Struts2 + Spring Security 2.06: Valuestack is null when attempting to use @Secured on an Action method

I just wonder, this problem occurs if you use the default configuration of Spring Security, where it expects ROLE_ prefixed names. See this question: How do I use custom roles/authorities in Spring Security? You are using the default configuration, which expects that roles start with the "ROLE_" prefix. You will have to add a custom …

How do I disable resolving login parameters passed as url parameters / from the url

This makes Spring search for login data in both – parameters and body. I wish to disable searching those parameters in the url. I believe this is not possible since this behaviour is implemented not by Spring but by JavaEE itself. HttpServletRequest.getParameter doc states: Returns the value of a request parameter as a String, or null …

How do I unit test spring security @PreAuthorize(hasRole)?

UPDATE Spring Security 4 provides comprehensive support for integrating with MockMvc. For example:

    import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.*;

    @RunWith(SpringJUnit4ClassRunner.class)
    @ContextConfiguration
    @WebAppConfiguration
    public class SecurityMockMvcTests {

        @Autowired
        private WebApplicationContext context;

        private MockMvc mvc;

        @Before
        public void setup() {
            mvc = MockMvcBuilders
                    .webAppContextSetup(context)
                    .apply(springSecurity())
                    .build();
        }

        @Test
        public void withUserRequestPostProcessor() {
            mvc
                .perform(get("/admin").with(user("admin").roles("USER","ADMIN")))
                …
        }

        @WithMockUser(roles="ADMIN")
        @Test
        public void …

Implement custom AuthenticationProvider in Spring Security 2.06

If you are implementing your own AuthenticationProvider, you don’t have to implement a UserDetailsService if you don’t want to. UserDetailsService just provides a standard DAO for loading user information and some other classes within the framework are implemented to use it. Normally, to authenticate using a username and password, you would instantiate a DaoAuthenticationProvider and …

Spring Security exposing AuthenticationManager without WebSecurityConfigurerAdapter

Local AuthenticationManager

A solution to be able to get and pass the AuthenticationManager (which you cannot get anymore from the deprecated WebSecurityConfigurerAdapter) to the filter is to have a dedicated configurer which will be responsible for adding the filter. (This is inspired by the solution provided here. Edit: and now officially in the documentation). …

alternative to GrantedAuthorityImpl() class

The class GrantedAuthorityImpl has been deprecated – you can use SimpleGrantedAuthority instead:

    public Collection<GrantedAuthority> getAuthorities(Integer access) {
        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
        if (access.compareTo(1) == 0) {
            authList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
        } else {
            authList.add(new SimpleGrantedAuthority("ROLE_USER"));
        }
        return authList;
    }

Consider defining a bean of type ‘org.springframework.security.authentication.AuthenticationManager’ in your configuration

It seems like it’s one of the "breaking changes" Spring Boot 2.0 introduced. I believe that your case is described in Spring Boot 2.0 Migration Guide. In your WebSecurityConfigurerAdapter class you need to override authenticationManagerBean method and annotate it with @Bean, i.e.:

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }