Comments on Sleepless in Salt Lake City: Spring Security - Stateless Cookie Based Authentication with Java Config
Blog author: Sanjay Acharya (http://www.blogger.com/profile/01933976956977901677)
Comment feed last updated: 2023-07-28T02:46:58-06:00
12 comments, newest first


nityanandasahoo (https://www.blogger.com/profile/12576187595060273432), 2015-01-03T13:59:11-07:00:

I'm getting an error:

java.lang.UnsupportedOperationException: Should not be called by the code path
    at com.welflex.web.security.CookieSecurityContext.setAuthentication(CookieSecurityContext.java:26)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:314)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:288)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:213)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at com.welflex.web.security.CookieAuthenticationFilter.doFilter(CookieAuthenticationFilter.java:49)
    at


Anonymous, 2014-05-22T10:21:50-06:00:

Thanks for the detailed explanation. I am a newbie out here; can you please post the SpringSecurityConfig.java with inmemorydaoimpl?


Pedro Pedruzzi (https://www.blogger.com/profile/12230340793830712932), 2014-04-25T04:56:42-06:00:

Very helpful article.
However, the example is missing a fundamental component abstracted by cookieService: generation and verification of the authentication cookie value.
A Message Authentication Code comes to mind. Encoding a timestamp would also be appropriate to add an expiration policy.
Have you looked into that? What are you using in practice?


MJ (https://www.blogger.com/profile/04437629205235766305), 2014-01-03T10:19:41-07:00:

Very thorough and helpful!


Sanjay Acharya, 2012-12-03T15:56:45-07:00:

You should be able to create an equivalent configuration by using XML. In fact, that appears to be the default way of doing the same.


Anonymous, 2012-12-03T02:23:21-07:00:

Hi Sanjay,

Thank you for the great article!
I'm new to Spring; that's why I'm asking how to make a similar configuration using XML configs only. Is it possible?


Sebastian (http://sebstein.hpfsc.de/), 2012-08-01T01:54:03-06:00:

I think you are right. The JSESSIONID is most probably created by the container, e.g. when opening the root context, which provides some kind of welcome page.


Sanjay Acharya, 2012-07-31T07:47:59-06:00:

Also you might want to see http://stackoverflow.com/questions/595872/under-what-conditions-is-a-jsessionid-created

Regarding the context: it is possible that the code is not using ${ctx} on all links, leading to the problem. Easily fixed, but this is an example :-)


Sanjay Acharya, 2012-07-31T07:44:13-06:00:

The example code should not depend on or create a JSESSIONID cookie. When you run under Jetty, you will notice that no JSESSIONID cookie is created. A JSESSIONID will be created if any code calls request.getSession(). In the JSPs of the example, all of them are set to "NOT" create a session as well.

If I were to guess, this is happening at the JBoss container level or in some other JSP in the container. That said, the example is still stateless, as it does not use the JSESSIONID for any purpose. If you had a load balancer, you could balance across different nodes without a problem, as the custom cookie created by the application (AUTHCOOKIE) is the only one that is used for authentication/authorization.


Sebastian (http://sebstein.hpfsc.de/), 2012-07-31T07:28:47-06:00:

I'm a bit surprised. I deployed your application in JBoss AS 7.1.1. As it doesn't get deployed in the root context, /home can't be found. But this might be just a minor misconfiguration of the request mapping.

But while accessing the login page, I see that a JSESSIONID cookie is set in the request header. I checked it with Firefox Findbugs. Why is this JSESSIONID created? I expected that it shouldn't exist, because otherwise several app server nodes would need to share the sessions, making the app stateful?


Sanjay Acharya, 2012-04-05T18:32:01-06:00:

Glad that it helped. Great that you are using the TokenBasedRememberMeServices; that works well for this case. Ordering of filters is not a problem here, as the CookieAuthenticationFilter is poorly named; maybe it had better be called CookieSecurityContextFilter, as it is responsible for loading a context at the start of the chain. One thing to note with my example is that the cookie is not refreshed, something that would need to be done on a call. Also, the example does not demonstrate Java Config for method annotation. I tried to emulate global security but did not succeed.


Anonymous, 2012-04-04T20:37:55-06:00:

Thanks for this post. I recently started using Java-based configs for my Spring MVC projects, and this was immensely helpful, as there is absolutely no documentation for Java-based Spring Security configuration. I did run into a few issues / dilemmas that the next person who looks here might find useful:
1. I decided to extend Spring's TokenBasedRememberMeServices instead of starting a cookie management system from scratch (stateless was not a requirement for me, but I am sure this filter works both ways).
2. The ordering of filters here might not be correct. The cookie authentication filter (whichever you use) should be placed after your main authentication filter, as mentioned in the docs: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/security-filter-chain.html
3. Without the SecurityContextPersistenceFilter, the security chain will keep dropping your session unless you persist it in a cookie. Obviously on a stateless setup this is not an issue, but if anyone is trying to maintain state, make sure you add that filter at the very top.