Problem change from xml to Java Based Configuration

Time:10-30

I'm using the latest version of Spring Boot MVC (5.3) and Spring Security (5.5) with LDAP users.

I'm trying to migrate from this XML configuration:

<!--
  Spring Security namespace configuration: form login, URL authorization rules,
  @Secured method security, and a single Active Directory LDAP authentication provider.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-5.4.xsd">

    <!--
      URL authorization. intercept-url patterns are evaluated in declaration order,
      so the catch-all "/**" rule has to stay last.
      form-login sets no login-processing-url, so the namespace default applies
      (POST /login in Spring Security 4 and later). The login page (/signin) and
      the URL that receives the credentials (/login) are therefore different here.
      authentication-failure-url is a redirect target; the success URL is a forward.
    -->
    <security:http auto-config="true" disable-url-rewriting="true"
                   use-expressions="true">
        <security:form-login login-page="/signin"
                             authentication-failure-url="/signinAjax?error=1" authentication-details-source-ref="customWebAuthenticationDetailsSource" authentication-success-forward-url="/logged"/>
        <security:intercept-url pattern="/" access="permitAll" />
        <security:intercept-url pattern="/isAutenticated" access="permitAll" />
        <!-- The next two rules are already covered by the "/resources/**" rule that follows them. -->
        <security:intercept-url pattern="/resources/images/favicon.png"
                                access="permitAll" />
        <security:intercept-url pattern="/resources/webfonts/**"
                                access="permitAll" />
        <security:intercept-url pattern="/resources/**"
                                access="permitAll" />
        <security:intercept-url pattern="/signin"
                                access="permitAll" />
        <security:intercept-url pattern="/signinAjax"
                                access="permitAll" />
        <!-- /userList is restricted to authenticated users; keep this when porting the rules. -->
        <security:intercept-url pattern="/userList"
                                access="isAuthenticated()" />
        <!-- NOTE(review): "imgages" looks like a typo for "images". As written, /images/** falls through to the "/**" rule and requires authentication. -->
        <security:intercept-url pattern="/imgages/**"
                                access="permitAll" />
        <security:intercept-url pattern="/**"
                                access="isAuthenticated()" />
    </security:http>

    <!-- Turns on enforcement of @Secured annotations on bean methods. -->
    <security:global-method-security
            secured-annotations="enabled" />

    <!-- erase-credentials clears the submitted password from the Authentication object after a successful login. -->
    <security:authentication-manager
            erase-credentials="true">
        <security:authentication-provider
                ref="ldapActiveDirectoryAuthProvider" />
    </security:authentication-manager>

    <!--
      Active Directory provider: constructor arguments are the domain and the LDAP URL.
      NOTE(review): ldap:// on port 389 is an unencrypted transport; unless the custom
      provider negotiates StartTLS, user passwords cross the network in clear text
      during the bind. Prefer ldaps:// where the directory supports it.
      In searchFilter, "&amp;" is only the XML escape for "&"; the filter the provider
      receives starts with "(&". {0} is replaced with the login name.
      NOTE(review): confirm the custom provider escapes that value before substituting it.
    -->
    <bean id="ldapActiveDirectoryAuthProvider"
          class="org.springframework.security.ldap.authentication.ad.CustomActiveDirectoryLdapAuthenticationProvider">
        <constructor-arg value="XXXX" />
        <constructor-arg value="ldap://XXX:389" />
        <property name="convertSubErrorCodesToExceptions" value="true" />
        <property name="searchFilter"
                  value="(&amp;(objectClass=user)(sAMAccountName={0}))"  />
        <property name="useAuthenticationRequestCredentials" value="true" />
        <property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper" />
    </bean>

    <!-- Maps the LDAP entry of an authenticated user to the application's user details. -->
    <bean id="tdrUserDetailsContextMapper"
          class="it.xxx.account.CustomUserDetailsContextMapper" />

    <!-- Supplies the custom authentication details object referenced by form-login above. -->
    <bean id="customWebAuthenticationDetailsSource"
        class="it.xxx.config.security.CustomWebAuthenticationDetailsSource"/>


</beans>

which works correctly, to this Java-based configuration:

/**
 * Java-based Spring Security configuration: URL authorization rules, form login,
 * and an Active Directory LDAP authentication provider.
 */
@Configuration
@EnableWebSecurity
// NOTE(review): while the next line stays commented out, @Secured annotations are not
// enforced. If this class replaces an XML configuration that had
// secured-annotations="enabled", method-level checks are silently lost.
//@EnableGlobalMethodSecurity(securedEnabled=true)
//@ImportResource(value = "classpath:spring-security-context.xml")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    


    /** Exposes the custom authentication details source used by the form-login filter. */
    @Bean
    public CustomWebAuthenticationDetailsSource customWebAuthenticationDetailsSource() {
        return new CustomWebAuthenticationDetailsSource();
    }

    /**
     * Declares which URLs are public and configures form login.
     *
     * @param http the security builder to configure
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").permitAll()
                .antMatchers("/isAutenticated").permitAll()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/signin").permitAll()
                .antMatchers("/signinAjax").permitAll()
                // NOTE(review): permitAll() exposes /userList to anonymous users. If this
                // rule was ported from access="isAuthenticated()", it should be .authenticated().
                .antMatchers("/userList").permitAll()
                .antMatchers("/images/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                // With no loginProcessingUrl(...) set, Java config uses the loginPage value
                // as the credential-processing URL, so only POST /signin is handled by the
                // login filter. A form that posts to /login is treated as an ordinary
                // protected request and rejected for the anonymous user.
                .loginPage("/signin")
                .authenticationDetailsSource(customWebAuthenticationDetailsSource())
                .successForwardUrl("/logged")
                // failureForwardUrl forwards the failed request; the XML attribute
                // authentication-failure-url corresponds to failureUrl(...), a redirect.
                .failureForwardUrl("/signinAjax?error=1");


    }



    /**
     * Builds the Active Directory authentication provider.
     *
     * @return the provider, constructed with the domain and the LDAP URL
     */
    @Bean
    public CustomActiveDirectoryLdapAuthenticationProvider ldapActiveDirectoryAuthProvider() {
        // NOTE(review): ldap:// on port 389 is an unencrypted transport; unless the custom
        // provider negotiates StartTLS, passwords are sent in clear text during the bind.
        CustomActiveDirectoryLdapAuthenticationProvider provider = new CustomActiveDirectoryLdapAuthenticationProvider("xxx.local","ldap://xxx:389");
        provider.setConvertSubErrorCodesToExceptions(true);
        // "&amp;" is an XML entity and has no meaning in a Java string literal: the
        // characters are passed to the provider as written, which is not a valid
        // LDAP filter. The filter must start with "(&".
        // NOTE(review): confirm the custom provider escapes the value substituted for {0}.
        provider.setSearchFilter("(&amp;(objectClass=user)(sAMAccountName={0}))");
        provider.setUseAuthenticationRequestCredentials(true);
        provider.setUserDetailsContextMapper(tdrUserDetailsContextMapper());
        return provider;
    }

    /** Registers a listener that logs security events such as authorization failures. */
    @Bean
    public LoggerListener loggerListener() {
        return new LoggerListener();
    }


    /**
     * Registers the LDAP provider as the only authentication provider.
     *
     * @param auth the authentication manager builder
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Clear the submitted password from the Authentication object after login.
        auth.eraseCredentials(true);
        auth.authenticationProvider(ldapActiveDirectoryAuthProvider());
    }


    /** Exposes the mapper that turns an LDAP entry into the application's user details. */
    @Bean
    public CustomUserDetailsContextMapper tdrUserDetailsContextMapper() {
        return new CustomUserDetailsContextMapper();
    }




}

It compiles and Tomcat starts without errors, but logging in is impossible and I get this error:

org.springframework.security.access.event.LoggerListener.onAuthorizationFailureEvent Security authorization failed due to: org.springframework.security.access.AccessDeniedException: Access is denied; authenticated principal: AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=19C02E6245BF011635B6ADC374ED4EA4], Granted Authorities=[ROLE_ANONYMOUS]]; secure object: filter invocation [POST /login]; configuration attributes: [authenticated]

I don't know what is missing.

CodePudding user response:

// Example HttpSecurity chain: public URLs, form login at /login, and logout handling.
// NOTE(review): csrf().disable() removes CSRF protection from every state-changing
// request, including the login and logout POSTs. For a browser application with
// session cookies, keep CSRF enabled and send the token with each form instead.
// formLogin().permitAll() opens the login page and its processing URL to anonymous
// users. With only loginPage("/login") set, the same URL also receives the POSTed
// credentials.
http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/index","/images/**","/showSignUpForm","/login","/userSignUp",
                        "/page/**","/sort/**","/sortWithPage/**","/search/**").permitAll()
                .anyRequest().authenticated()
                .and().formLogin()
                .loginPage("/login").defaultSuccessUrl("/index").permitAll()
                .and()
                .logout()
                // Drop the server-side session and the security context on logout.
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login?logout").permitAll();

Try it this way.

CodePudding user response:

I found the problems:

There was an error in the XML-to-Java conversion: the XML entity `&amp;` must be written as a plain `&` in the Java string.

// "&amp;" is only the XML escape for "&"; a Java string literal needs the bare "&"
// so that the LDAP filter starts with the AND operator "(&".
// NOTE(review): confirm the custom provider escapes the value substituted for {0}.
provider.setSearchFilter("(&(objectClass=user)(sAMAccountName={0}))");

Changed loginPage

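/**
 * Declares which URLs are public and configures form login.
 *
 * <p>Why the XML version worked with {@code login-page="/signin"}: the XML namespace
 * defaults {@code login-processing-url} to {@code /login} independently of the login
 * page, while Java config defaults the processing URL to the {@code loginPage} value.
 * Setting {@code loginPage("/login")} therefore makes POST /login the credential
 * endpoint again. To keep {@code /signin} as the page, the equivalent is
 * {@code .loginPage("/signin").loginProcessingUrl("/login")}.
 *
 * @param http the security builder to configure
 * @throws Exception if the builder rejects the configuration
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/").permitAll()
            .antMatchers("/isAutenticated").permitAll()
            .antMatchers("/resources/**").permitAll()
            .antMatchers("/signin").permitAll()
            .antMatchers("/signinAjax").permitAll()
            // The XML rule for /userList was access="isAuthenticated()"; permitAll()
            // here would expose the user list to anonymous visitors.
            .antMatchers("/userList").authenticated()
            .antMatchers("/images/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            // NOTE(review): unauthenticated users are now redirected to GET /login, which
            // is not in the permitAll list above. Confirm that URL is reachable anonymously.
            .loginPage("/login")
            .authenticationDetailsSource(customWebAuthenticationDetailsSource())
            .successForwardUrl("/logged")
            // authentication-failure-url in the XML is a redirect, which is failureUrl(...)
            // in Java config; failureForwardUrl(...) would forward the failed POST instead.
            .failureUrl("/signinAjax?error=1");
}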

I don't know how it worked with the XML configuration.
