Webdav example in Spring Security with password encription

You can find few set of link which will guide you to do the spring configuration for the webdav. But, i have reallized that most of the readers getting trouble when implementing those codes as they are not properly explain how to do it basic level.

Here is the clear working guide for the spring webdav integration with encripted password.

01. Setup the spring blank project from your desired developement tool (netbeans, eclipse,intelliJ IDEA). I am using intelliJ on this tutorial. And setup spring security example based on the available sources on the web.
Here is the few links you may try.
http://blog.solidcraft.eu/2011/03/spring-security-by-example-set-up-and.html
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/sample-apps.html

After completing the above steps, you could be able to log in to the web application using form based authontification with encripted password on the database.

Now lets setup for the webdav folder access for the above web project.

02. Modify the web.xml file for the webdav configuration.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
 http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
    <servlet>
        <servlet-name>webdav</servlet-name>
        <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- Read-Write Access Settings -->
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
    </servlet>
    <!-- URL Mapping -->
    <servlet-mapping>
        <servlet-name>webdav</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/application-security.xml
            /WEB-INF/applicationContext.xml
        </param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>
03. As you can see the above web.xml file, following two spring configuration file should be available.

            /WEB-INF/application-security.xml
            /WEB-INF/applicationContext.xml

 04. application-security.xml file is use to control the spring security for this example.
<?xml version="1.0" encoding="UTF-8"?>

 <beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

     <http>
        <intercept-url pattern="/**" access="ROLE_DESKTOP_USER"/>
        <http-basic/>
        <custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER"/>
    </http>

     <beans:bean id="digestFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
        <beans:property name="userDetailsService" ref="myAuthenticationProvider"/>
        <beans:property name="authenticationEntryPoint" ref="digestEntryPoint"/>
        <beans:property name="passwordAlreadyEncoded" value="true"></beans:property>
    </beans:bean>
     <beans:bean id="digestEntryPoint"
                class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
                <beans:property name="realmName" value="my test" />
                <beans:property name="key" value="test" />
                <beans:property name="nonceValiditySeconds" value="10" />
        </beans:bean>
    <authentication-manager>
        <authentication-provider user-service-ref='myAuthenticationProvider'>
             <password-encoder ref="passwordEncoder">
                 <salt-source ref="DigestAuthenticationAwareSaltSource"/>
             </password-encoder>
        </authentication-provider>
    </authentication-manager>

       <beans:bean id="digestAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
                <beans:property name="userDetailsService" ref="myAuthenticationProvider" />
        </beans:bean>

      <beans:bean id="DigestAuthenticationAwareSaltSource" class="com.indika.service.DigestAwarePasswordEncoder">
         <beans:property name="digestRealm" value="Contacts Realm via Digest Authentication"/>
    </beans:bean>
    <beans:bean class="com.indika.service.DigestAuthenticationAwarePasswordEncoder" id="passwordEncoder"/>

     <beans:bean id="myAuthenticationProvider" class="com.indika.service.UserDetailsServiceImpl">
        <beans:property name="mstuserdao" ref="mstuserdao"/>
        <beans:property name="mstusergroupdao" ref="mstusergroupdao"/>
    </beans:bean>

     <beans:bean id="mstuserdao" class="com.indika.repository.MstUserDAO">
        <beans:property name="hibernateTemplate">
            <beans:ref bean="hibernateTemplate"/>
        </beans:property>
    </beans:bean>

     <beans:bean id="mstusergroupdao" class="com.indika.repository.MstUserGroupDAO">
        <beans:property name="hibernateTemplate">
            <beans:ref bean="hibernateTemplate"/>
        </beans:property>
    </beans:bean>

 </beans:beans>


 Above red colour classes should be created by you.

 05. DigestAuthenticationAwarePasswordEncoder.java

 package com.indika.service;

 import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.Assert;
public class DigestAuthenticationAwarePasswordEncoder implements SaltSource, InitializingBean {

     private String digestRealm;
    public void afterPropertiesSet() throws Exception {
        Assert.hasText(digestRealm, "A Digest Realm must be set");
    }
    public Object getSalt(UserDetails user) {
        return String.format("%s:%s:", user.getUsername(), digestRealm);
    }

     public void setDigestRealm(String digestRealm) {
        this.digestRealm = digestRealm;
    }
}

 06. DigestAwarePasswordEncoder.java
package com.indika.service;

 import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.Assert;
public class DigestAwarePasswordEncoder implements SaltSource, InitializingBean {

     private String digestRealm;
    public void afterPropertiesSet() throws Exception {
        Assert.hasText(digestRealm, "A Digest Realm must be set");
    }
    public Object getSalt(UserDetails user) {
        return String.format("%s:%s:", user.getUsername(), digestRealm);
    }

     public void setDigestRealm(String digestRealm) {
        this.digestRealm = digestRealm;
    }
}

07. UserDetailsServiceImpl.java/MstUserDAO.java/MstUserGroupDAO.java

You can find many sources for the above classes from the web related to the spring security configuration.



08. Once every things were completed, you can login webdav folder using the encripted password.

Comments

  1. PawelSeptember 6, 2013 at 6:06 AM

    You included DigestAwarePasswordEncoder twice - once it should be DigestAuthenticationAwarePasswordEncoder, which is missing

    ReplyDelete
    Replies
    1. 1990 කොකාවිල්September 22, 2013 at 10:58 AM

      Thanks for pointing out the mistake. Now it should ok. Thanks again..

      Delete
  2. UnknownSeptember 21, 2013 at 6:38 AM

    Hi Indika,

    I have followed the above steps to configure digest auth for my Web Service but in the request header I am always getting "Headers: {Accept=[*/*], Authorization=[Basic Ym9iOmJvY...."

    client code ---

    public static void main(String args[]) throws Exception {

    JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
    factory.setServiceClass(NextOrderNumber.class);
    factory.setAddress("http://localhost:5050/ws/NextOrderNumberService");

    Map outProps = new HashMap();
    outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    outProps.put("passwordType", "PasswordDigest");
    outProps.put(WSHandlerConstants.USER,"abcd");
    outProps.put("password", "dcba");

    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientPasswordCallback.class.getName());

    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
    factory.getOutInterceptors().add(wssOut);

    NextOrderNumber client = (NextOrderNumber) factory.create();
    String nextOrderNumber = client.getNextOrderNumber();
    System.out.println("NextOrderNUmber is " + nextOrderNumber);
    System.exit(0);

    }

    ----- spring config file


























    Could you please assist me ? Please post the client code as well ?

    Many thanks

    ReplyDelete

Post a Comment

Popular posts from this blog

How to copy Copy Protected VCD

Today i bought a nursery rhymes VCD from the market to my daughter. Even though it playing well with the VCD player, I just wanted to have a copy of that VCD in my laptop as it is easy to play it later on without finding the cd in the rack. Also i am pretty sure that those VCDs might not be able to read after 1 to 2 years time as the low quality of them. I am using Ubuntu 10.04 LTS and i can't play the vcd with the default settings. I tried with VLC and movie player. In movie player it is giving the error massage saying.."Could not read from resource". With VLC i am getting " File reading failed: VLC could not read the file." These are the step to play/copy the above type of VCDs, Open linux shell (Application --> Asseseries-->Terminal) Type "sudo apt-get install vcdimager" and press enter (You need to have internet connection) Type "vcdxrip". You will get warn massage and wait until it complete the operation and get the cursor
Read more

Easy tricks for your needs...

01. Remove duplicate entries (line) from the text file in Ubuntu         sort random.txt | uniq -u > rand-shorter.txt 02. Change the folder tree rights to 777 in Ubuntu                    chmod -R 777 my_folder_name 03. MySQL data export to the database from sql file                   mysql -uroot -p -h localhost mydb < mydbbackup.sql 04. Find the running port number for given process in ubuntu            ps -ax|grep process_name          example:  ps -ax|grep java will list out all the process having name java 05. Kill running process         kill -9 12344 (Here 12344 is process number given by "ps -ax|grep myprocess" command) 06. Kill a process for know port         sudo lsof -t -i:<port-number>         Example: sudo lsof -t -i:9000         The result would be the process number. Then use " kill -9 <process-number >" to kill the process. Please see the (05) of the above.         
Read more