-
FEATURED COMPONENTS
First time here? Check out the FAQ!
Hi all, a couple days ago I posted about using ZK / JPA / Shiro Security. This was not a usable combination as Shiro could not access ZK's JPA entitymanager to perform the user lookup.
Now I am attempting to use the Spring framework to handle the JPA layer and since I'm using Spring I figured I may as well use Spring Security to keep the number of frameworks to a minimum. I thought it would be a smoother integration as ZK boasts ZK and Spring integration on their front page. However following ZK's Spring Security examples doesn't appear to function, at all - at least with the most current to-date version of each piece involved (Zk 5.0.5, ZK Spring Core and Spring Security 3.0RC, and Spring / Spring Security 3.0.5 ). When placing ZK's tags in spring's security xml configuration i get the following on Tomcat startup (this does prevent application startup).
Relevant portion of stack trace
Caused by: java.lang.ClassCastException: java.lang.String cannot be cast to org.springframework.beans.factory.support.RootBeanDefinition at org.springframework.security.config.http.ZkEventSecurityBeanDefinitionParser.getStandardFilter(ZkEventSecurityBeanDefinitionParser.java:177) at org.springframework.security.config.http.ZkEventSecurityBeanDefinitionParser.registerLoginOKFilter(ZkEventSecurityBeanDefinitionParser.java:133) at org.springframework.security.config.http.ZkEventSecurityBeanDefinitionParser.parse(ZkEventSecurityBeanDefinitionParser.java:101) at org.springframework.beans.factory.xml.NamespaceHandlerSupport.parse(NamespaceHandlerSupport.java:73) at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1335) at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1325) at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135) at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93) at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493) at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390) ... 28 more
Relevant portion of spring's security xml config (no issues when zk-event tag is removed)
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:security="http://www.zkoss.org/2008/zkspring/security" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.zkoss.org/2008/zkspring/security http://www.zkoss.org/2008/zkspring/security/zkspring-security.xsd http://www.zkoss.org/2008/zkspring http://www.zkoss.org/2008/zkspring/zkspring.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.4.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd"> ..... <!-- Secure the ZK Event layer --> <security:zk-event login-template-close-delay="-1"> <security:intercept-event path="/**" access="permitAll"/> </security:zk-event> </beans>
I haven't customized anything yet, this is almost a direct copy from ZK's example - Does anyone see something I missed? Any ideas? Will ZK integrate smoothly with any security frameworks or is security with ZK a lot of hacking?
Do you have integrate spring-security in your web.xml ??
web.xml
. . . <!-- ====================================================== --> <!-- SPRING-SECURITY Entry Point --> <!-- ====================================================== --> <!-- Here in the web.xml we do only set a reference. --> <!-- The exact configuration is in --> <!-- the SpringSecurityContext.xml --> <!-- Look in the documentation. Spring security works --> <!-- exactly down the chain points. --> <!-- For not declared points in the --> <!-- SpringSecurityContext.xml Spring takes --> <!-- default values. --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <!-- Spring-Security is mapped to all URLs --> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class> org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> </listener> <!-- END Spring-Security --> . . .
Yes, minus whitespace differences, thats exactly how the web.xml looks for the spring security section. I have even tried the newest jar file on google code (http://code.google.com/p/zkspring/ ) as it appeared to be slightly newer. I see that I can still use annotations but it feels like its starting to get hacky. I would prefer to protect the entire zk event layer instead of *having* to use annotations.
I figured I should post the entire stack trace to see if that provides someone smarter than myself more insight instead of just the bottom portion ... here it is
INFO: Creating access control expression attribute 'permitAll' for /** Feb 21, 2011 9:41:12 AM org.springframework.security.config.http.HttpSecurityBeanDefinitionParser checkFilterChainOrder INFO: Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 300, Root bean: class [org.springframework.security.web.authentication.logout.LogoutFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, Root bean: class [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 800, Root bean: class [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1200, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1400, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1600, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1800, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 1900] Feb 21, 2011 9:41:12 AM org.springframework.web.context.ContextLoader initWebApplicationContext SEVERE: Context initialization failed org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/spring-security.xml]; nested exception is java.lang.ClassCastException: java.lang.String cannot be cast to org.springframework.beans.factory.support.RootBeanDefinition at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:412) at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334) at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302) at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143) at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:178) at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:149) at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:124) at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:93) at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130) at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467) at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397) at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276) at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197) at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47) at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4172) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4671) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardHost.start(StandardHost.java:785) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463) at org.apache.catalina.core.StandardService.start(StandardService.java:525) at org.apache.catalina.core.StandardServer.start(StandardServer.java:701) at org.apache.catalina.startup.Catalina.start(Catalina.java:585) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) Caused by: java.lang.ClassCastException: java.lang.String cannot be cast to org.springframework.beans.factory.support.RootBeanDefinition at org.springframework.security.config.http.ZkEventSecurityBeanDefinitionParser.getStandardFilter(ZkEventSecurityBeanDefinitionParser.java:177) at org.springframework.security.config.http.ZkEventSecurityBeanDefinitionParser.registerLoginOKFilter(ZkEventSecurityBeanDefinitionParser.java:133) at org.springframework.security.config.http.ZkEventSecurityBeanDefinitionParser.parse(ZkEventSecurityBeanDefinitionParser.java:101) at org.springframework.beans.factory.xml.NamespaceHandlerSupport.parse(NamespaceHandlerSupport.java:73) at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1335) at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1325) at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135) at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93) at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493) at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390) ... 28 more
Asked: 2011-02-17 12:14:38 +0800
Seen: 640 times
Last updated: Feb 21 '11