and make sure you don't have different Spring jars in there. It's not uncommon for maven to pull in transitive dependencies from some dependency and cause you to end up with Spring 3.0.x and Spring 3.1.x jars at once. You can avoid this by adding exclusions to your pom, or more simply by specifying explicit versions for each Spring jar you need. Then make sure you are using up-to-date versions of both Spring Security and Spring. Note that Spring and Spring Security are separate projects with independent version numbers. There's no reason why you can't be using Spring 3.2.3 with Spring Security 3.1.4, for example, but you should have the latest minor version of whichever release you choose.

Categories : Java


